{
    "catalog": {
        "securityControls": [
            {
                "parameters": [
                    {
                        "uuid": "a98b7c79-94f4-46ef-b0f8-ef956aefd6bd",
                        "parameterId": "AC-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-1_prm_1"
                    },
                    {
                        "uuid": "0a129b60-0f1b-4e1f-9ff6-07a5e8f0dc61",
                        "parameterId": "AC-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-01_odp.03"
                    },
                    {
                        "uuid": "aa4df469-53c3-4cff-ba4f-74d6eb3cb387",
                        "parameterId": "AC-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-01_odp.04"
                    },
                    {
                        "uuid": "d0735cf9-fd46-4724-a49f-433bbe3a8836",
                        "parameterId": "AC-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-01_odp.05"
                    },
                    {
                        "uuid": "c3ac73f4-fea4-468f-b930-3641afd0ed5d",
                        "parameterId": "AC-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-01_odp.06"
                    },
                    {
                        "uuid": "7fca32c2-62e4-43f2-a08d-a632e4de561f",
                        "parameterId": "AC-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-01_odp.07"
                    },
                    {
                        "uuid": "d3011662-d205-40e6-ad10-ca9af819afb6",
                        "parameterId": "AC-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "2a6ce37c-4172-4dd6-a509-ab3f708bce0a",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, AC-1(a) }}:</li><ul><li>1. {{ insert: param, AC-1(a)(1) }} access control policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the access control policy and the associated access controls;</li></ul>"
                    },
                    {
                        "uuid": "c6dc9675-a1b0-489e-a653-a68e72e5f9c4",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, AC-1(b) }} to manage the development, documentation, and dissemination of the access control policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "e3a7acff-827f-4275-9f7b-9c216063bad1",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ac-1_smt.c",
                        "description": "<ul><li>c. Review and update the current access control:</li><ul><li>1. Policy {{ insert: param, AC-1(c)(1)-1 }} and following {{ insert: param, AC-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, AC-1(c)(2)-1 }} and following {{ insert: param, AC-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "8ebd3923-3f29-41e6-8bc9-edaf761b8655",
                        "testId": "AC-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3e3b6871-f66b-4c36-b66b-12ee7f1b6fd7",
                        "testId": "AC-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b01a85dc-35ab-4271-bd54-cbd733df1d64",
                        "testId": "AC-01a.[01]",
                        "test": "Determine if an access control policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0ae5f4d8-f72e-4b87-b74f-04ba6e3f2dfc",
                        "testId": "AC-01a.[02]",
                        "test": "Determine if the access control policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4a5d0f23-5aab-49d5-ab23-8c79fad11d6a",
                        "testId": "AC-01a.[03]",
                        "test": "Determine if access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "77c1ad7b-6d48-468c-8a17-b3020f6b1bdc",
                        "testId": "AC-01a.[04]",
                        "test": "Determine if the access control procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6f29fd2b-b178-4dbf-8758-1c90cb3a734c",
                        "testId": "AC-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ade81279-4750-4883-a44a-a3901fa26e4d",
                        "testId": "AC-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "adf6ab77-0373-4b53-bf5b-77e21de7377c",
                        "testId": "AC-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e204df47-5e7c-40bc-bfdd-790cc84d0540",
                        "testId": "AC-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a747c540-8a40-438b-9c03-20cfc3962008",
                        "testId": "AC-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "62678a56-be51-474a-ae6a-104377c89fce",
                        "testId": "AC-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5e3008c8-0ecc-45bd-ba52-191e243c8606",
                        "testId": "AC-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "61226359-c2cb-466f-97d8-233afe42d35a",
                        "testId": "AC-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  access control policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9ef33c0c-55c9-4b72-b88c-648d2a39ef26",
                        "testId": "AC-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the access control policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a2f3f545-6a9a-4632-b266-8f2bd047725a",
                        "testId": "AC-01c.01[01]",
                        "test": "Determine if the current access control policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "33bf0945-b867-4f0d-a8d6-12b500891bc3",
                        "testId": "AC-01c.01[02]",
                        "test": "Determine if the current access control policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0291fd75-db05-44f9-870d-fd276477bd62",
                        "testId": "AC-01c.02[01]",
                        "test": "Determine if the current access control procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f82dbe1f-0ea3-4b18-b9c1-eb1c12e9cbd3",
                        "testId": "AC-01c.02[02]",
                        "test": "Determine if the current access control procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access control responsibilities.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "81c97dc9-f42f-451f-9319-f1ad1c8149af",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, AC-1(a) }}:</p><ul><li><p>1. {{ insert: param, AC-1(a)(1) }} access control policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the access control policy and the associated access controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, AC-1(b) }} to manage the development, documentation, and dissemination of the access control policy and procedures; and</p></li><li><p>c. Review and update the current access control:</p><ul><li><p>1. Policy {{ insert: param, AC-1(c)(1)-1 }} and following {{ insert: param, AC-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, AC-1(c)(2)-1 }} and following {{ insert: param, AC-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems. OT access by vendors and maintenance staff can occur over a large facility footprint or geographic area and into unobserved spaces, such as mechanical or electrical rooms, ceilings, floors, field substations, switch and valve vaults, and pump stations.</p>",
                "controlId": "AC-1",
                "family": "Access Control",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "2c1d07aa-69e9-4506-8971-7314ce9908a0",
                        "parameterId": "AC-2(c)",
                        "text": "prerequisites and criteria",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined prerequisites and criteria] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.01"
                    },
                    {
                        "uuid": "6a32fb42-72a4-42c4-af5f-0e1e25b783ce",
                        "parameterId": "AC-2(d)(3)",
                        "text": "attributes (as required)",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined attributes (as required)] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.02"
                    },
                    {
                        "uuid": "0acf54c2-df8a-468e-9248-95fc37c7b959",
                        "parameterId": "AC-2(e)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.03"
                    },
                    {
                        "uuid": "2149bd43-5129-4b69-b612-9005e4d63bfa",
                        "parameterId": "AC-2(f)",
                        "text": "policy, procedures, prerequisites, and criteria",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined policy, procedures, prerequisites, and criteria] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.04"
                    },
                    {
                        "uuid": "932df96d-a31d-401a-b1fd-5fc90d1a2147",
                        "parameterId": "AC-2(h)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.05"
                    },
                    {
                        "uuid": "04e58efe-defe-4524-92a3-6536ba4c0b42",
                        "parameterId": "AC-2(h)(1)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.06"
                    },
                    {
                        "uuid": "30de3560-efdc-4992-ae38-8174349be6b0",
                        "parameterId": "AC-2(h)(2)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.07"
                    },
                    {
                        "uuid": "a3be5a8f-9de3-40f7-8171-9d31fca4dc7e",
                        "parameterId": "AC-2(h)(3)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.08"
                    },
                    {
                        "uuid": "bddfb2dd-7f4d-4270-878d-5ff85a8f99a8",
                        "parameterId": "AC-2(i)(3)",
                        "text": "attributes (as required)",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined attributes (as required)] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.09"
                    },
                    {
                        "uuid": "b17f9cd7-77bb-4762-aa36-129b6a5d2f6c",
                        "parameterId": "AC-2(j)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-02_odp.10"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "9e79f815-a1a7-409a-a5a1-1d4043129d30",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.a",
                        "description": "<ul><li>a. Define and document the types of accounts allowed and specifically prohibited for use within the system;</li></ul>"
                    },
                    {
                        "uuid": "10158675-0421-40fe-8cc3-6bffcf937873",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.b",
                        "description": "<ul><li>b. Assign account managers;</li></ul>"
                    },
                    {
                        "uuid": "6d02aa18-9de1-490c-9979-835ec9c66b6e",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.c",
                        "description": "<ul><li>c. Require {{ insert: param, AC-2(c) }} for group and role membership;</li></ul>"
                    },
                    {
                        "uuid": "205cef88-5339-43cf-8764-98ac91cc3f0f",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.d",
                        "description": "<ul><li>d. Specify:</li><ul><li>1. Authorized users of the system;</li><li>2. Group and role membership; and</li><li>3. Access authorizations (i.e., privileges) and {{ insert: param, AC-2(d)(3) }} for each account;</li></ul>"
                    },
                    {
                        "uuid": "edfaf478-2d36-47ba-82a8-77ed7112626b",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.e",
                        "description": "<ul><li>e. Require approvals by {{ insert: param, AC-2(e) }} for requests to create accounts;</li></ul>"
                    },
                    {
                        "uuid": "dff3c491-9073-4f7e-8fba-126c747166a5",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.f",
                        "description": "<ul><li>f. Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, AC-2(f) }};</li></ul>"
                    },
                    {
                        "uuid": "8f54f5c4-ca0d-4a53-b66b-b223e88982c8",
                        "name": "g.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.g",
                        "description": "<ul><li>g. Monitor the use of accounts;</li></ul>"
                    },
                    {
                        "uuid": "ce033bf8-ab68-4091-93a3-f9d4ff46e38a",
                        "name": "h.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.h",
                        "description": "<ul><li>h. Notify account managers and {{ insert: param, AC-2(h) }} within:</li><ul><li>1. {{ insert: param, AC-2(h)(1) }} when accounts are no longer required;</li><li>2. {{ insert: param, AC-2(h)(2) }} when users are terminated or transferred; and</li><li>3. {{ insert: param, AC-2(h)(3) }} when system usage or need-to-know changes for an individual;</li></ul>"
                    },
                    {
                        "uuid": "7704eaee-33db-4ab1-a80f-a6b9f28ae643",
                        "name": "i.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.i",
                        "description": "<ul><li>i. Authorize access to the system based on:</li><ul><li>1. A valid access authorization;</li><li>2. Intended system usage; and</li><li>3. {{ insert: param, AC-2(i)(3) }};</li></ul>"
                    },
                    {
                        "uuid": "69234583-7ea4-4145-b902-73da8864ce15",
                        "name": "j.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.j",
                        "description": "<ul><li>j. Review accounts for compliance with account management requirements {{ insert: param, AC-2(j) }};</li></ul>"
                    },
                    {
                        "uuid": "4a2e9fc0-ba30-45bb-93a8-533aea345e82",
                        "name": "k.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.k",
                        "description": "<ul><li>k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and</li></ul>"
                    },
                    {
                        "uuid": "7f4528c3-55d6-402d-b5aa-4de1f54eca56",
                        "name": "l.",
                        "objectiveType": "",
                        "otherId": "ac-2_smt.l",
                        "description": "<ul><li>l. Align account management processes with personnel termination and transfer processes.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "a0ec0c18-c71b-40cf-bb01-07da523b39d6",
                        "testId": "AC-02a.[01]",
                        "test": "Determine if account types allowed for use within the system are defined and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b5b818a4-6962-4164-afd3-907e84fade8c",
                        "testId": "AC-02a.[02]",
                        "test": "Determine if account types specifically prohibited for use within the system are defined and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8fa38c50-7c70-4a98-93bd-24b1d56f99dd",
                        "testId": "AC-02b.",
                        "test": "Determine if account managers are assigned;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f676706f-14e6-493b-b31c-a9317640b126",
                        "testId": "AC-02c.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): prerequisites and criteria ]  for group and role membership are required;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4a89bfb6-1a17-404e-a8a8-db5e0150d7af",
                        "testId": "AC-02d.01",
                        "test": "Determine if authorized users of the system are specified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9e696de6-9009-484a-9a16-960c4a5b12ff",
                        "testId": "AC-02d.02",
                        "test": "Determine if group and role membership are specified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b24b1df5-3468-47c0-80ee-a3da1e9a0747",
                        "testId": "AC-02d.03[01]",
                        "test": "Determine if access authorizations (i.e., privileges) are specified for each account;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e47a9ab7-53cd-4679-9c9d-8075e0ebaad0",
                        "testId": "AC-02d.03[02]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): attributes (as required) ]  are specified for each account;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f5890369-b438-4105-8ee2-06b61784c570",
                        "testId": "AC-02e.",
                        "test": "Determine if approvals are required by  [SELECTED PARAMETER VALUE(S): personnel or roles ]  for requests to create accounts;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5005e8d6-373d-42d0-a85f-62af8e0b6611",
                        "testId": "AC-02f.[01]",
                        "test": "Determine if accounts are created in accordance with  [SELECTED PARAMETER VALUE(S): policy, procedures, prerequisites, and criteria ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "af41372c-38d6-4caf-b279-db5fa8da7df0",
                        "testId": "AC-02f.[02]",
                        "test": "Determine if accounts are enabled in accordance with  [SELECTED PARAMETER VALUE(S): policy, procedures, prerequisites, and criteria ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9c4267d0-6ed7-48e7-b940-eb68f7063d38",
                        "testId": "AC-02f.[03]",
                        "test": "Determine if accounts are modified in accordance with  [SELECTED PARAMETER VALUE(S): policy, procedures, prerequisites, and criteria ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bcea62ca-df60-407a-85d0-03400d0e4cd5",
                        "testId": "AC-02f.[04]",
                        "test": "Determine if accounts are disabled in accordance with  [SELECTED PARAMETER VALUE(S): policy, procedures, prerequisites, and criteria ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1c8d87be-3992-437a-8e9b-f50156d2611f",
                        "testId": "AC-02f.[05]",
                        "test": "Determine if accounts are removed in accordance with  [SELECTED PARAMETER VALUE(S): policy, procedures, prerequisites, and criteria ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bf1ff771-efed-4d9e-a776-6e9f6f03dfe9",
                        "testId": "AC-02g.",
                        "test": "Determine if the use of accounts is monitored; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f9459578-da68-4b0f-b537-aa99ff9cd3a4",
                        "testId": "AC-02h.01",
                        "test": "Determine if account managers and  [SELECTED PARAMETER VALUE(S): personnel or roles ]  are notified within  [SELECTED PARAMETER VALUE(S): time period ]  when accounts are no longer required;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fbeb34ee-c0dc-4225-a3ed-5c353662b260",
                        "testId": "AC-02h.02",
                        "test": "Determine if account managers and  [SELECTED PARAMETER VALUE(S): personnel or roles ]  are notified within  [SELECTED PARAMETER VALUE(S): time period ]  when users are terminated or transferred;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e92e2ebc-1bde-4f7e-9ad5-bb7c2e623432",
                        "testId": "AC-02h.03",
                        "test": "Determine if account managers and  [SELECTED PARAMETER VALUE(S): personnel or roles ]  are notified within  [SELECTED PARAMETER VALUE(S): time period ]  when system usage or the need to know changes for an individual;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d59cdf47-dcbc-43be-9686-1d8ae0a50b4c",
                        "testId": "AC-02i.01",
                        "test": "Determine if access to the system is authorized based on a valid access authorization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "74539417-94e2-400d-a533-a0798787ffa5",
                        "testId": "AC-02i.02",
                        "test": "Determine if access to the system is authorized based on intended system usage;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4f7ead35-23ce-41f9-8d76-0f0817554417",
                        "testId": "AC-02i.03",
                        "test": "Determine if access to the system is authorized based on  [SELECTED PARAMETER VALUE(S): attributes (as required) ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d100ecd8-4dd6-478a-a7d4-4b0b60221264",
                        "testId": "AC-02j.",
                        "test": "Determine if accounts are reviewed for compliance with account management requirements  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cdca61ed-0219-4396-8e97-08f3b880a7c7",
                        "testId": "AC-02k.[01]",
                        "test": "Determine if a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a5757867-c2c3-4ecf-bc59-efbc2a7c4416",
                        "testId": "AC-02k.[02]",
                        "test": "Determine if a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1aca4a32-e143-496f-85e1-967a40b1d86a",
                        "testId": "AC-02l.[01]",
                        "test": "Determine if account management processes are aligned with personnel termination processes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "135cfe2f-dab1-4828-9f86-a7a158f367b5",
                        "testId": "AC-02l.[02]",
                        "test": "Determine if account management processes are aligned with personnel transfer processes.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a71127f4-784f-4d19-81ef-a26d3d74ce93",
                        "testId": "AC-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Personnel termination policy and procedure.</li><li>Personnel transfer policy and procedure.</li><li>Procedures for addressing account management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of active system accounts along with the name of the individual associated with each account.</li><li>List of recently disabled system accounts and the name of the individual associated with each account.</li><li>List of conditions for group and role membership.</li><li>Notifications of recent transfers, separations, or terminations of employees.</li><li>Access authorization records.</li><li>Account management compliance reviews.</li><li>System monitoring records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5835485d-a199-490c-91b0-086f0aaf131f",
                        "testId": "AC-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8fce0ad-ee40-4fc5-8250-3737c5899c30",
                        "testId": "AC-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for account management on the system.</li><li>Mechanisms for implementing account management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9dcdd7ff-e2ff-4a29-bd74-e061730275a1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-02 - Account Management",
                "description": "<ul><li><p>a. Define and document the types of accounts allowed and specifically prohibited for use within the system;</p></li><li><p>b. Assign account managers;</p></li><li><p>c. Require {{ insert: param, AC-2(c) }} for group and role membership;</p></li><li><p>d. Specify:</p><ul><li><p>1. Authorized users of the system;</p></li><li><p>2. Group and role membership; and</p></li><li><p>3. Access authorizations (i.e., privileges) and {{ insert: param, AC-2(d)(3) }} for each account;</p></li></ul></li><li><p>e. Require approvals by {{ insert: param, AC-2(e) }} for requests to create accounts;</p></li><li><p>f. Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, AC-2(f) }};</p></li><li><p>g. Monitor the use of accounts;</p></li><li><p>h. Notify account managers and {{ insert: param, AC-2(h) }} within:</p><ul><li><p>1. {{ insert: param, AC-2(h)(1) }} when accounts are no longer required;</p></li><li><p>2. {{ insert: param, AC-2(h)(2) }} when users are terminated or transferred; and</p></li><li><p>3. {{ insert: param, AC-2(h)(3) }} when system usage or need-to-know changes for an individual;</p></li></ul></li><li><p>i. Authorize access to the system based on:</p><ul><li><p>1. A valid access authorization;</p></li><li><p>2. Intended system usage; and</p></li><li><p>3. {{ insert: param, AC-2(i)(3) }};</p></li></ul></li><li><p>j. Review accounts for compliance with account management requirements {{ insert: param, AC-2(j) }};</p></li><li><p>k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and</p></li><li><p>l. Align account management processes with personnel termination and transfer processes.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.</p><p>Where access involves personally identifiable information, security programs collaborate with the senior agency official for privacy to establish the specific conditions for group and role membership; specify authorized users, group and role membership, and access authorizations for each account; and create, adjust, or remove system accounts in accordance with organizational policies. Policies can include such information as account expiration dates or other factors that trigger the disabling of accounts. Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of the two. Examples of other attributes required for authorizing access include restrictions on time of day, day of week, and point of origin. In defining other system account attributes, organizations consider system-related requirements and mission/business requirements. Failure to consider these factors could affect system availability.</p><p>Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.</p><p></p><p><strong>OT Discussion</strong></p><p>In OT systems, physical security, personnel security, intrusion detection, or auditing measures may support this control objective.</p><p></p>",
                "controlId": "AC-2",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul><li>AC-2(1) - Automated System Account Management</li><li>AC-2(2) - Automated Temporary and Emergency Account Management</li><li>AC-2(3) - Disable Accounts</li><li>AC-2(4) - Automated Audit Actions</li><li>AC-2(5) - Inactivity Logout</li><li>AC-2(6) - Dynamic Privilege Management</li><li>AC-2(7) - Privileged User Accounts</li><li>AC-2(8) - Dynamic Account Management</li><li>AC-2(9) - Restrictions on Use of Shared and Group Accounts</li><li>AC-2(11) - Usage Conditions</li><li>AC-2(12) - Account Monitoring for Atypical Usage</li><li>AC-2(13) - Disable Accounts for High-risk Individuals</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "c134fad6-6abf-46b6-9118-4256af889c86",
                        "name": "AC-3",
                        "objectiveType": "",
                        "otherId": "ac-3_smt",
                        "description": "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
                    }
                ],
                "tests": [
                    {
                        "uuid": "f9b61ce0-5c6b-4949-af6c-4bc71a29e0f0",
                        "testId": "AC-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing access enforcement.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of approved authorizations (user privileges).</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "42f34d45-4a50-4b9f-a84e-7f7ab1ae2cdc",
                        "testId": "AC-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with access enforcement responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9bda876c-2b07-4530-9b74-cd2a9111b3ce",
                        "testId": "AC-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing access control policy.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "51b74e16-188c-4371-890c-333f6e9f9e53",
                        "testId": "AC-03",
                        "test": "Determine if approved authorizations for logical access to information and system resources are enforced in accordance with applicable access control policies.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing access enforcement.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of approved authorizations (user privileges).</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with access enforcement responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing access control policy.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ac197491-d451-47a1-b0a1-c20da127d7c5",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-03 - Access Enforcement",
                "description": "<p>Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.<br><strong>Discussion</strong><br></p><p>Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection ( <a href=\"#pe\">PE</a> ) family.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization ensures that access enforcement mechanisms do not adversely impact the operational performance of the OT. Example compensating controls include encapsulation. The policy for logical access control to non-addressable and non-routable system resources and the associated information is made explicit. Access control mechanisms include hardware, firmware, and software that control the device or have device access, such as device drivers and communications controllers. Physical access control may serve as a compensating control for logical access control. However, it may not provide sufficient granularity when users require access to different functions.</p>",
                "controlId": "AC-3",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul><li>AC-3(2) - Dual Authorization</li><li>AC-3(3) - Mandatory Access Control</li><li>AC-3(4) - Discretionary Access Control</li><li>AC-3(5) - Security-relevant Information</li><li>AC-3(7) - Role-based Access Control</li><li>AC-3(8) - Revocation of Access Authorizations</li><li>AC-3(9) - Controlled Release</li><li>AC-3(10) - Audited Override of Access Control Mechanisms</li><li>AC-3(11) - Restrict Access to Specific Information Types</li><li>AC-3(12) - Assert and Enforce Application Access</li><li>AC-3(13) - Attribute-based Access Control</li><li>AC-3(14) - Individual Access</li><li>AC-3(15) - Discretionary and Mandatory Access Control</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "71ee44bf-714d-4602-b4cc-4ec8d5164e4d",
                        "parameterId": "AC-7(a)-1",
                        "text": "number",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined number] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-07_odp.01"
                    },
                    {
                        "uuid": "fce4d551-d643-42ab-8a14-f20861aec80c",
                        "parameterId": "AC-7(a)-2",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-07_odp.02"
                    },
                    {
                        "uuid": "2a19fe9e-0455-49b5-ac3c-869082bffb60",
                        "parameterId": "AC-7(b)",
                        "text": "[Selection (one or more): lock the account or node for [(NESTED PARAMETER) Assignment for ac-07_odp.04: time period]; lock the account or node until released by an administrator; delay next logon prompt per [(NESTED PARAMETER) Assignment for ac-07_odp.05: delay algorithm]; notify system administrator; take other [(NESTED PARAMETER) Assignment for ac-07_odp.06: action]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): lock the account or node for [(NESTED PARAMETER) Assignment for ac-07_odp.04: time period]; lock the account or node until released by an administrator; delay next logon prompt per [(NESTED PARAMETER) Assignment for ac-07_odp.05: delay algorithm]; notify system administrator; take other [(NESTED PARAMETER) Assignment for ac-07_odp.06: action]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-07_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a4d09a88-06d7-4d61-988e-1c78dee09e1b",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-7_smt.a",
                        "description": "<ul><li>a. Enforce a limit of {{ insert: param, AC-7(a)-1 }} consecutive invalid logon attempts by a user during a {{ insert: param, AC-7(a)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "2db1ff52-6133-4497-b880-0964727bc9ab",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-7_smt.b",
                        "description": "<ul><li>b. Automatically {{ insert: param, AC-7(b) }} when the maximum number of unsuccessful attempts is exceeded.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "1be153b8-26c2-4314-9d57-3402081a5394",
                        "testId": "AC-07a.",
                        "test": "Determine if a limit of  [SELECTED PARAMETER VALUE(S): number ]  consecutive invalid logon attempts by a user during  [SELECTED PARAMETER VALUE(S): time period ]  is enforced;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing unsuccessful logon attempts.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security responsibilities.</li><li>System developers.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing access control policy for unsuccessful logon attempts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4d56b88c-1c74-455b-9566-20cb5866bd07",
                        "testId": "AC-07b.",
                        "test": "Determine if automatically  [SELECTED PARAMETER VALUE(S): [Selection (one or more): lock the account or node for [(NESTED PARAMETER) Assignment for ac-07_odp.04: time period]; lock the account or node until released by an administrator; delay next logon prompt per [(NESTED PARAMETER) Assignment for ac-07_odp.05: delay algorithm]; notify system administrator; take other [(NESTED PARAMETER) Assignment for ac-07_odp.06: action]] ]  when the maximum number of unsuccessful attempts is exceeded.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing unsuccessful logon attempts.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security responsibilities.</li><li>System developers.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing access control policy for unsuccessful logon attempts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e3caa4e0-641f-4341-9705-022f4f9161a1",
                        "testId": "AC-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing unsuccessful logon attempts.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "46f2cfcd-7526-429b-b12b-638688ff64df",
                        "testId": "AC-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security responsibilities.</li><li>System developers.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5d758de4-cdd1-4151-8dcf-f74d9d752ded",
                        "testId": "AC-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing access control policy for unsuccessful logon attempts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3f452c18-b5ee-483d-aa43-72ed548139a3",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-07 - Unsuccessful Logon Attempts",
                "description": "<ul><li><p>a. Enforce a limit of {{ insert: param, AC-7(a)-1 }} consecutive invalid logon attempts by a user during a {{ insert: param, AC-7(a)-2 }} ; and</p></li><li><p>b. Automatically {{ insert: param, AC-7(b) }} when the maximum number of unsuccessful attempts is exceeded.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>The need to limit unsuccessful logon attempts and take subsequent action when the maximum number of attempts is exceeded applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by systems are usually temporary and automatically release after a predetermined, organization-defined time period. If a delay algorithm is selected, organizations may employ different algorithms for different components of the system based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at the operating system and the application levels. Organization-defined actions that may be taken when the number of allowed consecutive invalid logon attempts is exceeded include prompting the user to answer a secret question in addition to the username and password, invoking a lockdown mode with limited user capabilities (instead of full lockout), allowing users to only logon from specified Internet Protocol (IP) addresses, requiring a CAPTCHA to prevent automated attacks, or applying user profiles such as location, time of day, IP address, device, or Media Access Control (MAC) address. If automatic system lockout or execution of a delay algorithm is not implemented in support of the availability objective, organizations consider a combination of other actions to help prevent brute force attacks. In addition to the above, organizations can prompt users to respond to a secret question before the number of allowed unsuccessful logon attempts is exceeded. Automatically unlocking an account after a specified period of time is generally not permitted. However, exceptions may be required based on operational mission or need.</p><p></p><p><strong>OT Discussion</strong></p><p>Many OT systems remain in continuous operation, and operators remain logged onto the system at all times. A \u201clog-over\u201d capability may be employed. Example compensating controls include logging or recording all unsuccessful logon attempts and alerting OT security personnel through alarms or other means when the number of organization-defined consecutive invalid access attempts is exceeded. Unsuccessful logon attempt limits are enforced for accounts (e.g., administrator) or systems (e.g., engineering workstations) that are not required for continuous operation.</p>",
                "controlId": "AC-7",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul><li>AC-7(2) - Purge or Wipe Mobile Device</li><li>AC-7(3) - Biometric Attempt Limiting</li><li>AC-7(4) - Use of Alternate Authentication Factor</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "70a00a6f-1a7c-493c-9916-e60b8ea9fa15",
                        "parameterId": "AC-8(a)",
                        "text": "system use notification",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system use notification] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-08_odp.01"
                    },
                    {
                        "uuid": "51b719a7-8ee0-426d-9042-848c5fb7b741",
                        "parameterId": "AC-8(c)(1)",
                        "text": "conditions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined conditions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-08_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "bb54d7a0-8b72-4ddf-94e0-4031ed52a7b4",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-8_smt.a",
                        "description": "<ul><li>a. Display {{ insert: param, AC-8(a) }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:</li><ul><li>1. Users are accessing a U.S. Government system;</li><li>2. System usage may be monitored, recorded, and subject to audit;</li><li>3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and</li><li>4. Use of the system indicates consent to monitoring and recording;</li></ul>"
                    },
                    {
                        "uuid": "c8c5ceff-197b-4ef1-a860-269266b05c3e",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-8_smt.b",
                        "description": "<ul><li>b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and</li></ul>"
                    },
                    {
                        "uuid": "45662c82-580d-4768-b67c-d960182b054b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ac-8_smt.c",
                        "description": "<ul><li>c. For publicly accessible systems:</li><ul><li>1. Display system use information {{ insert: param, AC-8(c)(1) }} , before granting further access to the publicly accessible system;</li><li>2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and</li><li>3. Include a description of the authorized uses of the system.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "717d09fa-5851-4878-9fed-c5824c5651eb",
                        "testId": "AC-08a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): system use notification ]  is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "080c4ee0-d3e9-4975-a29b-86a7ee2b0a9b",
                        "testId": "AC-08a.01",
                        "test": "Determine if the system use notification states that users are accessing a u.s. government system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d2e7179c-02c8-477f-aa7a-413111c9f0a1",
                        "testId": "AC-08a.02",
                        "test": "Determine if the system use notification states that system usage may be monitored, recorded, and subject to audit;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e596f812-88b4-4382-b5e4-35cb5b9891bb",
                        "testId": "AC-08a.03",
                        "test": "Determine if the system use notification states that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d8673350-d043-42b8-b710-721e921ab3a9",
                        "testId": "AC-08a.04",
                        "test": "Determine if the system use notification states that use of the system indicates consent to monitoring and recording;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "717465ee-2992-425b-9bee-4ce4ff4874a0",
                        "testId": "AC-08b.",
                        "test": "Determine if the notification message or banner is retained on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6d421403-bb38-475e-85b5-9e0553c46cc0",
                        "testId": "AC-08c.01",
                        "test": "Determine if for publicly accessible systems, system use information  [SELECTED PARAMETER VALUE(S): conditions ]  is displayed before granting further access to the publicly accessible system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b191a70a-c6f4-4ca8-ae5a-6ccdf908357a",
                        "testId": "AC-08c.02",
                        "test": "Determine if for publicly accessible systems, any references to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities are displayed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a1155de2-0ecb-41d4-8ea8-421386bbad71",
                        "testId": "AC-08c.03",
                        "test": "Determine if for publicly accessible systems, a description of the authorized uses of the system is included.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "37185c25-c42c-494d-bb14-58cee86ef8e6",
                        "testId": "AC-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Privacy and security policies, procedures addressing system use notification.</li><li>Documented approval of system use notification messages or banners.</li><li>System audit records.</li><li>User acknowledgements of notification message or banner.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System use notification messages.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy assessment report.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c859f82f-a6e7-41c4-b6fd-9cbe52e42a58",
                        "testId": "AC-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Legal counsel.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "496f2548-7bee-4736-9849-2a29ce28608b",
                        "testId": "AC-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing system use notification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d40c4b44-df70-4f74-8cbc-a2d33f009d01",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-08 - System Use Notification",
                "description": "<ul><li><p>a. Display {{ insert: param, AC-8(a) }} to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:</p><ul><li><p>1. Users are accessing a U.S. Government system;</p></li><li><p>2. System usage may be monitored, recorded, and subject to audit;</p></li><li><p>3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and</p></li><li><p>4. Use of the system indicates consent to monitoring and recording;</p></li></ul></li><li><p>b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and</p></li><li><p>c. For publicly accessible systems:</p><ul><li><p>1. Display system use information {{ insert: param, AC-8(c)(1) }} , before granting further access to the publicly accessible system;</p></li><li><p>2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and</p></li><li><p>3. Include a description of the authorized uses of the system.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>System use notifications can be implemented using messages or warning banners displayed before individuals log in to systems. System use notifications are used only for access via logon interfaces with human users. Notifications are not required when human interfaces do not exist. Based on an assessment of risk, organizations consider whether or not a secondary system use notification is needed to access applications or other system resources after the initial network logon. Organizations consider system use notification messages or banners displayed in multiple languages based on organizational needs and the demographics of system users. Organizations consult with the privacy office for input regarding privacy messaging and the Office of the General Counsel or organizational equivalent for legal review and approval of warning banner content.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>Many OT systems must remain in continuous operation, and system use notification may not be supported or effective. Example compensating controls include posting physical notices in OT facilities or providing recurring training on system use prior to permitting access.</p>",
                "controlId": "AC-8",
                "family": "Access Control",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "feb9a219-d194-49e7-bcfc-85bdd459d6b3",
                        "parameterId": "AC-14(a)",
                        "text": "user actions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined user actions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-14_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "097c5193-51af-44c4-b5c8-79d1b1956bfc",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-14_smt.a",
                        "description": "<ul><li>a. Identify {{ insert: param, AC-14(a) }} that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and</li></ul>"
                    },
                    {
                        "uuid": "0a9f4e02-ee7f-48c3-a5a2-eb0b12650069",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-14_smt.b",
                        "description": "<ul><li>b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "6020f03a-d0e4-47d9-8af9-51d66d81d370",
                        "testId": "AC-14-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing permitted actions without identification or authentication.</li><li>System configuration settings and associated documentation.</li><li>Security plan.</li><li>List of user actions that can be performed without identification or authentication.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a637ffb9-0dbc-474a-ad7c-0ed00fd29d33",
                        "testId": "AC-14-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aa0e4141-2598-43b4-81f3-e7c509fab273",
                        "testId": "AC-14a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): user actions ]  that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing permitted actions without identification or authentication.</li><li>System configuration settings and associated documentation.</li><li>Security plan.</li><li>List of user actions that can be performed without identification or authentication.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3d403016-771d-423f-8732-7a00954b241a",
                        "testId": "AC-14b.[01]",
                        "test": "Determine if user actions not requiring identification or authentication are documented in the security plan for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing permitted actions without identification or authentication.</li><li>System configuration settings and associated documentation.</li><li>Security plan.</li><li>List of user actions that can be performed without identification or authentication.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7f9dc3ae-4670-461d-ab85-1dccd7642fe4",
                        "testId": "AC-14b.[02]",
                        "test": "Determine if a rationale for user actions not requiring identification or authentication is provided in the security plan for the system.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing permitted actions without identification or authentication.</li><li>System configuration settings and associated documentation.</li><li>Security plan.</li><li>List of user actions that can be performed without identification or authentication.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "65b685ba-0683-47e2-a36f-0b9d7b58e631",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-14 - Permitted Actions Without Identification or Authentication",
                "description": "<ul><li>a. Identify  {{ insert: param, AC-14(a) }}  that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and</li><li>b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.</li></ul><br/><strong>Discussion</strong><br/><p>Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be  <q>none.</q>\n</p>",
                "controlId": "AC-14",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "30beac72-716f-4469-b883-cdb1ab3fbf3f",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-17_smt.a",
                        "description": "<ul><li>a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and</li></ul>"
                    },
                    {
                        "uuid": "7ad3595d-ad5b-4cb4-a67c-e087abf1613a",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-17_smt.b",
                        "description": "<ul><li>b. Authorize each type of remote access to the system prior to allowing such connections.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "716dbfad-4980-40c0-a207-2e06e2f098c6",
                        "testId": "AC-17-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing remote access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System configuration settings and associated documentation.</li><li>Remote access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4d78b061-d4b6-4cfd-bec1-0ddc47d04333",
                        "testId": "AC-17-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for managing remote access connections.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "76e99277-dbc1-4ff4-9eeb-1e736c4c8eb4",
                        "testId": "AC-17-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Remote access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "831a8527-a8ea-48b5-8f9f-d656b42efcf8",
                        "testId": "AC-17a.[01]",
                        "test": "Determine if usage restrictions are established and documented for each type of remote access allowed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing remote access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System configuration settings and associated documentation.</li><li>Remote access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing remote access connections.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Remote access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7aea8b08-d46a-4e81-a892-b07394f65fec",
                        "testId": "AC-17a.[02]",
                        "test": "Determine if configuration/connection requirements are established and documented for each type of remote access allowed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing remote access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System configuration settings and associated documentation.</li><li>Remote access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing remote access connections.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Remote access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0866dbc9-1d97-43f0-bec5-27c730159525",
                        "testId": "AC-17a.[03]",
                        "test": "Determine if implementation guidance is established and documented for each type of remote access allowed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing remote access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System configuration settings and associated documentation.</li><li>Remote access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing remote access connections.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Remote access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bd73b81f-5cac-4bf1-8cc1-a82f5a00b46d",
                        "testId": "AC-17b.",
                        "test": "Determine if each type of remote access to the system is authorized prior to allowing such connections.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing remote access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System configuration settings and associated documentation.</li><li>Remote access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing remote access connections.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Remote access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "740a1d12-878a-49fe-a3d1-9565186842e4",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-17 - Remote Access",
                "description": "<ul><li><p>a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and</p></li><li><p>b. Authorize each type of remote access to the system prior to allowing such connections.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of <a href=\"#ca-3\">CA-3</a> . Enforcing access restrictions for remote access is addressed via <a href=\"#ac-3\">AC-3</a>.</p><p></p><p><strong>OT Discussion</strong></p><p>When the OT cannot implement any or all of the components of this control, the organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.</p>",
                "controlId": "AC-17",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul><li>AC-17(1) - Monitoring and Control</li><li>AC-17(2) - Protection of Confidentiality and Integrity Using Encryption</li><li>AC-17(3) - Managed Access Control Points</li><li>AC-17(4) - Privileged Commands and Access</li><li>AC-17(6) - Protection of Mechanism Information</li><li>AC-17(9) - Disconnect or Disable Access</li><li>AC-17(10) - Authenticate Remote Commands</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "8fc96642-36a1-4f12-95cd-ad05612e4d5d",
                        "parameterId": "AC-17(9)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-17.09_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0aff706a-2f25-457d-893c-252ec207c3af",
                        "name": "AC-17(9)",
                        "objectiveType": "",
                        "otherId": "ac-17.9_smt",
                        "description": "Provide the capability to disconnect or disable remote access to the system within {{ insert: param, AC-17(9) }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "f764d91a-a40c-4eb8-b33d-3eb744edaee1",
                        "testId": "AC-17(09)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing disconnecting or disabling remote access to the system.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Security plan, system audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0e066edb-fbca-4ae8-a41a-13796523f78b",
                        "testId": "AC-17(09)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "63877215-d149-44f9-b5f1-6f19c217201a",
                        "testId": "AC-17(09)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing capability to disconnect or disable remote access to system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2a7b0a8f-f9b1-4ca2-883e-39d1835c92c7",
                        "testId": "AC-17(09)",
                        "test": "Determine if the capability to disconnect or disable remote access to the system within  [SELECTED PARAMETER VALUE(S): time period ]  is provided.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing disconnecting or disabling remote access to the system.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Security plan, system audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing capability to disconnect or disable remote access to system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "30442fdd-ee23-45e3-b576-d0b980193d9b",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-17(09) - Disconnect or Disable Access",
                "description": "<p>Provide the capability to disconnect or disable remote access to the system within {{ insert: param, AC-17(9) }}.<br><strong>Discussion</strong><br></p><p>The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems.</p><p></p><p><strong>OT Discussion</strong></p><p>Implementation of the remote access disconnect should not impact OT operations. OT personnel should be trained on how to use the remote access disconnect.</p>",
                "controlId": "AC-17(9)",
                "family": "Access Control",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "cd920664-b433-4e43-b7f4-341967026244",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-18_smt.a",
                        "description": "<ul><li>a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and</li></ul>"
                    },
                    {
                        "uuid": "b235bdc4-7539-4b57-af27-05d41e09a885",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-18_smt.b",
                        "description": "<ul><li>b. Authorize each type of wireless access to the system prior to allowing such connections.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "e87aa1c5-66e4-492a-adcb-8a67d7118bd3",
                        "testId": "AC-18-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing wireless access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Wireless access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a870e09e-be04-4afa-a7fc-87892a77d19f",
                        "testId": "AC-18-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for managing wireless access connections.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4bc8fb3e-105a-4a1b-9015-ac275e22914a",
                        "testId": "AC-18-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Wireless access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "235a4bd0-4779-4ae1-ae11-c03957c72ac6",
                        "testId": "AC-18a.[01]",
                        "test": "Determine if configuration requirements are established for each type of wireless access;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing wireless access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Wireless access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing wireless access connections.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Wireless access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6dd6ca60-9f10-4521-b190-92c0d44f5721",
                        "testId": "AC-18a.[02]",
                        "test": "Determine if connection requirements are established for each type of wireless access;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing wireless access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Wireless access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing wireless access connections.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Wireless access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b3552fe1-c60f-4401-9e63-2f092d8001ef",
                        "testId": "AC-18a.[03]",
                        "test": "Determine if implementation guidance is established for each type of wireless access;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing wireless access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Wireless access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing wireless access connections.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Wireless access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ae420ee6-bbda-4fc6-98de-9faadbbb72b9",
                        "testId": "AC-18b.",
                        "test": "Determine if each type of wireless access to the system is authorized prior to allowing such connections.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing wireless access implementation and usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Wireless access authorizations.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing wireless access connections.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Wireless access management capability for the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "2604b122-4804-4d81-8d17-84039eb8a8c5",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-18 - Wireless Access",
                "description": "<ul><li><p>a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and</p></li><li><p>b. Authorize each type of wireless access to the system prior to allowing such connections.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Wireless technologies include microwave, packet radio (ultra-high frequency or very high frequency), 802.11x, and Bluetooth. Wireless networks use authentication protocols that provide authenticator protection and mutual authentication.</p><p></p><p><strong>OT Discussion</strong></p><p>When OT cannot implement any or all of the components of this control, the organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.</p>",
                "controlId": "AC-18",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul><li>AC-18(1) - Authentication and Encryption</li><li>AC-18(3) - Disable Wireless Networking</li><li>AC-18(4) - Restrict Configurations by Users</li><li>AC-18(5) - Antennas and Transmission Power Levels</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "856ce01f-39e2-41d3-8106-0cf1fbfa583b",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-19_smt.a",
                        "description": "<ul><li>a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and</li></ul>"
                    },
                    {
                        "uuid": "ee237789-5a30-4343-9810-36a7e3422acb",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-19_smt.b",
                        "description": "<ul><li>b. Authorize the connection of mobile devices to organizational systems.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "8c20ad07-3dfe-45c6-972f-16b2029ce4ae",
                        "testId": "AC-19a.[01]",
                        "test": "Determine if configuration requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing access control for mobile device usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Authorizations for mobile device connections to organizational systems.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel using mobile devices to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Access control capability for mobile device connections to organizational systems.</li><li>Configurations of mobile devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "84ea4d27-9c7a-4b42-abf3-e78fc48a3dbb",
                        "testId": "AC-19a.[02]",
                        "test": "Determine if connection requirements are established for organization-controlled mobile devices, including when such devices are outside of the controlled area;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing access control for mobile device usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Authorizations for mobile device connections to organizational systems.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel using mobile devices to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Access control capability for mobile device connections to organizational systems.</li><li>Configurations of mobile devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ee256cc4-5160-421e-9165-814955fdcbc7",
                        "testId": "AC-19a.[03]",
                        "test": "Determine if implementation guidance is established for organization-controlled mobile devices, including when such devices are outside of the controlled area;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing access control for mobile device usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Authorizations for mobile device connections to organizational systems.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel using mobile devices to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Access control capability for mobile device connections to organizational systems.</li><li>Configurations of mobile devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6cf18fc2-9ca7-4511-852f-de0dd3d91f6d",
                        "testId": "AC-19b.",
                        "test": "Determine if the connection of mobile devices to organizational systems is authorized.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing access control for mobile device usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Authorizations for mobile device connections to organizational systems.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel using mobile devices to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Access control capability for mobile device connections to organizational systems.</li><li>Configurations of mobile devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7d97f072-90ec-4a7b-a74d-658055426e52",
                        "testId": "AC-19-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing access control for mobile device usage (including restrictions).</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Authorizations for mobile device connections to organizational systems.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "54af94c5-bf76-4d1a-afb7-8e4724599213",
                        "testId": "AC-19-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel using mobile devices to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "18b9614c-4e0e-4fd5-8e96-5d15e3cd1ed2",
                        "testId": "AC-19-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Access control capability for mobile device connections to organizational systems.</li><li>Configurations of mobile devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "4e6007c9-550d-4154-813d-2e0ae06bb705",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-19 - Access Control for Mobile Devices",
                "description": "<ul><li>a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and</li><li>b. Authorize the connection of mobile devices to organizational systems.</li></ul><br/><strong>Discussion</strong><br/><p>A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.</p><p>Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.</p><p>Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in  <a href=\"#ac-19\">AC-19</a> . Many safeguards for mobile devices are reflected in other controls.  <a href=\"#ac-20\">AC-20</a>  addresses mobile devices that are not organization-controlled.</p>",
                "controlId": "AC-19",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul><li>AC-19(4) - Restrictions for Classified Information</li><li>AC-19(5) - Full Device or Container-based Encryption</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "e7bf547c-1f25-40eb-b8da-52e1c5d88d96",
                        "parameterId": "AC-20(a)",
                        "text": "[Selection (one or more): establish [(NESTED PARAMETER) Assignment for ac-20_odp.02: terms and conditions]; identify [(NESTED PARAMETER) Assignment for ac-20_odp.03: controls asserted]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): establish [(NESTED PARAMETER) Assignment for ac-20_odp.02: terms and conditions]; identify [(NESTED PARAMETER) Assignment for ac-20_odp.03: controls asserted]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-20_odp.01"
                    },
                    {
                        "uuid": "009d5696-29ca-4937-a93e-4a9b5464a1f9",
                        "parameterId": "AC-20(b)",
                        "text": "prohibited types of external systems",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined prohibited types of external systems] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-20_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "bf1cd9f0-7f63-4aae-bd51-b95e365d6413",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-20_smt.a",
                        "description": "<ul><li>a. {{ insert: param, AC-20(a) }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:</li><ul><li>1. Access the system from external systems; and</li><li>2. Process, store, or transmit organization-controlled information using external systems; or</li></ul>"
                    },
                    {
                        "uuid": "685e92a9-25c9-4af5-a767-47ae500e91af",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-20_smt.b",
                        "description": "<ul><li>b. Prohibit the use of {{ insert: param, AC-20(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "2885fcdb-b59d-49d7-830e-253da170525d",
                        "testId": "AC-20-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing the use of external systems.</li><li>External systems terms and conditions.</li><li>List of types of applications accessible from external systems.</li><li>Maximum security categorization for information processed, stored, or transmitted on external systems.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5327f3d0-b113-4a19-b9b3-1c3c93fffe0a",
                        "testId": "AC-20-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5c90f1e5-0d4e-4169-b122-6966d5de90fb",
                        "testId": "AC-20-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing terms and conditions on the use of external systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f8ce5790-341a-4248-867d-de651c707776",
                        "testId": "AC-20a.1",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): [Selection (one or more): establish [(NESTED PARAMETER) Assignment for ac-20_odp.02: terms and conditions]; identify [(NESTED PARAMETER) Assignment for ac-20_odp.03: controls asserted]] ]  is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing the use of external systems.</li><li>External systems terms and conditions.</li><li>List of types of applications accessible from external systems.</li><li>Maximum security categorization for information processed, stored, or transmitted on external systems.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing terms and conditions on the use of external systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9a99b7f1-77f1-40f9-904c-cdc3476659be",
                        "testId": "AC-20a.2",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): [Selection (one or more): establish [(NESTED PARAMETER) Assignment for ac-20_odp.02: terms and conditions]; identify [(NESTED PARAMETER) Assignment for ac-20_odp.03: controls asserted]] ]  is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing the use of external systems.</li><li>External systems terms and conditions.</li><li>List of types of applications accessible from external systems.</li><li>Maximum security categorization for information processed, stored, or transmitted on external systems.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing terms and conditions on the use of external systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "468b3713-8fe1-4b09-9008-cf36dbc0bccb",
                        "testId": "AC-20b.",
                        "test": "Determine if the use of  [SELECTED PARAMETER VALUE(S): prohibited types of external systems ]  is prohibited (if applicable).<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing the use of external systems.</li><li>External systems terms and conditions.</li><li>List of types of applications accessible from external systems.</li><li>Maximum security categorization for information processed, stored, or transmitted on external systems.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing terms and conditions on the use of external systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "31774732-7665-4473-84e8-80783568967f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-20 - Use of External Systems",
                "description": "<ul><li><p>a. {{ insert: param, AC-20(a) }} , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:</p><ul><li><p>1. Access the system from external systems; and</p></li><li><p>2. Process, store, or transmit organization-controlled information using external systems; or</p></li></ul></li><li><p>b. Prohibit the use of {{ insert: param, AC-20(b) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).</p><p>For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.</p><p>External systems used to access public interfaces to organizational systems are outside the scope of <a href=\"#ac-20\">AC-20</a> . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations refine the definition of \u201cexternal\u201d to reflect lines of authority and responsibility, the granularity of an organization entity, and their relationships. An organization may consider a system to be external if that system performs different functions, implements different policies, falls under different management authorities, or does not provide sufficient visibility into the implementation of controls to allow the establishment of a satisfactory trust relationship. For example, an OT system and a business data processing system may be considered external to each other depending on the organization\u2019s system boundaries. Access to an OT for support by a business partner, such as a vendor or support contractor, is another common example. The definition and trustworthiness of external systems is reexamined with respect to OT functions, purposes, technology, and limitations to establish a clearly documented technical or business case for use and an acceptance of the risk inherent in the use of an external system.</p>",
                "controlId": "AC-20",
                "family": "Access Control",
                "enhancements": "<strong>Enhancements</strong><ul><li>AC-20(1) - Limits on Authorized Use</li><li>AC-20(2) - Portable Storage Devices \u00e2\u20ac\u201d Restricted Use</li><li>AC-20(3) - Non-organizationally Owned Systems \u00e2\u20ac\u201d Restricted Use</li><li>AC-20(4) - Network Accessible Storage Devices \u00e2\u20ac\u201d Prohibited Use</li><li>AC-20(5) - Portable Storage Devices \u00e2\u20ac\u201d Prohibited Use</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "6e5ad341-1589-4b09-a9ef-094dbbcff3a2",
                        "parameterId": "AC-22(d)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ac-22_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b17b4de2-be07-4a8d-a46e-52abe063f391",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ac-22_smt.a",
                        "description": "<ul><li>a. Designate individuals authorized to make information publicly accessible;</li></ul>"
                    },
                    {
                        "uuid": "5387ad40-7fa6-4604-a2eb-19bb3e95f3a4",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ac-22_smt.b",
                        "description": "<ul><li>b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;</li></ul>"
                    },
                    {
                        "uuid": "20a4999e-8cce-4b86-8391-7baca035aad1",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ac-22_smt.c",
                        "description": "<ul><li>c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and</li></ul>"
                    },
                    {
                        "uuid": "4784de01-2c54-4d55-b83f-704552c17177",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ac-22_smt.d",
                        "description": "<ul><li>d. Review the content on the publicly accessible system for nonpublic information {{ insert: param, AC-22(d) }} and remove such information, if discovered.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "416668d5-a989-4be2-bb75-6d9e9a0a842a",
                        "testId": "AC-22a.",
                        "test": "Determine if designated individuals are authorized to make information publicly accessible;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing publicly accessible content.</li><li>List of users authorized to post publicly accessible content on organizational systems.</li><li>Training materials and/or records.</li><li>Records of publicly accessible information reviews.</li><li>Records of response to non-public information on public websites.</li><li>System audit logs.</li><li>Security awareness training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing management of publicly accessible content.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "21100bf0-d2f7-4c5e-8777-8b3513d603e7",
                        "testId": "AC-22b.",
                        "test": "Determine if authorized individuals are trained to ensure that publicly accessible information does not contain non-public information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing publicly accessible content.</li><li>List of users authorized to post publicly accessible content on organizational systems.</li><li>Training materials and/or records.</li><li>Records of publicly accessible information reviews.</li><li>Records of response to non-public information on public websites.</li><li>System audit logs.</li><li>Security awareness training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing management of publicly accessible content.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "14767337-cc11-4db3-8eb1-a3e312a3dc81",
                        "testId": "AC-22c.",
                        "test": "Determine if the proposed content of information is reviewed prior to posting onto the publicly accessible system to ensure that non-public information is not included;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing publicly accessible content.</li><li>List of users authorized to post publicly accessible content on organizational systems.</li><li>Training materials and/or records.</li><li>Records of publicly accessible information reviews.</li><li>Records of response to non-public information on public websites.</li><li>System audit logs.</li><li>Security awareness training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing management of publicly accessible content.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "db3acf8c-0791-42ae-8964-af485c6e76d7",
                        "testId": "AC-22d.[01]",
                        "test": "Determine if the content on the publicly accessible system is reviewed for non-public information  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing publicly accessible content.</li><li>List of users authorized to post publicly accessible content on organizational systems.</li><li>Training materials and/or records.</li><li>Records of publicly accessible information reviews.</li><li>Records of response to non-public information on public websites.</li><li>System audit logs.</li><li>Security awareness training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing management of publicly accessible content.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "417aed07-adda-4f76-a4dd-40c778e81c03",
                        "testId": "AC-22d.[02]",
                        "test": "Determine if non-public information is removed from the publicly accessible system, if discovered.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing publicly accessible content.</li><li>List of users authorized to post publicly accessible content on organizational systems.</li><li>Training materials and/or records.</li><li>Records of publicly accessible information reviews.</li><li>Records of response to non-public information on public websites.</li><li>System audit logs.</li><li>Security awareness training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing management of publicly accessible content.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a90b8cea-91db-41d5-afa5-10eadc85584f",
                        "testId": "AC-22-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing publicly accessible content.</li><li>List of users authorized to post publicly accessible content on organizational systems.</li><li>Training materials and/or records.</li><li>Records of publicly accessible information reviews.</li><li>Records of response to non-public information on public websites.</li><li>System audit logs.</li><li>Security awareness training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "85270618-6a8c-4039-90a7-d37fdf39a813",
                        "testId": "AC-22-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for managing publicly accessible information posted on organizational systems.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4db0edec-93cc-4e93-bfcd-ed57a2446e28",
                        "testId": "AC-22-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing management of publicly accessible content.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "b8ad9964-5d87-4278-8248-7aebaf4455ff",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AC-22 - Publicly Accessible Content",
                "description": "<ul><li><p>a. Designate individuals authorized to make information publicly accessible;</p></li><li><p>b. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;</p></li><li><p>c. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and</p></li><li><p>d. Review the content on the publicly accessible system for nonpublic information {{ insert: param, AC-22(d) }} and remove such information, if discovered.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the <a href=\"#18e71fec-c6fd-475a-925a-5d8495cf8455\">PRIVACT</a> and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.</p><p></p><p><strong>OT Discussion</strong></p><p>Generally, public access to OT systems is not permitted. Select information may be transferred to a publicly accessible system, possibly with added controls. The organization should review what information is being made accessible prior to publication.</p>",
                "controlId": "AC-22",
                "family": "Access Control",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d54e5978-e88d-4006-af04-e52a36ea432c",
                        "parameterId": "AT-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-1_prm_1"
                    },
                    {
                        "uuid": "1b1d1671-1185-4a77-8b04-e755aa532d96",
                        "parameterId": "AT-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-01_odp.03"
                    },
                    {
                        "uuid": "4a87bc2d-8c6f-45c7-b732-f91f48faec7e",
                        "parameterId": "AT-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-01_odp.04"
                    },
                    {
                        "uuid": "9725006a-17d6-4fcf-bfa4-cc9b2923e042",
                        "parameterId": "AT-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-01_odp.05"
                    },
                    {
                        "uuid": "364b5d8c-cc3d-40a3-8331-735f961c0502",
                        "parameterId": "AT-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-01_odp.06"
                    },
                    {
                        "uuid": "0f02f1c4-3afd-4363-92b3-7c3b031fa145",
                        "parameterId": "AT-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-01_odp.07"
                    },
                    {
                        "uuid": "bc81df69-5f58-48c7-a83f-4af9107732c4",
                        "parameterId": "AT-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a5199b78-eb2d-4f0d-b00d-4878d58ee6e2",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "at-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, AT-1(a) }}:</li><ul><li>1. {{ insert: param, AT-1(a)(1) }} awareness and training policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;</li></ul>"
                    },
                    {
                        "uuid": "20d714a1-c623-4a3c-ab01-29898b25aac7",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "at-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, AT-1(b) }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "2f8b62bb-c2ce-4fb6-9f40-5b206448051b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "at-1_smt.c",
                        "description": "<ul><li>c. Review and update the current awareness and training:</li><ul><li>1. Policy {{ insert: param, AT-1(c)(1)-1 }} and following {{ insert: param, AT-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, AT-1(c)(2)-1 }} and following {{ insert: param, AT-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "e28aca67-8e46-4b27-a196-f8023665f97d",
                        "testId": "AT-01a.[01]",
                        "test": "Determine if an awareness and training policy is developed and documented; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c9d364ce-8f0f-4615-98be-7fa796c99d87",
                        "testId": "AT-01a.[02]",
                        "test": "Determine if the awareness and training policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0fe42c4d-4a26-424a-a1ff-c1b6ea80044c",
                        "testId": "AT-01a.[03]",
                        "test": "Determine if awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eb62b88d-bb91-4f26-9562-5870e0f9f4de",
                        "testId": "AT-01a.[04]",
                        "test": "Determine if the awareness and training procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a7efcc44-ac4c-407c-bdc6-e6876054b47f",
                        "testId": "AT-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "91aa4749-fa34-4f81-87ea-b6d0daad4834",
                        "testId": "AT-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9d398aa5-7cbf-4fdd-b0eb-f1465e0005aa",
                        "testId": "AT-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fec1fa69-97c4-4836-b558-9d26242b3d79",
                        "testId": "AT-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "12715c11-2166-4987-a3b0-456c9b93f0b1",
                        "testId": "AT-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3c75d102-18e3-4f55-870b-9c3d9617eabd",
                        "testId": "AT-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bcdfe143-bb03-4214-895b-b97c24269e0f",
                        "testId": "AT-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy addresses compliance; and<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "16bce4d6-09ad-42bc-921a-4ac930c38b9d",
                        "testId": "AT-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  awareness and training policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d97c1768-db63-4982-bf75-2eb17af4eedb",
                        "testId": "AT-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "93bb5e22-8ca0-4e9f-a938-c00f6ce169a2",
                        "testId": "AT-01c.01[01]",
                        "test": "Determine if the current awareness and training policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "50cd157b-cf23-4a71-b984-adef49b1ec09",
                        "testId": "AT-01c.01[02]",
                        "test": "Determine if the current awareness and training policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e3c3d595-3652-4ba2-b076-bcd2753e8b90",
                        "testId": "AT-01c.02[01]",
                        "test": "Determine if the current awareness and training procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "edf2b917-5155-4668-b411-e4301d4cd0a0",
                        "testId": "AT-01c.02[02]",
                        "test": "Determine if the current awareness and training procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c946ac5d-1b49-47ee-80ae-cda627598d8a",
                        "testId": "AT-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Awareness and training policy and procedures.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3e7acd90-ea33-4413-ad74-20342eff9861",
                        "testId": "AT-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with awareness and training responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "7f7f1c7f-db12-40e0-ae37-9592c00334d3",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AT-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, AT-1(a) }}:</p><ul><li><p>1. {{ insert: param, AT-1(a)(1) }} awareness and training policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, AT-1(b) }} to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and</p></li><li><p>c. Review and update the current awareness and training:</p><ul><li><p>1. Policy {{ insert: param, AT-1(c)(1)-1 }} and following {{ insert: param, AT-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, AT-1(c)(2)-1 }} and following {{ insert: param, AT-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "AT-1",
                "family": "Awareness and Training",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "fc9ecd31-fc54-4351-aac6-b1237f8656ec",
                        "parameterId": "AT-2(a)(1)",
                        "text": "organization-defined frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-2_prm_1"
                    },
                    {
                        "uuid": "973d7a92-6f5b-4018-9f23-e796ca7715dc",
                        "parameterId": "AT-2(a)(2)",
                        "text": "organization-defined events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-2_prm_2"
                    },
                    {
                        "uuid": "39adb57b-0d58-4887-982b-8d8e0ef926e3",
                        "parameterId": "AT-2(b)",
                        "text": "awareness techniques",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined awareness techniques] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-02_odp.05"
                    },
                    {
                        "uuid": "60c1b124-03eb-438f-a67e-6d02460d5a4f",
                        "parameterId": "AT-2(c)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-02_odp.06"
                    },
                    {
                        "uuid": "0def8d19-6b43-49d3-8256-2ee5054c8618",
                        "parameterId": "AT-2(c)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-02_odp.07"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "e9cfc641-dd30-4739-ad36-51a61c24ead2",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "at-2_smt.a",
                        "description": "<ul><li>a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):</li><ul><li>1. As part of initial training for new users and {{ insert: param, AT-2(a)(1) }} thereafter; and</li><li>2. When required by system changes or following {{ insert: param, AT-2(a)(2) }};</li></ul>"
                    },
                    {
                        "uuid": "bf237043-35d5-4295-b8ed-444f8f5a8d16",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "at-2_smt.b",
                        "description": "<ul><li>b. Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, AT-2(b) }};</li></ul>"
                    },
                    {
                        "uuid": "90cc4e3d-d19b-4bd6-aefa-825dce493bc6",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "at-2_smt.c",
                        "description": "<ul><li>c. Update literacy training and awareness content {{ insert: param, AT-2(c)-1 }} and following {{ insert: param, AT-2(c)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "0e33e07a-85d5-4bfa-8144-6d9a24712aa4",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "at-2_smt.d",
                        "description": "<ul><li>d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "0b07c2dc-32b3-4f98-8208-3c25b8157314",
                        "testId": "AT-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d56bf615-ad15-4ee4-ac2d-e66df4cc55ea",
                        "testId": "AT-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fd6a6623-4501-4c26-ba32-1b2f75fd300e",
                        "testId": "AT-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eceb2ea1-49c5-4506-a12d-8904df61001f",
                        "testId": "AT-02a.01[01]",
                        "test": "Determine if security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "053d44c5-7545-4bae-9d86-3c504d09a141",
                        "testId": "AT-02a.01[02]",
                        "test": "Determine if privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "29cbf954-b335-44b9-9b22-017334d59100",
                        "testId": "AT-02a.01[03]",
                        "test": "Determine if security literacy training is provided to system users (including managers, senior executives, and contractors)  [SELECTED PARAMETER VALUE(S): frequency ]  thereafter;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "215d934c-0e43-4d06-82da-ae9e76ce10a2",
                        "testId": "AT-02a.01[04]",
                        "test": "Determine if privacy literacy training is provided to system users (including managers, senior executives, and contractors)  [SELECTED PARAMETER VALUE(S): frequency ]  thereafter;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c9ef669b-1635-4d01-b955-dab6b5eee534",
                        "testId": "AT-02a.02[01]",
                        "test": "Determine if security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e5afa81b-563e-49a2-8446-39a986ec7fa8",
                        "testId": "AT-02a.02[02]",
                        "test": "Determine if privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "da9b974b-3819-459a-8588-040a8f8de256",
                        "testId": "AT-02b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): awareness techniques ]  are employed to increase the security and privacy awareness of system users;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c0fd50cd-b5a7-4704-8e31-e620f9d072b2",
                        "testId": "AT-02c.[01]",
                        "test": "Determine if literacy training and awareness content is updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "81bd1ef2-34d7-42d0-b5d9-dee2db375545",
                        "testId": "AT-02c.[02]",
                        "test": "Determine if literacy training and awareness content is updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8362b6b6-735f-4324-b4b8-46bafb3930e8",
                        "testId": "AT-02d.",
                        "test": "Determine if lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Appropriate codes of federal regulations.</li><li>Security and privacy literacy training curriculum.</li><li>Security and privacy literacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel comprising the general system user community.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing information security and privacy literacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "4057bb7a-2bea-4230-8ab2-a93fca449165",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AT-02 - Literacy Training and Awareness",
                "description": "<ul><li><p>a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):</p><ul><li><p>1. As part of initial training for new users and {{ insert: param, AT-2(a)(1) }} thereafter; and</p></li><li><p>2. When required by system changes or following {{ insert: param, AT-2(a)(2) }};</p></li></ul></li><li><p>b. Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, AT-2(b) }};</p></li><li><p>c. Update literacy training and awareness content {{ insert: param, AT-2(c)-1 }} and following {{ insert: param, AT-2(c)-2 }} ; and</p></li><li><p>d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.</p><p>Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in <a href=\"#at-2_smt.a.1\">AT-2a.1</a> is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p><p></p><p><strong>OT Discussion</strong></p><p>Security awareness training includes initial and periodic review of OT-specific policies, standard operating procedures, security trends, and vulnerabilities. The OT security awareness program is consistent with the requirements of the security awareness and training policy established by the organization.</p>",
                "controlId": "AT-2",
                "family": "Awareness and Training",
                "enhancements": "<strong>Enhancements</strong><ul><li>AT-2(1) - Practical Exercises</li><li>AT-2(2) - Insider Threat</li><li>AT-2(3) - Social Engineering and Mining</li><li>AT-2(4) - Suspicious Communications and Anomalous System Behavior</li><li>AT-2(5) - Advanced Persistent Threat</li><li>AT-2(6) - Cyber Threat Environment</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "eeb6c62b-3a46-492c-be40-b66d4ad2cac7",
                        "name": "AT-2(2)",
                        "objectiveType": "",
                        "otherId": "at-2.2_smt",
                        "description": "Provide literacy training on recognizing and reporting potential indicators of insider threat."
                    }
                ],
                "tests": [
                    {
                        "uuid": "765797c5-6e02-4cd6-b865-b320584469a3",
                        "testId": "AT-02(02)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Literacy training and awareness curriculum.</li><li>Literacy training and awareness materials.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "32482d3e-b3cd-420a-a85f-3ca3515a4b5c",
                        "testId": "AT-02(02)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel who receive literacy training and awareness.</li><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b553ff15-cc2c-47e0-91fb-6a674f716dd7",
                        "testId": "AT-02(02)[01]",
                        "test": "Determine if literacy training on recognizing potential indicators of insider threat is provided;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Literacy training and awareness curriculum.</li><li>Literacy training and awareness materials.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel who receive literacy training and awareness.</li><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e6daaeba-c59b-461e-815c-112c2a1ec423",
                        "testId": "AT-02(02)[02]",
                        "test": "Determine if literacy training on reporting potential indicators of insider threat is provided.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Literacy training and awareness policy.</li><li>Procedures addressing literacy training and awareness implementation.</li><li>Literacy training and awareness curriculum.</li><li>Literacy training and awareness materials.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel who receive literacy training and awareness.</li><li>Organizational personnel with responsibilities for literacy training and awareness.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "f7850388-4200-4556-8f3b-44373c0a1410",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AT-02(02) - Insider Threat",
                "description": "Provide literacy training on recognizing and reporting potential indicators of insider threat.<br/><strong>Discussion</strong><br/><p>Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.</p>",
                "controlId": "AT-2(2)",
                "family": "Awareness and Training",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "81300e8d-285e-4cf3-a59d-589e746bbcf5",
                        "parameterId": "AT-3(a)",
                        "text": "organization-defined roles and responsibilities",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined roles and responsibilities] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-3_prm_1"
                    },
                    {
                        "uuid": "48697d1c-9716-4666-820a-c3a0949aedf5",
                        "parameterId": "AT-3(a)(1)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-03_odp.03"
                    },
                    {
                        "uuid": "feb73d32-3cb8-4b5f-a7ca-ecba2da14728",
                        "parameterId": "AT-3(b)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-03_odp.04"
                    },
                    {
                        "uuid": "b2ea6942-4432-4cec-b56a-dff2beba5d64",
                        "parameterId": "AT-3(b)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-03_odp.05"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "3764766b-7a9c-4df8-81aa-56b6f3238641",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "at-3_smt.a",
                        "description": "<ul><li>a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, AT-3(a) }}:</li><ul><li>1. Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, AT-3(a)(1) }} thereafter; and</li><li>2. When required by system changes;</li></ul>"
                    },
                    {
                        "uuid": "bb7ba2a9-f3f9-40f5-9a6d-86e4765228e8",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "at-3_smt.b",
                        "description": "<ul><li>b. Update role-based training content {{ insert: param, AT-3(b)-1 }} and following {{ insert: param, AT-3(b)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "983e1309-27bb-42bb-9ad2-8c7e209b025f",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "at-3_smt.c",
                        "description": "<ul><li>c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "594c4357-d6d5-434d-b3e6-96cdb36083b0",
                        "testId": "AT-03a.01[01]",
                        "test": "Determine if role-based security training is provided to  [SELECTED PARAMETER VALUE(S): roles and responsibilities ]  before authorizing access to the system, information, or performing assigned duties;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "107377df-0d94-468b-b46c-f1b1e656926d",
                        "testId": "AT-03a.01[02]",
                        "test": "Determine if role-based privacy training is provided to  [SELECTED PARAMETER VALUE(S): roles and responsibilities ]  before authorizing access to the system, information, or performing assigned duties;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d17eb27e-8382-43f6-9658-c5863bb54577",
                        "testId": "AT-03a.01[03]",
                        "test": "Determine if role-based security training is provided to  [SELECTED PARAMETER VALUE(S): roles and responsibilities ], [SELECTED PARAMETER VALUE(S): frequency ]  thereafter;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c43d1840-7c6c-4f17-a7cd-d8a3c3c224b6",
                        "testId": "AT-03a.01[04]",
                        "test": "Determine if role-based privacy training is provided to  [SELECTED PARAMETER VALUE(S): roles and responsibilities ], [SELECTED PARAMETER VALUE(S): frequency ]  thereafter;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "81d92465-7766-45b5-b9bc-b00fc3805ebe",
                        "testId": "AT-03a.02[01]",
                        "test": "Determine if role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4567e7a4-5612-4138-8a50-3cc55461ab4c",
                        "testId": "AT-03a.02[02]",
                        "test": "Determine if role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bcb66914-8eb3-4509-a55f-9e7498b06082",
                        "testId": "AT-03b.[01]",
                        "test": "Determine if role-based training content is updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6cae168b-0a9a-41bf-8e59-9a17d3730a34",
                        "testId": "AT-03b.[02]",
                        "test": "Determine if role-based training content is updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c981986c-2ece-49db-9b3a-b89370a29b29",
                        "testId": "AT-03c.",
                        "test": "Determine if lessons learned from internal or external security incidents or breaches are incorporated into role-based training.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "79d8949f-cc13-46d6-9084-e9bf911ab2d8",
                        "testId": "AT-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System security plan.</li><li>Privacy plan.</li><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training implementation.</li><li>Codes of federal regulations.</li><li>Security and privacy training curriculum.</li><li>Security and privacy training materials.</li><li>Training records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "86657db9-a39e-4330-a933-5bf401c4dc34",
                        "testId": "AT-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for role-based security and privacy training.</li><li>Organizational personnel with assigned system security and privacy roles and responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b07e13a5-1051-4001-85e6-3c805c4a718d",
                        "testId": "AT-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms managing role-based security and privacy training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "2c4e7b11-1ff7-4aa3-825b-19eb6bbd794d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AT-03 - Role-based Training",
                "description": "<ul><li><p>a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, AT-3(a) }}:</p><ul><li><p>1. Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, AT-3(a)(1) }} thereafter; and</p></li><li><p>2. When required by system changes;</p></li></ul></li><li><p>b. Update role-based training content {{ insert: param, AT-3(b)-1 }} and following {{ insert: param, AT-3(b)-2 }} ; and</p></li><li><p>c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.</p><p>Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p><p></p><p><strong>OT Discussion</strong></p><p>Security training includes initial and periodic review of OT-specific policies, standard operating procedures, security trends, and vulnerabilities. The OT security training program is consistent with the requirements of the security awareness and training policy established by the organization. The training may be customized for specific OT roles, which could include operators, maintainers, engineers, supervisors, and administrators.</p>",
                "controlId": "AT-3",
                "family": "Awareness and Training",
                "enhancements": "<strong>Enhancements</strong><ul><li>AT-3(1) - Environmental Controls</li><li>AT-3(2) - Physical Security Controls</li><li>AT-3(3) - Practical Exercises</li><li>AT-3(5) - Processing Personally Identifiable Information</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "a2256464-cfc2-4a4f-9d52-0b51fad650c1",
                        "parameterId": "AT-4(b)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "at-04_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "f5b89481-ca37-415b-8cc1-b992a0f011bb",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "at-4_smt.a",
                        "description": "<ul><li>a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and</li></ul>"
                    },
                    {
                        "uuid": "be6ac945-7019-43a2-bdd8-e9af77b82a0c",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "at-4_smt.b",
                        "description": "<ul><li>b. Retain individual training records for {{ insert: param, AT-4(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "5a7b91cb-8924-4ac6-adf3-3d70d629f195",
                        "testId": "AT-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training records.</li><li>Security and privacy awareness and training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ba38f53e-adbd-42a8-ac49-28576460caaa",
                        "testId": "AT-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security and privacy training record retention responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7554e242-59e9-4c95-b100-68eabb968b57",
                        "testId": "AT-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting the management of security and privacy training records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9f7b635b-2172-4223-a614-524e149ed39c",
                        "testId": "AT-04a.[01]",
                        "test": "Determine if information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training records.</li><li>Security and privacy awareness and training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy training record retention responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting the management of security and privacy training records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ebb6b28b-bd1c-407d-a7aa-54a2aba8ce36",
                        "testId": "AT-04a.[02]",
                        "test": "Determine if information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training records.</li><li>Security and privacy awareness and training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy training record retention responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting the management of security and privacy training records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3936fa7b-b23b-492e-93cd-64e0104641f1",
                        "testId": "AT-04b.",
                        "test": "Determine if individual training records are retained for  [SELECTED PARAMETER VALUE(S): time period ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy awareness and training policy.</li><li>Procedures addressing security and privacy training records.</li><li>Security and privacy awareness and training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy training record retention responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting the management of security and privacy training records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "c68ce9cc-8b4f-4f20-8223-7f1aedf6b7cb",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AT-04 - Training Records",
                "description": "<ul><li>a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and</li><li>b. Retain individual training records for  {{ insert: param, AT-4(b) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.</p>",
                "controlId": "AT-4",
                "family": "Awareness and Training",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "cc659b66-5d37-4958-885c-24c25afffcd6",
                        "parameterId": "AU-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-1_prm_1"
                    },
                    {
                        "uuid": "8cebcd39-fdaf-40c5-9a59-5eb5ca52ab9d",
                        "parameterId": "AU-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-01_odp.03"
                    },
                    {
                        "uuid": "d58c7f8d-d0ab-4933-80fa-b63305d6f016",
                        "parameterId": "AU-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-01_odp.04"
                    },
                    {
                        "uuid": "82d70e25-9ed4-4461-9e24-bb24d9b6d6c6",
                        "parameterId": "AU-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-01_odp.05"
                    },
                    {
                        "uuid": "2bd4b3a9-067c-4f82-8a81-a60b309ab528",
                        "parameterId": "AU-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-01_odp.06"
                    },
                    {
                        "uuid": "5d977288-7e34-47e1-aa91-1c59274821fc",
                        "parameterId": "AU-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-01_odp.07"
                    },
                    {
                        "uuid": "749d8555-f76d-4b09-ab5e-36743231afdf",
                        "parameterId": "AU-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "defe558d-c8a0-4ab0-bb7a-2de939d888bc",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, AU-1(a) }}:</li><ul><li>1. {{ insert: param, AU-1(a)(1) }} audit and accountability policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;</li></ul>"
                    },
                    {
                        "uuid": "1600dda5-fa87-4066-bf1d-10abc7836b16",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, AU-1(b) }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "e6a01297-de89-4d75-8004-80515bee34de",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "au-1_smt.c",
                        "description": "<ul><li>c. Review and update the current audit and accountability:</li><ul><li>1. Policy {{ insert: param, AU-1(c)(1)-1 }} and following {{ insert: param, AU-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, AU-1(c)(2)-1 }} and following {{ insert: param, AU-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "fbd2f3c5-be62-442d-8a8d-8baede90957c",
                        "testId": "AU-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "78cc2e1e-606e-4552-95c7-c2a1df2b2e50",
                        "testId": "AU-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3524d644-f927-400e-b247-6b1699949fb5",
                        "testId": "AU-01a.[01]",
                        "test": "Determine if an audit and accountability policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c22ed48-c302-4ff5-b9e3-dfc87e3984a0",
                        "testId": "AU-01a.[02]",
                        "test": "Determine if the audit and accountability policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bd57a336-4007-433f-b33f-7f74a0675575",
                        "testId": "AU-01a.[03]",
                        "test": "Determine if audit and accountability procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "47c56e81-1d42-4f53-a337-dff4f97af059",
                        "testId": "AU-01a.[04]",
                        "test": "Determine if the audit and accountability procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f01db5bf-c0b3-4246-92da-0a169ac51e58",
                        "testId": "AU-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c349c674-85cf-4c8a-82cf-564f790f9497",
                        "testId": "AU-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2b795b7c-d10d-4be1-b648-31f5deeb035f",
                        "testId": "AU-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "750e9b78-03e9-4d9f-a6ca-697b61329ac4",
                        "testId": "AU-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5dad4b76-f948-48e4-a512-e7168bf85fe4",
                        "testId": "AU-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6849e009-7a92-45ce-99cf-71563c4d7940",
                        "testId": "AU-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "291e798a-8af7-4e32-90ea-fe6965647ce0",
                        "testId": "AU-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "86cc265e-0bbd-4720-ad52-9c4b0fab57e1",
                        "testId": "AU-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "671cb61a-b8b6-4a64-afc0-548fee07565a",
                        "testId": "AU-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8d1d5d27-8b44-42a5-bebe-e6684854b9ea",
                        "testId": "AU-01c.01[01]",
                        "test": "Determine if the current audit and accountability policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4fde6b80-ef23-46fc-ac1e-85dadfbc8007",
                        "testId": "AU-01c.01[02]",
                        "test": "Determine if the current audit and accountability policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "48ded580-b606-4c44-b7d9-dcdee616422b",
                        "testId": "AU-01c.02[01]",
                        "test": "Determine if the current audit and accountability procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b27bb480-f832-4b28-836f-5a40b77a6888",
                        "testId": "AU-01c.02[02]",
                        "test": "Determine if the current audit and accountability procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "42296b66-fabf-4d50-84fb-587b20e88a68",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, AU-1(a) }}:</p><ul><li><p>1. {{ insert: param, AU-1(a)(1) }} audit and accountability policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, AU-1(b) }} to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and</p></li><li><p>c. Review and update the current audit and accountability:</p><ul><li><p>1. Policy {{ insert: param, AU-1(c)(1)-1 }} and following {{ insert: param, AU-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, AU-1(c)(2)-1 }} and following {{ insert: param, AU-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Audit and accountability policy and procedures address the controls in the AU family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of audit and accountability policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to audit and accountability policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "AU-1",
                "family": "Audit and Accountability",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "5cab91e5-6f26-4d9c-a5b9-a9d6ca456dfa",
                        "parameterId": "AU-2(c)",
                        "text": "organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-2_prm_2"
                    },
                    {
                        "uuid": "c33fde4a-123f-43af-8ffe-8d929e5ab591",
                        "parameterId": "AU-2(a)",
                        "text": "event types",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined event types] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-02_odp.01"
                    },
                    {
                        "uuid": "97342f41-8790-4603-b49a-6ff9b46ef5df",
                        "parameterId": "AU-2(e)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-02_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "8a3401ec-eda1-47fa-b4df-439a95e68cbc",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-2_smt.a",
                        "description": "<ul><li>a. Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, AU-2(a) }};</li></ul>"
                    },
                    {
                        "uuid": "ba8c87ce-3aba-4dbe-afce-896e3ef77f84",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-2_smt.b",
                        "description": "<ul><li>b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</li></ul>"
                    },
                    {
                        "uuid": "02efdc00-16c4-4f73-bfc8-f39c3a5fa7dc",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "au-2_smt.c",
                        "description": "<ul><li>c. Specify the following event types for logging within the system: {{ insert: param, AU-2(c) }};</li></ul>"
                    },
                    {
                        "uuid": "5305bf82-5fdb-4630-a5ec-20cbdee7e8d5",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "au-2_smt.d",
                        "description": "<ul><li>d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and</li></ul>"
                    },
                    {
                        "uuid": "14760f19-ce3e-4d02-8a44-7da90bf89dae",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "au-2_smt.e",
                        "description": "<ul><li>e. Review and update the event types selected for logging {{ insert: param, AU-2(e) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "d554d0d1-88ef-40f0-923f-67c3b2f2b8e7",
                        "testId": "AU-02a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): event types ]  that the system is capable of logging are identified in support of the audit logging function;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing auditable events.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System auditable events.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bc78662b-5f35-4b6c-8ff8-04443b9c6b11",
                        "testId": "AU-02b.",
                        "test": "Determine if the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing auditable events.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System auditable events.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "99b739cc-6747-495d-bc91-a213ffec5401",
                        "testId": "AU-02c.[01]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): event types (subset of AU-02_ODP[01]) ]  are specified for logging within the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing auditable events.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System auditable events.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e20ad998-c1d1-49ae-be91-a9600744546d",
                        "testId": "AU-02c.[02]",
                        "test": "Determine if the specified event types are logged within the system  [SELECTED PARAMETER VALUE(S): frequency or situation ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing auditable events.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System auditable events.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "98aabbb3-04c6-4655-9900-bd1e159dd129",
                        "testId": "AU-02d.",
                        "test": "Determine if a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing auditable events.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System auditable events.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ca2cbe7f-ac56-46b3-8a3d-32ea7aca9f47",
                        "testId": "AU-02e.",
                        "test": "Determine if the event types selected for logging are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing auditable events.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System auditable events.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a1e40ee6-b048-4634-8425-2bdf1819fd73",
                        "testId": "AU-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing auditable events.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System auditable events.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d6089a03-0b9f-484a-8350-62e9e61f95aa",
                        "testId": "AU-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a5bfeffd-0a8d-4c18-9bfc-6c14a30eba46",
                        "testId": "AU-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing system auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "f80535b8-f5f1-42c8-ada4-ffc2eea479d6",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-02 - Event Logging",
                "description": "<ul><li><p>a. Identify the types of events that the system is capable of logging in support of the audit function: {{ insert: param, AU-2(a) }};</p></li><li><p>b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;</p></li><li><p>c. Specify the following event types for logging within the system: {{ insert: param, AU-2(c) }};</p></li><li><p>d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and</p></li><li><p>e. Review and update the event types selected for logging {{ insert: param, AU-2(e) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.</p><p>To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.</p><p>Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include <a href=\"#ac-2.4\">AC-2(4)</a>, <a href=\"#ac-3.10\">AC-3(10)</a>, <a href=\"#ac-6.9\">AC-6(9)</a>, <a href=\"#ac-17.1\">AC-17(1)</a>, <a href=\"#cm-3_smt.f\">CM-3f</a>, <a href=\"#cm-5.1\">CM-5(1)</a>, <a href=\"#ia-3.3_smt.b\">IA-3(3)(b)</a>, <a href=\"#ma-4.1\">MA-4(1)</a>, <a href=\"#mp-4.2\">MP-4(2)</a>, <a href=\"#pe-3\">PE-3</a>, <a href=\"#pm-21\">PM-21</a>, <a href=\"#pt-7\">PT-7</a>, <a href=\"#ra-8\">RA-8</a>, <a href=\"#sc-7.9\">SC-7(9)</a>, <a href=\"#sc-7.15\">SC-7(15)</a>, <a href=\"#si-3.8\">SI-3(8)</a>, <a href=\"#si-4.22\">SI-4(22)</a>, <a href=\"#si-7.8\">SI-7(8)</a> , and <a href=\"#si-10.1\">SI-10(1)</a> . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations may want to include relevant OT events (e.g., alerts, alarms, configuration and status changes, operator actions) in their event logging, which may be designated as audit events.</p>",
                "controlId": "AU-2",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "44d81f5c-34f8-4a0c-aa72-08a238edc337",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-3_smt.a",
                        "description": "<ul><li>a. Ensure that audit records contain information that establishes the following: What type of event occurred;</li></ul>"
                    },
                    {
                        "uuid": "2e2fa468-fe9c-43f1-9be6-b7ce86fe7319",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-3_smt.b",
                        "description": "<ul><li>b. Ensure that audit records contain information that establishes the following: When the event occurred;</li></ul>"
                    },
                    {
                        "uuid": "0eaed4bb-84ea-49fd-abc1-5c1be451905c",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "au-3_smt.c",
                        "description": "<ul><li>c. Ensure that audit records contain information that establishes the following: Where the event occurred;</li></ul>"
                    },
                    {
                        "uuid": "48cb61da-9baa-4e97-aad3-b874c5fb385d",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "au-3_smt.d",
                        "description": "<ul><li>d. Ensure that audit records contain information that establishes the following: Source of the event;</li></ul>"
                    },
                    {
                        "uuid": "c75a87e4-e01a-4260-9aca-606ec590acde",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "au-3_smt.e",
                        "description": "<ul><li>e. Ensure that audit records contain information that establishes the following: Outcome of the event; and</li></ul>"
                    },
                    {
                        "uuid": "e4aa6488-6f9e-4bc6-8721-6839b9391dae",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "au-3_smt.f",
                        "description": "<ul><li>f. Ensure that audit records contain information that establishes the following: Identity of any individuals, subjects, or objects/entities associated with the event.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "705b8a19-37a4-4afd-8943-21301e2f3b7a",
                        "testId": "AU-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing content of audit records.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of organization-defined auditable events.</li><li>System audit records.</li><li>System incident reports.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2f19c783-8ff4-4b0d-932d-0911c7a17a5c",
                        "testId": "AU-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "322472ce-9d0a-4b9c-96e5-4f6fc19a0e76",
                        "testId": "AU-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing system auditing of auditable events.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8c60b1f-b9bd-49f2-a296-120e84621b3a",
                        "testId": "AU-03a.",
                        "test": "Determine if audit records contain information that establishes what type of event occurred;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing content of audit records.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of organization-defined auditable events.</li><li>System audit records.</li><li>System incident reports.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing of auditable events.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "642935a0-b830-415d-95e2-1b8a2a1591e1",
                        "testId": "AU-03b.",
                        "test": "Determine if audit records contain information that establishes when the event occurred;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing content of audit records.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of organization-defined auditable events.</li><li>System audit records.</li><li>System incident reports.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing of auditable events.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d2c3efdd-9dd1-405b-b972-0c0a64395472",
                        "testId": "AU-03c.",
                        "test": "Determine if audit records contain information that establishes where the event occurred;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing content of audit records.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of organization-defined auditable events.</li><li>System audit records.</li><li>System incident reports.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing of auditable events.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0732599-a303-4b45-92ad-ee7bb98e7216",
                        "testId": "AU-03d.",
                        "test": "Determine if audit records contain information that establishes the source of the event;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing content of audit records.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of organization-defined auditable events.</li><li>System audit records.</li><li>System incident reports.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing of auditable events.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9a6815a6-8b68-4192-baea-50b503cc5473",
                        "testId": "AU-03e.",
                        "test": "Determine if audit records contain information that establishes the outcome of the event;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing content of audit records.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of organization-defined auditable events.</li><li>System audit records.</li><li>System incident reports.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing of auditable events.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c401f5e5-c19d-4ded-bfed-0ae90595db53",
                        "testId": "AU-03f.",
                        "test": "Determine if audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing content of audit records.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of organization-defined auditable events.</li><li>System audit records.</li><li>System incident reports.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system auditing of auditable events.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "31f0384e-0f66-4a2e-bd36-1f397160c1d5",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-03 - Content of Audit Records",
                "description": "Ensure that audit records contain information that establishes the following:<ul><li>a. What type of event occurred;</li><li>b. When the event occurred;</li><li>c. Where the event occurred;</li><li>d. Source of the event;</li><li>e. Outcome of the event; and</li><li>f. Identity of any individuals, subjects, or objects/entities associated with the event.</li></ul><br/><strong>Discussion</strong><br/><p>Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.</p>",
                "controlId": "AU-3",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul><li>AU-3(1) - Additional Audit Information</li><li>AU-3(3) - Limit Personally Identifiable Information Elements</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "65a5d0b3-34de-4cb1-8a59-022581d1b67e",
                        "parameterId": "AU-4",
                        "text": "audit log retention requirements",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined audit log retention requirements] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-04_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a25f0a83-767c-4ce0-9b50-349c1a168676",
                        "name": "AU-4",
                        "objectiveType": "",
                        "otherId": "au-4_smt",
                        "description": "Allocate audit log storage capacity to accommodate {{ insert: param, AU-4 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "c0095026-7d60-42ac-8d63-19dbffc5a284",
                        "testId": "AU-04",
                        "test": "Determine if audit log storage capacity is allocated to accommodate  [SELECTED PARAMETER VALUE(S): audit log retention requirements ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing audit storage capacity.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Audit record storage requirements.</li><li>Audit record storage capability for system components.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Audit record storage capacity and related configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b3cbf85d-3b95-49e5-8978-46d2c59c2ced",
                        "testId": "AU-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing audit storage capacity.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Audit record storage requirements.</li><li>Audit record storage capability for system components.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eee3f045-107e-45bb-8d73-c6bce5ecbf4e",
                        "testId": "AU-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fa0e3d3b-2e2f-4907-a424-c6d0c283173b",
                        "testId": "AU-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Audit record storage capacity and related configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "21247519-ad90-4bc1-a4e9-3c28ca02dc69",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-04 - Audit Log Storage Capacity",
                "description": "Allocate audit log storage capacity to accommodate  {{ insert: param, AU-4 }}.<br/><strong>Discussion</strong><br/><p>Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.</p>",
                "controlId": "AU-4",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul><li>AU-4(1) - Transfer to Alternate Storage</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "2f1f6bf7-d7fc-42d2-b260-d32862146ed2",
                        "parameterId": "AU-4(1)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-04.01_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "7eecdbc6-992a-4ef9-b28b-ca5110845cd3",
                        "name": "AU-4(1)",
                        "objectiveType": "",
                        "otherId": "au-4.1_smt",
                        "description": "Transfer audit logs {{ insert: param, AU-4(1) }} to a different system, system component, or media other than the system or system component conducting the logging."
                    }
                ],
                "tests": [
                    {
                        "uuid": "d28b15d1-aa6a-4f0d-b2bc-f62e6a8cda0b",
                        "testId": "AU-04(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing audit storage capacity.</li><li>Procedures addressing transfer of system audit records to secondary or alternate systems.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Logs of audit record transfers to secondary or alternate systems.</li><li>System audit records transferred to secondary or alternate systems.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a7d7c57b-f081-407e-a621-1dee13403878",
                        "testId": "AU-04(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit storage capacity planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "52a73de7-e3b9-47b0-82bf-582cae364496",
                        "testId": "AU-04(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting the transfer of audit records onto a different system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "30716e5f-609d-446e-b06f-a705e1fa7422",
                        "testId": "AU-04(01)",
                        "test": "Determine if audit logs are transferred  [SELECTED PARAMETER VALUE(S): frequency ]  to a different system, system component, or media other than the system or system component conducting the logging.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing audit storage capacity.</li><li>Procedures addressing transfer of system audit records to secondary or alternate systems.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Logs of audit record transfers to secondary or alternate systems.</li><li>System audit records transferred to secondary or alternate systems.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit storage capacity planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting the transfer of audit records onto a different system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d4a35e68-58db-4488-944b-8186c0b2df51",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-04(01) - Transfer to Alternate Storage",
                "description": "Transfer audit logs  {{ insert: param, AU-4(1) }}  to a different system, system component, or media other than the system or system component conducting the logging.<br/><strong>Discussion</strong><br/><p>Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to  <a href=\"#au-9.2\">AU-9(2)</a>  in that audit logs are transferred to a different entity. However, the purpose of selecting  <a href=\"#au-9.2\">AU-9(2)</a>  is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.</p>",
                "controlId": "AU-4(1)",
                "family": "Audit and Accountability",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "dfa0c759-e60e-4a43-95fa-4be621751d59",
                        "parameterId": "AU-5(a)-1",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-05_odp.01"
                    },
                    {
                        "uuid": "9f2b64de-9dd0-4e28-9f7a-895750edb0ce",
                        "parameterId": "AU-5(a)-2",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-05_odp.02"
                    },
                    {
                        "uuid": "02dee322-9c62-4270-b297-d38d943aec39",
                        "parameterId": "AU-5(b)",
                        "text": "additional actions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined additional actions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-05_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "bf93d358-eaea-4544-91a2-b818f3317163",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-5_smt.a",
                        "description": "<ul><li>a. Alert {{ insert: param, AU-5(a)-1 }} within {{ insert: param, AU-5(a)-2 }} in the event of an audit logging process failure; and</li></ul>"
                    },
                    {
                        "uuid": "eca6c8c5-ff5a-4578-ae18-66f5c43871ee",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-5_smt.b",
                        "description": "<ul><li>b. Take the following additional actions: {{ insert: param, AU-5(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "7f9ceb31-8e4f-4f77-81e6-674e0a8446b3",
                        "testId": "AU-05a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): personnel or roles ]  are alerted in the event of an audit logging process failure within  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing response to audit processing failures.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System configuration settings and associated documentation.</li><li>List of personnel to be notified in case of an audit processing failure.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system response to audit processing failures.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "942e3f5c-638c-4abc-ab90-888c69c071cc",
                        "testId": "AU-05b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): additional actions ]  are taken in the event of an audit logging process failure.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing response to audit processing failures.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System configuration settings and associated documentation.</li><li>List of personnel to be notified in case of an audit processing failure.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing system response to audit processing failures.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fff2985c-3047-49a7-aff7-b6b848a2f295",
                        "testId": "AU-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing response to audit processing failures.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System configuration settings and associated documentation.</li><li>List of personnel to be notified in case of an audit processing failure.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1bd08a60-b7a7-4b2c-8bcf-6feba71143a4",
                        "testId": "AU-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d7409bd4-06ab-41a0-b92b-2d919d686a73",
                        "testId": "AU-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing system response to audit processing failures.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "2dac3f70-cedb-43ec-bbad-220789e4f395",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-05 - Response to Audit Logging Process Failures",
                "description": "<ul><li>a. Alert  {{ insert: param, AU-5(a)-1 }}  within  {{ insert: param, AU-5(a)-2 }}  in the event of an audit logging process failure; and</li><li>b. Take the following additional actions:  {{ insert: param, AU-5(b) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Audit logging process failures include software and hardware errors, failures in audit log capturing mechanisms, and reaching or exceeding audit log storage capacity. Organization-defined actions include overwriting oldest audit records, shutting down the system, and stopping the generation of audit records. Organizations may choose to define additional actions for audit logging process failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. When the audit logging process failure is related to storage, the response is carried out for the audit log storage repository (i.e., the distinct system component where the audit logs are stored), the system on which the audit logs reside, the total audit log storage capacity of the organization (i.e., all audit log storage repositories combined), or all three. Organizations may decide to take no additional actions after alerting designated roles or personnel.</p>",
                "controlId": "AU-5",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul><li>AU-5(1) - Storage Capacity Warning</li><li>AU-5(2) - Real-time Alerts</li><li>AU-5(3) - Configurable Traffic Volume Thresholds</li><li>AU-5(4) - Shutdown on Failure</li><li>AU-5(5) - Alternate Audit Logging Capability</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ea7b661a-7918-4131-9095-8220578d9e74",
                        "parameterId": "AU-6(a)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-06_odp.01"
                    },
                    {
                        "uuid": "6287206e-3fc5-4247-b815-456f8484dcfe",
                        "parameterId": "AU-6(a)-2",
                        "text": "inappropriate or unusual activity",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined inappropriate or unusual activity] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-06_odp.02"
                    },
                    {
                        "uuid": "3be35fd4-db2c-4dda-872e-a44b7604ff04",
                        "parameterId": "AU-6(b)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-06_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a213f974-8427-4c68-8f34-26bcfcc74fe0",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-6_smt.a",
                        "description": "<ul><li>a. Review and analyze system audit records {{ insert: param, AU-6(a)-1 }} for indications of {{ insert: param, AU-6(a)-2 }} and the potential impact of the inappropriate or unusual activity;</li></ul>"
                    },
                    {
                        "uuid": "d7a4bdd2-40bf-438b-9e1a-d881f4c3a434",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-6_smt.b",
                        "description": "<ul><li>b. Report findings to {{ insert: param, AU-6(b) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "d8027e0c-77c9-401f-b279-c911ffcdb2a1",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "au-6_smt.c",
                        "description": "<ul><li>c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "b3814441-46d9-4bcc-b0f5-0a1433698ea7",
                        "testId": "AU-06a.",
                        "test": "Determine if system audit records are reviewed and analyzed  [SELECTED PARAMETER VALUE(S): frequency ]  for indications of  [SELECTED PARAMETER VALUE(S): inappropriate or unusual activity ]  and the potential impact of the inappropriate or unusual activity;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing audit review, analysis, and reporting.</li><li>Reports of audit findings.</li><li>Records of actions taken in response to reviews/analyses of audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit review, analysis, and reporting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0fc40a3c-2b9f-47f4-9712-93f4ee6134ab",
                        "testId": "AU-06b.",
                        "test": "Determine if findings are reported to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing audit review, analysis, and reporting.</li><li>Reports of audit findings.</li><li>Records of actions taken in response to reviews/analyses of audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit review, analysis, and reporting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bd9a07db-feb4-4b62-8dab-828aa573f0dc",
                        "testId": "AU-06c.",
                        "test": "Determine if the level of audit record review, analysis, and reporting within the system is adjusted when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing audit review, analysis, and reporting.</li><li>Reports of audit findings.</li><li>Records of actions taken in response to reviews/analyses of audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit review, analysis, and reporting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "63f5aa15-89bd-46e4-b221-9a5e2ba74dc8",
                        "testId": "AU-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing audit review, analysis, and reporting.</li><li>Reports of audit findings.</li><li>Records of actions taken in response to reviews/analyses of audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4a504699-575a-4a61-9bcf-a5919c0f5905",
                        "testId": "AU-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit review, analysis, and reporting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "4abb599e-92f8-4d32-925e-3261ad1b012b",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-06 - Audit Record Review, Analysis, and Reporting",
                "description": "<ul><li>a. Review and analyze system audit records  {{ insert: param, AU-6(a)-1 }}  for indications of  {{ insert: param, AU-6(a)-2 }}  and the potential impact of the inappropriate or unusual activity;</li><li>b. Report findings to  {{ insert: param, AU-6(b) }} ; and</li><li>c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.</li></ul><br/><strong>Discussion</strong><br/><p>Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received.</p>",
                "controlId": "AU-6",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul><li>AU-6(1) - Automated Process Integration</li><li>AU-6(3) - Correlate Audit Record Repositories</li><li>AU-6(4) - Central Review and Analysis</li><li>AU-6(5) - Integrated Analysis of Audit Records</li><li>AU-6(6) - Correlation with Physical Monitoring</li><li>AU-6(7) - Permitted Actions</li><li>AU-6(8) - Full Text Analysis of Privileged Commands</li><li>AU-6(9) - Correlation with Information from Nontechnical Sources</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d466f74a-b5dd-48b9-94d8-810ec022042c",
                        "parameterId": "AU-8(b)",
                        "text": "granularity of time measurement",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined granularity of time measurement] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-08_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "75b20f06-84c1-432a-a6b6-573a842cf4bf",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-8_smt.a",
                        "description": "<ul><li>a. Use internal system clocks to generate time stamps for audit records; and</li></ul>"
                    },
                    {
                        "uuid": "af7bd1ff-b683-4f00-8fc5-233139a683e4",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-8_smt.b",
                        "description": "<ul><li>b. Record time stamps for audit records that meet {{ insert: param, AU-8(b) }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "041b3773-6cab-4fb4-8f84-b571b1fdab6d",
                        "testId": "AU-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing timestamp generation.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "77ca0531-66bf-4a3a-bf5a-c62ae0b7054c",
                        "testId": "AU-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c9f14ec5-50bc-4340-9e14-5e5c78ec6edc",
                        "testId": "AU-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing timestamp generation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2a425eb3-a799-4b5a-9cce-058727c8359c",
                        "testId": "AU-08a.",
                        "test": "Determine if internal system clocks are used to generate timestamps for audit records;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing timestamp generation.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing timestamp generation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3c2f1fc8-005b-475c-9693-2110c00af13c",
                        "testId": "AU-08b.",
                        "test": "Determine if timestamps are recorded for audit records that meet  [SELECTED PARAMETER VALUE(S): granularity of time measurement ]  and that use coordinated universal time, have a fixed local time offset from coordinated universal time, or include the local time offset as part of the timestamp.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing timestamp generation.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing timestamp generation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "74cd56f8-0b68-4998-b517-1fd4de8b135e",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-08 - Time Stamps",
                "description": "<ul><li><p>a. Use internal system clocks to generate time stamps for audit records; and</p></li><li><p>b. Record time stamps for audit records that meet {{ insert: param, AU-8(b) }} and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Time stamps generated by the system include date and time. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. Granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks (e.g., clocks synchronizing within hundreds of milliseconds or tens of milliseconds). Organizations may define different time granularities for different system components. Time service can be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities.</p><p></p><p><strong>OT Discussion</strong></p><p>Example compensating controls include using a separate system designated as an authoritative time source. See related control SC-45.</p>",
                "controlId": "AU-8",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "f4880a25-b018-462f-ac4c-da6accc1ac53",
                        "parameterId": "AU-9(b)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-09_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "da9afae4-8e3b-400d-a584-d4e940c40baf",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-9_smt.a",
                        "description": "<ul><li>a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and</li></ul>"
                    },
                    {
                        "uuid": "8a2a64a8-0019-46e4-a55f-6bd4b958a32a",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-9_smt.b",
                        "description": "<ul><li>b. Alert {{ insert: param, AU-9(b) }} upon detection of unauthorized access, modification, or deletion of audit information.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "07a6cff2-7410-4519-a31a-c22c5fa06e4d",
                        "testId": "AU-09a.",
                        "test": "Determine if audit information and audit logging tools are protected from unauthorized access, modification, and deletion;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Access control policy and procedures.</li><li>Procedures addressing protection of audit information.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Audit tools.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing audit information protection.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b357f9a2-8e5e-47a7-aa20-a6f6a58e1fad",
                        "testId": "AU-09b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): personnel or roles ]  are alerted upon detection of unauthorized access, modification, or deletion of audit information.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Access control policy and procedures.</li><li>Procedures addressing protection of audit information.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Audit tools.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing audit information protection.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6c17c42a-956f-4c4a-a67c-59b1b0924d8b",
                        "testId": "AU-09-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Access control policy and procedures.</li><li>Procedures addressing protection of audit information.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Audit tools.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d6f0ac6c-ddce-4ecd-bed0-b0377f2a1771",
                        "testId": "AU-09-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit and accountability responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e8be9e7c-9313-424c-b139-53b0b822de05",
                        "testId": "AU-09-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing audit information protection.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "20ad23e3-310d-49b4-bddc-789a266a44c6",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-09 - Protection of Audit Information",
                "description": "<ul><li>a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and</li><li>b. Alert  {{ insert: param, AU-9(b) }}  upon detection of unauthorized access, modification, or deletion of audit information.</li></ul><br/><strong>Discussion</strong><br/><p>Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.</p>",
                "controlId": "AU-9",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul><li>AU-9(1) - Hardware Write-once Media</li><li>AU-9(2) - Store on Separate Physical Systems or Components</li><li>AU-9(3) - Cryptographic Protection</li><li>AU-9(4) - Access by Subset of Privileged Users</li><li>AU-9(5) - Dual Authorization</li><li>AU-9(6) - Read-only Access</li><li>AU-9(7) - Store on Component with Different Operating System</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "1656c78f-986b-435e-a858-69b8539f48fd",
                        "parameterId": "AU-11",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-11_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "6b3e363e-81db-4717-908c-38649d87cfca",
                        "name": "AU-11",
                        "objectiveType": "",
                        "otherId": "au-11_smt",
                        "description": "Retain audit records for {{ insert: param, AU-11 }} to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements."
                    }
                ],
                "tests": [
                    {
                        "uuid": "b9f2a355-5833-46b2-9619-a3a06ccc7b3f",
                        "testId": "AU-11-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Audit record retention policy and procedures.</li><li>Security plan.</li><li>Organization-defined retention period for audit records.</li><li>Audit record archives.</li><li>Audit logs.</li><li>Audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cc56d3fb-b088-4eec-b6e8-ea845249daeb",
                        "testId": "AU-11-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit record retention responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "41cb08de-b427-4a34-b846-2724b64b72d8",
                        "testId": "AU-11",
                        "test": "Determine if audit records are retained for  [SELECTED PARAMETER VALUE(S): time period ]  to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Audit record retention policy and procedures.</li><li>Security plan.</li><li>Organization-defined retention period for audit records.</li><li>Audit record archives.</li><li>Audit logs.</li><li>Audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit record retention responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ee024f9a-1d56-45c8-9549-9133dd0df155",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-11 - Audit Record Retention",
                "description": "Retain audit records for  {{ insert: param, AU-11 }}  to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.<br/><strong>Discussion</strong><br/><p>Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.</p>",
                "controlId": "AU-11",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul><li>AU-11(1) - Long-term Retrieval Capability</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "352d75d1-d4c7-496a-9376-719430a10d88",
                        "parameterId": "AU-12(a)",
                        "text": "system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-12_odp.01"
                    },
                    {
                        "uuid": "792fc2f8-351f-48c0-ba45-0528f44efe38",
                        "parameterId": "AU-12(b)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "au-12_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "458ecb0c-204a-4060-a789-d7421fbd1aa1",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "au-12_smt.a",
                        "description": "<ul><li>a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on {{ insert: param, AU-12(a) }};</li></ul>"
                    },
                    {
                        "uuid": "93c46717-3e60-43f3-9b0e-24e00aaa320c",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "au-12_smt.b",
                        "description": "<ul><li>b. Allow {{ insert: param, AU-12(b) }} to select the event types that are to be logged by specific components of the system; and</li></ul>"
                    },
                    {
                        "uuid": "5cd063ef-8edc-4851-8b4c-4dd8753d041b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "au-12_smt.c",
                        "description": "<ul><li>c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "750d46e2-4c04-43b0-bb20-b81a725bd610",
                        "testId": "AU-12-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing audit record generation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of auditable events.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "718788b6-757b-4579-8e18-a35f00cba803",
                        "testId": "AU-12-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with audit record generation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f35fdf0a-f513-4849-b266-f24f6665daf2",
                        "testId": "AU-12-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing audit record generation capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bda9de2b-c86c-4cde-9228-abf75514b209",
                        "testId": "AU-12a.",
                        "test": "Determine if audit record generation capability for the event types the system is capable of auditing (defined in au-02_odp[01]) is provided by  [SELECTED PARAMETER VALUE(S): system components ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing audit record generation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of auditable events.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit record generation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing audit record generation capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "92bef866-da18-4ffe-9afb-bfdb163eeaac",
                        "testId": "AU-12b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): personnel or roles ]  is/are allowed to select the event types that are to be logged by specific components of the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing audit record generation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of auditable events.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit record generation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing audit record generation capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "68c2c932-352d-4e1e-9000-eb19479563fb",
                        "testId": "AU-12c.",
                        "test": "Determine if audit records for the event types defined in au-02_odp[02] that include the audit record content defined in au-03 are generated.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Audit and accountability policy.</li><li>Procedures addressing audit record generation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of auditable events.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with audit record generation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing audit record generation capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "507c9968-390e-4d89-8f8e-1eb3e8d2fd10",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "AU-12 - Audit Record Generation",
                "description": "<ul><li>a. Provide audit record generation capability for the event types the system is capable of auditing as defined in  AU-2a  on  {{ insert: param, AU-12(a) }};</li><li>b. Allow  {{ insert: param, AU-12(b) }}  to select the event types that are to be logged by specific components of the system; and</li><li>c. Generate audit records for the event types defined in  AU-2c  that include the audit record content defined in  AU-3.</li></ul><br/><strong>Discussion</strong><br/><p>Audit records can be generated from many different system components. The event types specified in  <a href=\"#au-2_smt.d\">AU-2d</a>  are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.</p>",
                "controlId": "AU-12",
                "family": "Audit and Accountability",
                "enhancements": "<strong>Enhancements</strong><ul><li>AU-12(1) - System-wide and Time-correlated Audit Trail</li><li>AU-12(2) - Standardized Formats</li><li>AU-12(3) - Changes by Authorized Individuals</li><li>AU-12(4) - Query Parameter Audits of Personally Identifiable Information</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "b0ce3d70-da17-469a-a597-da5c47a97b90",
                        "parameterId": "CA-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-1_prm_1"
                    },
                    {
                        "uuid": "71d97a01-7ace-460a-b321-84e1aa05e7ba",
                        "parameterId": "CA-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-01_odp.03"
                    },
                    {
                        "uuid": "2a719135-f1f8-4d12-86bb-ab2354862e49",
                        "parameterId": "CA-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-01_odp.04"
                    },
                    {
                        "uuid": "a19b3070-4bed-446e-a31f-62c17d2e2f8b",
                        "parameterId": "CA-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-01_odp.05"
                    },
                    {
                        "uuid": "da09262b-8832-4bb0-857a-9a7bcba0dc8c",
                        "parameterId": "CA-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-01_odp.06"
                    },
                    {
                        "uuid": "ae4a9bfb-5b1d-468a-9830-836e948ceeb0",
                        "parameterId": "CA-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-01_odp.07"
                    },
                    {
                        "uuid": "a839dde8-99e9-4331-bb62-dbedb80193ce",
                        "parameterId": "CA-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "55f46d30-4266-45b9-8591-1e40ae57f0b7",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ca-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, CA-1(a) }}:</li><ul><li>1. {{ insert: param, CA-1(a)(1) }} assessment, authorization, and monitoring policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;</li></ul>"
                    },
                    {
                        "uuid": "beace6d8-d909-4a54-8aa7-98d0bc874aa3",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ca-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, CA-1(b) }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "320b8eb9-cb0b-4c6d-b69e-9a3cd38f07f0",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ca-1_smt.c",
                        "description": "<ul><li>c. Review and update the current assessment, authorization, and monitoring:</li><ul><li>1. Policy {{ insert: param, CA-1(c)(1)-1 }} and following {{ insert: param, CA-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, CA-1(c)(2)-1 }} and following {{ insert: param, CA-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "06833879-bcd8-42d4-967b-e2e13b2ec178",
                        "testId": "CA-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0a24f6c2-3b95-46b8-9f34-304e6d71731c",
                        "testId": "CA-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9274013c-90d1-4ba1-b0c5-7992fda7bea4",
                        "testId": "CA-01a.[01]",
                        "test": "Determine if an assessment, authorization, and monitoring policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8d747fe-640a-4a28-a854-d36a6b1ef933",
                        "testId": "CA-01a.[02]",
                        "test": "Determine if the assessment, authorization, and monitoring policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a7cb38f2-a922-4e2c-98cd-7701e89bdcac",
                        "testId": "CA-01a.[03]",
                        "test": "Determine if assessment, authorization, and monitoring procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and associated assessment, authorization, and monitoring controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "40c9485c-86f7-43c0-aa0c-0b509acbf142",
                        "testId": "CA-01a.[04]",
                        "test": "Determine if the assessment, authorization, and monitoring procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "506b4210-3496-4647-b793-d74ef468d08c",
                        "testId": "CA-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fdad32a2-5cdc-4775-9b50-397372716caa",
                        "testId": "CA-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy addresses scope;[03] selected parameter(s)&gt; assessment, authorization, and monitoring policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "859a8c08-8ed8-400c-a408-9c49e13250ba",
                        "testId": "CA-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy addresses roles;[03] selected parameter(s)&gt; assessment, authorization, and monitoring policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "acda0abd-b8c5-495f-8be5-9516106dae86",
                        "testId": "CA-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9a4b28b3-1635-4ce5-b98f-dae3db571ac3",
                        "testId": "CA-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "659cfb97-f60d-42b8-9456-0f4c9c304396",
                        "testId": "CA-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9dc36b4f-4e8e-4cc0-b938-106bd53849b1",
                        "testId": "CA-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "12f4342e-fce4-4fd6-a934-cadad214b8de",
                        "testId": "CA-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d892f0d3-20bf-4a94-984d-cc1bf44fe9f5",
                        "testId": "CA-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d687ba62-b502-4f50-8e67-b180ad3fd415",
                        "testId": "CA-01c.01[01]",
                        "test": "Determine if the current assessment, authorization, and monitoring policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a2b5e6f1-c209-4b0c-88d0-278dcb42b7e8",
                        "testId": "CA-01c.01[02]",
                        "test": "Determine if the current assessment, authorization, and monitoring policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "17b7c8bc-fe85-467b-860c-a5c4a53e6f55",
                        "testId": "CA-01c.02[01]",
                        "test": "Determine if the current assessment, authorization, and monitoring procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "da054c80-41c2-4d2e-b61d-97b454d9e3be",
                        "testId": "CA-01c.02[02]",
                        "test": "Determine if the current assessment, authorization, and monitoring procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment, authorization, and monitoring policy responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "62b6c80d-4a6d-4286-b418-36d865f3e4cf",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, CA-1(a) }}:</p><ul><li><p>1. {{ insert: param, CA-1(a)(1) }} assessment, authorization, and monitoring policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, CA-1(b) }} to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and</p></li><li><p>c. Review and update the current assessment, authorization, and monitoring:</p><ul><li><p>1. Policy {{ insert: param, CA-1(c)(1)-1 }} and following {{ insert: param, CA-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, CA-1(c)(2)-1 }} and following {{ insert: param, CA-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Assessment, authorization, and monitoring policy and procedures address the controls in the CA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of assessment, authorization, and monitoring policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to assessment, authorization, and monitoring policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "CA-1",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "506af71e-3928-4fd2-b88e-fd596e27332e",
                        "parameterId": "CA-2(d)",
                        "text": "assessment frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined assessment frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-02_odp.01"
                    },
                    {
                        "uuid": "3bd8ed2b-659e-4142-8979-470381107ca4",
                        "parameterId": "CA-2(f)",
                        "text": "individuals or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined individuals or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-02_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "16dac0b3-6a31-4a4c-bf32-9ac8cc2aaa8e",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ca-2_smt.a",
                        "description": "<ul><li>a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;</li></ul>"
                    },
                    {
                        "uuid": "7b3d11b4-9714-46af-badd-4c5302ea1426",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ca-2_smt.b",
                        "description": "<ul><li>b. Develop a control assessment plan that describes the scope of the assessment including:</li><ul><li>1. Controls and control enhancements under assessment;</li><li>2. Assessment procedures to be used to determine control effectiveness; and</li><li>3. Assessment environment, assessment team, and assessment roles and responsibilities;</li></ul>"
                    },
                    {
                        "uuid": "04e97420-fe0e-4e99-9f1b-12f7e53482a0",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ca-2_smt.c",
                        "description": "<ul><li>c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</li></ul>"
                    },
                    {
                        "uuid": "13efa180-a00d-4321-a1be-41d25e124ce2",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ca-2_smt.d",
                        "description": "<ul><li>d. Assess the controls in the system and its environment of operation {{ insert: param, CA-2(d) }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;</li></ul>"
                    },
                    {
                        "uuid": "3c654584-09d0-4c62-9768-4243cb19e535",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ca-2_smt.e",
                        "description": "<ul><li>e. Produce a control assessment report that document the results of the assessment; and</li></ul>"
                    },
                    {
                        "uuid": "c48ee16e-76a0-4639-9ec8-b436acb709a9",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "ca-2_smt.f",
                        "description": "<ul><li>f. Provide the results of the control assessment to {{ insert: param, CA-2(f) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "68c8de88-dad5-4d06-ab71-0a15d51d81aa",
                        "testId": "CA-02a.",
                        "test": "Determine if an appropriate assessor or assessment team is selected for the type of assessment to be conducted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6ed3e949-7c49-4c57-b1fc-9c5d6599c05b",
                        "testId": "CA-02b.01",
                        "test": "Determine if a control assessment plan is developed that describes the scope of the assessment, including controls and control enhancements under assessment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0f79c78e-85e7-4b7a-bc3c-524db1e0cdbc",
                        "testId": "CA-02b.02",
                        "test": "Determine if a control assessment plan is developed that describes the scope of the assessment, including assessment procedures to be used to determine control effectiveness;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8509949b-9ead-4cd3-aa5c-7b2221e6a22a",
                        "testId": "CA-02b.03[01]",
                        "test": "Determine if a control assessment plan is developed that describes the scope of the assessment, including the assessment environment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1d2d4b5c-9500-4466-b02f-2405193b85e6",
                        "testId": "CA-02b.03[02]",
                        "test": "Determine if a control assessment plan is developed that describes the scope of the assessment, including the assessment team;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b798e50f-9030-4a47-aff1-9e2e80c73095",
                        "testId": "CA-02b.03[03]",
                        "test": "Determine if a control assessment plan is developed that describes the scope of the assessment, including assessment roles and responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "364d499a-2b56-4671-afb7-3f1325b03e67",
                        "testId": "CA-02c.",
                        "test": "Determine if the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f0b70f6c-8cba-4eaa-abf4-efe8f680ce83",
                        "testId": "CA-02d.[01]",
                        "test": "Determine if controls are assessed in the system and its environment of operation  [SELECTED PARAMETER VALUE(S): assessment frequency ]  to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7ca239bc-a5a2-4383-bd77-d23c5456d7e7",
                        "testId": "CA-02d.[02]",
                        "test": "Determine if controls are assessed in the system and its environment of operation  [SELECTED PARAMETER VALUE(S): assessment frequency ]  to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "53cc9c70-10ff-4f2b-8bff-ee4d3f858fc8",
                        "testId": "CA-02e.",
                        "test": "Determine if a control assessment report is produced that documents the results of the assessment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c3563bac-86c2-43c3-8de4-c09acab42872",
                        "testId": "CA-02f.",
                        "test": "Determine if the results of the control assessment are provided to  [SELECTED PARAMETER VALUE(S): individuals or roles ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "673f0235-bc0f-4687-9b37-49f01a1fd298",
                        "testId": "CA-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing assessment planning.</li><li>Procedures addressing control assessments.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "524c79cf-c0ef-475c-8ece-a442051a93cb",
                        "testId": "CA-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with control assessment responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6ef30fd8-e595-446d-a0fa-f8e26257517b",
                        "testId": "CA-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting control assessment, control assessment plan development, and/or control assessment reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3efe28f8-337f-4483-b7c2-c38afb912762",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-02 - Control Assessments",
                "description": "<ul><li><p>a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;</p></li><li><p>b. Develop a control assessment plan that describes the scope of the assessment including:</p><ul><li><p>1. Controls and control enhancements under assessment;</p></li><li><p>2. Assessment procedures to be used to determine control effectiveness; and</p></li><li><p>3. Assessment environment, assessment team, and assessment roles and responsibilities;</p></li></ul></li><li><p>c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;</p></li><li><p>d. Assess the controls in the system and its environment of operation {{ insert: param, CA-2(d) }} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;</p></li><li><p>e. Produce a control assessment report that document the results of the assessment; and</p></li><li><p>f. Provide the results of the control assessment to {{ insert: param, CA-2(f) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Organizations ensure that control assessors possess the required skills and technical expertise to develop effective assessment plans and to conduct assessments of system-specific, hybrid, common, and program management controls, as appropriate. The required skills include general knowledge of risk management concepts and approaches as well as comprehensive knowledge of and experience with the hardware, software, and firmware system components implemented.</p><p>Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.</p><p>Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.</p><p>Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.</p><p>To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of <a href=\"#ca-2\">CA-2</a>.</p><p></p><p><strong>OT Discussion </strong></p><p>Assessments are performed and documented by qualified assessors (i.e., experienced in assessing OT) authorized by the organization. The individual or group conducting the assessment fully understands the organizational information security policies and procedures, the OT security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. The organization ensures that the assessment does not affect system operation or result in unintentional system modification. If assessment activities must be performed on the production OT, it may need to be taken offline before an assessment can be conducted, or the assessment should be scheduled to occur during planned OT outages whenever possible.</p>",
                "controlId": "CA-2",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "<strong>Enhancements</strong><ul><li>CA-2(1) - Independent Assessors</li><li>CA-2(2) - Specialized Assessments</li><li>CA-2(3) - Leveraging Results from External Organizations</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ba64f51a-b965-450e-beac-6fa6aec8ee54",
                        "parameterId": "CA-3(a)",
                        "text": "[Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements; [(NESTED PARAMETER) Assignment for ca-03_odp.02: type of agreement]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements; [(NESTED PARAMETER) Assignment for ca-03_odp.02: type of agreement]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-03_odp.01"
                    },
                    {
                        "uuid": "70425328-9300-445a-8fdd-9e99292cc30d",
                        "parameterId": "CA-3(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-03_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "f23c95e2-aac1-46e5-bfe2-54ef1db991c0",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ca-3_smt.a",
                        "description": "<ul><li>a. Approve and manage the exchange of information between the system and other systems using {{ insert: param, CA-3(a) }};</li></ul>"
                    },
                    {
                        "uuid": "d0065839-5802-4504-a211-3e280d46754b",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ca-3_smt.b",
                        "description": "<ul><li>b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and</li></ul>"
                    },
                    {
                        "uuid": "a1727388-eeda-48da-a247-c71b74a65a46",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ca-3_smt.c",
                        "description": "<ul><li>c. Review and update the agreements {{ insert: param, CA-3(c) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "2c7ade03-ef94-4aaf-adae-06553fb6136c",
                        "testId": "CA-03a.",
                        "test": "Determine if the exchange of information between the system and other systems is approved and managed using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; non-disclosure agreements; [(NESTED PARAMETER) Assignment for ca-03_odp.02: type of agreement]] ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5127f99a-cdd5-400b-b7a5-f8b218ddd6da",
                        "testId": "CA-03b.[01]",
                        "test": "Determine if the interface characteristics are documented as part of each exchange agreement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4311df9c-9158-479b-b571-e93e044ce3ab",
                        "testId": "CA-03b.[02]",
                        "test": "Determine if security requirements are documented as part of each exchange agreement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e0e847fa-de26-4a04-b33d-c0a50c44664c",
                        "testId": "CA-03b.[03]",
                        "test": "Determine if privacy requirements are documented as part of each exchange agreement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "61e5b31e-64d8-4c6b-86d7-b2b3704c1d39",
                        "testId": "CA-03b.[04]",
                        "test": "Determine if controls are documented as part of each exchange agreement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "103c93e6-d165-409d-880d-960c7f9465e6",
                        "testId": "CA-03b.[05]",
                        "test": "Determine if responsibilities for each system are documented as part of each exchange agreement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2651484d-3d53-4a3e-b281-59b4b2c0aa65",
                        "testId": "CA-03b.[06]",
                        "test": "Determine if the impact level of the information communicated is documented as part of each exchange agreement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a1b31ef3-f23c-4ef6-9e9e-29697ad279da",
                        "testId": "CA-03c.",
                        "test": "Determine if agreements are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3ce2bb09-6348-4a07-aed8-66ab05995dfd",
                        "testId": "CA-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System interconnection security agreements.</li><li>Information exchange security agreements.</li><li>Memoranda of understanding or agreements.</li><li>Service level agreements.</li><li>Non-disclosure agreements.</li><li>System design documentation.</li><li>Enterprise architecture.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1f34c706-18f1-48ff-aa7e-5b3b58fd772e",
                        "testId": "CA-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or approving system interconnection agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel managing the system(s) to which the interconnection security agreement applies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "6edf8204-9a19-43bf-b432-d97bbd8d755d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-03 - Information Exchange",
                "description": "<ul><li><p>a. Approve and manage the exchange of information between the system and other systems using {{ insert: param, CA-3(a) }};</p></li><li><p>b. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and</p></li><li><p>c. Review and update the agreements {{ insert: param, CA-3(c) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in <a href=\"#ca-6.1\">CA-6(1)</a> or <a href=\"#ca-6.2\">CA-6(2)</a> , may help to communicate and reduce risk.</p><p>Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from <a href=\"#ca-3_smt.a\">CA-3a</a> in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations perform risk-benefit analysis to determine whether an OT should be connected to other systems. The authorizing official (AO) fully understands the organizational information security policies and procedures; the OT security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with the connection to other systems; the individuals and organizations that operate and maintain the systems, including maintenance contractors or service providers; and the specific health, safety, and environmental risks associated with a particular interconnection. Connections from the OT environment to other security zones may cross the authorization boundary such that two different authorizing officials may be required to approve the connection. Decisions to accept risk are documented.</p>",
                "controlId": "CA-3",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "<strong>Enhancements</strong><ul><li>CA-3(6) - Transfer Authorizations</li><li>CA-3(7) - Transitive Information Exchanges</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "f1439d72-91b3-417e-9cd8-094045250ade",
                        "parameterId": "CA-5(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-05_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "6a256fc0-7515-42d3-a4bb-5b14ab7283c4",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ca-5_smt.a",
                        "description": "<ul><li>a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and</li></ul>"
                    },
                    {
                        "uuid": "6f3afea9-a48a-4472-aeb5-2727058382d9",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ca-5_smt.b",
                        "description": "<ul><li>b. Update existing plan of action and milestones {{ insert: param, CA-5(b) }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "a7c9a73d-1529-4f72-a9df-2d83d9999493",
                        "testId": "CA-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing plan of action and milestones.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>Control assessment evidence.</li><li>Plan of action and milestones.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e1f935d7-9472-4cf2-8fc0-5e89723501b3",
                        "testId": "CA-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with plan of action and milestones development and implementation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "252a65be-d791-4434-8941-1fba21779c24",
                        "testId": "CA-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms for developing, implementing, and maintaining plan of action and milestones.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aa6fc841-ab33-466b-861b-05a5952b44d6",
                        "testId": "CA-05a.",
                        "test": "Determine if a plan of action and milestones for the system is developed to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing plan of action and milestones.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>Control assessment evidence.</li><li>Plan of action and milestones.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with plan of action and milestones development and implementation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms for developing, implementing, and maintaining plan of action and milestones.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "82a2bb2b-ca42-4327-960f-ed6b1976c44f",
                        "testId": "CA-05b.",
                        "test": "Determine if existing plan of action and milestones are updated  [SELECTED PARAMETER VALUE(S): frequency ]  based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing plan of action and milestones.</li><li>Control assessment plan.</li><li>Control assessment report.</li><li>Control assessment evidence.</li><li>Plan of action and milestones.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with plan of action and milestones development and implementation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms for developing, implementing, and maintaining plan of action and milestones.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "97450633-6180-4a4d-9028-eecd0f535eb8",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-05 - Plan of Action and Milestones",
                "description": "<ul><li><p>a. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and</p></li><li><p>b. Update existing plan of action and milestones {{ insert: param, CA-5(b) }} based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Plans of action and milestones are useful for any type of organization to track planned remedial actions. Plans of action and milestones are required in authorization packages and subject to federal reporting requirements established by OMB.</p><p></p><p><strong>OT Discussion</strong></p><p>Corrective actions identified in assessments may not be immediately actionable in an OT environment. Therefore, short-term mitigations may be implemented to reduce risk as part of the gap closure plan or plan of action and milestones.</p>",
                "controlId": "CA-5",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "<strong>Enhancements</strong><ul><li>CA-5(1) - Automation Support for Accuracy and Currency</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "43902be2-055a-475c-839d-fe7939fda07f",
                        "parameterId": "CA-6(e)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-06_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "34f7198e-645f-431b-9d19-3360f9667106",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ca-6_smt.a",
                        "description": "<ul><li>a. Assign a senior official as the authorizing official for the system;</li></ul>"
                    },
                    {
                        "uuid": "8ef2a0e3-79b8-45ee-92ae-907124156dd8",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ca-6_smt.b",
                        "description": "<ul><li>b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;</li></ul>"
                    },
                    {
                        "uuid": "01d338ce-ace2-4967-b15a-dcf5743812c4",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ca-6_smt.c",
                        "description": "<ul><li>c. Ensure that the authorizing official for the system, before commencing operations:</li><ul><li>1. Accepts the use of common controls inherited by the system; and</li><li>2. Authorizes the system to operate;</li></ul>"
                    },
                    {
                        "uuid": "37e99732-eb5e-46da-9ec5-a1e97a6d8aa8",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ca-6_smt.d",
                        "description": "<ul><li>d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</li></ul>"
                    },
                    {
                        "uuid": "a27d91f1-8bfb-4e1e-a2ca-4c53ded6b785",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ca-6_smt.e",
                        "description": "<ul><li>e. Update the authorizations {{ insert: param, CA-6(e) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "c52b5904-b06c-4565-bf71-180a903f07b4",
                        "testId": "CA-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing authorization.</li><li>System security plan, privacy plan, assessment report, plan of action and milestones.</li><li>Authorization statement.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "11900a2d-e977-45ea-b0a2-8fb3465e3d76",
                        "testId": "CA-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with authorization responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "93b94974-2d21-4493-bd24-5bc825644036",
                        "testId": "CA-06-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms that facilitate authorizations and updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0cf5b5f3-7691-421f-b59d-6b49aa47a2b9",
                        "testId": "CA-06a.",
                        "test": "Determine if a senior official is assigned as the authorizing official for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing authorization.</li><li>System security plan, privacy plan, assessment report, plan of action and milestones.</li><li>Authorization statement.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authorization responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms that facilitate authorizations and updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "726aeae7-9e73-42ff-81a3-a6652480ac57",
                        "testId": "CA-06b.",
                        "test": "Determine if a senior official is assigned as the authorizing official for common controls available for inheritance by organizational systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing authorization.</li><li>System security plan, privacy plan, assessment report, plan of action and milestones.</li><li>Authorization statement.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authorization responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms that facilitate authorizations and updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e91eeac1-4a06-4aab-b5ef-89bda416f58f",
                        "testId": "CA-06c.01",
                        "test": "Determine if before commencing operations, the authorizing official for the system accepts the use of common controls inherited by the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing authorization.</li><li>System security plan, privacy plan, assessment report, plan of action and milestones.</li><li>Authorization statement.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authorization responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms that facilitate authorizations and updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "23fc0381-7f19-4a80-b92d-c9ad593c1e57",
                        "testId": "CA-06c.02",
                        "test": "Determine if before commencing operations, the authorizing official for the system authorizes the system to operate;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing authorization.</li><li>System security plan, privacy plan, assessment report, plan of action and milestones.</li><li>Authorization statement.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authorization responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms that facilitate authorizations and updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "daf7ffdf-f078-4656-ae0c-5fd3085c3635",
                        "testId": "CA-06d.",
                        "test": "Determine if the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing authorization.</li><li>System security plan, privacy plan, assessment report, plan of action and milestones.</li><li>Authorization statement.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authorization responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms that facilitate authorizations and updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "41a7a059-70f7-4ab5-8683-365cb75929e9",
                        "testId": "CA-06e.",
                        "test": "Determine if the authorizations are updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Procedures addressing authorization.</li><li>System security plan, privacy plan, assessment report, plan of action and milestones.</li><li>Authorization statement.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authorization responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms that facilitate authorizations and updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "998fde29-a2fa-4c27-876f-a3c1989ca600",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-06 - Authorization",
                "description": "<ul><li>a. Assign a senior official as the authorizing official for the system;</li><li>b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;</li><li>c. Ensure that the authorizing official for the system, before commencing operations:</li><ul><li>1. Accepts the use of common controls inherited by the system; and</li><li>2. Authorizes the system to operate;</li></ul><li>d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;</li><li>e. Update the authorizations  {{ insert: param, CA-6(e) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees. Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities.</p><p>Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs. Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments. To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.</p>",
                "controlId": "CA-6",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "<strong>Enhancements</strong><ul><li>CA-6(1) - Joint Authorization \u00e2\u20ac\u201d Intra-organization</li><li>CA-6(2) - Joint Authorization \u00e2\u20ac\u201d Inter-organization</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ef2a810f-872e-41ff-bdc0-4a9a65101f87",
                        "parameterId": "CA-7(g)-1",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-7_prm_4"
                    },
                    {
                        "uuid": "c1a4cda9-d5ad-45c4-9b94-b1ad0b7fe91c",
                        "parameterId": "CA-7(g)-2",
                        "text": "organization-defined frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-7_prm_5"
                    },
                    {
                        "uuid": "d0f10140-63a6-4e2a-8977-0af0b6e19379",
                        "parameterId": "CA-7(a)",
                        "text": "system-level metrics",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system-level metrics] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-07_odp.01"
                    },
                    {
                        "uuid": "70f8da20-2b78-49c5-a0cf-0dd2397c57da",
                        "parameterId": "CA-7(b)-1",
                        "text": "frequencies",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequencies] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-07_odp.02"
                    },
                    {
                        "uuid": "930e1fb8-4e27-4c21-ae61-d78a164c58b5",
                        "parameterId": "CA-7(b)-2",
                        "text": "frequencies",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequencies] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-07_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "43a1c50c-835d-4b2c-90b9-22c87534171d",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ca-7_smt.a",
                        "description": "<ul><li>a. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the following system-level metrics to be monitored: {{ insert: param, CA-7(a) }};</li></ul>"
                    },
                    {
                        "uuid": "ee50e828-d90a-42bb-9a38-125ad9c76077",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ca-7_smt.b",
                        "description": "<ul><li>b. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing {{ insert: param, CA-7(b)-1 }} for monitoring and {{ insert: param, CA-7(b)-2 }} for assessment of control effectiveness;</li></ul>"
                    },
                    {
                        "uuid": "2bf74dc4-26fb-4350-a6df-b6604e7a267a",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ca-7_smt.c",
                        "description": "<ul><li>c. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Ongoing control assessments in accordance with the continuous monitoring strategy;</li></ul>"
                    },
                    {
                        "uuid": "c0f7a628-7202-4946-ba23-1f612697a440",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ca-7_smt.d",
                        "description": "<ul><li>d. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</li></ul>"
                    },
                    {
                        "uuid": "78250032-451d-4918-a8ac-dcb0459698c9",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ca-7_smt.e",
                        "description": "<ul><li>e. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Correlation and analysis of information generated by control assessments and monitoring;</li></ul>"
                    },
                    {
                        "uuid": "9b8bdaa8-a9e7-4d79-b8a4-4c94662eacd4",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "ca-7_smt.f",
                        "description": "<ul><li>f. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Response actions to address results of the analysis of control assessment and monitoring information; and</li></ul>"
                    },
                    {
                        "uuid": "33f8a2f7-5776-495d-9119-881636f9897d",
                        "name": "g.",
                        "objectiveType": "",
                        "otherId": "ca-7_smt.g",
                        "description": "<ul><li>g. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Reporting the security and privacy status of the system to {{ insert: param, CA-7(g)-1 }} {{ insert: param, CA-7(g)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "730ef601-a41b-4e37-9d37-2e701b9db0d9",
                        "testId": "CA-07[01]",
                        "test": "Determine if a system-level continuous monitoring strategy is developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "219c56ee-3eab-463f-8fc4-8b153e552184",
                        "testId": "CA-07[02]",
                        "test": "Determine if system-level continuous monitoring is implemented in accordance with the organization-level continuous monitoring strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3beb8b84-d351-4071-bd5f-b1f955405ac4",
                        "testId": "CA-07a.",
                        "test": "Determine if system-level continuous monitoring includes establishment of the following system-level metrics to be monitored:  [SELECTED PARAMETER VALUE(S): system-level metrics ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8e653b46-fad2-4816-85a9-c659e8097e10",
                        "testId": "CA-07b.[01]",
                        "test": "Determine if system-level continuous monitoring includes established  [SELECTED PARAMETER VALUE(S): frequencies ]  for monitoring;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "69470ec5-f96b-4f40-945f-77ea9c38656f",
                        "testId": "CA-07b.[02]",
                        "test": "Determine if system-level continuous monitoring includes established  [SELECTED PARAMETER VALUE(S): frequencies ]  for assessment of control effectiveness;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2678b15c-c064-4084-b24e-af6b62952690",
                        "testId": "CA-07c.",
                        "test": "Determine if system-level continuous monitoring includes ongoing control assessments in accordance with the continuous monitoring strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "623473aa-6441-4de6-a0c2-4e54c915fd46",
                        "testId": "CA-07d.",
                        "test": "Determine if system-level continuous monitoring includes ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "67b15c05-344f-483c-b019-8b884300aa46",
                        "testId": "CA-07e.",
                        "test": "Determine if system-level continuous monitoring includes correlation and analysis of information generated by control assessments and monitoring;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "528dba8a-827e-4b30-b76e-7fe9f191211c",
                        "testId": "CA-07f.",
                        "test": "Determine if system-level continuous monitoring includes response actions to address the results of the analysis of control assessment and monitoring information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3559eb00-ca6a-435b-a759-c782c2d3777d",
                        "testId": "CA-07g.[01]",
                        "test": "Determine if system-level continuous monitoring includes reporting the security status of the system to  [SELECTED PARAMETER VALUE(S): personnel or roles ], [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "02bbfed3-ed18-41e5-8f64-55facce9436b",
                        "testId": "CA-07g.[02]",
                        "test": "Determine if system-level continuous monitoring includes reporting the privacy status of the system to  [SELECTED PARAMETER VALUE(S): personnel or roles ], [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cbf28b1a-014f-4792-87cd-a3f186acb065",
                        "testId": "CA-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Procedures addressing configuration management.</li><li>Control assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Configuration management records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7699e61f-f992-497a-9735-53a1b71de1e8",
                        "testId": "CA-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "058e92dd-78cd-49e7-a835-691906d99873",
                        "testId": "CA-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing continuous monitoring.</li><li>Mechanisms supporting response actions to address assessment and monitoring results.</li><li>Mechanisms supporting security and privacy status reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "34dd10ce-80f2-46a5-be32-0c91d28241a8",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-07 - Continuous Monitoring",
                "description": "<p>Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:</p><ul><li><p>a. Establishing the following system-level metrics to be monitored: {{ insert: param, CA-7(a) }};</p></li><li><p>b. Establishing {{ insert: param, CA-7(b)-1 }} for monitoring and {{ insert: param, CA-7(b)-2 }} for assessment of control effectiveness;</p></li><li><p>c. Ongoing control assessments in accordance with the continuous monitoring strategy;</p></li><li><p>d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;</p></li><li><p>e. Correlation and analysis of information generated by control assessments and monitoring;</p></li><li><p>f. Response actions to address results of the analysis of control assessment and monitoring information; and</p></li><li><p>g. Reporting the security and privacy status of the system to {{ insert: param, CA-7(g)-1 }}{{ insert: param, CA-7(g)-2 }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.</p><p>Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as <a href=\"#ac-2_smt.g\">AC-2g</a>, <a href=\"#ac-2.7\">AC-2(7)</a>, <a href=\"#ac-2.12_smt.a\">AC-2(12)(a)</a>, <a href=\"#ac-2.7_smt.b\">AC-2(7)(b)</a>, <a href=\"#ac-2.7_smt.c\">AC-2(7)(c)</a>, <a href=\"#ac-17.1\">AC-17(1)</a>, <a href=\"#at-4_smt.a\">AT-4a</a>, <a href=\"#au-13\">AU-13</a>, <a href=\"#au-13.1\">AU-13(1)</a>, <a href=\"#au-13.2\">AU-13(2)</a>, <a href=\"#cm-3_smt.f\">CM-3f</a>, <a href=\"#cm-6_smt.d\">CM-6d</a>, <a href=\"#cm-11_smt.c\">CM-11c</a>, <a href=\"#ir-5\">IR-5</a>, <a href=\"#ma-2_smt.b\">MA-2b</a>, <a href=\"#ma-3_smt.a\">MA-3a</a>, <a href=\"#ma-4_smt.a\">MA-4a</a>, <a href=\"#pe-3_smt.d\">PE-3d</a>, <a href=\"#pe-6\">PE-6</a>, <a href=\"#pe-14_smt.b\">PE-14b</a>, <a href=\"#pe-16\">PE-16</a>, <a href=\"#pe-20\">PE-20</a>, <a href=\"#pm-6\">PM-6</a>, <a href=\"#pm-23\">PM-23</a>, <a href=\"#pm-31\">PM-31</a>, <a href=\"#ps-7_smt.e\">PS-7e</a>, <a href=\"#sa-9_smt.c\">SA-9c</a>, <a href=\"#sr-4\">SR-4</a>, <a href=\"#sc-5.3_smt.b\">SC-5(3)(b)</a>, <a href=\"#sc-7_smt.a\">SC-7a</a>, <a href=\"#sc-7.24_smt.b\">SC-7(24)(b)</a>, <a href=\"#sc-18_smt.b\">SC-18b</a>, <a href=\"#sc-43_smt.b\">SC-43b</a> , and <a href=\"#si-4\">SI-4</a>.</p><p></p><p><strong>OT Discussion</strong></p><p>Continuous monitoring programs for OT are designed, documented, and implemented with input from OT personnel. The organization ensures that continuous monitoring does not interfere with OT functions. The individual or group designing and conducting the continuous monitoring for the OT systems implements a monitoring program that is consistent with the organizational information security policies and procedures, the OT security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. Continuous monitoring can be automated or manual at a frequency sufficient to support risk-based decisions. For example, the organization may monitor event logs manually on a specified frequency less often for lower-risk, isolated systems than for higher-risk, networked systems.</p>",
                "controlId": "CA-7",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "<strong>Enhancements</strong><ul><li>CA-7(1) - Independent Assessment</li><li>CA-7(3) - Trend Analyses</li><li>CA-7(4) - Risk Monitoring</li><li>CA-7(5) - Consistency Analysis</li><li>CA-7(6) - Automation Support for Monitoring</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "bab9b095-5c39-4c82-8904-c4e50e838c30",
                        "name": "(a)",
                        "objectiveType": "",
                        "otherId": "ca-7.4_smt.a",
                        "description": "<ul><li>(a) Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Effectiveness monitoring;</li></ul>"
                    },
                    {
                        "uuid": "aa2209b5-d482-4c8e-a294-8b207dd127a8",
                        "name": "(b)",
                        "objectiveType": "",
                        "otherId": "ca-7.4_smt.b",
                        "description": "<ul><li>(b) Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Compliance monitoring; and</li></ul>"
                    },
                    {
                        "uuid": "11b64a53-760c-4101-9be1-98666cb175bb",
                        "name": "(c)",
                        "objectiveType": "",
                        "otherId": "ca-7.4_smt.c",
                        "description": "<ul><li>(c) Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Change monitoring.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "a79526cf-2082-442b-b660-c0197c6fb574",
                        "testId": "CA-07(04)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a0f48620-ddea-4c53-8d8e-602fe4666c35",
                        "testId": "CA-07(04)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "efde1818-f2dd-4e56-9d8e-9f298c8ed1e7",
                        "testId": "CA-07(04)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting risk monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ad11d64-e093-4870-959f-0d565409c4b8",
                        "testId": "CA-07(04)(a)",
                        "test": "Determine if effectiveness monitoring is included in risk monitoring;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting risk monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3f8ed27e-3015-438e-ab83-80697b6315d7",
                        "testId": "CA-07(04)(b)",
                        "test": "Determine if compliance monitoring is included in risk monitoring;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting risk monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "39cd0265-fb4b-438c-bc3c-a8996f358832",
                        "testId": "CA-07(04)(c)",
                        "test": "Determine if change monitoring is included in risk monitoring.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting risk monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cef60c85-8d44-4236-aa54-849d890da5a7",
                        "testId": "CA-07(04)",
                        "test": "Determine if risk monitoring is an integral part of the continuous monitoring strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Organizational continuous monitoring strategy.</li><li>System-level continuous monitoring strategy.</li><li>Procedures addressing continuous monitoring of system controls.</li><li>Assessment report.</li><li>Plan of action and milestones.</li><li>System monitoring records.</li><li>Impact analyses.</li><li>Status reports.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with continuous monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting risk monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "4089687c-d3e6-448f-a9d2-12b2308dcd28",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-07(04) - Risk Monitoring",
                "description": "Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:<ul><li>(a) Effectiveness monitoring;</li><li>(b) Compliance monitoring; and</li><li>(c) Change monitoring.</li></ul><br/><strong>Discussion</strong><br/><p>Risk monitoring is informed by the established organizational risk tolerance. Effectiveness monitoring determines the ongoing effectiveness of the implemented risk response measures. Compliance monitoring verifies that required risk response measures are implemented. It also verifies that security and privacy requirements are satisfied. Change monitoring identifies changes to organizational systems and environments of operation that may affect security and privacy risk.</p>",
                "controlId": "CA-7(4)",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "092d49ed-22cd-4d99-aeaf-2c743306d829",
                        "parameterId": "CA-9(a)",
                        "text": "system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-09_odp.01"
                    },
                    {
                        "uuid": "a7d7b8a1-7352-4779-b923-09994bbf9cd2",
                        "parameterId": "CA-9(c)",
                        "text": "conditions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined conditions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-09_odp.02"
                    },
                    {
                        "uuid": "23a806f1-b2d7-410e-9242-2c3a5ec3dc74",
                        "parameterId": "CA-9(d)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ca-09_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "03c2320b-ddc9-4416-bc54-acb1b7b7f012",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ca-9_smt.a",
                        "description": "<ul><li>a. Authorize internal connections of {{ insert: param, CA-9(a) }} to the system;</li></ul>"
                    },
                    {
                        "uuid": "2a94c0f4-896d-4ef7-b5d4-f5d0d4dd29bb",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ca-9_smt.b",
                        "description": "<ul><li>b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;</li></ul>"
                    },
                    {
                        "uuid": "c17bb9e3-d1c8-4711-9b0c-a4148d08c35a",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ca-9_smt.c",
                        "description": "<ul><li>c. Terminate internal system connections after {{ insert: param, CA-9(c) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "edd063d5-3951-40f7-b47d-fe6d6163067f",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ca-9_smt.d",
                        "description": "<ul><li>d. Review {{ insert: param, CA-9(d) }} the continued need for each internal connection.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "5d60d9a6-0977-490e-a416-02ec23f375ab",
                        "testId": "CA-09a.",
                        "test": "Determine if internal connections of  [SELECTED PARAMETER VALUE(S): system components ]  to the system are authorized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7d1d4e08-a85a-4fcc-8e49-d89a9ef26945",
                        "testId": "CA-09b.[01]",
                        "test": "Determine if for each internal connection, the interface characteristics are documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "de5f722f-7868-46b4-9a2f-06a6827abcb6",
                        "testId": "CA-09b.[02]",
                        "test": "Determine if for each internal connection, the security requirements are documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bb61c011-b807-42df-b8de-99891145c2ae",
                        "testId": "CA-09b.[03]",
                        "test": "Determine if for each internal connection, the privacy requirements are documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d55a72b7-7563-4a7c-b8ef-7ccf48440ff8",
                        "testId": "CA-09b.[04]",
                        "test": "Determine if for each internal connection, the nature of the information communicated is documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "569ecad2-9d37-4376-b62e-b7cca1b72008",
                        "testId": "CA-09c.",
                        "test": "Determine if internal system connections are terminated after  [SELECTED PARAMETER VALUE(S): conditions ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f96c481e-4696-478a-9311-8d0e3407a1df",
                        "testId": "CA-09d.",
                        "test": "Determine if the continued need for each internal connection is reviewed  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bc709990-dd31-40d8-8bb6-9649e21cc738",
                        "testId": "CA-09-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Assessment, authorization, and monitoring policy.</li><li>Access control policy.</li><li>Procedures addressing system connections.</li><li>System and communications protection policy.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of components or classes of components authorized as internal system connections.</li><li>Assessment report.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4ca6459c-665a-4cb5-a42c-2758e2793954",
                        "testId": "CA-09-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for developing, implementing, or authorizing internal system connections.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d309819d-e9d0-438c-9b27-f49543e43337",
                        "testId": "CA-09-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting internal system connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "351791c8-5016-4e95-ba3e-c198e35bc2b5",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CA-09 - Internal System Connections",
                "description": "<ul><li><p>a. Authorize internal connections of {{ insert: param, CA-9(a) }} to the system;</p></li><li><p>b. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;</p></li><li><p>c. Terminate internal system connections after {{ insert: param, CA-9(c) }} ; and</p></li><li><p>d. Review {{ insert: param, CA-9(d) }} the continued need for each internal connection.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Internal system connections are connections between organizational systems and separate constituent system components (i.e., connections between components that are part of the same system) including components used for system development. Intra-system connections include connections with mobile devices, notebook and desktop computers, tablets, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each internal system connection individually, organizations can authorize internal connections for a class of system components with common characteristics and/or configurations, including printers, scanners, and copiers with a specified processing, transmission, and storage capability or smart phones and tablets with a specific baseline configuration. The continued need for an internal system connection is reviewed from the perspective of whether it provides support for organizational missions or business functions.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations perform risk-benefit analysis to determine whether OT equipment should be connected to other internal system components and then document those connections. The AO fully understands the potential risks associated with approving individual connections or approving a class of components to be connected. For example, the AO may broadly approve the connection of any sensors limited to 4 to 20 milliamp (mA) communication, while other connection types (e.g., serial or Ethernet) require individual approval. Decisions to accept risk are documented.</p>",
                "controlId": "CA-9",
                "family": "Assessment, Authorization, and Monitoring",
                "enhancements": "<strong>Enhancements</strong><ul><li>CA-9(1) - Compliance Checks</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ec141f88-5e5a-41ba-8e34-a2e043ae3902",
                        "parameterId": "CM-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-1_prm_1"
                    },
                    {
                        "uuid": "0bff6c61-a51f-4f71-98e7-0986d951d350",
                        "parameterId": "CM-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-01_odp.03"
                    },
                    {
                        "uuid": "8cddf3a4-53d2-4c82-b8e5-c61f383c5a9d",
                        "parameterId": "CM-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-01_odp.04"
                    },
                    {
                        "uuid": "6f7dde27-67ae-4f76-bf80-dabe423f6580",
                        "parameterId": "CM-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-01_odp.05"
                    },
                    {
                        "uuid": "db288e64-769e-4552-bcef-2b2990910a89",
                        "parameterId": "CM-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-01_odp.06"
                    },
                    {
                        "uuid": "75c6a0b6-d823-4b16-bcda-b3ea7a5698a0",
                        "parameterId": "CM-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-01_odp.07"
                    },
                    {
                        "uuid": "9616b4bd-4070-4876-89f6-1f89e3fe6373",
                        "parameterId": "CM-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "7513fcf2-04a9-4e34-b739-6ba6b685a428",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cm-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, CM-1(a) }}:</li><ul><li>1. {{ insert: param, CM-1(a)(1) }} configuration management policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;</li></ul>"
                    },
                    {
                        "uuid": "c7302b53-ac35-4f17-9486-beb5fb2e1970",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cm-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, CM-1(b) }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "bb48fa3a-ac17-455c-b637-fea9119736f1",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cm-1_smt.c",
                        "description": "<ul><li>c. Review and update the current configuration management:</li><ul><li>1. Policy {{ insert: param, CM-1(c)(1)-1 }} and following {{ insert: param, CM-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, CM-1(c)(2)-1 }} and following {{ insert: param, CM-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "c3c35b36-0516-4794-a427-4320814f4e82",
                        "testId": "CM-01a.[01]",
                        "test": "Determine if a configuration management policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cd07432b-29d3-4abe-bf1f-1add8dc3f896",
                        "testId": "CM-01a.[02]",
                        "test": "Determine if the configuration management policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "37362731-06ac-457c-b033-9d6dc53af022",
                        "testId": "CM-01a.[03]",
                        "test": "Determine if configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "571aa6f0-131c-443f-b285-8909406037eb",
                        "testId": "CM-01a.[04]",
                        "test": "Determine if the configuration management procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8e060e29-5439-4c6e-a753-68b977056631",
                        "testId": "CM-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the configuration management policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8b8c6766-e18b-411c-ad66-1629a2348708",
                        "testId": "CM-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the configuration management policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c25345ef-0463-4a96-b07b-ef549d27713b",
                        "testId": "CM-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the configuration management policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4bd06304-60e9-4281-8ea2-f8abfdfc8b0e",
                        "testId": "CM-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the configuration management policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c4cc5a23-71d6-4ac2-9597-29aa930e3aeb",
                        "testId": "CM-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the configuration management policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cad26cfb-b9f2-4632-bbbb-0a7da2c1d09d",
                        "testId": "CM-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the configuration management policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "52fe341f-bc0d-445e-a2ca-4e22e42bbff3",
                        "testId": "CM-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  of the configuration management policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0a4ca33f-a8a7-42c2-96bd-0953b435fcbd",
                        "testId": "CM-01a.01(b)",
                        "test": "Determine if the configuration management policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "552f70a5-0394-4c6b-81d1-792430c6e80d",
                        "testId": "CM-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6571fafa-d87e-4d24-a035-f45ada9804d8",
                        "testId": "CM-01c.01[01]",
                        "test": "Determine if the current configuration management policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "53083ce4-1f7f-4a95-9d00-3d114b6a7b2a",
                        "testId": "CM-01c.01[02]",
                        "test": "Determine if the current configuration management policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fc81e0e2-b040-4c85-a5ea-2a461c292183",
                        "testId": "CM-01c.02[01]",
                        "test": "Determine if the current configuration management procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e108e3e6-fc88-4d23-855d-c841d4831120",
                        "testId": "CM-01c.02[02]",
                        "test": "Determine if the current configuration management procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bb58ee60-a599-451d-b9a3-8f63ded38f5b",
                        "testId": "CM-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy and procedures.</li><li>Security and privacy program policies and procedures.</li><li>Assessment or audit findings.</li><li>Documentation of security incidents or breaches.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy.</li><li>Other relevant artifacts, documents, or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4037f337-8370-44cb-9bef-6928cb95f674",
                        "testId": "CM-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "5b8111c1-28cc-4d26-9c5f-db3fd367aa37",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, CM-1(a) }}:</p><ul><li><p>1. {{ insert: param, CM-1(a)(1) }} configuration management policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, CM-1(b) }} to manage the development, documentation, and dissemination of the configuration management policy and procedures; and</p></li><li><p>c. Review and update the current configuration management:</p><ul><li><p>1. Policy {{ insert: param, CM-1(c)(1)-1 }} and following {{ insert: param, CM-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, CM-1(c)(2)-1 }} and following {{ insert: param, CM-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "CM-1",
                "family": "Configuration Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ee5a90a5-260c-400e-bdbf-06a3083b436f",
                        "parameterId": "CM-2(b)(1)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-02_odp.01"
                    },
                    {
                        "uuid": "f1f91dca-23ef-49cf-bb55-ec804c46fc32",
                        "parameterId": "CM-2(b)(2)",
                        "text": "circumstances",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined circumstances] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-02_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "29d5ce7d-fa11-4541-a4ee-cd8e5afd87a0",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cm-2_smt.a",
                        "description": "<ul><li>a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and</li></ul>"
                    },
                    {
                        "uuid": "f9dd1c0d-9010-457c-bded-a36f2b9eb469",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cm-2_smt.b",
                        "description": "<ul><li>b. Review and update the baseline configuration of the system:</li><ul><li>1. {{ insert: param, CM-2(b)(1) }};</li><li>2. When required due to {{ insert: param, CM-2(b)(2) }} ; and</li><li>3. When system components are installed or upgraded.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "da4ab268-6dbd-4b83-b9b9-897ea7651c38",
                        "testId": "CM-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Procedures addressing the baseline configuration of the system.</li><li>Configuration management plan.</li><li>Enterprise architecture documentation.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Change control records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fe8fe5a5-668d-425a-ba57-7b06db0e80ab",
                        "testId": "CM-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4c3eb9d0-68e9-4091-bca4-3fb6ee8ab5e8",
                        "testId": "CM-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing baseline configurations.</li><li>Mechanisms supporting configuration control of the baseline configuration.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0944d0e9-3e14-4fd4-8ff4-971c84e484cc",
                        "testId": "CM-02a.[01]",
                        "test": "Determine if a current baseline configuration of the system is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing the baseline configuration of the system.</li><li>Configuration management plan.</li><li>Enterprise architecture documentation.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Change control records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing baseline configurations.</li><li>Mechanisms supporting configuration control of the baseline configuration.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "22375ab2-e0c0-4798-8464-b5d5a55529a5",
                        "testId": "CM-02a.[02]",
                        "test": "Determine if a current baseline configuration of the system is maintained under configuration control;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing the baseline configuration of the system.</li><li>Configuration management plan.</li><li>Enterprise architecture documentation.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Change control records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing baseline configurations.</li><li>Mechanisms supporting configuration control of the baseline configuration.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cd20cfe3-da63-4248-aa39-a6edde9733ea",
                        "testId": "CM-02b.01",
                        "test": "Determine if the baseline configuration of the system is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing the baseline configuration of the system.</li><li>Configuration management plan.</li><li>Enterprise architecture documentation.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Change control records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing baseline configurations.</li><li>Mechanisms supporting configuration control of the baseline configuration.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "07f71bf8-89bd-41f8-983f-d4254d09c425",
                        "testId": "CM-02b.02",
                        "test": "Determine if the baseline configuration of the system is reviewed and updated when required due to  [SELECTED PARAMETER VALUE(S): circumstances ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing the baseline configuration of the system.</li><li>Configuration management plan.</li><li>Enterprise architecture documentation.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Change control records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing baseline configurations.</li><li>Mechanisms supporting configuration control of the baseline configuration.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f4691586-047b-449e-8207-df258eb156a3",
                        "testId": "CM-02b.03",
                        "test": "Determine if the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing the baseline configuration of the system.</li><li>Configuration management plan.</li><li>Enterprise architecture documentation.</li><li>System design documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Change control records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing baseline configurations.</li><li>Mechanisms supporting configuration control of the baseline configuration.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "04bb97ca-34c9-477f-be29-764534a97557",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-02 - Baseline Configuration",
                "description": "<ul><li>a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and</li><li>b. Review and update the baseline configuration of the system:</li><ul><li>1. {{ insert: param, CM-2(b)(1) }};</li><li>2. When required due to  {{ insert: param, CM-2(b)(2) }} ; and</li><li>3. When system components are installed or upgraded.</li></ul><br/><strong>Discussion</strong><br/><p>Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.</p>",
                "controlId": "CM-2",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-2(2) - Automation Support for Accuracy and Currency</li><li>CM-2(3) - Retention of Previous Configurations</li><li>CM-2(6) - Development and Test Environments</li><li>CM-2(7) - Configure Systems and Components for High-risk Areas</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "fca91f17-0131-4ba1-b3e0-f6e0baba61fa",
                        "name": "CM-4",
                        "objectiveType": "",
                        "otherId": "cm-4_smt",
                        "description": "Analyze changes to the system to determine potential security and privacy impacts prior to change implementation."
                    }
                ],
                "tests": [
                    {
                        "uuid": "7458a4be-259d-462c-bb85-67c0e73d3c1d",
                        "testId": "CM-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Procedures addressing security impact analyses for changes to the system.</li><li>Procedures addressing privacy impact analyses for changes to the system.</li><li>Configuration management plan.</li><li>Security impact analysis documentation.</li><li>Privacy impact analysis documentation.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation, system design documentation.</li><li>Analysis tools and associated outputs.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6e353c23-c4ec-43d4-b2ef-7bdc7dbdf91f",
                        "testId": "CM-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibility for conducting security impact analyses.</li><li>Organizational personnel with responsibility for conducting privacy impact analyses.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System developer.</li><li>System/network administrators.</li><li>Members of change control board or similar.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b5b6ef64-dbfd-49df-9b64-84c696d86b96",
                        "testId": "CM-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for security impact analyses.</li><li>Organizational processes for privacy impact analyses.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5cf6555d-30ba-425b-8607-1f94aea17cc1",
                        "testId": "CM-04[01]",
                        "test": "Determine if changes to the system are analyzed to determine potential security impacts prior to change implementation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing security impact analyses for changes to the system.</li><li>Procedures addressing privacy impact analyses for changes to the system.</li><li>Configuration management plan.</li><li>Security impact analysis documentation.</li><li>Privacy impact analysis documentation.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation, system design documentation.</li><li>Analysis tools and associated outputs.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for conducting security impact analyses.</li><li>Organizational personnel with responsibility for conducting privacy impact analyses.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System developer.</li><li>System/network administrators.</li><li>Members of change control board or similar.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for security impact analyses.</li><li>Organizational processes for privacy impact analyses.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ee96b7fa-84e1-44e1-ae5b-da3029f575b3",
                        "testId": "CM-04[02]",
                        "test": "Determine if changes to the system are analyzed to determine potential privacy impacts prior to change implementation.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing security impact analyses for changes to the system.</li><li>Procedures addressing privacy impact analyses for changes to the system.</li><li>Configuration management plan.</li><li>Security impact analysis documentation.</li><li>Privacy impact analysis documentation.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation, system design documentation.</li><li>Analysis tools and associated outputs.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for conducting security impact analyses.</li><li>Organizational personnel with responsibility for conducting privacy impact analyses.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System developer.</li><li>System/network administrators.</li><li>Members of change control board or similar.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for security impact analyses.</li><li>Organizational processes for privacy impact analyses.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "5704362c-1772-4de2-a2ec-2838dd4d7dcf",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-04 - Impact Analyses",
                "description": "<p>Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.<br><strong>Discussion</strong><br></p><p>Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization considers OT safety and security interdependencies. OT security and safety personnel are included in change process management if the change to the system may impact safety or security.</p>",
                "controlId": "CM-4",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-4(1) - Separate Test Environments</li><li>CM-4(2) - Verification of Controls</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0be1acf6-5786-48b6-a3ce-7f3505b8f837",
                        "name": "CM-5",
                        "objectiveType": "",
                        "otherId": "cm-5_smt",
                        "description": "Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system."
                    }
                ],
                "tests": [
                    {
                        "uuid": "1a5389a4-f204-4d38-b02d-f84e119b0f4f",
                        "testId": "CM-05[01]",
                        "test": "Determine if physical access restrictions associated with changes to the system are defined and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing access restrictions for changes to the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>Logical access approvals.</li><li>Physical access approvals.</li><li>Access credentials.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with logical access control responsibilities.</li><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing access restrictions to change.</li><li>Mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0dbeabc8-33ea-485b-ae11-34560d30406d",
                        "testId": "CM-05[02]",
                        "test": "Determine if physical access restrictions associated with changes to the system are approved;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing access restrictions for changes to the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>Logical access approvals.</li><li>Physical access approvals.</li><li>Access credentials.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with logical access control responsibilities.</li><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing access restrictions to change.</li><li>Mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e5fdfa85-35ab-4399-8784-0a547956755e",
                        "testId": "CM-05[03]",
                        "test": "Determine if physical access restrictions associated with changes to the system are enforced;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing access restrictions for changes to the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>Logical access approvals.</li><li>Physical access approvals.</li><li>Access credentials.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with logical access control responsibilities.</li><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing access restrictions to change.</li><li>Mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ef55aeb-0a1c-40ee-b4c4-591119a39f1f",
                        "testId": "CM-05[04]",
                        "test": "Determine if logical access restrictions associated with changes to the system are defined and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing access restrictions for changes to the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>Logical access approvals.</li><li>Physical access approvals.</li><li>Access credentials.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with logical access control responsibilities.</li><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing access restrictions to change.</li><li>Mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "786f6589-3402-4b57-ac67-fa09419c4011",
                        "testId": "CM-05[05]",
                        "test": "Determine if logical access restrictions associated with changes to the system are approved;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing access restrictions for changes to the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>Logical access approvals.</li><li>Physical access approvals.</li><li>Access credentials.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with logical access control responsibilities.</li><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing access restrictions to change.</li><li>Mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6556a26d-ac31-460e-9100-01737b912415",
                        "testId": "CM-05[06]",
                        "test": "Determine if logical access restrictions associated with changes to the system are enforced.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing access restrictions for changes to the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>Logical access approvals.</li><li>Physical access approvals.</li><li>Access credentials.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with logical access control responsibilities.</li><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing access restrictions to change.</li><li>Mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "78b9cb0f-e080-45f0-9f12-abbef7d0e553",
                        "testId": "CM-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Procedures addressing access restrictions for changes to the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System configuration settings and associated documentation.</li><li>Logical access approvals.</li><li>Physical access approvals.</li><li>Access credentials.</li><li>Change control records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "69f48b32-f275-4fe0-b85c-3975cf021589",
                        "testId": "CM-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with logical access control responsibilities.</li><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8f4c6907-8d61-449b-9cfc-9ab925dcda62",
                        "testId": "CM-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing access restrictions to change.</li><li>Mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "16999e98-d7a5-4a76-ad0f-93a47618882f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-05 - Access Restrictions for Change",
                "description": "<p>Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.<br><strong>Discussion</strong><br></p><p>Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals\u00e2\u20ac\u2122 privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see <a href=\"#ac-3\">AC-3</a> and <a href=\"#pe-3\">PE-3</a> ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).</p><p></p><p><strong>OT Discussion</strong></p><p>Some OT devices allow for the configuration and use of mode change switches. Where available, these should be used to prevent unauthorized changes. For example, many PLCs have key switches that allow the device to be placed in a programming mode or a running mode. Those PLCs should be placed in a running or remote mode to prevent unauthorized programming changes, and the key should be removed from the key switch and managed appropriately.</p>",
                "controlId": "CM-5",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-5(1) - Automated Access Enforcement and Audit Records</li><li>CM-5(4) - Dual Authorization</li><li>CM-5(5) - Privilege Limitation for Production and Operation</li><li>CM-5(6) - Limit Library Privileges</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "b6cb6a3e-f319-4642-af7d-94b871149fc4",
                        "parameterId": "CM-6(a)",
                        "text": "common secure configurations",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined common secure configurations] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-06_odp.01"
                    },
                    {
                        "uuid": "5f1c8820-3533-401d-98d7-f3fccba4006f",
                        "parameterId": "CM-6(c)-1",
                        "text": "system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-06_odp.02"
                    },
                    {
                        "uuid": "79f629d3-5075-4adc-a081-cffc3e85d8e2",
                        "parameterId": "CM-6(c)-2",
                        "text": "operational requirements",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined operational requirements] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-06_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0787830e-ff44-4e1e-bb01-3de78ac5a146",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cm-6_smt.a",
                        "description": "<ul><li>a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, CM-6(a) }};</li></ul>"
                    },
                    {
                        "uuid": "2ae11e37-428e-4ccd-bf65-b82d65478977",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cm-6_smt.b",
                        "description": "<ul><li>b. Implement the configuration settings;</li></ul>"
                    },
                    {
                        "uuid": "dfc1b015-a1ea-4ed2-9e7f-75e13f331c01",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cm-6_smt.c",
                        "description": "<ul><li>c. Identify, document, and approve any deviations from established configuration settings for {{ insert: param, CM-6(c)-1 }} based on {{ insert: param, CM-6(c)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "4d39a757-4f23-41f0-ad30-9faf3423e8c0",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "cm-6_smt.d",
                        "description": "<ul><li>d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "6b4aef08-115f-4b88-90fc-aa4a16d8058b",
                        "testId": "CM-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Procedures addressing configuration settings for the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Common secure configuration checklists.</li><li>System component inventory.</li><li>Evidence supporting approved deviations from established configuration settings.</li><li>Change control records.</li><li>System data processing and retention permissions.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b2373807-affa-48b6-87b9-48eeaf6c9a0e",
                        "testId": "CM-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with privacy configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5d402b34-b53b-45ff-a639-3352310445aa",
                        "testId": "CM-06-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing configuration settings.</li><li>Mechanisms that implement, monitor, and/or control system configuration settings.</li><li>Mechanisms that identify and/or document deviations from established configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d1b37155-f1a5-4e28-a736-addc4b4e6271",
                        "testId": "CM-06a.",
                        "test": "Determine if configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using  [SELECTED PARAMETER VALUE(S): common secure configurations ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing configuration settings for the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Common secure configuration checklists.</li><li>System component inventory.</li><li>Evidence supporting approved deviations from established configuration settings.</li><li>Change control records.</li><li>System data processing and retention permissions.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with privacy configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing configuration settings.</li><li>Mechanisms that implement, monitor, and/or control system configuration settings.</li><li>Mechanisms that identify and/or document deviations from established configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "307f12fc-4645-4aab-bbfc-8b04372ca980",
                        "testId": "CM-06b.",
                        "test": "Determine if the configuration settings documented in cm-06a are implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing configuration settings for the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Common secure configuration checklists.</li><li>System component inventory.</li><li>Evidence supporting approved deviations from established configuration settings.</li><li>Change control records.</li><li>System data processing and retention permissions.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with privacy configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing configuration settings.</li><li>Mechanisms that implement, monitor, and/or control system configuration settings.</li><li>Mechanisms that identify and/or document deviations from established configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "99844b95-c64b-43a6-933e-8f42393088ff",
                        "testId": "CM-06c.[01]",
                        "test": "Determine if any deviations from established configuration settings for  [SELECTED PARAMETER VALUE(S): system components ]  are identified and documented based on  [SELECTED PARAMETER VALUE(S): operational requirements ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing configuration settings for the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Common secure configuration checklists.</li><li>System component inventory.</li><li>Evidence supporting approved deviations from established configuration settings.</li><li>Change control records.</li><li>System data processing and retention permissions.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with privacy configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing configuration settings.</li><li>Mechanisms that implement, monitor, and/or control system configuration settings.</li><li>Mechanisms that identify and/or document deviations from established configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "92de0c53-6cf8-4344-aa00-b0d415287ef9",
                        "testId": "CM-06c.[02]",
                        "test": "Determine if any deviations from established configuration settings for  [SELECTED PARAMETER VALUE(S): system components ]  are approved;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing configuration settings for the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Common secure configuration checklists.</li><li>System component inventory.</li><li>Evidence supporting approved deviations from established configuration settings.</li><li>Change control records.</li><li>System data processing and retention permissions.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with privacy configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing configuration settings.</li><li>Mechanisms that implement, monitor, and/or control system configuration settings.</li><li>Mechanisms that identify and/or document deviations from established configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "94259159-9656-449d-ae87-3c1bae16059c",
                        "testId": "CM-06d.[01]",
                        "test": "Determine if changes to the configuration settings are monitored in accordance with organizational policies and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing configuration settings for the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Common secure configuration checklists.</li><li>System component inventory.</li><li>Evidence supporting approved deviations from established configuration settings.</li><li>Change control records.</li><li>System data processing and retention permissions.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with privacy configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing configuration settings.</li><li>Mechanisms that implement, monitor, and/or control system configuration settings.</li><li>Mechanisms that identify and/or document deviations from established configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "edff516c-85b4-4b4c-a9a2-90fc69b86bc7",
                        "testId": "CM-06d.[02]",
                        "test": "Determine if changes to the configuration settings are controlled in accordance with organizational policies and procedures.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing configuration settings for the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Common secure configuration checklists.</li><li>System component inventory.</li><li>Evidence supporting approved deviations from established configuration settings.</li><li>Change control records.</li><li>System data processing and retention permissions.</li><li>System audit records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with privacy configuration management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing configuration settings.</li><li>Mechanisms that implement, monitor, and/or control system configuration settings.</li><li>Mechanisms that identify and/or document deviations from established configuration settings.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "76418ae2-3cf1-46d9-95bc-0be43ac14d90",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-06 - Configuration Settings",
                "description": "<ul><li>a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using  {{ insert: param, CM-6(a) }};</li><li>b. Implement the configuration settings;</li><li>c. Identify, document, and approve any deviations from established configuration settings for  {{ insert: param, CM-6(c)-1 }}  based on  {{ insert: param, CM-6(c)-2 }} ; and</li><li>d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.</li></ul><br/><strong>Discussion</strong><br/><p>Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.</p><p>Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.</p><p>Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline  <a href=\"#98498928-3ca3-44b3-8b1e-f48685373087\">USGCB</a>  and security technical implementation guides (STIGs), which affect the implementation of  <a href=\"#cm-6\">CM-6</a>  and other controls such as  <a href=\"#ac-19\">AC-19</a>  and  <a href=\"#cm-7\">CM-7</a> . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.</p>",
                "controlId": "CM-6",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-6(1) - Automated Management, Application, and Verification</li><li>CM-6(2) - Respond to Unauthorized Changes</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d3744a6e-d020-4e9f-b0c4-e56da5df4c1c",
                        "parameterId": "CM-7(b)",
                        "text": "organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-7_prm_2"
                    },
                    {
                        "uuid": "2eea9562-09b1-4062-a921-373d9ff06b00",
                        "parameterId": "CM-7(a)",
                        "text": "mission-essential capabilities",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined mission-essential capabilities] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-07_odp.01"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "3110d6fe-0a2e-4951-8ac6-1b333e4f99cf",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cm-7_smt.a",
                        "description": "<ul><li>a. Configure the system to provide only {{ insert: param, CM-7(a) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "6f49f7f2-7a44-4a98-9e62-ae02c769ac0f",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cm-7_smt.b",
                        "description": "<ul><li>b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, CM-7(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "58cd8d47-3250-4c3d-8840-5569311e71fa",
                        "testId": "CM-07a.",
                        "test": "Determine if the system is configured to provide only  [SELECTED PARAMETER VALUE(S): mission-essential capabilities ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing least functionality in the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Common secure configuration checklists.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services.</li><li>Mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4f1514c8-2ba2-4d68-a226-d2a92a9a1dbe",
                        "testId": "CM-07b.[01]",
                        "test": "Determine if the use of  [SELECTED PARAMETER VALUE(S): functions ]  is prohibited or restricted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing least functionality in the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Common secure configuration checklists.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services.</li><li>Mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c5cd750-83f1-4b6e-92b6-3fd41da6d582",
                        "testId": "CM-07b.[02]",
                        "test": "Determine if the use of  [SELECTED PARAMETER VALUE(S): ports ]  is prohibited or restricted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing least functionality in the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Common secure configuration checklists.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services.</li><li>Mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4de1384c-3948-43bb-ab76-e1e0619c8760",
                        "testId": "CM-07b.[03]",
                        "test": "Determine if the use of  [SELECTED PARAMETER VALUE(S): protocols ]  is prohibited or restricted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing least functionality in the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Common secure configuration checklists.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services.</li><li>Mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b61a7f74-46dc-4332-be62-46e46e841e71",
                        "testId": "CM-07b.[04]",
                        "test": "Determine if the use of  [SELECTED PARAMETER VALUE(S): software ]  is prohibited or restricted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing least functionality in the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Common secure configuration checklists.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services.</li><li>Mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8623e805-9566-4b2c-8335-71d12d2950ee",
                        "testId": "CM-07b.[05]",
                        "test": "Determine if the use of  [SELECTED PARAMETER VALUE(S): services ]  is prohibited or restricted.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing least functionality in the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Common secure configuration checklists.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services.</li><li>Mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "66248120-9bcd-4bba-94c4-7de034416b3b",
                        "testId": "CM-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Procedures addressing least functionality in the system.</li><li>Configuration management plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System component inventory.</li><li>Common secure configuration checklists.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c79a9f7a-6da4-4e99-b6f0-011d1be29e3c",
                        "testId": "CM-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with security configuration management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "001a5d32-2a59-4440-a6e0-24d658577429",
                        "testId": "CM-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services.</li><li>Mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "4f054503-f9ee-4d2b-a520-dce5bbc534ab",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-07 - Least Functionality",
                "description": "<ul><li><p>a. Configure the system to provide only {{ insert: param, CM-7(a) }} ; and</p></li><li><p>b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, CM-7(b) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see <a href=\"#sa-8\">SA-8</a>, <a href=\"#sc-2\">SC-2</a> , and <a href=\"#sc-3\">SC-3</a>).</p><p></p><p><strong>OT Discussion</strong></p><p>The organization implements least functionality by allowing only the specified functions, protocols, and/or services required for OT operations. For non-routable protocols, such as serial communications, interrupts could be disabled or set points could be made read-only except for privileged users to limit functionality. Ports are part of the address space in network protocols and are often associated with specific protocols or functions. For routable protocols, ports can be disabled on many networking devices to limit functionality to the minimum required for operation.</p>",
                "controlId": "CM-7",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-7(1) - Periodic Review</li><li>CM-7(2) - Prevent Program Execution</li><li>CM-7(3) - Registration Compliance</li><li>CM-7(4) - Unauthorized Software \u00e2\u20ac\u201d Deny-by-exception</li><li>CM-7(5) - Authorized Software \u00e2\u20ac\u201d Allow-by-exception</li><li>CM-7(6) - Confined Environments with Limited Privileges</li><li>CM-7(7) - Code Execution in Protected Environments</li><li>CM-7(8) - Binary or Machine Executable Code</li><li>CM-7(9) - Prohibiting The Use of Unauthorized Hardware</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "b06afb86-f664-416b-90f7-74fdf9ebe864",
                        "parameterId": "CM-8(a)(5)",
                        "text": "information",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined information] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-08_odp.01"
                    },
                    {
                        "uuid": "da504f9c-6108-4667-8af6-478cae93f220",
                        "parameterId": "CM-8(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-08_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b71e450a-f2f1-4bd5-b67b-fa46b4074750",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cm-8_smt.a",
                        "description": "<ul><li>a. Develop and document an inventory of system components that:</li><ul><li>1. Accurately reflects the system;</li><li>2. Includes all components within the system;</li><li>3. Does not include duplicate accounting of components or components assigned to any other system;</li><li>4. Is at the level of granularity deemed necessary for tracking and reporting; and</li><li>5. Includes the following information to achieve system component accountability: {{ insert: param, CM-8(a)(5) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "b194bd42-7217-4d82-88ca-a4596545f1ef",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cm-8_smt.b",
                        "description": "<ul><li>b. Review and update the system component inventory {{ insert: param, CM-8(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "0332b0cc-ab9d-4125-bf8a-bfe7b9a39aff",
                        "testId": "CM-08a.01",
                        "test": "Determine if an inventory of system components that accurately reflects the system is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing system component inventory.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System component inventory.</li><li>Inventory reviews and update records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with component inventory management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing the system component inventory.</li><li>Mechanisms supporting and/or implementing system component inventory.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a383d8be-2483-44b8-a795-4e7889e7d3da",
                        "testId": "CM-08a.02",
                        "test": "Determine if an inventory of system components that includes all components within the system is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing system component inventory.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System component inventory.</li><li>Inventory reviews and update records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with component inventory management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing the system component inventory.</li><li>Mechanisms supporting and/or implementing system component inventory.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "beb18d89-1342-4109-8cd8-386894407b11",
                        "testId": "CM-08a.03",
                        "test": "Determine if an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing system component inventory.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System component inventory.</li><li>Inventory reviews and update records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with component inventory management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing the system component inventory.</li><li>Mechanisms supporting and/or implementing system component inventory.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "76273bd4-ed79-4e2e-b50f-6a9f94cfb3d9",
                        "testId": "CM-08a.04",
                        "test": "Determine if an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing system component inventory.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System component inventory.</li><li>Inventory reviews and update records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with component inventory management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing the system component inventory.</li><li>Mechanisms supporting and/or implementing system component inventory.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6b1a9bc2-514a-4231-825d-3e4a1fc746c3",
                        "testId": "CM-08a.05",
                        "test": "Determine if an inventory of system components that includes  [SELECTED PARAMETER VALUE(S): information ]  is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing system component inventory.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System component inventory.</li><li>Inventory reviews and update records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with component inventory management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing the system component inventory.</li><li>Mechanisms supporting and/or implementing system component inventory.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "30b264bc-1680-4bde-857a-5207d8899609",
                        "testId": "CM-08b.",
                        "test": "Determine if the system component inventory is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing system component inventory.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System component inventory.</li><li>Inventory reviews and update records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with component inventory management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing the system component inventory.</li><li>Mechanisms supporting and/or implementing system component inventory.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b9a5d030-f520-48d3-b8d4-18e084c301a5",
                        "testId": "CM-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Procedures addressing system component inventory.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System component inventory.</li><li>Inventory reviews and update records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dc3bf943-ab25-446c-b124-f77c32b6304e",
                        "testId": "CM-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with component inventory management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "02a81882-723c-4233-9959-0a9f6d667c8c",
                        "testId": "CM-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing the system component inventory.</li><li>Mechanisms supporting and/or implementing system component inventory.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "708e2d1b-df92-4388-b729-4c4b4555bf5a",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-08 - System Component Inventory",
                "description": "<ul><li>a. Develop and document an inventory of system components that:</li><ul><li>1. Accurately reflects the system;</li><li>2. Includes all components within the system;</li><li>3. Does not include duplicate accounting of components or components assigned to any other system;</li><li>4. Is at the level of granularity deemed necessary for tracking and reporting; and</li><li>5. Includes the following information to achieve system component accountability:  {{ insert: param, CM-8(a)(5) }} ; and</li></ul><li>b. Review and update the system component inventory  {{ insert: param, CM-8(b) }}.</li></ul><br/><strong>Discussion</strong><br/><p>System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.</p><p>Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of  <a href=\"#cm-8.7\">CM-8(7)</a>  can help to eliminate duplicate accounting of components.</p>",
                "controlId": "CM-8",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-8(1) - Updates During Installation and Removal</li><li>CM-8(2) - Automated Maintenance</li><li>CM-8(3) - Automated Unauthorized Component Detection</li><li>CM-8(4) - Accountability Information</li><li>CM-8(6) - Assessed Configurations and Approved Deviations</li><li>CM-8(7) - Centralized Repository</li><li>CM-8(8) - Automated Location Tracking</li><li>CM-8(9) - Assignment of Components to Systems</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "5c8cb967-adeb-4004-a9c1-5ccb4594319c",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cm-10_smt.a",
                        "description": "<ul><li>a. Use software and associated documentation in accordance with contract agreements and copyright laws;</li></ul>"
                    },
                    {
                        "uuid": "36023c3c-8178-4304-9a77-d825c1886d79",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cm-10_smt.b",
                        "description": "<ul><li>b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and</li></ul>"
                    },
                    {
                        "uuid": "5b80212e-e7d3-4832-b10e-680d9713493b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cm-10_smt.c",
                        "description": "<ul><li>c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "1a9aae7f-02a4-4273-8a80-c0010641f523",
                        "testId": "CM-10-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Software usage restrictions.</li><li>Software contract agreements and copyright laws.</li><li>Site license documentation.</li><li>List of software usage restrictions.</li><li>Software license tracking reports.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0e3baa6c-f880-445e-88d1-d4bd5f100cfb",
                        "testId": "CM-10-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel with software license management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6781a185-d8ed-4ac3-95a8-b729236ce673",
                        "testId": "CM-10-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for tracking the use of software protected by quantity licenses.</li><li>Organizational processes for controlling/documenting the use of peer-to-peer file sharing technology.</li><li>Mechanisms implementing software license tracking.</li><li>Mechanisms implementing and controlling the use of peer-to-peer files sharing technology.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8a594c44-a731-4c92-837e-1e152b0a68a7",
                        "testId": "CM-10a.",
                        "test": "Determine if software and associated documentation are used in accordance with contract agreements and copyright laws;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Software usage restrictions.</li><li>Software contract agreements and copyright laws.</li><li>Site license documentation.</li><li>List of software usage restrictions.</li><li>Software license tracking reports.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel with software license management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for tracking the use of software protected by quantity licenses.</li><li>Organizational processes for controlling/documenting the use of peer-to-peer file sharing technology.</li><li>Mechanisms implementing software license tracking.</li><li>Mechanisms implementing and controlling the use of peer-to-peer files sharing technology.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "71016377-3e6c-4c4b-8363-37a08be88ac6",
                        "testId": "CM-10b.",
                        "test": "Determine if the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Software usage restrictions.</li><li>Software contract agreements and copyright laws.</li><li>Site license documentation.</li><li>List of software usage restrictions.</li><li>Software license tracking reports.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel with software license management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for tracking the use of software protected by quantity licenses.</li><li>Organizational processes for controlling/documenting the use of peer-to-peer file sharing technology.</li><li>Mechanisms implementing software license tracking.</li><li>Mechanisms implementing and controlling the use of peer-to-peer files sharing technology.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7efecaf5-014e-487e-942b-f2d9112ba3cf",
                        "testId": "CM-10c.",
                        "test": "Determine if the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Software usage restrictions.</li><li>Software contract agreements and copyright laws.</li><li>Site license documentation.</li><li>List of software usage restrictions.</li><li>Software license tracking reports.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel with software license management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for tracking the use of software protected by quantity licenses.</li><li>Organizational processes for controlling/documenting the use of peer-to-peer file sharing technology.</li><li>Mechanisms implementing software license tracking.</li><li>Mechanisms implementing and controlling the use of peer-to-peer files sharing technology.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "40c2e457-26dd-4e9e-923b-25cbfea9fcbc",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-10 - Software Usage Restrictions",
                "description": "<ul><li>a. Use software and associated documentation in accordance with contract agreements and copyright laws;</li><li>b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and</li><li>c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</li></ul><br/><strong>Discussion</strong><br/><p>Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.</p>",
                "controlId": "CM-10",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-10(1) - Open-source Software</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "8013ba4d-d629-4f1d-9390-0392518d2224",
                        "parameterId": "CM-11(a)",
                        "text": "policies",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined policies] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-11_odp.01"
                    },
                    {
                        "uuid": "3584dce6-6463-45c0-bd2b-72b531d87e28",
                        "parameterId": "CM-11(b)",
                        "text": "methods",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined methods] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-11_odp.02"
                    },
                    {
                        "uuid": "cd55bd97-ece0-4409-9d75-3e9cf2bc4678",
                        "parameterId": "CM-11(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cm-11_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "19bfeae5-b1e1-47d6-b5fa-8bd778180064",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cm-11_smt.a",
                        "description": "<ul><li>a. Establish {{ insert: param, CM-11(a) }} governing the installation of software by users;</li></ul>"
                    },
                    {
                        "uuid": "ebeba97c-4a90-4fe2-baa3-948e80c2ee2c",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cm-11_smt.b",
                        "description": "<ul><li>b. Enforce software installation policies through the following methods: {{ insert: param, CM-11(b) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "82e969e4-9bc7-47e1-8b8d-a8886c6935a8",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cm-11_smt.c",
                        "description": "<ul><li>c. Monitor policy compliance {{ insert: param, CM-11(c) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "d06f7482-d6ce-46e7-97bb-e8dfbb81453b",
                        "testId": "CM-11-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Configuration management policy.</li><li>Procedures addressing user-installed software.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of rules governing user installed software.</li><li>System monitoring records.</li><li>System audit records.</li><li>Continuous monitoring strategy.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "519f93fe-f905-4c79-99bb-ec686333abdb",
                        "testId": "CM-11-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for governing user-installed software.</li><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel monitoring compliance with user-installed software policy.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4cb86d3d-0b8b-4359-96de-728461f5cbc1",
                        "testId": "CM-11-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes governing user-installed software on the system.</li><li>Mechanisms enforcing policies and methods for governing the installation of software by users.</li><li>Mechanisms monitoring policy compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3e480b96-241e-433a-b9ae-82c47c708d38",
                        "testId": "CM-11a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): policies ]  governing the installation of software by users are established;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing user-installed software.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of rules governing user installed software.</li><li>System monitoring records.</li><li>System audit records.</li><li>Continuous monitoring strategy.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for governing user-installed software.</li><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel monitoring compliance with user-installed software policy.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes governing user-installed software on the system.</li><li>Mechanisms enforcing policies and methods for governing the installation of software by users.</li><li>Mechanisms monitoring policy compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "070c4210-4b99-405a-9f30-fa4a3feb316f",
                        "testId": "CM-11b.",
                        "test": "Determine if software installation policies are enforced through  [SELECTED PARAMETER VALUE(S): methods ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing user-installed software.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of rules governing user installed software.</li><li>System monitoring records.</li><li>System audit records.</li><li>Continuous monitoring strategy.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for governing user-installed software.</li><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel monitoring compliance with user-installed software policy.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes governing user-installed software on the system.</li><li>Mechanisms enforcing policies and methods for governing the installation of software by users.</li><li>Mechanisms monitoring policy compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1025c981-10a5-4778-baea-5092af0f75cb",
                        "testId": "CM-11c.",
                        "test": "Determine if compliance with  [SELECTED PARAMETER VALUE(S): policies ]  is monitored  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Configuration management policy.</li><li>Procedures addressing user-installed software.</li><li>Configuration management plan.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of rules governing user installed software.</li><li>System monitoring records.</li><li>System audit records.</li><li>Continuous monitoring strategy.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for governing user-installed software.</li><li>Organizational personnel operating, using, and/or maintaining the system.</li><li>Organizational personnel monitoring compliance with user-installed software policy.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes governing user-installed software on the system.</li><li>Mechanisms enforcing policies and methods for governing the installation of software by users.</li><li>Mechanisms monitoring policy compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "b7e94fd4-c716-49e9-b139-e8469ed43a0d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CM-11 - User-installed Software",
                "description": "<ul><li>a. Establish  {{ insert: param, CM-11(a) }}  governing the installation of software by users;</li><li>b. Enforce software installation policies through the following methods:  {{ insert: param, CM-11(b) }} ; and</li><li>c. Monitor policy compliance  {{ insert: param, CM-11(c) }}.</li></ul><br/><strong>Discussion</strong><br/><p>If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved  <q>app stores.</q>  Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.</p>",
                "controlId": "CM-11",
                "family": "Configuration Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>CM-11(2) - Software Installation with Privileged Status</li><li>CM-11(3) - Automated Enforcement and Monitoring</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d431b90f-c908-4b74-bcee-f30d02688181",
                        "parameterId": "CP-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-1_prm_1"
                    },
                    {
                        "uuid": "2e81ee8c-49e0-45d4-8828-3849cdf02797",
                        "parameterId": "CP-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-01_odp.03"
                    },
                    {
                        "uuid": "86b070a7-0c1c-4cc1-ac68-e0a8f76fcd39",
                        "parameterId": "CP-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-01_odp.04"
                    },
                    {
                        "uuid": "bf84d315-b5d5-4fe5-ac8c-29ed96b25108",
                        "parameterId": "CP-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-01_odp.05"
                    },
                    {
                        "uuid": "354ddb32-87a4-40b5-b56f-e43d0bde584b",
                        "parameterId": "CP-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-01_odp.06"
                    },
                    {
                        "uuid": "36a8c728-4e36-4914-86a4-fbe2af204b85",
                        "parameterId": "CP-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-01_odp.07"
                    },
                    {
                        "uuid": "4cbbb213-e427-4fb2-a8f6-bd033b18f105",
                        "parameterId": "CP-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "640a0659-8dce-41fa-8bc1-2b0050ef03c9",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cp-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, CP-1(a) }}:</li><ul><li>1. {{ insert: param, CP-1(a)(1) }} contingency planning policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;</li></ul>"
                    },
                    {
                        "uuid": "6c55a45e-d58f-44a1-b23c-b1fcc642dbc8",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cp-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, CP-1(b) }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "95a629f9-d3bb-47d1-a86e-05d16b875174",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cp-1_smt.c",
                        "description": "<ul><li>c. Review and update the current contingency planning:</li><ul><li>1. Policy {{ insert: param, CP-1(c)(1)-1 }} and following {{ insert: param, CP-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, CP-1(c)(2)-1 }} and following {{ insert: param, CP-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "f804da54-7431-4321-b7a9-7e3812b690b0",
                        "testId": "CP-01a.[01]",
                        "test": "Determine if a contingency planning policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7bc66b21-aaa1-4530-a7f6-f2ead63afdab",
                        "testId": "CP-01a.[02]",
                        "test": "Determine if the contingency planning policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "64b86841-9ef6-44a9-a7ae-7733ae1a1722",
                        "testId": "CP-01a.[03]",
                        "test": "Determine if contingency planning procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "18cf902d-3be4-4946-8b8b-475a21abd3dc",
                        "testId": "CP-01a.[04]",
                        "test": "Determine if the contingency planning procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "28e1333d-bf7d-43d5-9a7e-6fe0f9a588fd",
                        "testId": "CP-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "26ae20bb-c6fc-4894-8063-72ca1218f444",
                        "testId": "CP-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "47963460-0e17-4b31-b93c-2eef2fcbbac8",
                        "testId": "CP-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "461f15ed-18f9-47ac-a1d2-037687936484",
                        "testId": "CP-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7ac93e61-2aea-4901-8a7f-cf8a305414d6",
                        "testId": "CP-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1786b605-fc3d-48e7-b59e-7e896223dc8e",
                        "testId": "CP-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0bc176a3-c907-4299-a803-c45c8d455fb9",
                        "testId": "CP-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8f7778fc-ad05-4889-bb77-cf9d0e669610",
                        "testId": "CP-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  contingency planning policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c3d3a505-401c-4704-92fc-1cc7cd430b4d",
                        "testId": "CP-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b83819c0-89aa-4900-a97d-4c428747a999",
                        "testId": "CP-01c.01[01]",
                        "test": "Determine if the current contingency planning policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "92518138-442b-4151-b1c8-b68c8308ae54",
                        "testId": "CP-01c.01[02]",
                        "test": "Determine if the current contingency planning policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "39166507-129a-4775-8611-85b20a0d68ae",
                        "testId": "CP-01c.02[01]",
                        "test": "Determine if the current contingency planning procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fe7166e0-2cf6-40e7-8bde-767499738853",
                        "testId": "CP-01c.02[02]",
                        "test": "Determine if the current contingency planning procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ea372bfc-9ae3-4dd1-8dfa-8c4d400615e4",
                        "testId": "CP-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Contingency planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4070f246-d45e-4f4b-9608-c34d7ce0b461",
                        "testId": "CP-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "14831c4f-2d1e-4092-ae22-a0331cd71219",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CP-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, CP-1(a) }}:</p><ul><li><p>1. {{ insert: param, CP-1(a)(1) }} contingency planning policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, CP-1(b) }} to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and</p></li><li><p>c. Review and update the current contingency planning:</p><ul><li><p>1. Policy {{ insert: param, CP-1(c)(1)-1 }} and following {{ insert: param, CP-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, CP-1(c)(2)-1 }} and following {{ insert: param, CP-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Contingency planning policy and procedures address the controls in the CP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of contingency planning policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to contingency planning policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "CP-1",
                "family": "Contingency Planning",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "73c1beb4-c1f0-4cc6-8ab7-cefc884d7acb",
                        "parameterId": "CP-2(a)(7)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-2_prm_1"
                    },
                    {
                        "uuid": "5ac596ca-1837-4530-8909-79e8199991f1",
                        "parameterId": "CP-2(b)",
                        "text": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-2_prm_2"
                    },
                    {
                        "uuid": "eb91b730-3375-491d-b194-ab56ff97a9d5",
                        "parameterId": "CP-2(f)",
                        "text": "organization-defined key contingency personnel (identified by name and/or by role) and organizational elements",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-2_prm_4"
                    },
                    {
                        "uuid": "3ec334a3-ee11-42cb-a1aa-68956db312b5",
                        "parameterId": "CP-2(d)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-02_odp.05"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "559b9abc-12ef-44f9-9d18-dab4900dbc43",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.a",
                        "description": "<ul><li>a. Develop a contingency plan for the system that:</li><ul><li>1. Identifies essential mission and business functions and associated contingency requirements;</li><li>2. Provides recovery objectives, restoration priorities, and metrics;</li><li>3. Addresses contingency roles, responsibilities, assigned individuals with contact information;</li><li>4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;</li><li>5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;</li><li>6. Addresses the sharing of contingency information; and</li><li>7. Is reviewed and approved by {{ insert: param, CP-2(a)(7) }};</li></ul>"
                    },
                    {
                        "uuid": "c61d92f5-ff21-428b-a035-647876f8affc",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.b",
                        "description": "<ul><li>b. Distribute copies of the contingency plan to {{ insert: param, CP-2(b) }};</li></ul>"
                    },
                    {
                        "uuid": "59b759a8-0af1-4a15-a2c9-32257410e806",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.c",
                        "description": "<ul><li>c. Coordinate contingency planning activities with incident handling activities;</li></ul>"
                    },
                    {
                        "uuid": "77ce81f3-96cc-4385-a461-03867ef1a05b",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.d",
                        "description": "<ul><li>d. Review the contingency plan for the system {{ insert: param, CP-2(d) }};</li></ul>"
                    },
                    {
                        "uuid": "ed3fe685-90d7-47c5-8339-c6936f88b240",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.e",
                        "description": "<ul><li>e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;</li></ul>"
                    },
                    {
                        "uuid": "25a2db20-b545-47bb-a3f6-1a23b7d86d95",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.f",
                        "description": "<ul><li>f. Communicate contingency plan changes to {{ insert: param, CP-2(f) }};</li></ul>"
                    },
                    {
                        "uuid": "ce4e6a54-30ca-4036-acd2-1d664a86dcfe",
                        "name": "g.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.g",
                        "description": "<ul><li>g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and</li></ul>"
                    },
                    {
                        "uuid": "a652e9f3-3547-42e6-b5a8-8decf47b1b81",
                        "name": "h.",
                        "objectiveType": "",
                        "otherId": "cp-2_smt.h",
                        "description": "<ul><li>h. Protect the contingency plan from unauthorized disclosure and modification.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "8b7f30ac-6b9f-4f53-b92d-a4ac59bed26b",
                        "testId": "CP-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1cc19445-2998-453f-bb28-8d6cf84974c6",
                        "testId": "CP-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "051baaa7-53ac-4648-892b-f0029d2a320f",
                        "testId": "CP-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d02f4815-825f-4476-b43f-a12d9a019d48",
                        "testId": "CP-02a.01",
                        "test": "Determine if a contingency plan for the system is developed that identifies essential mission and business functions and associated contingency requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "00e9644f-41a3-400d-b4c3-14964d1188d4",
                        "testId": "CP-02a.02[01]",
                        "test": "Determine if a contingency plan for the system is developed that provides recovery objectives;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e1f2f08d-d34d-41d2-ae41-e6e61f0c2c33",
                        "testId": "CP-02a.02[02]",
                        "test": "Determine if a contingency plan for the system is developed that provides restoration priorities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7785cff8-fbfb-484f-ad08-3a7102ce5197",
                        "testId": "CP-02a.02[03]",
                        "test": "Determine if a contingency plan for the system is developed that provides metrics;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fcb8d1bc-b123-45af-b596-5119efb43248",
                        "testId": "CP-02a.03[01]",
                        "test": "Determine if a contingency plan for the system is developed that addresses contingency roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab642026-e3b9-4b4c-87d8-a27041a29a76",
                        "testId": "CP-02a.03[02]",
                        "test": "Determine if a contingency plan for the system is developed that addresses contingency responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b3eeb397-a2d5-4cc9-8bef-324594037545",
                        "testId": "CP-02a.03[03]",
                        "test": "Determine if a contingency plan for the system is developed that addresses assigned individuals with contact information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "46900677-a233-4e5e-9844-96edef147997",
                        "testId": "CP-02a.04",
                        "test": "Determine if a contingency plan for the system is developed that addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5e5063b0-4d56-4e52-bd0f-a11ca329472c",
                        "testId": "CP-02a.05",
                        "test": "Determine if a contingency plan for the system is developed that addresses eventual, full-system restoration without deterioration of the controls originally planned and implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d27245c9-2a49-4f9c-85b5-83f902a116d9",
                        "testId": "CP-02a.06",
                        "test": "Determine if a contingency plan for the system is developed that addresses the sharing of contingency information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d34f58cd-6e9b-4709-b115-ca485cb02533",
                        "testId": "CP-02a.07[01]",
                        "test": "Determine if a contingency plan for the system is developed that is reviewed by  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3313b8ec-b3da-449f-aed2-bdc8bfd697e6",
                        "testId": "CP-02a.07[02]",
                        "test": "Determine if a contingency plan for the system is developed that is approved by  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a36c7b1b-4e78-4056-b2f4-d617bf109221",
                        "testId": "CP-02b.[01]",
                        "test": "Determine if copies of the contingency plan are distributed to  [SELECTED PARAMETER VALUE(S): key contingency personnel ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cebfd8a3-00c4-4c28-a89d-ba08e35f6181",
                        "testId": "CP-02b.[02]",
                        "test": "Determine if copies of the contingency plan are distributed to  [SELECTED PARAMETER VALUE(S): organizational elements ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1b0847fa-b65d-43b1-a50c-4d0c54841ed6",
                        "testId": "CP-02c.",
                        "test": "Determine if contingency planning activities are coordinated with incident handling activities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aaaa9c7e-aea4-4901-840a-abc5073cb4d2",
                        "testId": "CP-02d.",
                        "test": "Determine if the contingency plan for the system is reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "95284bd4-a2e7-4bf9-a21f-94d57e1eabe2",
                        "testId": "CP-02e.[01]",
                        "test": "Determine if the contingency plan is updated to address changes to the organization, system, or environment of operation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "24f09d2a-f1d5-48c2-aaa7-3aa957e78de6",
                        "testId": "CP-02e.[02]",
                        "test": "Determine if the contingency plan is updated to address problems encountered during contingency plan implementation, execution, or testing;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f440260e-8bee-43c8-9ecc-7c85f3adf7b0",
                        "testId": "CP-02f.[01]",
                        "test": "Determine if contingency plan changes are communicated to  [SELECTED PARAMETER VALUE(S): key contingency personnel ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "50913ad7-9567-445e-82ba-8a8c6e728985",
                        "testId": "CP-02f.[02]",
                        "test": "Determine if contingency plan changes are communicated to  [SELECTED PARAMETER VALUE(S): organizational elements ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2791e9eb-4e46-4630-a671-9fc0be933f96",
                        "testId": "CP-02g.[01]",
                        "test": "Determine if lessons learned from contingency plan testing or actual contingency activities are incorporated into contingency testing;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5286ce2a-2dc9-4e96-9b57-b296f2bca4a1",
                        "testId": "CP-02g.[02]",
                        "test": "Determine if lessons learned from contingency plan training or actual contingency activities are incorporated into contingency testing and training;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f5ede02d-1491-4623-873a-360222f0ff45",
                        "testId": "CP-02h.[01]",
                        "test": "Determine if the contingency plan is protected from unauthorized disclosure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "11ce497a-0964-40a7-8ecb-c08f89b726d6",
                        "testId": "CP-02h.[02]",
                        "test": "Determine if the contingency plan is protected from unauthorized modification.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency operations for the system.</li><li>Contingency plan.</li><li>Evidence of contingency plan reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning and plan implementation responsibilities.</li><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with knowledge of requirements for mission and business functions.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan development, review, update, and protection.</li><li>Mechanisms for developing, reviewing, updating, and/or protecting the contingency plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "03482310-a8cc-4053-a241-70a7c1d37c24",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CP-02 - Contingency Plan",
                "description": "<ul><li><p>a. Develop a contingency plan for the system that:</p><ul><li><p>1. Identifies essential mission and business functions and associated contingency requirements;</p></li><li><p>2. Provides recovery objectives, restoration priorities, and metrics;</p></li><li><p>3. Addresses contingency roles, responsibilities, assigned individuals with contact information;</p></li><li><p>4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;</p></li><li><p>5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;</p></li><li><p>6. Addresses the sharing of contingency information; and</p></li><li><p>7. Is reviewed and approved by {{ insert: param, CP-2(a)(7) }};</p></li></ul></li><li><p>b. Distribute copies of the contingency plan to {{ insert: param, CP-2(b) }};</p></li><li><p>c. Coordinate contingency planning activities with incident handling activities;</p></li><li><p>d. Review the contingency plan for the system {{ insert: param, CP-2(d) }};</p></li><li><p>e. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;</p></li><li><p>f. Communicate contingency plan changes to {{ insert: param, CP-2(f) }};</p></li><li><p>g. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and</p></li><li><p>h. Protect the contingency plan from unauthorized disclosure and modification.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.</p><p>Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in <a href=\"#ir-4.5\">IR-4(5)</a> . Incident response planning is part of contingency planning for organizations and is addressed in the <a href=\"#ir\">IR</a> (Incident Response) family.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization defines contingency plans for categories of disruptions or failures. In the case of a contingency, the OT equipment executes preprogrammed functions, such as alerting the operator of the failure and then doing nothing, alerting the operator and then safely shutting down the industrial process, or alerting the operator and then maintaining the last operational setting prior to failure. Contingency plans for widespread disruption may involve specialized organizations (e.g., FEMA, emergency services, regulatory authorities).</p>",
                "controlId": "CP-2",
                "family": "Contingency Planning",
                "enhancements": "<strong>Enhancements</strong><ul><li>CP-2(1) - Coordinate with Related Plans</li><li>CP-2(2) - Capacity Planning</li><li>CP-2(3) - Resume Mission and Business Functions</li><li>CP-2(5) - Continue Mission and Business Functions</li><li>CP-2(6) - Alternate Processing and Storage Sites</li><li>CP-2(7) - Coordinate with External Service Providers</li><li>CP-2(8) - Identify Critical Assets</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "aab1ca20-fe72-4376-bee0-d010c01e6340",
                        "parameterId": "CP-3(a)(1)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-03_odp.01"
                    },
                    {
                        "uuid": "8c006192-ff10-430d-8b84-379b769c2ebb",
                        "parameterId": "CP-3(a)(3)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-03_odp.02"
                    },
                    {
                        "uuid": "0e102944-40ad-47b8-a806-a029c9f6078e",
                        "parameterId": "CP-3(b)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-03_odp.03"
                    },
                    {
                        "uuid": "aacf96d8-f565-40dc-80f0-d73c4694c836",
                        "parameterId": "CP-3(b)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-03_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "f0dd4dad-a922-430d-b418-d8c239d8812e",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cp-3_smt.a",
                        "description": "<ul><li>a. Provide contingency training to system users consistent with assigned roles and responsibilities:</li><ul><li>1. Within {{ insert: param, CP-3(a)(1) }} of assuming a contingency role or responsibility;</li><li>2. When required by system changes; and</li><li>3. {{ insert: param, CP-3(a)(3) }} thereafter; and</li></ul>"
                    },
                    {
                        "uuid": "6e9daca9-a8b4-4d73-93f7-1766c5dcef1f",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cp-3_smt.b",
                        "description": "<ul><li>b. Review and update contingency training content {{ insert: param, CP-3(b)-1 }} and following {{ insert: param, CP-3(b)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "844dd616-aad3-4f57-bb0d-d75ae2954647",
                        "testId": "CP-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency training.</li><li>Contingency plan.</li><li>Contingency training curriculum.</li><li>Contingency training material.</li><li>Contingency training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9de9467f-5a5a-43d7-81eb-ceb55ad4dd7c",
                        "testId": "CP-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with contingency planning, plan implementation, and training responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e9237c1a-147d-4a5d-8b08-bc64ec96d652",
                        "testId": "CP-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for contingency training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8873db4c-8bee-4846-b530-f5788a64be1b",
                        "testId": "CP-03a.01",
                        "test": "Determine if contingency training is provided to system users consistent with assigned roles and responsibilities within  [SELECTED PARAMETER VALUE(S): time period ]  of assuming a contingency role or responsibility;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency training.</li><li>Contingency plan.</li><li>Contingency training curriculum.</li><li>Contingency training material.</li><li>Contingency training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning, plan implementation, and training responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "204bdb37-1811-4ff7-9f0e-dda534655880",
                        "testId": "CP-03a.02",
                        "test": "Determine if contingency training is provided to system users consistent with assigned roles and responsibilities when required by system changes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency training.</li><li>Contingency plan.</li><li>Contingency training curriculum.</li><li>Contingency training material.</li><li>Contingency training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning, plan implementation, and training responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0aae5b1-454c-4a55-9a50-5650aff56ff7",
                        "testId": "CP-03a.03",
                        "test": "Determine if contingency training is provided to system users consistent with assigned roles and responsibilities  [SELECTED PARAMETER VALUE(S): frequency ]  thereafter;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency training.</li><li>Contingency plan.</li><li>Contingency training curriculum.</li><li>Contingency training material.</li><li>Contingency training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning, plan implementation, and training responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4db7e46d-0bf1-4fff-900e-3509c6faa86e",
                        "testId": "CP-03b.[01]",
                        "test": "Determine if the contingency plan training content is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency training.</li><li>Contingency plan.</li><li>Contingency training curriculum.</li><li>Contingency training material.</li><li>Contingency training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning, plan implementation, and training responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2c40fca9-7181-47f0-95d0-ad65741f6705",
                        "testId": "CP-03b.[02]",
                        "test": "Determine if the contingency plan training content is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency training.</li><li>Contingency plan.</li><li>Contingency training curriculum.</li><li>Contingency training material.</li><li>Contingency training records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning, plan implementation, and training responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "8f10e947-9b9e-43b2-b2cc-3e39e4a720c4",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CP-03 - Contingency Training",
                "description": "<ul><li>a. Provide contingency training to system users consistent with assigned roles and responsibilities:</li><ul><li>1. Within  {{ insert: param, CP-3(a)(1) }}  of assuming a contingency role or responsibility;</li><li>2. When required by system changes; and</li><li>3. {{ insert: param, CP-3(a)(3) }}  thereafter; and</li></ul><li>b. Review and update contingency training content  {{ insert: param, CP-3(b)-1 }}  and following  {{ insert: param, CP-3(b)-2 }}.</li></ul><br/><strong>Discussion</strong><br/><p>Contingency training provided by organizations is linked to the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail is included in such training. For example, some individuals may only need to know when and where to report for duty during contingency operations and if normal duties are affected; system administrators may require additional training on how to establish systems at alternate processing and storage sites; and organizational officials may receive more specific training on how to conduct mission-essential functions in designated off-site locations and how to establish communications with other governmental entities for purposes of coordination on contingency-related activities. Training for contingency roles or responsibilities reflects the specific continuity requirements in the contingency plan. Events that may precipitate an update to contingency training content include, but are not limited to, contingency plan testing or an actual contingency (lessons learned), assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. At the discretion of the organization, participation in a contingency plan test or exercise, including lessons learned sessions subsequent to the test or exercise, may satisfy contingency plan training requirements.</p>",
                "controlId": "CP-3",
                "family": "Contingency Planning",
                "enhancements": "<strong>Enhancements</strong><ul><li>CP-3(1) - Simulated Events</li><li>CP-3(2) - Mechanisms Used in Training Environments</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "3906d9e8-47fd-42b2-a7c9-d22d28ad6548",
                        "parameterId": "CP-4(a)-2",
                        "text": "organization-defined tests",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined tests] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-4_prm_2"
                    },
                    {
                        "uuid": "a5c3ada4-3096-4e68-88b3-89ce1035eb64",
                        "parameterId": "CP-4(a)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-04_odp.01"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "e8e8410d-5aa7-42f0-affb-aeff4b6a659a",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cp-4_smt.a",
                        "description": "<ul><li>a. Test the contingency plan for the system {{ insert: param, CP-4(a)-1 }} using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: {{ insert: param, CP-4(a)-2 }}.</li></ul>"
                    },
                    {
                        "uuid": "04629c56-ac82-4d90-8cb9-f76657b87359",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cp-4_smt.b",
                        "description": "<ul><li>b. Review the contingency plan test results; and</li></ul>"
                    },
                    {
                        "uuid": "77ec584b-927c-49d8-8946-817dab58221e",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cp-4_smt.c",
                        "description": "<ul><li>c. Initiate corrective actions, if needed.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "b35af927-2193-4027-b8f8-c4016d208206",
                        "testId": "CP-04a.[01]",
                        "test": "Determine if the contingency plan for the system is tested  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency plan testing.</li><li>Contingency plan.</li><li>Contingency plan test documentation.</li><li>Contingency plan test results.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan testing.</li><li>Mechanisms supporting the contingency plan and/or contingency plan testing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "850e9d4e-623e-4586-a0c0-857aa8db9287",
                        "testId": "CP-04a.[02]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): tests ]  are used to determine the effectiveness of the plan;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency plan testing.</li><li>Contingency plan.</li><li>Contingency plan test documentation.</li><li>Contingency plan test results.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan testing.</li><li>Mechanisms supporting the contingency plan and/or contingency plan testing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "31162574-4b6f-41cd-a445-1a6ab8630317",
                        "testId": "CP-04a.[03]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): tests ]  are used to determine the readiness to execute the plan;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency plan testing.</li><li>Contingency plan.</li><li>Contingency plan test documentation.</li><li>Contingency plan test results.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan testing.</li><li>Mechanisms supporting the contingency plan and/or contingency plan testing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "88eef0c2-ec7d-4059-ad0e-f6ac5daccb0b",
                        "testId": "CP-04b.",
                        "test": "Determine if the contingency plan test results are reviewed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency plan testing.</li><li>Contingency plan.</li><li>Contingency plan test documentation.</li><li>Contingency plan test results.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan testing.</li><li>Mechanisms supporting the contingency plan and/or contingency plan testing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "60f014d2-ff3b-48e6-9ac9-f5446186f83e",
                        "testId": "CP-04c.",
                        "test": "Determine if corrective actions are initiated, if needed.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency plan testing.</li><li>Contingency plan.</li><li>Contingency plan test documentation.</li><li>Contingency plan test results.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for contingency plan testing.</li><li>Mechanisms supporting the contingency plan and/or contingency plan testing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1a22e5fb-eddf-4b01-82fc-bfa565a28fe6",
                        "testId": "CP-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing contingency plan testing.</li><li>Contingency plan.</li><li>Contingency plan test documentation.</li><li>Contingency plan test results.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3040f340-185a-4829-bd97-e9445e85eaaa",
                        "testId": "CP-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for contingency plan testing, reviewing, or responding to contingency plan tests.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c50ded09-7631-495d-90d0-94ef24996b17",
                        "testId": "CP-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for contingency plan testing.</li><li>Mechanisms supporting the contingency plan and/or contingency plan testing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "b5a61f9d-44b7-48c6-a730-8ad0a494de62",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CP-04 - Contingency Plan Testing",
                "description": "<ul><li>a. Test the contingency plan for the system  {{ insert: param, CP-4(a)-1 }}  using  the following tests to determine the effectiveness of the plan and the readiness to execute the plan:  {{ insert: param, CP-4(a)-2 }}.</li><li>b. Review the contingency plan test results; and</li><li>c. Initiate corrective actions, if needed.</li></ul><br/><strong>Discussion</strong><br/><p>Methods for testing contingency plans to determine the effectiveness of the plans and identify potential weaknesses include checklists, walk-through and tabletop exercises, simulations (parallel or full interrupt), and comprehensive exercises. Organizations conduct testing based on the requirements in contingency plans and include a determination of the effects on organizational operations, assets, and individuals due to contingency operations. Organizations have flexibility and discretion in the breadth, depth, and timelines of corrective actions.</p>",
                "controlId": "CP-4",
                "family": "Contingency Planning",
                "enhancements": "<strong>Enhancements</strong><ul><li>CP-4(1) - Coordinate with Related Plans</li><li>CP-4(2) - Alternate Processing Site</li><li>CP-4(3) - Automated Testing</li><li>CP-4(4) - Full Recovery and Reconstitution</li><li>CP-4(5) - Self-challenge</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "5515d9f7-b5ae-4e3e-bead-0cb5699b186b",
                        "parameterId": "CP-9(a)-1",
                        "text": "system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-09_odp.01"
                    },
                    {
                        "uuid": "145ffc27-c9dd-42c9-9c70-74ae97584c83",
                        "parameterId": "CP-9(a)-2",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-09_odp.02"
                    },
                    {
                        "uuid": "b25dc169-6839-4b76-9278-ea46467b2a83",
                        "parameterId": "CP-9(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-09_odp.03"
                    },
                    {
                        "uuid": "00c0a94a-41ac-4cf1-97ea-5dc8bedd9d17",
                        "parameterId": "CP-9(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-09_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "78d7aec8-0b49-4ee3-bf97-6115988e47a9",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "cp-9_smt.a",
                        "description": "<ul><li>a. Conduct backups of user-level information contained in {{ insert: param, CP-9(a)-1 }} {{ insert: param, CP-9(a)-2 }};</li></ul>"
                    },
                    {
                        "uuid": "3b541825-4333-4e0c-983f-7b2bea5d7d11",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "cp-9_smt.b",
                        "description": "<ul><li>b. Conduct backups of system-level information contained in the system {{ insert: param, CP-9(b) }};</li></ul>"
                    },
                    {
                        "uuid": "da1b46a6-2278-401b-8878-75e81b45da55",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "cp-9_smt.c",
                        "description": "<ul><li>c. Conduct backups of system documentation, including security- and privacy-related documentation {{ insert: param, CP-9(c) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "646a9349-e465-4b62-a5b3-3bf2ac721fb3",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "cp-9_smt.d",
                        "description": "<ul><li>d. Protect the confidentiality, integrity, and availability of backup information.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "33449a20-f76b-4ab8-a8a5-36551db9d193",
                        "testId": "CP-09a.",
                        "test": "Determine if backups of user-level information contained in  [SELECTED PARAMETER VALUE(S): system components ]  are conducted  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>Backup storage location(s).</li><li>System backup logs or records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system backup responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for conducting system backups.</li><li>Mechanisms supporting and/or implementing system backups.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6dbcd362-6b02-44a4-804a-87c28320979a",
                        "testId": "CP-09b.",
                        "test": "Determine if backups of system-level information contained in the system are conducted  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>Backup storage location(s).</li><li>System backup logs or records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system backup responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for conducting system backups.</li><li>Mechanisms supporting and/or implementing system backups.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "17b694f1-c544-4bad-b372-5089f1411912",
                        "testId": "CP-09c.",
                        "test": "Determine if backups of system documentation, including security- and privacy-related documentation are conducted  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>Backup storage location(s).</li><li>System backup logs or records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system backup responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for conducting system backups.</li><li>Mechanisms supporting and/or implementing system backups.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ea56934e-ca08-4c14-8719-80cfff4bded7",
                        "testId": "CP-09d.[01]",
                        "test": "Determine if the confidentiality of backup information is protected;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>Backup storage location(s).</li><li>System backup logs or records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system backup responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for conducting system backups.</li><li>Mechanisms supporting and/or implementing system backups.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c38f87d8-2aec-4715-b2d9-6b131ddde8c3",
                        "testId": "CP-09d.[02]",
                        "test": "Determine if the integrity of backup information is protected;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>Backup storage location(s).</li><li>System backup logs or records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system backup responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for conducting system backups.</li><li>Mechanisms supporting and/or implementing system backups.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "22c90f9c-f246-4663-88b0-1ae00e5ba8b0",
                        "testId": "CP-09d.[03]",
                        "test": "Determine if the availability of backup information is protected.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>Backup storage location(s).</li><li>System backup logs or records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system backup responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for conducting system backups.</li><li>Mechanisms supporting and/or implementing system backups.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8712045a-5d1c-4824-815f-55c433621d37",
                        "testId": "CP-09-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>Backup storage location(s).</li><li>System backup logs or records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d301620a-f73d-4d52-aea0-537900a27fcb",
                        "testId": "CP-09-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system backup responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "40ad0f14-847f-4135-9a79-b8530dd5d126",
                        "testId": "CP-09-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for conducting system backups.</li><li>Mechanisms supporting and/or implementing system backups.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "e3c05e26-3237-4af9-a86b-35a7cee2589d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CP-09 - System Backup",
                "description": "<ul><li>a. Conduct backups of user-level information contained in  {{ insert: param, CP-9(a)-1 }}{{ insert: param, CP-9(a)-2 }};</li><li>b. Conduct backups of system-level information contained in the system  {{ insert: param, CP-9(b) }};</li><li>c. Conduct backups of system documentation, including security- and privacy-related documentation  {{ insert: param, CP-9(c) }} ; and</li><li>d. Protect the confidentiality, integrity, and availability of backup information.</li></ul><br/><strong>Discussion</strong><br/><p>System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by  <a href=\"#mp-5\">MP-5</a>  and  <a href=\"#sc-8\">SC-8</a> . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.</p>",
                "controlId": "CP-9",
                "family": "Contingency Planning",
                "enhancements": "<strong>Enhancements</strong><ul><li>CP-9(1) - Testing for Reliability and Integrity</li><li>CP-9(2) - Test Restoration Using Sampling</li><li>CP-9(3) - Separate Storage for Critical Information</li><li>CP-9(5) - Transfer to Alternate Storage Site</li><li>CP-9(6) - Redundant Secondary System</li><li>CP-9(7) - Dual Authorization for Deletion or Destruction</li><li>CP-9(8) - Cryptographic Protection</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "b7515ffc-f184-47b4-a010-f2ac55f95a7b",
                        "parameterId": "CP-10",
                        "text": "organization-defined time period consistent with recovery time and recovery point objectives",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-10_prm_1"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "01aa3e2d-15b8-4192-8f64-cf0d040c44ab",
                        "name": "CP-10",
                        "objectiveType": "",
                        "otherId": "cp-10_smt",
                        "description": "Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, CP-10 }} after a disruption, compromise, or failure."
                    }
                ],
                "tests": [
                    {
                        "uuid": "ed89941d-c326-457a-9dba-ed8f814f260c",
                        "testId": "CP-10[01]",
                        "test": "Determine if the recovery of the system to a known state is provided within  [SELECTED PARAMETER VALUE(S): time period ]  after a disruption, compromise, or failure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>System backup test results.</li><li>Contingency plan test results.</li><li>Contingency plan test documentation.</li><li>Redundant secondary system for system backups.</li><li>Location(s) of redundant secondary backup system(s).</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes implementing system recovery and reconstitution operations.</li><li>Mechanisms supporting and/or implementing system recovery and reconstitution operations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "413b6a79-b7e5-4d94-8a1b-259d6595d82f",
                        "testId": "CP-10[02]",
                        "test": "Determine if a reconstitution of the system to a known state is provided within  [SELECTED PARAMETER VALUE(S): time period ]  after a disruption, compromise, or failure.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>System backup test results.</li><li>Contingency plan test results.</li><li>Contingency plan test documentation.</li><li>Redundant secondary system for system backups.</li><li>Location(s) of redundant secondary backup system(s).</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes implementing system recovery and reconstitution operations.</li><li>Mechanisms supporting and/or implementing system recovery and reconstitution operations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c6b24f39-62e9-43ab-9786-375541a82d23",
                        "testId": "CP-10-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing system backup.</li><li>Contingency plan.</li><li>System backup test results.</li><li>Contingency plan test results.</li><li>Contingency plan test documentation.</li><li>Redundant secondary system for system backups.</li><li>Location(s) of redundant secondary backup system(s).</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0608ec92-32c1-4118-9814-129a3c9b9751",
                        "testId": "CP-10-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with contingency planning, recovery, and/or reconstitution responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "090d2a49-ed0d-405a-8db2-1236c895cb3f",
                        "testId": "CP-10-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes implementing system recovery and reconstitution operations.</li><li>Mechanisms supporting and/or implementing system recovery and reconstitution operations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "0e203621-efba-447c-9220-01f71e380b63",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CP-10 - System Recovery and Reconstitution",
                "description": "<p>Provide for the recovery and reconstitution of the system to a known state within {{ insert: param, CP-10 }} after a disruption, compromise, or failure.<br><strong>Discussion</strong><br></p><p>Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.</p><p></p><p><strong>OT Discussion</strong></p><p>Reconstitution of the OT includes considering whether system state variables should be restored to initial values or the values before disruption (e.g., are valves restored to full open, full closed, or settings prior to disruption). Restoring system state variables may be disruptive to ongoing physical processes (e.g., valves initially closed may adversely affect system cooling).</p>",
                "controlId": "CP-10",
                "family": "Contingency Planning",
                "enhancements": "<strong>Enhancements</strong><ul><li>CP-10(2) - Transaction Recovery</li><li>CP-10(4) - Restore Within Time Period</li><li>CP-10(6) - Component Protection</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "77753dad-1279-49dc-bdf1-27491fd2eb5a",
                        "parameterId": "CP-12-2",
                        "text": "restrictions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined restrictions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-12_odp.01"
                    },
                    {
                        "uuid": "17c77424-bac5-4419-addc-dee8a87bc990",
                        "parameterId": "CP-12-1",
                        "text": "conditions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined conditions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "cp-12_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "dab2f219-be7a-4caa-bd39-1f75b52d3455",
                        "name": "CP-12",
                        "objectiveType": "",
                        "otherId": "cp-12_smt",
                        "description": "When {{ insert: param, CP-12-1 }} are detected, enter a safe mode of operation with {{ insert: param, CP-12-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "bb45061b-7ad9-46e9-9417-5cbb030b1922",
                        "testId": "CP-12-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing safe mode of operation for the system.</li><li>Contingency plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System administration manuals.</li><li>System operation manuals.</li><li>System installation manuals.</li><li>Contingency plan test records.</li><li>Incident handling records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1adf252b-96ee-46ae-91c6-6916d013c39a",
                        "testId": "CP-12-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operation responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "26185b1c-e88f-4cf0-81c7-2130989c8542",
                        "testId": "CP-12-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing safe mode of operation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b943e626-ca21-4f38-a5b1-e77a5adfa5a4",
                        "testId": "CP-12",
                        "test": "Determine if a safe mode of operation is entered with  [SELECTED PARAMETER VALUE(S): restrictions ]  when  [SELECTED PARAMETER VALUE(S): conditions ]  are detected.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Contingency planning policy.</li><li>Procedures addressing safe mode of operation for the system.</li><li>Contingency plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System administration manuals.</li><li>System operation manuals.</li><li>System installation manuals.</li><li>Contingency plan test records.</li><li>Incident handling records.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operation responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing safe mode of operation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3a04d244-6cad-46c2-bdab-2e1cca8c5a36",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "CP-12 - Safe Mode",
                "description": "When  {{ insert: param, CP-12-1 }}  are detected, enter a safe mode of operation with  {{ insert: param, CP-12-2 }}.<br/><strong>Discussion</strong><br/><p>For systems that support critical mission and business functions\u00e2\u20ac\u201dincluding military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)\u00e2\u20ac\u201dorganizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth.</p>",
                "controlId": "CP-12",
                "family": "Contingency Planning",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ccca78cc-835b-4620-bb89-738670e80ae5",
                        "parameterId": "IA-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-1_prm_1"
                    },
                    {
                        "uuid": "14ac8064-7bf7-4c64-a935-0b4497185ff0",
                        "parameterId": "IA-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-01_odp.03"
                    },
                    {
                        "uuid": "e1f8eb33-e012-439b-82ad-e7fc5766a554",
                        "parameterId": "IA-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-01_odp.04"
                    },
                    {
                        "uuid": "db4b084d-7041-489c-81cd-a802f4a0eefc",
                        "parameterId": "IA-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-01_odp.05"
                    },
                    {
                        "uuid": "f5d8c271-55c0-4b59-ba1a-c6388edd6cf9",
                        "parameterId": "IA-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-01_odp.06"
                    },
                    {
                        "uuid": "4ed096bd-c20b-47b0-a6c7-d0e6b4595137",
                        "parameterId": "IA-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-01_odp.07"
                    },
                    {
                        "uuid": "8f9d3861-2d6d-44e7-830a-4c4ea7dbad62",
                        "parameterId": "IA-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "fb8f85d9-9b23-4c7f-9a2c-aaef18e2a386",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ia-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, IA-1(a) }}:</li><ul><li>1. {{ insert: param, IA-1(a)(1) }} identification and authentication policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;</li></ul>"
                    },
                    {
                        "uuid": "19921aee-1306-4cdd-a8d0-85e1534ff22d",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ia-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, IA-1(b) }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "d6b6c3a4-4989-4f16-bd4e-dd819e384df9",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ia-1_smt.c",
                        "description": "<ul><li>c. Review and update the current identification and authentication:</li><ul><li>1. Policy {{ insert: param, IA-1(c)(1)-1 }} and following {{ insert: param, IA-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, IA-1(c)(2)-1 }} and following {{ insert: param, IA-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "dd511610-6087-40ea-9593-7ef9060dcb6f",
                        "testId": "IA-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "41eef9d7-6a66-4985-915a-f9bf7dad14d3",
                        "testId": "IA-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "46bfa0c1-256d-4a1a-884a-adf3a8095779",
                        "testId": "IA-01a.[01]",
                        "test": "Determine if an identification and authentication policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "89d21891-9009-4724-a6ae-95a604bc5c5e",
                        "testId": "IA-01a.[02]",
                        "test": "Determine if the identification and authentication policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1a9f3d16-033c-4b57-a072-cccdbd350373",
                        "testId": "IA-01a.[03]",
                        "test": "Determine if identification and authentication procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "121e84ee-3680-4c30-a112-fffa93f736d3",
                        "testId": "IA-01a.[04]",
                        "test": "Determine if the identification and authentication procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "51f1624e-6a89-45b1-8976-59ac6327c713",
                        "testId": "IA-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "deccbdce-8019-421d-b7f3-c0b54f62b9db",
                        "testId": "IA-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b37e9bed-dae9-47ff-a986-0da57ff80aa3",
                        "testId": "IA-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ac7d44fd-96f3-4a16-b323-e6b89d5956bf",
                        "testId": "IA-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "37b87519-e8cd-4272-830e-65da6cade754",
                        "testId": "IA-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2f4b98c2-216d-46ac-a951-aa7fb9a8f776",
                        "testId": "IA-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6133a001-d57e-4dab-9727-5e9b53fa30a2",
                        "testId": "IA-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6729bbe8-52dc-4e5f-a2a8-fa23ad7e9168",
                        "testId": "IA-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "96d36538-160e-4c35-8f42-721b7de949d7",
                        "testId": "IA-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "af8907c3-4cff-46a3-986b-34860b7a4306",
                        "testId": "IA-01c.01[01]",
                        "test": "Determine if the current identification and authentication policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9015284a-27dc-45c9-b7ee-9658a587e168",
                        "testId": "IA-01c.01[02]",
                        "test": "Determine if the current identification and authentication policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ea4364bb-cc9f-4614-9b44-fba5d0d47775",
                        "testId": "IA-01c.02[01]",
                        "test": "Determine if the current identification and authentication procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "00f65125-3763-4589-9921-bf9f449bb0a2",
                        "testId": "IA-01c.02[02]",
                        "test": "Determine if the current identification and authentication procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>List of events requiring identification and authentication procedures to be reviewed and updated (e.g., audit findings).</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identification and authentication responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "6206d1fe-7f59-408d-a7a5-369c93c55701",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, IA-1(a) }}:</p><ul><li><p>1. {{ insert: param, IA-1(a)(1) }} identification and authentication policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, IA-1(b) }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and</p></li><li><p>c. Review and update the current identification and authentication:</p><ul><li><p>1. Policy {{ insert: param, IA-1(c)(1)-1 }} and following {{ insert: param, IA-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, IA-1(c)(2)-1 }} and following {{ insert: param, IA-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Identification and authentication policy and procedures address the controls in the IA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of identification and authentication policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to identification and authentication policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "IA-1",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "7e8835af-b3c4-4dd0-8515-c522e23f8709",
                        "name": "IA-2",
                        "objectiveType": "",
                        "otherId": "ia-2_smt",
                        "description": "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users."
                    }
                ],
                "tests": [
                    {
                        "uuid": "e90e9e80-851c-4252-9d7f-9b8e8c5b01fc",
                        "testId": "IA-02[01]",
                        "test": "Determine if organizational users are uniquely identified and authenticated;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing user identification and authentication.</li><li>System security plan, system design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for uniquely identifying and authenticating users.</li><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ec270e90-031a-4f20-a9d0-6914245c65f1",
                        "testId": "IA-02[02]",
                        "test": "Determine if the unique identification of authenticated organizational users is associated with processes acting on behalf of those users.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing user identification and authentication.</li><li>System security plan, system design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for uniquely identifying and authenticating users.</li><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "69e81358-5f64-455c-a017-a6fedcf04faf",
                        "testId": "IA-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing user identification and authentication.</li><li>System security plan, system design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b839e9b9-05e7-4386-855c-d677a6c1b664",
                        "testId": "IA-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4a8e72b6-7920-4f59-903e-ba5ed70eb4fe",
                        "testId": "IA-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for uniquely identifying and authenticating users.</li><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9f1bf6d4-96fc-41f0-ab17-b654e3a9433f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-02 - Identification and Authentication (Organizational Users)",
                "description": "<p>Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.<br><strong>Discussion</strong><br></p><p>Organizations can satisfy the identification and authentication requirements by complying with the requirements in <a href=\"#f16e438e-7114-4144-bfe2-2dfcad8cb2d0\">HSPD 12</a> . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in <a href=\"#ac-14\">AC-14</a> and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.</p><p>Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.</p><p>The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in <a href=\"#ia-8\">IA-8</a>.</p><p></p><p><strong>OT Discussion</strong></p><p>When shared accounts are required, compensating controls include providing increased physical security, personnel security, and auditing measures. For certain OT, the capability for immediate operator interaction is critical. Local emergency actions for OT are not hampered by identification or authentication requirements. Access to these systems may be restricted by appropriate physical controls.</p>",
                "controlId": "IA-2",
                "family": "Identification and Authentication",
                "enhancements": "<strong>Enhancements</strong><ul><li>IA-2(1) - Multi-factor Authentication to Privileged Accounts</li><li>IA-2(2) - Multi-factor Authentication to Non-privileged Accounts</li><li>IA-2(5) - Individual Authentication with Group Authentication</li><li>IA-2(6) - Access to Accounts \u00e2\u20ac\u201dseparate Device</li><li>IA-2(8) - Access to Accounts \u00e2\u20ac\u201d Replay Resistant</li><li>IA-2(10) - Single Sign-on</li><li>IA-2(12) - Acceptance of PIV Credentials</li><li>IA-2(13) - Out-of-band Authentication</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "c4629071-93c3-48b5-9b0e-c3a897ae9c0f",
                        "name": "IA-2(1)",
                        "objectiveType": "",
                        "otherId": "ia-2.1_smt",
                        "description": "Implement multi-factor authentication for access to privileged accounts."
                    }
                ],
                "tests": [
                    {
                        "uuid": "d0fd41ff-793d-4f09-9893-0d3b5e5c57cd",
                        "testId": "IA-02(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing user identification and authentication.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6e77b128-a236-4365-b939-15ca7c82b66c",
                        "testId": "IA-02(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "29aa4dff-8636-472b-b95a-d865e6354c06",
                        "testId": "IA-02(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing a multi-factor authentication capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0a66dca4-e278-46ec-8878-c40f71dbc217",
                        "testId": "IA-02(01)",
                        "test": "Determine if multi-factor authentication is implemented for access to privileged accounts.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing user identification and authentication.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing a multi-factor authentication capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d8698082-5396-4cec-8c63-405b49d13027",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-02(01) - Multi-factor Authentication to Privileged Accounts",
                "description": "<p>Implement multi-factor authentication for access to privileged accounts.<br><strong>Discussion</strong><br></p><p>Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card (CAC). In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.</p><p></p><p><strong>OT Discussion</strong></p><p>As a compensating control, physical access restrictions may sufficiently represent one authentication factor, provided that the system is not remotely accessible.</p>",
                "controlId": "IA-2(1)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "cd610858-0ab9-4fcc-87b5-1bc39341d243",
                        "name": "IA-2(2)",
                        "objectiveType": "",
                        "otherId": "ia-2.2_smt",
                        "description": "Implement multi-factor authentication for access to non-privileged accounts."
                    }
                ],
                "tests": [
                    {
                        "uuid": "85efebf4-c615-472b-a523-8e6a59d870d8",
                        "testId": "IA-02(02)",
                        "test": "Determine if multi-factor authentication for access to non-privileged accounts is implemented.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing a multi-factor authentication capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8556c9a2-30df-43a4-a7a3-f58bbbaecc6f",
                        "testId": "IA-02(02)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4b982329-18fd-49e2-9a4c-7d02557986f8",
                        "testId": "IA-02(02)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "757b8685-dd96-4de8-8cb9-dc28e7414ec4",
                        "testId": "IA-02(02)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing a multi-factor authentication capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "35dd7494-16d7-4dc0-a0ac-2ab827305a1d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-02(02) - Multi-factor Authentication to Non-privileged Accounts",
                "description": "<p>Implement multi-factor authentication for access to non-privileged accounts.<br><strong>Discussion</strong><br></p><p>Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification card or the DoD Common Access Card. In addition to authenticating users at the system level, organizations may also employ authentication mechanisms at the application level, at their discretion, to provide increased information security. Regardless of the type of access (i.e., local, network, remote), non-privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can provide additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.</p><p></p><p><strong>OT Discussion</strong></p><p>As a compensating control, physical access restrictions may sufficiently represent one authentication factor, provided that the system is not remotely accessible.</p>",
                "controlId": "IA-2(2)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "59f00c58-dff0-46c7-90cd-6e5d7cd98bfb",
                        "parameterId": "IA-2(8)",
                        "text": "[Selection (one or more): privileged accounts; non-privileged accounts]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): privileged accounts; non-privileged accounts]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-02.08_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b7c1aee5-1a9f-4177-b087-ded395d1cd5e",
                        "name": "IA-2(8)",
                        "objectiveType": "",
                        "otherId": "ia-2.8_smt",
                        "description": "Implement replay-resistant authentication mechanisms for access to {{ insert: param, IA-2(8) }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "36176955-0226-4c07-929f-b3a83e005f87",
                        "testId": "IA-02(08)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of privileged system accounts.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a4002d63-eab2-4679-ac92-059549c9f4ed",
                        "testId": "IA-02(08)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dc59f690-d350-4e01-b487-07d39059fe1f",
                        "testId": "IA-02(08)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms supporting and/or implementing replay-resistant authentication mechanisms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b85e89e1-b89f-4bfb-a49e-49554a1b4c82",
                        "testId": "IA-02(08)",
                        "test": "Determine if replay-resistant authentication mechanisms for access to  [SELECTED PARAMETER VALUE(S): [Selection (one or more): privileged accounts; non-privileged accounts] ]  are implemented.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of privileged system accounts.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms supporting and/or implementing replay-resistant authentication mechanisms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "e059a8f1-9b70-40a8-8a7a-fa26eb982945",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-02(08) - Access to Accounts \u00e2\u20ac\u201d Replay Resistant",
                "description": "Implement replay-resistant authentication mechanisms for access to  {{ insert: param, IA-2(8) }}.<br/><strong>Discussion</strong><br/><p>Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.</p>",
                "controlId": "IA-2(8)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "25174bf0-ab14-41f7-97e5-7ba125908ebd",
                        "name": "IA-2(12)",
                        "objectiveType": "",
                        "otherId": "ia-2.12_smt",
                        "description": "Accept and electronically verify Personal Identity Verification-compliant credentials."
                    }
                ],
                "tests": [
                    {
                        "uuid": "8b266a97-2a10-4231-ba60-13b89e38c924",
                        "testId": "IA-02(12)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Piv verification records.</li><li>Evidence of piv credentials.</li><li>Piv credential authorizations.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "02c580cf-e193-47fb-af4c-552536f66075",
                        "testId": "IA-02(12)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "06aaa677-bb32-4147-b5a8-ff6ba0b753c1",
                        "testId": "IA-02(12)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing acceptance and verification of piv credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5979b84e-9607-4943-86af-e3fcee0b7f67",
                        "testId": "IA-02(12)",
                        "test": "Determine if personal identity verification-compliant credentials are accepted and electronically verified.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Piv verification records.</li><li>Evidence of piv credentials.</li><li>Piv credential authorizations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing acceptance and verification of piv credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "0c548ef3-2a5a-4b44-ae7c-95c45ec7de8b",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-02(12) - Acceptance of PIV Credentials",
                "description": "<p>Accept and electronically verify Personal Identity Verification-compliant credentials.<br><strong>Discussion</strong><br></p><p>Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using <a href=\"#10963761-58fc-4b20-b3d6-b44a54daba03\">SP 800-79-2</a> . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in <a href=\"#e8552d48-cf41-40aa-8b06-f45f7fb4706c\">SP 800-166</a> . The DOD Common Access Card (CAC) is an example of a PIV credential.</p><p></p><p><strong>OT Discussion</strong></p><p>The acceptance of PIV credentials is only required for federal organizations, as defined by OMB Memorandum M-19-17 [OMB-M1917]. Non-federal organizations should refer to IA-2 (1) (2) for guidance on multi-factor authentication credentials. Furthermore, many OT systems do not have the ability to accept PIV credentials and will require compensating controls.</p>",
                "controlId": "IA-2(12)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "92be5891-9472-4319-8870-d15d16bbbe6a",
                        "parameterId": "IA-3-1",
                        "text": "devices and/or types of devices",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined devices and/or types of devices] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-03_odp.01"
                    },
                    {
                        "uuid": "bfbbfe27-c6f4-46f7-a790-47adcf7e4998",
                        "parameterId": "IA-3-2",
                        "text": "[Selection (one or more): local; remote; network]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): local; remote; network]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-03_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "95b9927f-9bc1-428d-8b14-4bfacb340a0d",
                        "name": "IA-3",
                        "objectiveType": "",
                        "otherId": "ia-3_smt",
                        "description": "Uniquely identify and authenticate {{ insert: param, IA-3-1 }} before establishing a {{ insert: param, IA-3-2 }} connection."
                    }
                ],
                "tests": [
                    {
                        "uuid": "319417d8-1a3b-4694-9845-5201d7c090f8",
                        "testId": "IA-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing device identification and authentication.</li><li>System design documentation.</li><li>List of devices requiring unique identification and authentication.</li><li>Device connection reports.</li><li>System configuration settings and associated documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab035012-8d09-4f29-9dca-57fdbdcec3f8",
                        "testId": "IA-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with operational responsibilities for device identification and authentication.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f0805476-6fc4-40d4-800f-612c8fadbb8e",
                        "testId": "IA-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing device identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f05333b2-0343-456d-a8fe-87eec327af51",
                        "testId": "IA-03",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): devices and/or types of devices ]  are uniquely identified and authenticated before establishing a  [SELECTED PARAMETER VALUE(S): [Selection (one or more): local; remote; network] ]  connection.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing device identification and authentication.</li><li>System design documentation.</li><li>List of devices requiring unique identification and authentication.</li><li>Device connection reports.</li><li>System configuration settings and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with operational responsibilities for device identification and authentication.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing device identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "0884bbd7-fed6-48a5-9517-dd80fff49996",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-03 - Device Identification and Authentication",
                "description": "Uniquely identify and authenticate  {{ insert: param, IA-3-1 }}  before establishing a  {{ insert: param, IA-3-2 }}  connection.<br/><strong>Discussion</strong><br/><p>Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs.</p>",
                "controlId": "IA-3",
                "family": "Identification and Authentication",
                "enhancements": "<strong>Enhancements</strong><ul><li>IA-3(1) - Cryptographic Bidirectional Authentication</li><li>IA-3(3) - Dynamic Address Allocation</li><li>IA-3(4) - Device Attestation</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "9744a7de-37d8-4f08-afc5-e3bbae3b53e0",
                        "parameterId": "IA-4(a)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-04_odp.01"
                    },
                    {
                        "uuid": "092740a7-fe25-4648-84db-e3edef8904ff",
                        "parameterId": "IA-4(d)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-04_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "ad4ff9f2-533d-4536-907e-18a6a2ca75a2",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ia-4_smt.a",
                        "description": "<ul><li>a. Manage system identifiers by: Receiving authorization from {{ insert: param, IA-4(a) }} to assign an individual, group, role, service, or device identifier;</li></ul>"
                    },
                    {
                        "uuid": "0b432d8a-408f-4b45-9031-8a6c50db9d9a",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ia-4_smt.b",
                        "description": "<ul><li>b. Manage system identifiers by: Selecting an identifier that identifies an individual, group, role, service, or device;</li></ul>"
                    },
                    {
                        "uuid": "862adc09-2dab-4429-aa36-57d59b8c09d7",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ia-4_smt.c",
                        "description": "<ul><li>c. Manage system identifiers by: Assigning the identifier to the intended individual, group, role, service, or device; and</li></ul>"
                    },
                    {
                        "uuid": "62872236-de07-4739-89d6-9008ed1a3e56",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ia-4_smt.d",
                        "description": "<ul><li>d. Manage system identifiers by: Preventing reuse of identifiers for {{ insert: param, IA-4(d) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "8451cc09-7eb0-4b80-84f5-0c89ef00ae0d",
                        "testId": "IA-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing identifier management.</li><li>Procedures addressing account management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system accounts.</li><li>List of identifiers generated from physical access control devices.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d999127d-37c6-4e23-849d-95e3e810606b",
                        "testId": "IA-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with identifier management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "acdde535-8064-474e-a2d5-e2d7c7754e0d",
                        "testId": "IA-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing identifier management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "37c0de7c-8297-428e-90a6-3f92b99fd74e",
                        "testId": "IA-04a.",
                        "test": "Determine if system identifiers are managed by receiving authorization from  [SELECTED PARAMETER VALUE(S): personnel or roles ]  to assign to an individual, group, role, or device identifier;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing identifier management.</li><li>Procedures addressing account management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system accounts.</li><li>List of identifiers generated from physical access control devices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identifier management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identifier management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a9cd750b-0fec-4676-b9c6-06e95b5a0c79",
                        "testId": "IA-04b.",
                        "test": "Determine if system identifiers are managed by selecting an identifier that identifies an individual, group, role, service, or device;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing identifier management.</li><li>Procedures addressing account management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system accounts.</li><li>List of identifiers generated from physical access control devices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identifier management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identifier management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "78acce00-d8d6-4df4-aef4-45eff29dc5a3",
                        "testId": "IA-04c.",
                        "test": "Determine if system identifiers are managed by assigning the identifier to the intended individual, group, role, service, or device;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing identifier management.</li><li>Procedures addressing account management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system accounts.</li><li>List of identifiers generated from physical access control devices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identifier management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identifier management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d7bd0747-43c8-41b9-a2e7-b54bcc27c169",
                        "testId": "IA-04d.",
                        "test": "Determine if system identifiers are managed by preventing reuse of identifiers for  [SELECTED PARAMETER VALUE(S): time period ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing identifier management.</li><li>Procedures addressing account management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system accounts.</li><li>List of identifiers generated from physical access control devices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with identifier management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identifier management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "6d5273a3-3a3d-44c7-ae8c-5c0b8a10afb8",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-04 - Identifier Management",
                "description": "Manage system identifiers by:<ul><li>a. Receiving authorization from  {{ insert: param, IA-4(a) }}  to assign an individual, group, role, service, or device identifier;</li><li>b. Selecting an identifier that identifies an individual, group, role, service, or device;</li><li>c. Assigning the identifier to the intended individual, group, role, service, or device; and</li><li>d. Preventing reuse of identifiers for  {{ insert: param, IA-4(d) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of  <a href=\"#ac-2\">AC-2</a>  use account names provided by  <a href=\"#ia-4\">IA-4</a> . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.</p>",
                "controlId": "IA-4",
                "family": "Identification and Authentication",
                "enhancements": "<strong>Enhancements</strong><ul><li>IA-4(1) - Prohibit Account Identifiers as Public Identifiers</li><li>IA-4(4) - Identify User Status</li><li>IA-4(5) - Dynamic Management</li><li>IA-4(6) - Cross-organization Management</li><li>IA-4(8) - Pairwise Pseudonymous Identifiers</li><li>IA-4(9) - Attribute Maintenance and Protection</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "28825e30-17cd-43d0-bb55-f702ef5afb88",
                        "parameterId": "IA-5(f)-1",
                        "text": "time period by authenticator type",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period by authenticator type] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-05_odp.01"
                    },
                    {
                        "uuid": "9ab4fcac-c420-4e7b-8246-455cf4d5898e",
                        "parameterId": "IA-5(f)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-05_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "1097d9bd-2341-4606-9e4f-85318a43cbb6",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.a",
                        "description": "<ul><li>a. Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;</li></ul>"
                    },
                    {
                        "uuid": "ba307dc0-d140-4c86-8d4e-3ddf2e5a4a51",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.b",
                        "description": "<ul><li>b. Manage system authenticators by: Establishing initial authenticator content for any authenticators issued by the organization;</li></ul>"
                    },
                    {
                        "uuid": "5e2b8137-eb70-469a-9d9f-0dfbbdbc1dad",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.c",
                        "description": "<ul><li>c. Manage system authenticators by: Ensuring that authenticators have sufficient strength of mechanism for their intended use;</li></ul>"
                    },
                    {
                        "uuid": "582e6362-e6e6-4f6f-9d16-7c21ffc7ed62",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.d",
                        "description": "<ul><li>d. Manage system authenticators by: Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;</li></ul>"
                    },
                    {
                        "uuid": "b46d933a-7a1a-48da-a3a2-016971cab21d",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.e",
                        "description": "<ul><li>e. Manage system authenticators by: Changing default authenticators prior to first use;</li></ul>"
                    },
                    {
                        "uuid": "feee98d6-6917-442c-be39-911d94b88613",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.f",
                        "description": "<ul><li>f. Manage system authenticators by: Changing or refreshing authenticators {{ insert: param, IA-5(f)-1 }} or when {{ insert: param, IA-5(f)-2 }} occur;</li></ul>"
                    },
                    {
                        "uuid": "01a59530-fb4a-4466-a849-1e23258bb8c1",
                        "name": "g.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.g",
                        "description": "<ul><li>g. Manage system authenticators by: Protecting authenticator content from unauthorized disclosure and modification;</li></ul>"
                    },
                    {
                        "uuid": "3da3a56d-86a7-46cb-bbfe-0360350ca58e",
                        "name": "h.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.h",
                        "description": "<ul><li>h. Manage system authenticators by: Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and</li></ul>"
                    },
                    {
                        "uuid": "0bcaf3df-5fa0-4286-b81a-f86174821b70",
                        "name": "i.",
                        "objectiveType": "",
                        "otherId": "ia-5_smt.i",
                        "description": "<ul><li>i. Manage system authenticators by: Changing authenticators for group or role accounts when membership to those accounts changes.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "942db52d-011a-4505-841c-bdbcc97e2833",
                        "testId": "IA-05a.",
                        "test": "Determine if system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "827d175e-31d4-46ca-91b5-df9e39752de9",
                        "testId": "IA-05b.",
                        "test": "Determine if system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "91d5f3fc-89b1-4fbe-835a-20430721973a",
                        "testId": "IA-05c.",
                        "test": "Determine if system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e3ac1637-6124-40df-b556-e287d4b65293",
                        "testId": "IA-05d.",
                        "test": "Determine if system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b4178b80-f0c1-4d41-9013-00b12b097dbb",
                        "testId": "IA-05e.",
                        "test": "Determine if system authenticators are managed through the change of default authenticators prior to first use;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "464acf24-4892-462d-90b2-638e1691b6d4",
                        "testId": "IA-05f.",
                        "test": "Determine if system authenticators are managed through the change or refreshment of authenticators  [SELECTED PARAMETER VALUE(S): time period by authenticator type ]  or when  [SELECTED PARAMETER VALUE(S): events ]  occur;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "175595dc-002f-41c8-bb93-09ec862ae2a1",
                        "testId": "IA-05g.",
                        "test": "Determine if system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8fc23443-5468-497a-8249-e021a97a185f",
                        "testId": "IA-05h.[01]",
                        "test": "Determine if system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "13e92e73-e31f-4a58-9866-9d620ff41474",
                        "testId": "IA-05h.[02]",
                        "test": "Determine if system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a9b26577-1528-4a07-8ea8-2a521e503c22",
                        "testId": "IA-05i.",
                        "test": "Determine if system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6a4a58e9-28bc-40b5-b3be-29b0d1c3d068",
                        "testId": "IA-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Addressing authenticator management.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of system authenticator types.</li><li>Change control records associated with managing system authenticators.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bd9e7c06-ea07-455b-81a8-5b3436795307",
                        "testId": "IA-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6f75a0e8-6b88-48b0-afc6-dd934c0136b9",
                        "testId": "IA-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "202ea754-5fc6-4318-85fe-8ffeb8856ccc",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-05 - Authenticator Management",
                "description": "<p>Manage system authenticators by:</p><ul><li><p>a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;</p></li><li><p>b. Establishing initial authenticator content for any authenticators issued by the organization;</p></li><li><p>c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;</p></li><li><p>d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;</p></li><li><p>e. Changing default authenticators prior to first use;</p></li><li><p>f. Changing or refreshing authenticators {{ insert: param, IA-5(f)-1 }} or when {{ insert: param, IA-5(f)-2 }} occur;</p></li><li><p>g. Protecting authenticator content from unauthorized disclosure and modification;</p></li><li><p>h. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and</p></li><li><p>i. Changing authenticators for group or role accounts when membership to those accounts changes.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control <a href=\"#pl-4\">PL-4</a> or <a href=\"#ps-6\">PS-6</a> for authenticators in the possession of individuals and by controls <a href=\"#ac-3\">AC-3</a>, <a href=\"#ac-6\">AC-6</a> , and <a href=\"#sc-28\">SC-28</a> for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.</p><p>Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.</p><p></p><p><strong>OT Discussion</strong></p><p>Example compensating controls include physical access control and encapsulating the OT to provide authentication external to the OT.</p>",
                "controlId": "IA-5",
                "family": "Identification and Authentication",
                "enhancements": "<strong>Enhancements</strong><ul><li>IA-5(1) - Password-based Authentication</li><li>IA-5(2) - Public Key-based Authentication</li><li>IA-5(5) - Change Authenticators Prior to Delivery</li><li>IA-5(6) - Protection of Authenticators</li><li>IA-5(7) - No Embedded Unencrypted Static Authenticators</li><li>IA-5(8) - Multiple System Accounts</li><li>IA-5(9) - Federated Credential Management</li><li>IA-5(10) - Dynamic Credential Binding</li><li>IA-5(12) - Biometric Authentication Performance</li><li>IA-5(13) - Expiration of Cached Authenticators</li><li>IA-5(14) - Managing Content of PKI Trust Stores</li><li>IA-5(15) - Gsa-approved Products and Services</li><li>IA-5(16) - In-person or Trusted External Party Authenticator Issuance</li><li>IA-5(17) - Presentation Attack Detection for Biometric Authenticators</li><li>IA-5(18) - Password Managers</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "424f92d6-022a-44c1-bb12-5fc3c4a42e85",
                        "parameterId": "IA-5(1)(a)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-05.01_odp.01"
                    },
                    {
                        "uuid": "8a4796eb-11ef-4687-8388-0e3a8480ce3a",
                        "parameterId": "IA-5(1)(h)",
                        "text": "composition and complexity rules",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined composition and complexity rules] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-05.01_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "ea7efec3-4885-48cf-b66b-959dca781c5a",
                        "name": "(a)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.a",
                        "description": "<ul><li>(a) For password-based authentication: Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, IA-5(1)(a) }} and when organizational passwords are suspected to have been compromised directly or indirectly;</li></ul>"
                    },
                    {
                        "uuid": "d6893746-9af0-4e28-88c8-8043236aafc0",
                        "name": "(b)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.b",
                        "description": "<ul><li>(b) For password-based authentication: Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);</li></ul>"
                    },
                    {
                        "uuid": "eee4fb2e-5797-4f58-aac9-143d6c11e922",
                        "name": "(c)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.c",
                        "description": "<ul><li>(c) For password-based authentication: Transmit passwords only over cryptographically-protected channels;</li></ul>"
                    },
                    {
                        "uuid": "9298ddc2-a7fd-42bd-9bf8-d1b029f60aed",
                        "name": "(d)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.d",
                        "description": "<ul><li>(d) For password-based authentication: Store passwords using an approved salted key derivation function, preferably using a keyed hash;</li></ul>"
                    },
                    {
                        "uuid": "9da17714-2090-4aae-b150-004ee62f9b22",
                        "name": "(e)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.e",
                        "description": "<ul><li>(e) For password-based authentication: Require immediate selection of a new password upon account recovery;</li></ul>"
                    },
                    {
                        "uuid": "75b0d244-16f6-49d9-9dd9-53aa89412044",
                        "name": "(f)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.f",
                        "description": "<ul><li>(f) For password-based authentication: Allow user selection of long passwords and passphrases, including spaces and all printable characters;</li></ul>"
                    },
                    {
                        "uuid": "333bc4a2-16f0-4ef4-9a90-731fdf1a8751",
                        "name": "(g)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.g",
                        "description": "<ul><li>(g) For password-based authentication: Employ automated tools to assist the user in selecting strong password authenticators; and</li></ul>"
                    },
                    {
                        "uuid": "e2d9b229-7065-445b-96ad-65ef36b3d2ef",
                        "name": "(h)",
                        "objectiveType": "",
                        "otherId": "ia-5.1_smt.h",
                        "description": "<ul><li>(h) For password-based authentication: Enforce the following composition and complexity rules: {{ insert: param, IA-5(1)(h) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "d420dcd5-9a77-47dc-8947-f0845daf1774",
                        "testId": "IA-05(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7f37859c-9a5a-4d97-9ae3-e7fe77b3b93d",
                        "testId": "IA-05(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a28f53d5-a4cb-4590-9661-6ab62d0f9fa4",
                        "testId": "IA-05(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8ecc1675-2632-4f42-a523-c0bd6ed1d87a",
                        "testId": "IA-05(01)(a)",
                        "test": "Determine if for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated  [SELECTED PARAMETER VALUE(S): frequency ]  and when organizational passwords are suspected to have been compromised directly or indirectly;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ac8bd182-2a15-4f5e-b389-3f1a896d2d4a",
                        "testId": "IA-05(01)(b)",
                        "test": "Determine if for password-based authentication when passwords are created or updated by users, the passwords are verified not to be found on the list of commonly used, expected, or compromised passwords in ia-05(01)(a);<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ff5da89-ed1d-4bf9-9a67-0b6fab5df829",
                        "testId": "IA-05(01)(c)",
                        "test": "Determine if for password-based authentication, passwords are only transmitted over cryptographically protected channels;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2b44b66f-5fc0-4eb7-84b2-6a5d99f58fa7",
                        "testId": "IA-05(01)(d)",
                        "test": "Determine if for password-based authentication, passwords are stored using an approved salted key derivation function, preferably using a keyed hash;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5156353d-50f3-491c-b8bb-93a2d9ee6153",
                        "testId": "IA-05(01)(e)",
                        "test": "Determine if for password-based authentication, immediate selection of a new password is required upon account recovery;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "27bdf0d1-23a9-4523-b9e1-511b81f5d4a1",
                        "testId": "IA-05(01)(f)",
                        "test": "Determine if for password-based authentication, user selection of long passwords and passphrases is allowed, including spaces and all printable characters;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0e550b93-5bc5-48c9-bd50-f3d2acacf16b",
                        "testId": "IA-05(01)(g)",
                        "test": "Determine if for password-based authentication, automated tools are employed to assist the user in selecting strong password authenticators;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d05924f0-7cb0-4eea-bd31-eb6b242f1ca4",
                        "testId": "IA-05(01)(h)",
                        "test": "Determine if for password-based authentication,  [SELECTED PARAMETER VALUE(S): composition and complexity rules ]  are enforced.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Password policy.</li><li>Procedures addressing authenticator management.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Password configurations and associated documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with authenticator management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing password-based authenticator management capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "0ad00d4a-bc36-42ac-ba58-a6baa5deaf87",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-05(01) - Password-based Authentication",
                "description": "For password-based authentication:<ul><li>(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list  {{ insert: param, IA-5(1)(a) }}  and when organizational passwords are suspected to have been compromised directly or indirectly;</li><li>(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);</li><li>(c) Transmit passwords only over cryptographically-protected channels;</li><li>(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;</li><li>(e) Require immediate selection of a new password upon account recovery;</li><li>(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;</li><li>(g) Employ automated tools to assist the user in selecting strong password authenticators; and</li><li>(h) Enforce the following composition and complexity rules:  {{ insert: param, IA-5(1)(h) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Password-based authentication applies to passwords regardless of whether they are used in single-factor or multi-factor authentication. Long passwords or passphrases are preferable over shorter passwords. Enforced composition rules provide marginal security benefits while decreasing usability. However, organizations may choose to establish certain rules for password generation (e.g., minimum character length for long passwords) under certain circumstances and can enforce this requirement in IA-5(1)(h). Account recovery can occur, for example, in situations when a password is forgotten. Cryptographically protected passwords include salted one-way cryptographic hashes of passwords. The list of commonly used, compromised, or expected passwords includes passwords obtained from previous breach corpuses, dictionary words, and repetitive or sequential characters. The list includes context-specific words, such as the name of the service, username, and derivatives thereof.</p>",
                "controlId": "IA-5(1)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "6b0ba506-9a3e-4099-87e0-466ce98f4087",
                        "name": "IA-6",
                        "objectiveType": "",
                        "otherId": "ia-6_smt",
                        "description": "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals."
                    }
                ],
                "tests": [
                    {
                        "uuid": "b4d8db95-53d5-4786-9409-ac537c452f10",
                        "testId": "IA-06",
                        "test": "Determine if the feedback of authentication information is obscured during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing authenticator feedback.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eb1728b3-6191-408a-8391-c68d57a767cc",
                        "testId": "IA-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing authenticator feedback.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4b3a82ed-5dc3-47b5-94f7-c53177c74a8e",
                        "testId": "IA-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "987a71e6-76bb-40e0-847a-dda7ff33c95e",
                        "testId": "IA-06-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing the obscuring of feedback of authentication information during authentication.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "017f47f6-ee3b-4d8b-b9bf-4d006a46f27a",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-06 - Authentication Feedback",
                "description": "<p>Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.<br><strong>Discussion</strong><br></p><p>Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.</p><p></p><p><strong>OT Discussion</strong></p><p>This control assumes a visual interface that provides feedback about authentication information during the authentication process. When OT authentication uses an interface that does not support visual feedback (e.g., protocol-based authentication), this control may be tailored out.</p>",
                "controlId": "IA-6",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b319b4ce-51d8-48f1-b5e0-4e2c9d286c0d",
                        "name": "IA-7",
                        "objectiveType": "",
                        "otherId": "ia-7_smt",
                        "description": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication."
                    }
                ],
                "tests": [
                    {
                        "uuid": "c7b297ea-7927-483f-b421-699b941450a0",
                        "testId": "IA-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing cryptographic module authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "425403e3-5d5c-44cd-9d23-88d40af838ff",
                        "testId": "IA-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibility for cryptographic module authentication.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6950c202-1829-45f8-8f3b-26759971c06f",
                        "testId": "IA-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing cryptographic module authentication.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0bb4c15a-9242-4ae4-8d45-506a69a2c83d",
                        "testId": "IA-07",
                        "test": "Determine if mechanisms for authentication to a cryptographic module are implemented that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing cryptographic module authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for cryptographic module authentication.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing cryptographic module authentication.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "927ca906-5050-4c42-904c-266b0a62bddb",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-07 - Cryptographic Module Authentication",
                "description": "Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.<br/><strong>Discussion</strong><br/><p>Authentication mechanisms may be required within a cryptographic module to authenticate an operator accessing the module and to verify that the operator is authorized to assume the requested role and perform services within that role.</p>",
                "controlId": "IA-7",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "c2595888-0462-4b90-aed9-55588a8f6854",
                        "name": "IA-8",
                        "objectiveType": "",
                        "otherId": "ia-8_smt",
                        "description": "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users."
                    }
                ],
                "tests": [
                    {
                        "uuid": "0f1ba3b0-0f7c-49a1-93b3-1ec237a42602",
                        "testId": "IA-08",
                        "test": "Determine if non-organizational users or processes acting on behalf of non-organizational users are uniquely identified and authenticated.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "abf7c109-ec63-4ae2-a8f7-c69db380c569",
                        "testId": "IA-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of system accounts.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3d10792e-0d84-43da-9736-19f8a3ea0ab6",
                        "testId": "IA-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0da7201e-7605-43a1-83fa-b0991d5fd02a",
                        "testId": "IA-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "799b6347-8dc7-49a2-9867-08226736c7c9",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-08 - Identification and Authentication (Non-organizational Users)",
                "description": "<p>Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.<br><strong>Discussion</strong><br></p><p>Non-organizational users include system users other than organizational users explicitly covered by <a href=\"#ia-2\">IA-2</a> . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in <a href=\"#ac-14\">AC-14</a> . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors\u00e2\u20ac\u201dincluding security, privacy, scalability, and practicality\u00e2\u20ac\u201dwhen balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.</p><p></p><p><strong>OT Discussion</strong></p><p>The OT Discussion for IA-2, Identification and Authentication (Organizational Users) is applicable for non-organizational users.</p>",
                "controlId": "IA-8",
                "family": "Identification and Authentication",
                "enhancements": "<strong>Enhancements</strong><ul><li>IA-8(1) - Acceptance of PIV Credentials from Other Agencies</li><li>IA-8(2) - Acceptance of External Authenticators</li><li>IA-8(4) - Use of Defined Profiles</li><li>IA-8(5) - Acceptance of PIV-I Credentials</li><li>IA-8(6) - Disassociability</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "197cd7eb-f79c-4d9b-9744-b67dfe275b05",
                        "name": "IA-8(1)",
                        "objectiveType": "",
                        "otherId": "ia-8.1_smt",
                        "description": "Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies."
                    }
                ],
                "tests": [
                    {
                        "uuid": "4c0010b3-fe20-4f28-9c21-a8ca335f031f",
                        "testId": "IA-08(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Piv verification records.</li><li>Evidence of piv credentials.</li><li>Piv credential authorizations.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "31bbbe99-c5b3-49f5-8884-e8580ecb7f10",
                        "testId": "IA-08(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0aac21ac-13bf-452d-90a3-00b8c32d4b97",
                        "testId": "IA-08(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms that accept and verify piv credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "90de4db6-47cf-45e4-bb12-b0e5f9b2c8a8",
                        "testId": "IA-08(01)[01]",
                        "test": "Determine if personal identity verification-compliant credentials from other federal agencies are accepted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Piv verification records.</li><li>Evidence of piv credentials.</li><li>Piv credential authorizations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms that accept and verify piv credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "58f6692d-a08a-40a9-99f5-1a954c6ff076",
                        "testId": "IA-08(01)[02]",
                        "test": "Determine if personal identity verification-compliant credentials from other federal agencies are electronically verified.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Piv verification records.</li><li>Evidence of piv credentials.</li><li>Piv credential authorizations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms that accept and verify piv credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "897ec432-f85c-448a-9b44-a657f36eda26",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-08(01) - Acceptance of PIV Credentials from Other Agencies",
                "description": "<p>Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.<br><strong>Discussion</strong><br></p><p>Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using <a href=\"#10963761-58fc-4b20-b3d6-b44a54daba03\">SP 800-79-2</a>.</p><p></p><p><strong>OT Discussion</strong></p><p>Acceptance of PIV credentials is only required for organizations that follow OMB Memorandum M-19-17 [OMB-M1917] (e.g., federal agencies and contractors).</p>",
                "controlId": "IA-8(1)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a4613950-7512-4e27-8aae-751ad3d05600",
                        "name": "(a)",
                        "objectiveType": "",
                        "otherId": "ia-8.2_smt.a",
                        "description": "<ul><li>(a) Accept only external authenticators that are NIST-compliant; and</li></ul>"
                    },
                    {
                        "uuid": "683a506b-21d7-4169-9ab6-294ae73a8a4c",
                        "name": "(b)",
                        "objectiveType": "",
                        "otherId": "ia-8.2_smt.b",
                        "description": "<ul><li>(b) Document and maintain a list of accepted external authenticators.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "7dc542ae-fbcb-44f7-bd28-453dca4dd2bc",
                        "testId": "IA-08(02)(a)",
                        "test": "Determine if only external authenticators that are nist-compliant are accepted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of third-party credentialing products, components, or services procured and implemented by organization.</li><li>Third-party credential verification records.</li><li>Evidence of third-party credentials.</li><li>Third-party credential authorizations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms that accept external credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8f1a3379-cb94-4389-9704-b2e20a9977f3",
                        "testId": "IA-08(02)(b)[01]",
                        "test": "Determine if a list of accepted external authenticators is documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of third-party credentialing products, components, or services procured and implemented by organization.</li><li>Third-party credential verification records.</li><li>Evidence of third-party credentials.</li><li>Third-party credential authorizations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms that accept external credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1bd477df-27c3-4878-8dfc-b763337f55f4",
                        "testId": "IA-08(02)(b)[02]",
                        "test": "Determine if a list of accepted external authenticators is maintained.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of third-party credentialing products, components, or services procured and implemented by organization.</li><li>Third-party credential verification records.</li><li>Evidence of third-party credentials.</li><li>Third-party credential authorizations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms that accept external credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bd81a76e-870c-43ab-b68f-7a86d87b5d1f",
                        "testId": "IA-08(02)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>Procedures addressing user identification and authentication.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>List of third-party credentialing products, components, or services procured and implemented by organization.</li><li>Third-party credential verification records.</li><li>Evidence of third-party credentials.</li><li>Third-party credential authorizations.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "48604fe6-4dfa-4ec9-a7a6-1c69d0012ccb",
                        "testId": "IA-08(02)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "88b50db9-3a67-4a95-b5f6-a2f5b8def070",
                        "testId": "IA-08(02)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms that accept external credentials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "c382e676-d091-44b7-8e66-7c76cbc92b86",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-08(02) - Acceptance of External Authenticators",
                "description": "<ul><li><p>(a) Accept only external authenticators that are NIST-compliant; and</p></li><li><p>(b) Document and maintain a list of accepted external authenticators.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with <a href=\"#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce\">SP 800-63B</a> . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.</p><p></p><p><strong>OT Discussion</strong></p><p>Example compensating controls include implementing support external to the OT and multi-factor authentication.</p>",
                "controlId": "IA-8(2)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "e2668fce-5dd8-4ec3-a019-e252f965d7a9",
                        "parameterId": "IA-8(4)",
                        "text": "identity management profiles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined identity management profiles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-08.04_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "eb162b3c-c2aa-4c6c-810a-5fa4afe3c73d",
                        "name": "IA-8(4)",
                        "objectiveType": "",
                        "otherId": "ia-8.4_smt",
                        "description": "Conform to the following profiles for identity management {{ insert: param, IA-8(4) }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "4900d786-5b58-436b-9f11-e87b96d91842",
                        "testId": "IA-08(04)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a3be4185-b1c6-4bba-8131-f39654eecd5d",
                        "testId": "IA-08(04)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bcc2b01a-77da-4821-a753-4ba42f71c805",
                        "testId": "IA-08(04)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms supporting and/or implementing conformance with profiles.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c127a6d0-3b36-4c98-89c9-111586d8d0fb",
                        "testId": "IA-08(04)",
                        "test": "Determine if there is conformance with  [SELECTED PARAMETER VALUE(S): identity management profiles ]  for identity management.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with account management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li><li>Mechanisms supporting and/or implementing conformance with profiles.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ab3c5512-4871-4a72-bb14-f7ea6356982e",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-08(04) - Use of Defined Profiles",
                "description": "<p>Conform to the following profiles for identity management {{ insert: param, IA-8(4) }}.<br><strong>Discussion</strong><br></p><p>Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.</p><p></p><p><strong>OT Discussion</strong></p><p>Example compensating controls include implementing support external to the OT and multi-factor authentication.</p>",
                "controlId": "IA-8(4)",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "fb9fbe81-16ee-416b-9b0a-30fab99fe1f8",
                        "parameterId": "IA-11",
                        "text": "circumstances or situations",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined circumstances or situations] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ia-11_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "4a5682ad-6cf6-4d17-80ea-e2f655305411",
                        "name": "IA-11",
                        "objectiveType": "",
                        "otherId": "ia-11_smt",
                        "description": "Require users to re-authenticate when {{ insert: param, IA-11 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "623dfb73-217f-4df5-88b3-5b8f3ea050d5",
                        "testId": "IA-11",
                        "test": "Determine if users are required to re-authenticate when  [SELECTED PARAMETER VALUE(S): circumstances or situations ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing user and device re-authentication.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of circumstances or situations requiring re-authentication.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with identification and authentication responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4a5f8317-a8d7-4947-858d-a4964209f6f3",
                        "testId": "IA-11-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Identification and authentication policy.</li><li>Procedures addressing user and device re-authentication.</li><li>System security plan.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of circumstances or situations requiring re-authentication.</li><li>System audit records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "00cc6b17-6245-4618-a658-0876db5229a7",
                        "testId": "IA-11-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system operations responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developers.</li><li>Organizational personnel with identification and authentication responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "58371fc5-9f90-410a-b643-31e91cb3fe3d",
                        "testId": "IA-11-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing identification and authentication capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "aee4787c-7475-4cb2-aa7a-1982ab9aacf0",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IA-11 - Re-authentication",
                "description": "Require users to re-authenticate when  {{ insert: param, IA-11 }}.<br/><strong>Discussion</strong><br/><p>In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.</p>",
                "controlId": "IA-11",
                "family": "Identification and Authentication",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "408c1d24-8c8a-459a-b420-eb4198c81c19",
                        "parameterId": "IR-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-1_prm_1"
                    },
                    {
                        "uuid": "6e6c4b20-c7fe-48b4-8d65-f51ba9466e2f",
                        "parameterId": "IR-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-01_odp.03"
                    },
                    {
                        "uuid": "c1147e9b-1584-46aa-90d8-384962e72407",
                        "parameterId": "IR-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-01_odp.04"
                    },
                    {
                        "uuid": "a357e900-8eb3-4bbd-87d8-6af1583d9499",
                        "parameterId": "IR-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-01_odp.05"
                    },
                    {
                        "uuid": "33e1c477-94c0-4d48-8522-bf6a38960c20",
                        "parameterId": "IR-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-01_odp.06"
                    },
                    {
                        "uuid": "873c83ef-3643-49d8-b837-2c69200fd1cf",
                        "parameterId": "IR-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-01_odp.07"
                    },
                    {
                        "uuid": "cf5d33b7-0e75-4e7d-95ad-e800b0846c53",
                        "parameterId": "IR-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "6b10aabe-f3ec-42fc-b9f4-45d580b024a9",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ir-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, IR-1(a) }}:</li><ul><li>1. {{ insert: param, IR-1(a)(1) }} incident response policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;</li></ul>"
                    },
                    {
                        "uuid": "a40e78a0-3264-4415-9999-f0bdcb117fd3",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ir-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, IR-1(b) }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "5db1a53e-73d6-478e-b3ca-59ba042c1a3b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ir-1_smt.c",
                        "description": "<ul><li>c. Review and update the current incident response:</li><ul><li>1. Policy {{ insert: param, IR-1(c)(1)-1 }} and following {{ insert: param, IR-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, IR-1(c)(2)-1 }} and following {{ insert: param, IR-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "4d7790b7-71bb-44fb-b2b5-84df7d7b6e2a",
                        "testId": "IR-01a.[01]",
                        "test": "Determine if an incident response policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2644c505-8e55-49d3-aeb5-b8129532ccd3",
                        "testId": "IR-01a.[02]",
                        "test": "Determine if the incident response policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8c2dda1-77c2-4513-a86f-a77733ace3b5",
                        "testId": "IR-01a.[03]",
                        "test": "Determine if incident response procedures to facilitate the implementation of the incident response policy and associated incident response controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3873b7ad-2889-4528-8c9f-3d6fa287af0e",
                        "testId": "IR-01a.[04]",
                        "test": "Determine if the incident response procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d8180457-c0d7-4996-a17d-eb11eefea5f0",
                        "testId": "IR-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a7834dc3-73ad-4c48-8532-394077b960f5",
                        "testId": "IR-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a8e9f3c-65a0-44f2-be9f-103cf16fbac6",
                        "testId": "IR-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "066c3e90-bd9e-40b8-a65b-8e70633e1239",
                        "testId": "IR-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d37e36b3-7c64-48cc-a459-34d8a8b0f25d",
                        "testId": "IR-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b540de3a-261d-43e7-ace5-fb67efa4da09",
                        "testId": "IR-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a4e7859d-8e79-4a8d-adba-dd3c18e19748",
                        "testId": "IR-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "25fb164c-8800-4309-abd2-4c589f705088",
                        "testId": "IR-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  incident response policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "14a8f1a3-e793-48ec-a4a9-a7b2d2eaafa2",
                        "testId": "IR-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "65521f92-37ac-4662-85bd-7f03b303f7d0",
                        "testId": "IR-01c.01[01]",
                        "test": "Determine if the current incident response policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "98e71392-fb8a-4eaf-a731-f877501be775",
                        "testId": "IR-01c.01[02]",
                        "test": "Determine if the current incident response policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "07ab196d-449d-403f-bcd1-c15e11113844",
                        "testId": "IR-01c.02[01]",
                        "test": "Determine if the current incident response procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "05970503-f19f-4feb-ae85-c444118812d3",
                        "testId": "IR-01c.02[02]",
                        "test": "Determine if the current incident response procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3501113d-076e-410c-a91c-cd3913ae346b",
                        "testId": "IR-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Incident response policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a5ca5178-6b67-496b-8aaa-713ed2ad07ac",
                        "testId": "IR-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "57c21e5d-9a15-4259-bf35-24ccabafcb37",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IR-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, IR-1(a) }}:</p><ul><li><p>1. {{ insert: param, IR-1(a)(1) }} incident response policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, IR-1(b) }} to manage the development, documentation, and dissemination of the incident response policy and procedures; and</p></li><li><p>c. Review and update the current incident response:</p><ul><li><p>1. Policy {{ insert: param, IR-1(c)(1)-1 }} and following {{ insert: param, IR-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, IR-1(c)(2)-1 }} and following {{ insert: param, IR-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Incident response policy and procedures address the controls in the IR family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of incident response policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to incident response policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "IR-1",
                "family": "Incident Response",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "2174a568-c4c4-4bca-9889-040e62f9b246",
                        "parameterId": "IR-2(a)(1)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-02_odp.01"
                    },
                    {
                        "uuid": "5478d2ff-57f7-465b-98b1-f3e5b4b96994",
                        "parameterId": "IR-2(a)(3)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-02_odp.02"
                    },
                    {
                        "uuid": "2ec9726c-7e6a-40ea-a3a9-d6f75298b735",
                        "parameterId": "IR-2(b)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-02_odp.03"
                    },
                    {
                        "uuid": "4e67aefc-5515-4bf0-a60c-649980df6525",
                        "parameterId": "IR-2(b)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-02_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "3252e163-e1cd-4267-9d61-4bec70475fc7",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ir-2_smt.a",
                        "description": "<ul><li>a. Provide incident response training to system users consistent with assigned roles and responsibilities:</li><ul><li>1. Within {{ insert: param, IR-2(a)(1) }} of assuming an incident response role or responsibility or acquiring system access;</li><li>2. When required by system changes; and</li><li>3. {{ insert: param, IR-2(a)(3) }} thereafter; and</li></ul>"
                    },
                    {
                        "uuid": "fc68b243-bd9a-4526-bef3-31a98552f8ce",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ir-2_smt.b",
                        "description": "<ul><li>b. Review and update incident response training content {{ insert: param, IR-2(b)-1 }} and following {{ insert: param, IR-2(b)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "04163a6e-50e8-47b6-8232-1a83b20b69d7",
                        "testId": "IR-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response training.</li><li>Incident response training curriculum.</li><li>Incident response training materials.</li><li>Privacy plan.</li><li>Incident response plan.</li><li>Incident response training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "473d0657-983a-42e6-a165-73ddab0ece7f",
                        "testId": "IR-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with incident response training and operational responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "75f65afc-6ef6-4cbd-a501-9147deb2496e",
                        "testId": "IR-02a.01",
                        "test": "Determine if incident response training is provided to system users consistent with assigned roles and responsibilities within  [SELECTED PARAMETER VALUE(S): time period ]  of assuming an incident response role or responsibility or acquiring system access;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response training.</li><li>Incident response training curriculum.</li><li>Incident response training materials.</li><li>Privacy plan.</li><li>Incident response plan.</li><li>Incident response training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response training and operational responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ef45769-a5ff-40b3-bdb6-5739b63e871b",
                        "testId": "IR-02a.02",
                        "test": "Determine if incident response training is provided to system users consistent with assigned roles and responsibilities when required by system changes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response training.</li><li>Incident response training curriculum.</li><li>Incident response training materials.</li><li>Privacy plan.</li><li>Incident response plan.</li><li>Incident response training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response training and operational responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "674b6bdd-16a6-40f6-80d6-009691575fff",
                        "testId": "IR-02a.03",
                        "test": "Determine if incident response training is provided to system users consistent with assigned roles and responsibilities  [SELECTED PARAMETER VALUE(S): frequency ]  thereafter;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response training.</li><li>Incident response training curriculum.</li><li>Incident response training materials.</li><li>Privacy plan.</li><li>Incident response plan.</li><li>Incident response training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response training and operational responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "732e851c-d28b-436b-9bd4-226bfd6b7896",
                        "testId": "IR-02b.[01]",
                        "test": "Determine if incident response training content is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response training.</li><li>Incident response training curriculum.</li><li>Incident response training materials.</li><li>Privacy plan.</li><li>Incident response plan.</li><li>Incident response training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response training and operational responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fde13ff4-4272-4a30-9d52-7de4c9ced7ef",
                        "testId": "IR-02b.[02]",
                        "test": "Determine if incident response training content is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response training.</li><li>Incident response training curriculum.</li><li>Incident response training materials.</li><li>Privacy plan.</li><li>Incident response plan.</li><li>Incident response training records.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response training and operational responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "50039198-53e0-47a8-9802-634b0e688ea1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IR-02 - Incident Response Training",
                "description": "<ul><li>a. Provide incident response training to system users consistent with assigned roles and responsibilities:</li><ul><li>1. Within  {{ insert: param, IR-2(a)(1) }}  of assuming an incident response role or responsibility or acquiring system access;</li><li>2. When required by system changes; and</li><li>3. {{ insert: param, IR-2(a)(3) }}  thereafter; and</li></ul><li>b. Review and update incident response training content  {{ insert: param, IR-2(b)-1 }}  and following  {{ insert: param, IR-2(b)-2 }}.</li></ul><br/><strong>Discussion</strong><br/><p>Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of  <a href=\"#at-2\">AT-2</a>  or  <a href=\"#at-3\">AT-3</a> . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>",
                "controlId": "IR-2",
                "family": "Incident Response",
                "enhancements": "<strong>Enhancements</strong><ul><li>IR-2(1) - Simulated Events</li><li>IR-2(2) - Automated Training Environments</li><li>IR-2(3) - Breach</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0820182a-7641-45c9-8ac7-62f8c81a082b",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ir-4_smt.a",
                        "description": "<ul><li>a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;</li></ul>"
                    },
                    {
                        "uuid": "301291e6-8e07-4555-a820-aa15582b10ff",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ir-4_smt.b",
                        "description": "<ul><li>b. Coordinate incident handling activities with contingency planning activities;</li></ul>"
                    },
                    {
                        "uuid": "8ab9028a-0939-4a0a-8508-e57c201c26a0",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ir-4_smt.c",
                        "description": "<ul><li>c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and</li></ul>"
                    },
                    {
                        "uuid": "6e8e0152-e9a7-4a9e-b0ba-a684ebeb609c",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ir-4_smt.d",
                        "description": "<ul><li>d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "95419dd8-fa80-4806-bb72-7abe6a34d32a",
                        "testId": "IR-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cda7228d-d006-4311-83ca-0fe416db79b2",
                        "testId": "IR-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a8cffe04-de91-42ad-b90f-7b9647570123",
                        "testId": "IR-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6711ba0d-7a5d-4435-b0ef-a1fef701b144",
                        "testId": "IR-04a.[01]",
                        "test": "Determine if an incident handling capability for incidents is implemented that is consistent with the incident response plan;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "57d55a9b-33fb-42d5-8a65-62d4eba57cc2",
                        "testId": "IR-04a.[02]",
                        "test": "Determine if the incident handling capability for incidents includes preparation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fb2e6f80-8ba0-4678-b7b2-f1933ac044c8",
                        "testId": "IR-04a.[03]",
                        "test": "Determine if the incident handling capability for incidents includes detection and analysis;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eca19784-8119-47d4-ab2c-24ec2488cda0",
                        "testId": "IR-04a.[04]",
                        "test": "Determine if the incident handling capability for incidents includes containment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5b8b860b-e8ec-4489-89f8-529e5a8cf379",
                        "testId": "IR-04a.[05]",
                        "test": "Determine if the incident handling capability for incidents includes eradication;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b36a3dc5-d994-43fd-b52b-5a95b69c04c8",
                        "testId": "IR-04a.[06]",
                        "test": "Determine if the incident handling capability for incidents includes recovery;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1a9ffd06-29ee-4ccb-b26c-e83c8b0522f4",
                        "testId": "IR-04b.",
                        "test": "Determine if incident handling activities are coordinated with contingency planning activities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5dd821e6-60e6-4f3a-8614-31ab53b66c85",
                        "testId": "IR-04c.[01]",
                        "test": "Determine if lessons learned from ongoing incident handling activities are incorporated into incident response procedures, training, and testing;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "96767332-0e33-459e-9919-0e0d9ff2023b",
                        "testId": "IR-04c.[02]",
                        "test": "Determine if the changes resulting from the incorporated lessons learned are implemented accordingly;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8a60d7c5-656d-4cfe-8585-388f667e2bc0",
                        "testId": "IR-04d.[01]",
                        "test": "Determine if the rigor of incident handling activities is comparable and predictable across the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f9986e1f-5735-4b1d-a5dc-51d50488d178",
                        "testId": "IR-04d.[02]",
                        "test": "Determine if the intensity of incident handling activities is comparable and predictable across the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9cb9e787-c03b-4786-8439-95f7953ad11a",
                        "testId": "IR-04d.[03]",
                        "test": "Determine if the scope of incident handling activities is comparable and predictable across the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "79afa0af-97a6-41be-8695-f1c3c8c60416",
                        "testId": "IR-04d.[04]",
                        "test": "Determine if the results of incident handling activities are comparable and predictable across the organization.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Contingency planning policy.</li><li>Procedures addressing incident handling.</li><li>Incident response plan.</li><li>Contingency plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident handling responsibilities.</li><li>Organizational personnel with contingency planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident handling capability for the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "455a24f4-5b82-4087-8042-79fabb5707e7",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IR-04 - Incident Handling",
                "description": "<ul><li><p>a. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;</p></li><li><p>b. Coordinate incident handling activities with contingency planning activities;</p></li><li><p>c. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and</p></li><li><p>d. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.</p><p></p><p><strong>OT Discussion</strong></p><p>As part of the incident handling capability, the organization coordinates with external vendors, integrators, or suppliers as necessary to ensure that they have the capability to address events that are specific to embedded components and devices.</p>",
                "controlId": "IR-4",
                "family": "Incident Response",
                "enhancements": "<strong>Enhancements</strong><ul><li>IR-4(1) - Automated Incident Handling Processes</li><li>IR-4(2) - Dynamic Reconfiguration</li><li>IR-4(3) - Continuity of Operations</li><li>IR-4(4) - Information Correlation</li><li>IR-4(5) - Automatic Disabling of System</li><li>IR-4(6) - Insider Threats</li><li>IR-4(7) - Insider Threats \u00e2\u20ac\u201d Intra-organization Coordination</li><li>IR-4(8) - Correlation with External Organizations</li><li>IR-4(9) - Dynamic Response Capability</li><li>IR-4(10) - Supply Chain Coordination</li><li>IR-4(11) - Integrated Incident Response Team</li><li>IR-4(12) - Malicious Code and Forensic Analysis</li><li>IR-4(13) - Behavior Analysis</li><li>IR-4(14) - Security Operations Center</li><li>IR-4(15) - Public Relations and Reputation Repair</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "aa2291d1-770a-49a9-8098-621d207db192",
                        "name": "IR-5",
                        "objectiveType": "",
                        "otherId": "ir-5_smt",
                        "description": "Track and document incidents."
                    }
                ],
                "tests": [
                    {
                        "uuid": "e9ff7c10-241f-4f25-ab0e-e522a14c7d30",
                        "testId": "IR-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident monitoring.</li><li>Incident response records and documentation.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c87f573-7e37-4d21-a949-b747304b5bb9",
                        "testId": "IR-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with incident monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "23887669-9858-4634-86c4-903808054711",
                        "testId": "IR-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Incident monitoring capability for the organization.</li><li>Mechanisms supporting and/or implementing the tracking and documenting of system security incidents.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "414a9088-54ee-4baa-9409-0d6720d86c0a",
                        "testId": "IR-05[01]",
                        "test": "Determine if incidents are tracked;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident monitoring.</li><li>Incident response records and documentation.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident monitoring capability for the organization.</li><li>Mechanisms supporting and/or implementing the tracking and documenting of system security incidents.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c59e128b-23ef-4f28-a462-c62209475356",
                        "testId": "IR-05[02]",
                        "test": "Determine if incidents are documented.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident monitoring.</li><li>Incident response records and documentation.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident monitoring responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Incident monitoring capability for the organization.</li><li>Mechanisms supporting and/or implementing the tracking and documenting of system security incidents.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "92e5ada6-530d-451a-9658-10e767dd473e",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IR-05 - Incident Monitoring",
                "description": "Track and document incidents.<br/><strong>Discussion</strong><br/><p>Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports.  <a href=\"#ir-4\">IR-4</a>  provides information on the types of incidents that are appropriate for monitoring.</p>",
                "controlId": "IR-5",
                "family": "Incident Response",
                "enhancements": "<strong>Enhancements</strong><ul><li>IR-5(1) - Automated Tracking, Data Collection, and Analysis</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "967232ce-3bc9-4048-ba9f-f1f74e09a076",
                        "parameterId": "IR-6(a)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-06_odp.01"
                    },
                    {
                        "uuid": "f6ec727c-2b09-49b9-82ab-c72fa753e070",
                        "parameterId": "IR-6(b)",
                        "text": "authorities",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined authorities] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-06_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "d98b4209-e858-4be4-8053-caf0db61b11f",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ir-6_smt.a",
                        "description": "<ul><li>a. Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, IR-6(a) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "81331083-44d2-47cc-8bee-dc5ed24616ad",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ir-6_smt.b",
                        "description": "<ul><li>b. Report incident information to {{ insert: param, IR-6(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "a8f3d4bb-a5d2-40c7-a682-ff7100acfc7f",
                        "testId": "IR-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident reporting.</li><li>Incident reporting records and documentation.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "93b9e376-462d-4e60-8983-f1fa3a3557e5",
                        "testId": "IR-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with incident reporting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel who have/should have reported incidents.</li><li>Personnel (authorities) to whom incident information is to be reported.</li><li>System users.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab4482cc-9155-45fa-b1a7-7f2c7a3dc7e8",
                        "testId": "IR-06-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for incident reporting.</li><li>Mechanisms supporting and/or implementing incident reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bb5794b6-61d6-4870-92ab-ff9f6584aac7",
                        "testId": "IR-06a.",
                        "test": "Determine if personnel is/are required to report suspected incidents to the organizational incident response capability within  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident reporting.</li><li>Incident reporting records and documentation.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident reporting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel who have/should have reported incidents.</li><li>Personnel (authorities) to whom incident information is to be reported.</li><li>System users.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for incident reporting.</li><li>Mechanisms supporting and/or implementing incident reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "20d6d330-ed8c-4838-a427-aaeec346879d",
                        "testId": "IR-06b.",
                        "test": "Determine if incident information is reported to  [SELECTED PARAMETER VALUE(S): authorities ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident reporting.</li><li>Incident reporting records and documentation.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident reporting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel who have/should have reported incidents.</li><li>Personnel (authorities) to whom incident information is to be reported.</li><li>System users.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for incident reporting.</li><li>Mechanisms supporting and/or implementing incident reporting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3ea3e8fe-ef9c-4892-a388-44545968c3b1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IR-06 - Incident Reporting",
                "description": "<ul><li><p>a. Require personnel to report suspected incidents to the organizational incident response capability within {{ insert: param, IR-6(a) }} ; and</p></li><li><p>b. Report incident information to {{ insert: param, IR-6(b) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>The types of incidents reported, the content and timeliness of the reports, and the designated reporting authorities reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Incident information can inform risk assessments, control effectiveness assessments, security requirements for acquisitions, and selection criteria for technology products.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization should report incidents on a timely basis. CISA collaborates with international and private-sector computer emergency response teams (CERTs) to share control systems-related security incidents and mitigation measures.</p><p></p>",
                "controlId": "IR-6",
                "family": "Incident Response",
                "enhancements": "<strong>Enhancements</strong><ul><li>IR-6(1) - Automated Reporting</li><li>IR-6(2) - Vulnerabilities Related to Incidents</li><li>IR-6(3) - Supply Chain Coordination</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "2f237fd2-a985-400e-a475-0d86777cf37b",
                        "name": "IR-7",
                        "objectiveType": "",
                        "otherId": "ir-7_smt",
                        "description": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents."
                    }
                ],
                "tests": [
                    {
                        "uuid": "54e945d3-6633-41b7-b72c-594ef63f416a",
                        "testId": "IR-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response assistance.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "07efaa27-0d5a-45cf-ab4f-93888dfd7289",
                        "testId": "IR-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with incident response assistance and support responsibilities.</li><li>Organizational personnel with access to incident response support and assistance capability.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b32cbffc-4ee3-40dc-9444-8775dcd66159",
                        "testId": "IR-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for incident response assistance.</li><li>Mechanisms supporting and/or implementing incident response assistance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e9981ffd-3ee6-42bb-a975-e35a42f6d3d1",
                        "testId": "IR-07[01]",
                        "test": "Determine if an incident response support resource, integral to the organizational incident response capability, is provided;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response assistance.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response assistance and support responsibilities.</li><li>Organizational personnel with access to incident response support and assistance capability.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for incident response assistance.</li><li>Mechanisms supporting and/or implementing incident response assistance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "39d2a73a-0193-4625-acd8-635d24d71258",
                        "testId": "IR-07[02]",
                        "test": "Determine if the incident response support resource offers advice and assistance to users of the system for the response and reporting of incidents.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response assistance.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response assistance and support responsibilities.</li><li>Organizational personnel with access to incident response support and assistance capability.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for incident response assistance.</li><li>Mechanisms supporting and/or implementing incident response assistance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3e913b48-0aec-4822-91ed-4eb2d2d4421f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IR-07 - Incident Response Assistance",
                "description": "Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of incidents.<br/><strong>Discussion</strong><br/><p>Incident response support resources provided by organizations include help desks, assistance groups, automated ticketing systems to open and track incident response tickets, and access to forensics services or consumer redress services, when required.</p>",
                "controlId": "IR-7",
                "family": "Incident Response",
                "enhancements": "<strong>Enhancements</strong><ul><li>IR-7(1) - Automation Support for Availability of Information and Support</li><li>IR-7(2) - Coordination with External Providers</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "5334d267-c622-4bb5-9663-6905e34fd2f2",
                        "parameterId": "IR-8(d)",
                        "text": "organization-defined incident response personnel (identified by name and/or by role) and organizational elements",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-8_prm_5"
                    },
                    {
                        "uuid": "c3e25f51-7d7f-41bc-8d71-2bae4c05aef4",
                        "parameterId": "IR-8(a)(9)-1",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-08_odp.01"
                    },
                    {
                        "uuid": "d4033d83-6910-4f28-b335-f4e404e3600a",
                        "parameterId": "IR-8(a)(9)-2",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-08_odp.02"
                    },
                    {
                        "uuid": "fcd299ec-6510-4664-83e2-49edf21c1054",
                        "parameterId": "IR-8(a)(10)",
                        "text": "entities, personnel, or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined entities, personnel, or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-08_odp.03"
                    },
                    {
                        "uuid": "a5ae2d38-94ce-4e1e-90bd-75b26d2bac37",
                        "parameterId": "IR-8(b)",
                        "text": "incident response personnel",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined incident response personnel] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ir-08_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "6ef7bec6-d5eb-4f9e-aba7-a4f0aa37de19",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ir-8_smt.a",
                        "description": "<ul><li>a. Develop an incident response plan that:</li><ul><li>1. Provides the organization with a roadmap for implementing its incident response capability;</li><li>2. Describes the structure and organization of the incident response capability;</li><li>3. Provides a high-level approach for how the incident response capability fits into the overall organization;</li><li>4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;</li><li>5. Defines reportable incidents;</li><li>6. Provides metrics for measuring the incident response capability within the organization;</li><li>7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;</li><li>8. Addresses the sharing of incident information;</li><li>9. Is reviewed and approved by {{ insert: param, IR-8(a)(9)-1 }} {{ insert: param, IR-8(a)(9)-2 }} ; and</li><li>10. Explicitly designates responsibility for incident response to {{ insert: param, IR-8(a)(10) }}.</li></ul>"
                    },
                    {
                        "uuid": "168fcf4b-3ffc-46b2-abc7-a585257ced08",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ir-8_smt.b",
                        "description": "<ul><li>b. Distribute copies of the incident response plan to {{ insert: param, IR-8(b) }};</li></ul>"
                    },
                    {
                        "uuid": "5caa5227-7226-4075-9484-2e3c49cbe2c3",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ir-8_smt.c",
                        "description": "<ul><li>c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</li></ul>"
                    },
                    {
                        "uuid": "edb142fa-6a3e-4532-8c2a-4ea414cf72f0",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ir-8_smt.d",
                        "description": "<ul><li>d. Communicate incident response plan changes to {{ insert: param, IR-8(d) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "84eb9ec7-6d8e-4252-977d-0f1614af4524",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ir-8_smt.e",
                        "description": "<ul><li>e. Protect the incident response plan from unauthorized disclosure and modification.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "a61f2b00-cf05-4cf1-9f32-a9ee40b890f1",
                        "testId": "IR-08a.01",
                        "test": "Determine if an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "47ebc3c7-c7e4-49c1-8ffd-5fc5432a29c3",
                        "testId": "IR-08a.02",
                        "test": "Determine if an incident response plan is developed that describes the structure and organization of the incident response capability;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "417ef83b-01d5-4436-b880-bb0724456c46",
                        "testId": "IR-08a.03",
                        "test": "Determine if an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "474827ae-55fc-4313-8826-3b05bb630b8c",
                        "testId": "IR-08a.04",
                        "test": "Determine if an incident response plan is developed that meets the unique requirements of the organization with regard to mission, size, structure, and functions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c11d0eb2-963f-4819-873c-713cb4b528ce",
                        "testId": "IR-08a.05",
                        "test": "Determine if an incident response plan is developed that defines reportable incidents;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "969aaf7c-3dce-4f2a-8676-56bd99b1f3bf",
                        "testId": "IR-08a.06",
                        "test": "Determine if an incident response plan is developed that provides metrics for measuring the incident response capability within the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9ff56b07-5d98-4dab-afcc-46a16a41096f",
                        "testId": "IR-08a.07",
                        "test": "Determine if an incident response plan is developed that defines the resources and management support needed to effectively maintain and mature an incident response capability;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "080e8900-09f5-4bd4-b1f7-02729260a8d7",
                        "testId": "IR-08a.08",
                        "test": "Determine if an incident response plan is developed that addresses the sharing of incident information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4f4d99e7-1b49-41da-a3d5-ffbff572ee21",
                        "testId": "IR-08a.09",
                        "test": "Determine if an incident response plan is developed that is reviewed and approved by  [SELECTED PARAMETER VALUE(S): personnel or roles ], [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "33b29382-c04c-4de4-96f1-e5748be48e57",
                        "testId": "IR-08a.10",
                        "test": "Determine if an incident response plan is developed that explicitly designates responsibility for incident response to  [SELECTED PARAMETER VALUE(S): entities, personnel, or roles ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "855f6fe2-a9e9-4aac-9a7b-2db21765840a",
                        "testId": "IR-08b.[01]",
                        "test": "Determine if copies of the incident response plan are distributed to  [SELECTED PARAMETER VALUE(S): incident response personnel ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "03a49123-ef3b-4c1c-aaa6-c6e0407f5cba",
                        "testId": "IR-08b.[02]",
                        "test": "Determine if copies of the incident response plan are distributed to  [SELECTED PARAMETER VALUE(S): organizational elements ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0b74e28-a02a-4d0d-a371-518a62998c8e",
                        "testId": "IR-08c.",
                        "test": "Determine if the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ed3babeb-5453-4f5a-9cc0-102fdfb231f8",
                        "testId": "IR-08d.[01]",
                        "test": "Determine if incident response plan changes are communicated to  [SELECTED PARAMETER VALUE(S): incident response personnel ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "291bf26d-a6b2-4039-b176-3694c376555a",
                        "testId": "IR-08d.[02]",
                        "test": "Determine if incident response plan changes are communicated to  [SELECTED PARAMETER VALUE(S): organizational elements ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0495d404-c439-4256-a96b-714c54871a84",
                        "testId": "IR-08e.[01]",
                        "test": "Determine if the incident response plan is protected from unauthorized disclosure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dcb2ff37-8797-46fe-95d3-001026a7b580",
                        "testId": "IR-08e.[02]",
                        "test": "Determine if the incident response plan is protected from unauthorized modification.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dd44c5d3-c709-4841-93c6-008bdae67c11",
                        "testId": "IR-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Incident response policy.</li><li>Procedures addressing incident response planning.</li><li>Incident response plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of incident response plan reviews and approvals.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5360e187-16ba-4cfb-aa78-0cbe9087a108",
                        "testId": "IR-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with incident response planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f5fb2c94-660f-4dee-becc-7897fae4ed0f",
                        "testId": "IR-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational incident response plan and related organizational processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "57a71fd2-38a8-4dc4-b87a-b22e3cea780f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "IR-08 - Incident Response Plan",
                "description": "<ul><li>a. Develop an incident response plan that:</li><ul><li>1. Provides the organization with a roadmap for implementing its incident response capability;</li><li>2. Describes the structure and organization of the incident response capability;</li><li>3. Provides a high-level approach for how the incident response capability fits into the overall organization;</li><li>4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;</li><li>5. Defines reportable incidents;</li><li>6. Provides metrics for measuring the incident response capability within the organization;</li><li>7. Defines the resources and management support needed to effectively maintain and mature an incident response capability;</li><li>8. Addresses the sharing of incident information;</li><li>9. Is reviewed and approved by  {{ insert: param, IR-8(a)(9)-1 }}{{ insert: param, IR-8(a)(9)-2 }} ; and</li><li>10. Explicitly designates responsibility for incident response to  {{ insert: param, IR-8(a)(10) }}.</li></ul><li>b. Distribute copies of the incident response plan to  {{ insert: param, IR-8(b) }};</li><li>c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing;</li><li>d. Communicate incident response plan changes to  {{ insert: param, IR-8(d) }} ; and</li><li>e. Protect the incident response plan from unauthorized disclosure and modification.</li></ul><br/><strong>Discussion</strong><br/><p>It is important that organizations develop and implement a coordinated approach to incident response. Organizational mission and business functions determine the structure of incident response capabilities. As part of the incident response capabilities, organizations consider the coordination and sharing of information with external organizations, including external service providers and other organizations involved in the supply chain. For incidents involving personally identifiable information (i.e., breaches), include a process to determine whether notice to oversight organizations or affected individuals is appropriate and provide that notice accordingly.</p>",
                "controlId": "IR-8",
                "family": "Incident Response",
                "enhancements": "<strong>Enhancements</strong><ul><li>IR-8(1) - Breaches</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d37435e4-91f0-4b5f-9b29-1ec4805eac62",
                        "parameterId": "MA-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-1_prm_1"
                    },
                    {
                        "uuid": "6d0caa42-c977-4ce6-94ac-7f68639adefd",
                        "parameterId": "MA-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-01_odp.03"
                    },
                    {
                        "uuid": "c07884c3-5785-4066-b04a-d9b6535d7226",
                        "parameterId": "MA-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-01_odp.04"
                    },
                    {
                        "uuid": "87c645e4-bcea-4d93-bd0c-9a77b6a28602",
                        "parameterId": "MA-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-01_odp.05"
                    },
                    {
                        "uuid": "a5b8fcaf-9122-4d72-8107-1cabbc3913ab",
                        "parameterId": "MA-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-01_odp.06"
                    },
                    {
                        "uuid": "18c93902-0dc8-40fb-9f19-556d90927a3f",
                        "parameterId": "MA-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-01_odp.07"
                    },
                    {
                        "uuid": "97949452-6e7d-48d5-8d3c-00a551130a4b",
                        "parameterId": "MA-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "4581e292-0398-47af-83fb-b158c62907ff",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ma-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, MA-1(a) }}:</li><ul><li>1. {{ insert: param, MA-1(a)(1) }} maintenance policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;</li></ul>"
                    },
                    {
                        "uuid": "1c98d9ea-f903-4ae2-95bc-149aae0bf91f",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ma-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, MA-1(b) }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "0cc02e30-8dc7-4510-a5ff-bf71b255e06e",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ma-1_smt.c",
                        "description": "<ul><li>c. Review and update the current maintenance:</li><ul><li>1. Policy {{ insert: param, MA-1(c)(1)-1 }} and following {{ insert: param, MA-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, MA-1(c)(2)-1 }} and following {{ insert: param, MA-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "e43b223f-f0b1-4a2b-8923-2f6d76a04eb8",
                        "testId": "MA-01a.[01]",
                        "test": "Determine if a maintenance policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ddf31d81-9aef-4ead-a90a-84e2eeca8e92",
                        "testId": "MA-01a.[02]",
                        "test": "Determine if the maintenance policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a1f0ab6f-f95f-499e-9f0d-1b0b29fbf725",
                        "testId": "MA-01a.[03]",
                        "test": "Determine if maintenance procedures to facilitate the implementation of the maintenance policy and associated maintenance controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "36b7e82d-c1d0-4417-9463-191519f4467d",
                        "testId": "MA-01a.[04]",
                        "test": "Determine if the maintenance procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "22b2c5d3-52d0-420e-a7c2-75c98dd19d75",
                        "testId": "MA-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "847441e6-5021-49f6-bf17-d843066b5c55",
                        "testId": "MA-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3827965f-df82-452a-a063-9a406ff049c3",
                        "testId": "MA-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6a1ed4b8-e826-45f0-8316-86ad6abd66d1",
                        "testId": "MA-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1a1ac156-5de6-4aed-bccb-2a46cea3645f",
                        "testId": "MA-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "202a098f-5dd4-4672-997e-37fd426bfcc1",
                        "testId": "MA-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d41294c9-ba3b-48c9-b6ac-b54fb8fc4b77",
                        "testId": "MA-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aa1d9d48-f6a7-4c51-bf9b-221b7424024c",
                        "testId": "MA-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  maintenance policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cc919a29-1422-4967-b628-55624989c233",
                        "testId": "MA-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d81ef143-787a-45ed-8838-353649473267",
                        "testId": "MA-01c.01[01]",
                        "test": "Determine if the current maintenance policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3c31d07d-0d69-4521-90b8-a07028318d81",
                        "testId": "MA-01c.01[02]",
                        "test": "Determine if the current maintenance policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e43d4b8c-1139-42f9-8458-3211d7e87bab",
                        "testId": "MA-01c.02[01]",
                        "test": "Determine if the current maintenance procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a1affa36-23fe-4bd7-b38e-33ab3845418a",
                        "testId": "MA-01c.02[02]",
                        "test": "Determine if the current maintenance procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5766e341-ea2a-429f-9a83-24a2dfda60ec",
                        "testId": "MA-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Maintenance policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "348d1572-6a0a-47a6-8b6a-0d4f765203bb",
                        "testId": "MA-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with maintenance responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "99605155-db9c-4388-b816-43e3f810c65e",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MA-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, MA-1(a) }}:</p><ul><li><p>1. {{ insert: param, MA-1(a)(1) }} maintenance policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, MA-1(b) }} to manage the development, documentation, and dissemination of the maintenance policy and procedures; and</p></li><li><p>c. Review and update the current maintenance:</p><ul><li><p>1. Policy {{ insert: param, MA-1(c)(1)-1 }} and following {{ insert: param, MA-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, MA-1(c)(2)-1 }} and following {{ insert: param, MA-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Maintenance policy and procedures address the controls in the MA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of maintenance policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to maintenance policy and procedures assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "MA-1",
                "family": "Maintenance",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "95ed1a8b-a6a8-4eda-a405-602e76a09195",
                        "parameterId": "MA-2(c)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-02_odp.01"
                    },
                    {
                        "uuid": "e75746b7-ae63-44ea-83ca-aade25e5934d",
                        "parameterId": "MA-2(d)",
                        "text": "information",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined information] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-02_odp.02"
                    },
                    {
                        "uuid": "2c4ee830-d100-4214-b8ab-51f39db0468f",
                        "parameterId": "MA-2(f)",
                        "text": "information",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined information] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-02_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "4d9a37eb-7806-4e95-b092-51d50e512f8b",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ma-2_smt.a",
                        "description": "<ul><li>a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;</li></ul>"
                    },
                    {
                        "uuid": "86add84b-0171-42a0-b96b-b46b3500137b",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ma-2_smt.b",
                        "description": "<ul><li>b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;</li></ul>"
                    },
                    {
                        "uuid": "ac12c3d5-0d87-4caa-b990-c45ccec7d291",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ma-2_smt.c",
                        "description": "<ul><li>c. Require that {{ insert: param, MA-2(c) }} explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;</li></ul>"
                    },
                    {
                        "uuid": "d704214c-f156-4410-9177-2cd74de4bdc2",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ma-2_smt.d",
                        "description": "<ul><li>d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: {{ insert: param, MA-2(d) }};</li></ul>"
                    },
                    {
                        "uuid": "00ac9206-c412-4ba5-a4b1-f0a7d7d9e582",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ma-2_smt.e",
                        "description": "<ul><li>e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and</li></ul>"
                    },
                    {
                        "uuid": "4d1f1667-79d8-467d-b25b-3a09d4f698e4",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "ma-2_smt.f",
                        "description": "<ul><li>f. Include the following information in organizational maintenance records: {{ insert: param, MA-2(f) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "81be6161-0329-4e70-906e-d512db830510",
                        "testId": "MA-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6279670f-d428-4145-868e-8a2f805faf9e",
                        "testId": "MA-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "76762ec7-6b7d-448f-a244-563b369eb0f2",
                        "testId": "MA-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1677f5ce-37fd-4e2b-838e-b64d21a5451d",
                        "testId": "MA-02a.[01]",
                        "test": "Determine if maintenance, repair, and replacement of system components are scheduled in accordance with manufacturer or vendor specifications and/or organizational requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "97fea2b4-5330-4db1-a493-80953ea1e547",
                        "testId": "MA-02a.[02]",
                        "test": "Determine if maintenance, repair, and replacement of system components are documented in accordance with manufacturer or vendor specifications and/or organizational requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e3ad4f14-5e79-4772-b3db-5c1bb2807416",
                        "testId": "MA-02a.[03]",
                        "test": "Determine if records of maintenance, repair, and replacement of system components are reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1829ef3a-9b37-45e4-8864-7481994eae7c",
                        "testId": "MA-02b.[01]",
                        "test": "Determine if all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are approved;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9be4118f-ee87-4607-afae-2ea34cd68a00",
                        "testId": "MA-02b.[02]",
                        "test": "Determine if all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location, are monitored;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5d1e1a0c-bad1-4b9d-a055-c1f8b745cc74",
                        "testId": "MA-02c.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): personnel or roles ]  is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "edfb61ec-a7b3-46f0-a6e0-cd6b44ffcbc4",
                        "testId": "MA-02d.",
                        "test": "Determine if equipment is sanitized to remove  [SELECTED PARAMETER VALUE(S): information ]  from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f7dc16dd-d892-49b2-bfbe-ab5a237671ee",
                        "testId": "MA-02e.",
                        "test": "Determine if all potentially impacted controls are checked to verify that the controls are still functioning properly following maintenance, repair, or replacement actions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0406fa55-e594-4275-81b5-be2d54fb772c",
                        "testId": "MA-02f.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): information ]  is included in organizational maintenance records.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing controlled system maintenance.</li><li>Maintenance records.</li><li>Manufacturer/vendor maintenance specifications.</li><li>Equipment sanitization records.</li><li>Media sanitization records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel responsible for media sanitization.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for the system.</li><li>Organizational processes for sanitizing system components.</li><li>Mechanisms supporting and/or implementing controlled maintenance.</li><li>Mechanisms implementing the sanitization of system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "2879e9ef-dd5d-4e21-97cc-67312a04900d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MA-02 - Controlled Maintenance",
                "description": "<ul><li>a. Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements;</li><li>b. Approve and monitor all maintenance activities, whether performed on site or remotely and whether the system or system components are serviced on site or removed to another location;</li><li>c. Require that  {{ insert: param, MA-2(c) }}  explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;</li><li>d. Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement:  {{ insert: param, MA-2(d) }};</li><li>e. Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and</li><li>f. Include the following information in organizational maintenance records:  {{ insert: param, MA-2(f) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Controlling system maintenance addresses the information security aspects of the system maintenance program and applies to all types of maintenance to system components conducted by local or nonlocal entities. Maintenance includes peripherals such as scanners, copiers, and printers. Information necessary for creating effective maintenance records includes the date and time of maintenance, a description of the maintenance performed, names of the individuals or group performing the maintenance, name of the escort, and system components or equipment that are removed or replaced. Organizations consider supply chain-related risks associated with replacement components for systems.</p>",
                "controlId": "MA-2",
                "family": "Maintenance",
                "enhancements": "<strong>Enhancements</strong><ul><li>MA-2(2) - Automated Maintenance Activities</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "eff2cf0e-c374-4d9d-ae0d-51df190394f9",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ma-4_smt.a",
                        "description": "<ul><li>a. Approve and monitor nonlocal maintenance and diagnostic activities;</li></ul>"
                    },
                    {
                        "uuid": "7da7ad4e-8be5-451d-b5cc-76c6f3261736",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ma-4_smt.b",
                        "description": "<ul><li>b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;</li></ul>"
                    },
                    {
                        "uuid": "5b872d44-0f70-4c72-a26b-f24c302b5d18",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ma-4_smt.c",
                        "description": "<ul><li>c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;</li></ul>"
                    },
                    {
                        "uuid": "81b72f1a-64b8-4b03-84f8-6ccaeb2e05b2",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ma-4_smt.d",
                        "description": "<ul><li>d. Maintain records for nonlocal maintenance and diagnostic activities; and</li></ul>"
                    },
                    {
                        "uuid": "aaf6234b-f444-4bb1-a57d-1435269eb2a3",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ma-4_smt.e",
                        "description": "<ul><li>e. Terminate session and network connections when nonlocal maintenance is completed.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "5887bc01-0680-40ef-80aa-df9091e7acb4",
                        "testId": "MA-04a.[01]",
                        "test": "Determine if nonlocal maintenance and diagnostic activities are approved;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "efa96d6c-8c80-4b93-8b4e-d99f1379d528",
                        "testId": "MA-04a.[02]",
                        "test": "Determine if nonlocal maintenance and diagnostic activities are monitored;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b1d4a8fc-92e9-4d97-b1ef-0c0ac0e747fa",
                        "testId": "MA-04b.[01]",
                        "test": "Determine if the use of nonlocal maintenance and diagnostic tools are allowed only as consistent with organizational policy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d5d4a49e-0023-467c-a6e1-0c4941254962",
                        "testId": "MA-04b.[02]",
                        "test": "Determine if the use of nonlocal maintenance and diagnostic tools are documented in the security plan for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6f2af56a-0a52-481e-a06b-0dc85475b75e",
                        "testId": "MA-04c.",
                        "test": "Determine if strong authentication is employed in the establishment of nonlocal maintenance and diagnostic sessions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "746a8f32-700a-45a6-a9c8-ea273de373e7",
                        "testId": "MA-04d.",
                        "test": "Determine if records for nonlocal maintenance and diagnostic activities are maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a9266034-714a-4a28-bcea-8087d862be5f",
                        "testId": "MA-04e.[01]",
                        "test": "Determine if session connections are terminated when nonlocal maintenance is completed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f956e278-3ac2-4007-a088-dd445d743b54",
                        "testId": "MA-04e.[02]",
                        "test": "Determine if network connections are terminated when nonlocal maintenance is completed.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "08bced80-706b-4e09-9fe4-e56a02912cd2",
                        "testId": "MA-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Maintenance policy.</li><li>Procedures addressing nonlocal system maintenance.</li><li>Remote access policy.</li><li>Remote access procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Records of remote access.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "75683004-171d-43b6-b9d5-38ed87319af8",
                        "testId": "MA-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "12a8dcdf-308a-4278-b470-36a456392bbe",
                        "testId": "MA-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing nonlocal maintenance.</li><li>Mechanisms implementing, supporting, and/or managing nonlocal maintenance.</li><li>Mechanisms for strong authentication of nonlocal maintenance diagnostic sessions.</li><li>Mechanisms for terminating nonlocal maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "c36f0adb-b65a-4ae1-b211-7ba4f13ecd7c",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MA-04 - Nonlocal Maintenance",
                "description": "<ul><li>a. Approve and monitor nonlocal maintenance and diagnostic activities;</li><li>b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the system;</li><li>c. Employ strong authentication in the establishment of nonlocal maintenance and diagnostic sessions;</li><li>d. Maintain records for nonlocal maintenance and diagnostic activities; and</li><li>e. Terminate session and network connections when nonlocal maintenance is completed.</li></ul><br/><strong>Discussion</strong><br/><p>Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in  <a href=\"#ia-2\">IA-2</a> . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in  <a href=\"#ma-4\">MA-4</a>  is accomplished, in part, by other controls.  <a href=\"#e59c5a7c-8b1f-49ca-8de0-6ee0882180ce\">SP 800-63B</a>  provides additional guidance on strong authentication and authenticators.</p>",
                "controlId": "MA-4",
                "family": "Maintenance",
                "enhancements": "<strong>Enhancements</strong><ul><li>MA-4(1) - Logging and Review</li><li>MA-4(3) - Comparable Security and Sanitization</li><li>MA-4(4) - Authentication and Separation of Maintenance Sessions</li><li>MA-4(5) - Approvals and Notifications</li><li>MA-4(6) - Cryptographic Protection</li><li>MA-4(7) - Disconnect Verification</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "7e2e6e17-bf62-4275-8a9a-d8999577825f",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ma-5_smt.a",
                        "description": "<ul><li>a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;</li></ul>"
                    },
                    {
                        "uuid": "b64b47ea-a110-49c8-9add-329a7d98dd03",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ma-5_smt.b",
                        "description": "<ul><li>b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and</li></ul>"
                    },
                    {
                        "uuid": "d0b3915b-10cc-4381-acc6-7ab3a89d171c",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ma-5_smt.c",
                        "description": "<ul><li>c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "c53b6ac6-f063-4906-b1a9-a9919ea48c02",
                        "testId": "MA-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Maintenance policy.</li><li>Procedures addressing maintenance personnel.</li><li>Service provider contracts.</li><li>Service-level agreements.</li><li>List of authorized personnel.</li><li>Maintenance records.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ede62f20-284e-4278-bde4-698bcbc34d5c",
                        "testId": "MA-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "43de6155-6e16-4200-9944-46398099d49a",
                        "testId": "MA-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for authorizing and managing maintenance personnel.</li><li>Mechanisms supporting and/or implementing authorization of maintenance personnel.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3fbac5ee-d495-4f75-92f8-274f9373142c",
                        "testId": "MA-05a.[01]",
                        "test": "Determine if a process for maintenance personnel authorization is established;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing maintenance personnel.</li><li>Service provider contracts.</li><li>Service-level agreements.</li><li>List of authorized personnel.</li><li>Maintenance records.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for authorizing and managing maintenance personnel.</li><li>Mechanisms supporting and/or implementing authorization of maintenance personnel.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ec33919a-9c32-4169-ad45-2da353e1151a",
                        "testId": "MA-05a.[02]",
                        "test": "Determine if a list of authorized maintenance organizations or personnel is maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing maintenance personnel.</li><li>Service provider contracts.</li><li>Service-level agreements.</li><li>List of authorized personnel.</li><li>Maintenance records.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for authorizing and managing maintenance personnel.</li><li>Mechanisms supporting and/or implementing authorization of maintenance personnel.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2200fe90-58b9-4f29-83cc-137bdee86413",
                        "testId": "MA-05b.",
                        "test": "Determine if non-escorted personnel performing maintenance on the system possess the required access authorizations;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing maintenance personnel.</li><li>Service provider contracts.</li><li>Service-level agreements.</li><li>List of authorized personnel.</li><li>Maintenance records.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for authorizing and managing maintenance personnel.</li><li>Mechanisms supporting and/or implementing authorization of maintenance personnel.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4d52e08e-5717-4e03-90c1-f6d42eb162c3",
                        "testId": "MA-05c.",
                        "test": "Determine if organizational personnel with required access authorizations and technical competence is/are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing maintenance personnel.</li><li>Service provider contracts.</li><li>Service-level agreements.</li><li>List of authorized personnel.</li><li>Maintenance records.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for authorizing and managing maintenance personnel.</li><li>Mechanisms supporting and/or implementing authorization of maintenance personnel.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d1ad35f6-5015-477c-b60b-576c2bf810a0",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MA-05 - Maintenance Personnel",
                "description": "<ul><li>a. Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel;</li><li>b. Verify that non-escorted personnel performing maintenance on the system possess the required access authorizations; and</li><li>c. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.</li></ul><br/><strong>Discussion</strong><br/><p>Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while  <a href=\"#pe-2\">PE-2</a>  addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel\u00e2\u20ac\u201dsuch as information technology manufacturers, vendors, systems integrators, and consultants\u00e2\u20ac\u201dmay require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.</p>",
                "controlId": "MA-5",
                "family": "Maintenance",
                "enhancements": "<strong>Enhancements</strong><ul><li>MA-5(1) - Individuals Without Appropriate Access</li><li>MA-5(2) - Security Clearances for Classified Systems</li><li>MA-5(3) - Citizenship Requirements for Classified Systems</li><li>MA-5(4) - Foreign Nationals</li><li>MA-5(5) - Non-system Maintenance</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "4ba0a537-1251-43ee-8cee-e61fd6307993",
                        "parameterId": "MA-7-1",
                        "text": "systems or system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined systems or system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-07_odp.01"
                    },
                    {
                        "uuid": "e7d476a4-0733-4e24-a691-e066a3bbd225",
                        "parameterId": "MA-7-2",
                        "text": "trusted maintenance facilities",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined trusted maintenance facilities] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ma-07_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "d4f8961e-2ad7-4f35-b770-b2dbe863c244",
                        "name": "MA-7",
                        "objectiveType": "",
                        "otherId": "ma-7_smt",
                        "description": "Restrict or prohibit field maintenance on {{ insert: param, MA-7-1 }} to {{ insert: param, MA-7-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "242f71f0-29f8-4270-9938-78a2192d8108",
                        "testId": "MA-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Maintenance policy.</li><li>Procedures addressing field maintenance.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "12aaf301-e89c-400d-a171-fe79e5e2a441",
                        "testId": "MA-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1ebf7451-14ca-4ccd-8a0d-e62ae26bbb93",
                        "testId": "MA-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing field maintenance.</li><li>Mechanisms implementing, supporting, and/or managing field maintenance.</li><li>Mechanisms for strong authentication of field maintenance diagnostic sessions.</li><li>Mechanisms for terminating field maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0e09942d-6bba-4096-b218-fc2e8e0e9872",
                        "testId": "MA-07",
                        "test": "Determine if field maintenance on  [SELECTED PARAMETER VALUE(S): systems or system components ]  are restricted or prohibited to  [SELECTED PARAMETER VALUE(S): trusted maintenance facilities ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Maintenance policy.</li><li>Procedures addressing field maintenance.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Maintenance records.</li><li>Diagnostic records.</li><li>System security plan.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system maintenance responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing field maintenance.</li><li>Mechanisms implementing, supporting, and/or managing field maintenance.</li><li>Mechanisms for strong authentication of field maintenance diagnostic sessions.</li><li>Mechanisms for terminating field maintenance sessions and network connections.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9bf4b7c5-1382-4ab9-bf49-4bf2ab0e27d1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MA-07 - Field Maintenance",
                "description": "<p>Restrict or prohibit field maintenance on {{ insert: param, MA-7-1 }} to {{ insert: param, MA-7-2 }}.<br><strong>Discussion</strong><br></p><p>Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations identify OT systems and system components with specific calibration, maintenance, or other requirements and limit maintenance to specific facilities. Some examples may include safety-critical systems or systems involved in custody transfer where accuracy tolerances are limited and additional quality control checks are required.</p>",
                "controlId": "MA-7",
                "family": "Maintenance",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "a04e6510-8393-4731-9c86-1610656714c3",
                        "parameterId": "MP-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-1_prm_1"
                    },
                    {
                        "uuid": "819dc7e4-b869-4c54-9fd1-c5495a90716f",
                        "parameterId": "MP-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-01_odp.03"
                    },
                    {
                        "uuid": "247fe4f5-8e1e-4dd5-a315-13174f3a3127",
                        "parameterId": "MP-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-01_odp.04"
                    },
                    {
                        "uuid": "28644884-9dff-46ca-8dfa-3c31a24b041d",
                        "parameterId": "MP-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-01_odp.05"
                    },
                    {
                        "uuid": "b16920ed-809f-4136-8dba-3ceb66283335",
                        "parameterId": "MP-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-01_odp.06"
                    },
                    {
                        "uuid": "64be5dcd-ae50-4903-a460-17f71e62c0dd",
                        "parameterId": "MP-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-01_odp.07"
                    },
                    {
                        "uuid": "8450456d-49d3-473b-8eda-cc8a84f4c258",
                        "parameterId": "MP-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "4905440e-f9a5-4cb9-9306-24d84f2e58b9",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "mp-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, MP-1(a) }}:</li><ul><li>1. {{ insert: param, MP-1(a)(1) }} media protection policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;</li></ul>"
                    },
                    {
                        "uuid": "bb4cadd1-40f7-45e2-8b2c-ab0db979a5ee",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "mp-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, MP-1(b) }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "7d7d445e-4c32-45af-b0ac-51177d9ead0e",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "mp-1_smt.c",
                        "description": "<ul><li>c. Review and update the current media protection:</li><ul><li>1. Policy {{ insert: param, MP-1(c)(1)-1 }} and following {{ insert: param, MP-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, MP-1(c)(2)-1 }} and following {{ insert: param, MP-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "c7fad390-ac69-4576-bd9e-3a8c6dbc57f0",
                        "testId": "MP-01a.[01]",
                        "test": "Determine if a media protection policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7f026323-29f3-469e-96c1-ad183de3734f",
                        "testId": "MP-01a.[02]",
                        "test": "Determine if the media protection policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fff53f56-79b7-46a0-947d-22859edb574b",
                        "testId": "MP-01a.[03]",
                        "test": "Determine if media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0e27b73f-7f6c-4df8-a13c-e5f9caaaefa1",
                        "testId": "MP-01a.[04]",
                        "test": "Determine if the media protection procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2a978854-83ac-4eb2-87d8-b650ff4101d6",
                        "testId": "MP-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  media protection policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dd6b1cdd-c3ed-4ce7-9ded-7f109345657d",
                        "testId": "MP-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  media protection policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c9d8284f-6d55-42a3-bf04-83c4ca4cbb21",
                        "testId": "MP-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  media protection policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "af4fcec8-afb7-4f9f-a3d9-cc038a09336a",
                        "testId": "MP-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  media protection policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f1e4be94-7ce6-4e05-8af6-2376086eaba6",
                        "testId": "MP-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  media protection policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eb4882de-0106-4de7-8d42-7adc1450dba6",
                        "testId": "MP-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  media protection policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0052f288-9989-4f08-8863-7bb46e6b6eb6",
                        "testId": "MP-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  media protection policy compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d8fd8b03-f871-4200-829d-a5bb054b99cf",
                        "testId": "MP-01a.01(b)",
                        "test": "Determine if the media protection policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "69237159-8c2b-48c7-8a47-52b5ad432a50",
                        "testId": "MP-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "da51dbaa-d708-4ab1-9baa-379686ae4d4c",
                        "testId": "MP-01c.01[01]",
                        "test": "Determine if the current media protection policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d4648a07-5066-4b8f-9c31-22071a4e4d32",
                        "testId": "MP-01c.01[02]",
                        "test": "Determine if the current media protection policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "002ae2a2-7e69-4ee5-807c-4648927de0d1",
                        "testId": "MP-01c.02[01]",
                        "test": "Determine if the current media protection procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "753d2a51-fe9d-4894-8a9c-5474ba746081",
                        "testId": "MP-01c.02[02]",
                        "test": "Determine if the current media protection procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1e4344af-2eee-462e-8e48-6537f2dd4f04",
                        "testId": "MP-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Media protection policy and procedures.</li><li>Organizational risk management strategy.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e86a459a-0147-476b-800b-2df48af59239",
                        "testId": "MP-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with media protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "5d15abb3-0cdb-40d1-8305-e541daf3d150",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MP-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, MP-1(a) }}:</p><ul><li><p>1. {{ insert: param, MP-1(a)(1) }} media protection policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the media protection policy and the associated media protection controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, MP-1(b) }} to manage the development, documentation, and dissemination of the media protection policy and procedures; and</p></li><li><p>c. Review and update the current media protection:</p><ul><li><p>1. Policy {{ insert: param, MP-1(c)(1)-1 }} and following {{ insert: param, MP-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, MP-1(c)(2)-1 }} and following {{ insert: param, MP-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Media protection policy and procedures address the controls in the MP family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of media protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to media protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "MP-1",
                "family": "Media Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "f12607c0-e817-4748-a5d8-9171da31f02d",
                        "parameterId": "MP-2-1",
                        "text": "organization-defined types of digital and/or non-digital media",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined types of digital and/or non-digital media] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-2_prm_1"
                    },
                    {
                        "uuid": "db3d36c2-42ae-4770-b641-996a0b736e5c",
                        "parameterId": "MP-2-2",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-2_prm_2"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "f1187807-7083-4e9f-b68b-0893887c98c8",
                        "name": "MP-2",
                        "objectiveType": "",
                        "otherId": "mp-2_smt",
                        "description": "Restrict access to {{ insert: param, MP-2-1 }} to {{ insert: param, MP-2-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "ec5ef475-b6c6-4787-90ad-fe980e72e7d5",
                        "testId": "MP-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System media protection policy.</li><li>Procedures addressing media access restrictions.</li><li>Access control policy and procedures.</li><li>Physical and environmental protection policy and procedures.</li><li>Media storage facilities.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "09ae0536-cfc5-4de1-b10f-b113aea8268d",
                        "testId": "MP-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system media protection responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab2c80cc-8309-4372-a20e-bbe0599f1440",
                        "testId": "MP-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for restricting information media.</li><li>Mechanisms supporting and/or implementing media access restrictions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8cb5bf5a-daf0-4655-bfbc-aa4bbdefd638",
                        "testId": "MP-02[01]",
                        "test": "Determine if access to  [SELECTED PARAMETER VALUE(S): types of digital media ]  is restricted to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>Procedures addressing media access restrictions.</li><li>Access control policy and procedures.</li><li>Physical and environmental protection policy and procedures.</li><li>Media storage facilities.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system media protection responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for restricting information media.</li><li>Mechanisms supporting and/or implementing media access restrictions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fb7ded0d-28d9-4c17-b5ce-ddebc57c4eca",
                        "testId": "MP-02[02]",
                        "test": "Determine if access to  [SELECTED PARAMETER VALUE(S): types of non-digital media ]  is restricted to  [SELECTED PARAMETER VALUE(S): personnel or roles ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>Procedures addressing media access restrictions.</li><li>Access control policy and procedures.</li><li>Physical and environmental protection policy and procedures.</li><li>Media storage facilities.</li><li>Access control records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system media protection responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for restricting information media.</li><li>Mechanisms supporting and/or implementing media access restrictions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "700a53f4-a0d5-4901-ab28-9e8f72acae38",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MP-02 - Media Access",
                "description": "Restrict access to  {{ insert: param, MP-2-1 }}  to  {{ insert: param, MP-2-2 }}.<br/><strong>Discussion</strong><br/><p>System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.</p>",
                "controlId": "MP-2",
                "family": "Media Protection",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "4d855978-1270-49bd-b86a-676933cbb979",
                        "parameterId": "MP-6(a)-1",
                        "text": "organization-defined system media",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined system media] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-6_prm_1"
                    },
                    {
                        "uuid": "c6c80161-0568-483f-b9e0-aadefe8cd55e",
                        "parameterId": "MP-6(a)-2",
                        "text": "organization-defined sanitization techniques and procedures",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined sanitization techniques and procedures] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-6_prm_2"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "65d6a704-e1a3-48b5-a627-7d56b0cb5651",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "mp-6_smt.a",
                        "description": "<ul><li>a. Sanitize {{ insert: param, MP-6(a)-1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, MP-6(a)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "e1b60c78-5238-429e-8421-7ac5ba1aa83a",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "mp-6_smt.b",
                        "description": "<ul><li>b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "f6fc1688-dd7b-42a2-96c1-0524700e529d",
                        "testId": "MP-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System media protection policy.</li><li>Procedures addressing media sanitization and disposal.</li><li>Applicable federal standards and policies addressing media sanitization policy.</li><li>Media sanitization records.</li><li>System audit records.</li><li>System design documentation.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "611344ea-05ba-4752-9065-9ac7a577fc2b",
                        "testId": "MP-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with media sanitization responsibilities.</li><li>Organizational personnel with records retention and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "28409cda-849b-4bea-88c9-33c8b25fb5c6",
                        "testId": "MP-06-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for media sanitization.</li><li>Mechanisms supporting and/or implementing media sanitization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8e7cb610-f605-42ca-86ce-d21043ffec8f",
                        "testId": "MP-06a.[01]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): system media ]  is sanitized using  [SELECTED PARAMETER VALUE(S): sanitization techniques and procedures ]  prior to disposal;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>Procedures addressing media sanitization and disposal.</li><li>Applicable federal standards and policies addressing media sanitization policy.</li><li>Media sanitization records.</li><li>System audit records.</li><li>System design documentation.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media sanitization responsibilities.</li><li>Organizational personnel with records retention and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for media sanitization.</li><li>Mechanisms supporting and/or implementing media sanitization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8654cd5-08ff-429c-8e0e-061e760c7a3c",
                        "testId": "MP-06a.[02]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): system media ]  is sanitized using  [SELECTED PARAMETER VALUE(S): sanitization techniques and procedures ]  prior to release from organizational control;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>Procedures addressing media sanitization and disposal.</li><li>Applicable federal standards and policies addressing media sanitization policy.</li><li>Media sanitization records.</li><li>System audit records.</li><li>System design documentation.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media sanitization responsibilities.</li><li>Organizational personnel with records retention and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for media sanitization.</li><li>Mechanisms supporting and/or implementing media sanitization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab8ae932-6a43-4fd7-a322-9cce864b60bc",
                        "testId": "MP-06a.[03]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): system media ]  is sanitized using  [SELECTED PARAMETER VALUE(S): sanitization techniques and procedures ]  prior to release for reuse;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>Procedures addressing media sanitization and disposal.</li><li>Applicable federal standards and policies addressing media sanitization policy.</li><li>Media sanitization records.</li><li>System audit records.</li><li>System design documentation.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media sanitization responsibilities.</li><li>Organizational personnel with records retention and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for media sanitization.</li><li>Mechanisms supporting and/or implementing media sanitization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4d948055-a66f-4e11-b07a-698a6884dc9b",
                        "testId": "MP-06b.",
                        "test": "Determine if sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information are employed.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>Procedures addressing media sanitization and disposal.</li><li>Applicable federal standards and policies addressing media sanitization policy.</li><li>Media sanitization records.</li><li>System audit records.</li><li>System design documentation.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with media sanitization responsibilities.</li><li>Organizational personnel with records retention and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for media sanitization.</li><li>Mechanisms supporting and/or implementing media sanitization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "91d5f263-3b40-4fb8-9851-2b6578dfe9e2",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MP-06 - Media Sanitization",
                "description": "<ul><li>a. Sanitize  {{ insert: param, MP-6(a)-1 }}  prior to disposal, release out of organizational control, or release for reuse using  {{ insert: param, MP-6(a)-2 }} ; and</li><li>b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.</li></ul><br/><strong>Discussion</strong><br/><p>Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques\u00e2\u20ac\u201dincluding clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction\u00e2\u20ac\u201dprevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.</p>",
                "controlId": "MP-6",
                "family": "Media Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>MP-6(1) - Review, Approve, Track, Document, and Verify</li><li>MP-6(2) - Equipment Testing</li><li>MP-6(3) - Nondestructive Techniques</li><li>MP-6(7) - Dual Authorization</li><li>MP-6(8) - Remote Purging or Wiping of Information</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "a5443fd6-20a4-4b14-bcea-af8da14cac86",
                        "parameterId": "MP-7(a)-2",
                        "text": "types of system media",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined types of system media] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-07_odp.01"
                    },
                    {
                        "uuid": "f9416940-ee6d-435f-b59b-346182bb5c59",
                        "parameterId": "MP-7(a)-1",
                        "text": "[Selection: restrict; prohibit]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection: restrict; prohibit]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-07_odp.02"
                    },
                    {
                        "uuid": "f0b7983d-0d7b-4498-88db-328c4caf9906",
                        "parameterId": "MP-7(a)-3",
                        "text": "systems or system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined systems or system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-07_odp.03"
                    },
                    {
                        "uuid": "3e3b5471-3179-44e8-8a1e-689d33e75ca0",
                        "parameterId": "MP-7(a)-4",
                        "text": "controls",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined controls] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "mp-07_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "67b0a57d-bb6a-4bb6-b823-d4629db9fbeb",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "mp-7_smt.a",
                        "description": "<ul><li>a. {{ insert: param, MP-7(a)-1 }} the use of {{ insert: param, MP-7(a)-2 }} on {{ insert: param, MP-7(a)-3 }} using {{ insert: param, MP-7(a)-4 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "cbfad219-b569-462a-b9c9-3ab0be54ac56",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "mp-7_smt.b",
                        "description": "<ul><li>b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "4970ff87-e4f1-4ed4-84cd-18957f11f1be",
                        "testId": "MP-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System media protection policy.</li><li>System use policy.</li><li>Procedures addressing media usage restrictions.</li><li>Rules of behavior.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "969263f3-6dd0-47a0-a8b1-035dfd29c7b6",
                        "testId": "MP-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system media use responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "493f7268-791e-4b85-b115-c3b3da04508e",
                        "testId": "MP-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for media use.</li><li>Mechanisms restricting or prohibiting the use of system media on systems or system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "966a70cb-c017-4094-8280-1eb3e4a4c76c",
                        "testId": "MP-07a.",
                        "test": "Determine if the use of  [SELECTED PARAMETER VALUE(S): types of system media ]  is  [SELECTED PARAMETER VALUE(S): [Selection: restrict; prohibit] ]  on  [SELECTED PARAMETER VALUE(S): systems or system components ]  using  [SELECTED PARAMETER VALUE(S): controls ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>System use policy.</li><li>Procedures addressing media usage restrictions.</li><li>Rules of behavior.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system media use responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for media use.</li><li>Mechanisms restricting or prohibiting the use of system media on systems or system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e9303a77-2dd3-479f-b670-731b8074040c",
                        "testId": "MP-07b.",
                        "test": "Determine if the use of portable storage devices in organizational systems is prohibited when such devices have no identifiable owner.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System media protection policy.</li><li>System use policy.</li><li>Procedures addressing media usage restrictions.</li><li>Rules of behavior.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system media use responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for media use.</li><li>Mechanisms restricting or prohibiting the use of system media on systems or system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "a623345f-c4ef-47b0-a833-f874e4017f91",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "MP-07 - Media Use",
                "description": "<ul><li>a. {{ insert: param, MP-7(a)-1 }}  the use of  {{ insert: param, MP-7(a)-2 }}  on  {{ insert: param, MP-7(a)-3 }}  using  {{ insert: param, MP-7(a)-4 }} ; and</li><li>b. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.</li></ul><br/><strong>Discussion</strong><br/><p>System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to  <a href=\"#mp-2\">MP-2</a> , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.</p>",
                "controlId": "MP-7",
                "family": "Media Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>MP-7(2) - Prohibit Use of Sanitization-resistant Media</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "93a2345f-578b-4b2c-8646-4390ee4e4c8e",
                        "parameterId": "PE-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-1_prm_1"
                    },
                    {
                        "uuid": "66d75305-a654-49e2-a3c3-a47c7a9dab8c",
                        "parameterId": "PE-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-01_odp.03"
                    },
                    {
                        "uuid": "c4e286a3-ed52-4f67-b57d-3a4cc47ca403",
                        "parameterId": "PE-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-01_odp.04"
                    },
                    {
                        "uuid": "2ac54449-7c1e-4c79-b422-ac7359d1c0da",
                        "parameterId": "PE-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-01_odp.05"
                    },
                    {
                        "uuid": "ea6fbd5e-dfd4-48c3-b1c7-fdfcd66a1fc2",
                        "parameterId": "PE-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-01_odp.06"
                    },
                    {
                        "uuid": "3e4224ad-54bc-4e56-8c12-03761870b53f",
                        "parameterId": "PE-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-01_odp.07"
                    },
                    {
                        "uuid": "0ce6313a-f14c-4ab4-a30f-1b50601b4d8b",
                        "parameterId": "PE-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "84fbb432-59cd-4914-9cfe-941b58b0d3aa",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pe-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, PE-1(a) }}:</li><ul><li>1. {{ insert: param, PE-1(a)(1) }} physical and environmental protection policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;</li></ul>"
                    },
                    {
                        "uuid": "60dfee02-33f0-49e0-a272-496b2e614fc2",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pe-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, PE-1(b) }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "a9c8637c-8c98-4d23-9069-8f98c8d17ea4",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pe-1_smt.c",
                        "description": "<ul><li>c. Review and update the current physical and environmental protection:</li><ul><li>1. Policy {{ insert: param, PE-1(c)(1)-1 }} and following {{ insert: param, PE-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, PE-1(c)(2)-1 }} and following {{ insert: param, PE-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "e793948c-0f19-4e77-9068-91874d06461d",
                        "testId": "PE-01a.[01]",
                        "test": "Determine if a physical and environmental protection policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f5cd29ac-77bb-4357-beb3-1658f150cb9a",
                        "testId": "PE-01a.[02]",
                        "test": "Determine if the physical and environmental protection policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8bf3842b-3eaa-4877-aca1-93046212f6a2",
                        "testId": "PE-01a.[03]",
                        "test": "Determine if physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eb1bd2cd-d631-4960-ab58-7dd1cd1091f1",
                        "testId": "PE-01a.[04]",
                        "test": "Determine if the physical and environmental protection procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "70a8400e-79ca-4836-ae93-723b5771e7f6",
                        "testId": "PE-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "34ae4e97-23d4-4131-a9d4-10af7511bd85",
                        "testId": "PE-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cf24f07f-656b-48dd-82a9-69eecd46bf0a",
                        "testId": "PE-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "24e9e620-bcc3-4932-bc18-b8274f123506",
                        "testId": "PE-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d7f24f36-cc3a-40cc-a102-6f09d6f63b1c",
                        "testId": "PE-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "79792d5c-dd2d-49a5-9acd-e5c2b31b823d",
                        "testId": "PE-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fce9c8d1-3b68-4cb9-80c5-793635bb5ce7",
                        "testId": "PE-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d7391981-8a22-4729-9bc0-5a5571bfa29c",
                        "testId": "PE-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  physical and environmental protection policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2c8a1211-644b-45b9-8cd6-3c413878425c",
                        "testId": "PE-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7259a1f8-cf23-4270-a708-4a8cc36af3f6",
                        "testId": "PE-01c.01[01]",
                        "test": "Determine if the current physical and environmental protection policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c97a3e0f-4636-4b92-b665-11aba0992c77",
                        "testId": "PE-01c.01[02]",
                        "test": "Determine if the current physical and environmental protection policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b98b9c1f-dbe8-4248-b22e-03637a8dba4a",
                        "testId": "PE-01c.02[01]",
                        "test": "Determine if the current physical and environmental protection procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3d3b4ddf-70da-455a-84c8-d8ae39158736",
                        "testId": "PE-01c.02[02]",
                        "test": "Determine if the current physical and environmental protection procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6d90581f-003c-4151-999d-308c1c41251d",
                        "testId": "PE-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Organizational risk management strategy.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b2677569-1730-4870-afc9-0ec78f0f4cd3",
                        "testId": "PE-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with physical and environmental protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ef7d1f0e-a946-49a9-87ba-5385d27094fc",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, PE-1(a) }}:</p><ul><li><p>1. {{ insert: param, PE-1(a)(1) }} physical and environmental protection policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, PE-1(b) }} to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and</p></li><li><p>c. Review and update the current physical and environmental protection:</p><ul><li><p>1. Policy {{ insert: param, PE-1(c)(1)-1 }} and following {{ insert: param, PE-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, PE-1(c)(2)-1 }} and following {{ insert: param, PE-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Physical and environmental protection policy and procedures address the controls in the PE family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of physical and environmental protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to physical and environmental protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems. The OT components can be distributed over a large facility footprint or geographic area and can be an entry point into the entire organizational network OT. Regulatory controls may also apply.</p>",
                "controlId": "PE-1",
                "family": "Physical and Environmental Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "59de8b80-681d-4c73-9df5-8a83bca719cb",
                        "parameterId": "PE-2(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-02_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0a9ac8a2-91ce-4249-8fe0-c822ebef5aea",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pe-2_smt.a",
                        "description": "<ul><li>a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;</li></ul>"
                    },
                    {
                        "uuid": "8923e866-d282-4e53-be07-1b5d8cd0fbd5",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pe-2_smt.b",
                        "description": "<ul><li>b. Issue authorization credentials for facility access;</li></ul>"
                    },
                    {
                        "uuid": "37fd7727-b7cb-48e4-bdfd-9e0089f34d16",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pe-2_smt.c",
                        "description": "<ul><li>c. Review the access list detailing authorized facility access by individuals {{ insert: param, PE-2(c) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "24f801ec-9168-4ee6-99ec-72227d0f671c",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pe-2_smt.d",
                        "description": "<ul><li>d. Remove individuals from the facility access list when access is no longer required.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "e8a8e8aa-db78-40df-affd-4a70586bcc24",
                        "testId": "PE-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access authorizations.</li><li>Authorized personnel access list.</li><li>Authorization credentials.</li><li>Physical access list reviews.</li><li>Physical access termination records and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bef42f96-7d41-4e93-8761-6c22c731dc4b",
                        "testId": "PE-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with physical access authorization responsibilities.</li><li>Organizational personnel with physical access to system facility.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b7f7f476-c22c-4c6a-a7d6-4390fe0af071",
                        "testId": "PE-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for physical access authorizations.</li><li>Mechanisms supporting and/or implementing physical access authorizations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "211f42e2-5f5d-43af-bd7c-d747e5794d9c",
                        "testId": "PE-02a.[01]",
                        "test": "Determine if a list of individuals with authorized access to the facility where the system resides has been developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access authorizations.</li><li>Authorized personnel access list.</li><li>Authorization credentials.</li><li>Physical access list reviews.</li><li>Physical access termination records and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access authorization responsibilities.</li><li>Organizational personnel with physical access to system facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access authorizations.</li><li>Mechanisms supporting and/or implementing physical access authorizations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3b517170-2565-4151-8ba2-387fa768fef2",
                        "testId": "PE-02a.[02]",
                        "test": "Determine if the list of individuals with authorized access to the facility where the system resides has been approved;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access authorizations.</li><li>Authorized personnel access list.</li><li>Authorization credentials.</li><li>Physical access list reviews.</li><li>Physical access termination records and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access authorization responsibilities.</li><li>Organizational personnel with physical access to system facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access authorizations.</li><li>Mechanisms supporting and/or implementing physical access authorizations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b1a70c33-4abc-46c8-b0db-4ac93e4f7486",
                        "testId": "PE-02a.[03]",
                        "test": "Determine if the list of individuals with authorized access to the facility where the system resides has been maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access authorizations.</li><li>Authorized personnel access list.</li><li>Authorization credentials.</li><li>Physical access list reviews.</li><li>Physical access termination records and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access authorization responsibilities.</li><li>Organizational personnel with physical access to system facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access authorizations.</li><li>Mechanisms supporting and/or implementing physical access authorizations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f811912f-b6f3-4d41-9542-b1b5d4a76437",
                        "testId": "PE-02b.",
                        "test": "Determine if authorization credentials are issued for facility access;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access authorizations.</li><li>Authorized personnel access list.</li><li>Authorization credentials.</li><li>Physical access list reviews.</li><li>Physical access termination records and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access authorization responsibilities.</li><li>Organizational personnel with physical access to system facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access authorizations.</li><li>Mechanisms supporting and/or implementing physical access authorizations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "37a240d0-35f9-461a-b37d-4a1d6df960e9",
                        "testId": "PE-02c.",
                        "test": "Determine if the access list detailing authorized facility access by individuals is reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access authorizations.</li><li>Authorized personnel access list.</li><li>Authorization credentials.</li><li>Physical access list reviews.</li><li>Physical access termination records and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access authorization responsibilities.</li><li>Organizational personnel with physical access to system facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access authorizations.</li><li>Mechanisms supporting and/or implementing physical access authorizations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8182d78a-912b-4746-9053-8d597f2a271c",
                        "testId": "PE-02d.",
                        "test": "Determine if individuals are removed from the facility access list when access is no longer required.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access authorizations.</li><li>Authorized personnel access list.</li><li>Authorization credentials.</li><li>Physical access list reviews.</li><li>Physical access termination records and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access authorization responsibilities.</li><li>Organizational personnel with physical access to system facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access authorizations.</li><li>Mechanisms supporting and/or implementing physical access authorizations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d68e2a7b-b0c5-4064-bf9e-87d42dc75c8a",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-02 - Physical Access Authorizations",
                "description": "<ul><li>a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides;</li><li>b. Issue authorization credentials for facility access;</li><li>c. Review the access list detailing authorized facility access by individuals  {{ insert: param, PE-2(c) }} ; and</li><li>d. Remove individuals from the facility access list when access is no longer required.</li></ul><br/><strong>Discussion</strong><br/><p>Physical access authorizations apply to employees and visitors. Individuals with permanent physical access authorization credentials are not considered visitors. Authorization credentials include ID badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials needed consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Physical access authorizations may not be necessary to access certain areas within facilities that are designated as publicly accessible.</p>",
                "controlId": "PE-2",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-2(1) - Access by Position or Role</li><li>PE-2(2) - Two Forms of Identification</li><li>PE-2(3) - Restrict Unescorted Access</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ca1aea4d-9bc6-4084-89d1-9bc4ac9897ac",
                        "parameterId": "PE-3(g)",
                        "text": "organization-defined frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-3_prm_9"
                    },
                    {
                        "uuid": "eeda1fd1-adc6-4487-81a7-8986e8c66c59",
                        "parameterId": "PE-3(a)",
                        "text": "entry and exit points",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined entry and exit points] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-03_odp.01"
                    },
                    {
                        "uuid": "233e10c5-df9b-4674-a14a-6a974d2dceb4",
                        "parameterId": "PE-3(a)(2)",
                        "text": "[Selection (one or more): [(NESTED PARAMETER) Assignment for pe-03_odp.03: systems or devices]; guards]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): [(NESTED PARAMETER) Assignment for pe-03_odp.03: systems or devices]; guards]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-03_odp.02"
                    },
                    {
                        "uuid": "302226be-bbdb-406a-bb3b-507a91197fe6",
                        "parameterId": "PE-3(b)",
                        "text": "entry or exit points",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined entry or exit points] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-03_odp.04"
                    },
                    {
                        "uuid": "f1436b7d-826d-4511-89e4-ea4d0c9a784d",
                        "parameterId": "PE-3(c)",
                        "text": "physical access controls",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined physical access controls] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-03_odp.05"
                    },
                    {
                        "uuid": "9d58ba0f-9143-459b-9cc7-de710fe70c82",
                        "parameterId": "PE-3(d)",
                        "text": "circumstances",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined circumstances] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-03_odp.06"
                    },
                    {
                        "uuid": "853dd72d-c157-4bc1-b31f-00ca7e82cbaa",
                        "parameterId": "PE-3(f)-1",
                        "text": "physical access devices",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined physical access devices] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-03_odp.07"
                    },
                    {
                        "uuid": "73fdbb46-9447-4e15-a84a-404879d346a7",
                        "parameterId": "PE-3(f)-2",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-03_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "748ed4e9-fb1d-4b35-be49-689f8e30e1c5",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pe-3_smt.a",
                        "description": "<ul><li>a. Enforce physical access authorizations at {{ insert: param, PE-3(a) }} by:</li><ul><li>1. Verifying individual access authorizations before granting access to the facility; and</li><li>2. Controlling ingress and egress to the facility using {{ insert: param, PE-3(a)(2) }};</li></ul>"
                    },
                    {
                        "uuid": "af0aeb67-6f81-4312-bc10-2da39817c75c",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pe-3_smt.b",
                        "description": "<ul><li>b. Maintain physical access audit logs for {{ insert: param, PE-3(b) }};</li></ul>"
                    },
                    {
                        "uuid": "d77497c0-70e8-429a-888a-79a7d5a9e90a",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pe-3_smt.c",
                        "description": "<ul><li>c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, PE-3(c) }};</li></ul>"
                    },
                    {
                        "uuid": "3e63189f-84ad-4118-adce-5fd109f111a9",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pe-3_smt.d",
                        "description": "<ul><li>d. Escort visitors and control visitor activity {{ insert: param, PE-3(d) }};</li></ul>"
                    },
                    {
                        "uuid": "80a0e76b-2ce0-4af3-b75f-1a0891d15b8f",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "pe-3_smt.e",
                        "description": "<ul><li>e. Secure keys, combinations, and other physical access devices;</li></ul>"
                    },
                    {
                        "uuid": "aafca3fe-288c-4119-acab-c73ffad6f87d",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "pe-3_smt.f",
                        "description": "<ul><li>f. Inventory {{ insert: param, PE-3(f)-1 }} every {{ insert: param, PE-3(f)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "9f2f62f5-1786-4e7a-bff7-d6d6d5bfe643",
                        "name": "g.",
                        "objectiveType": "",
                        "otherId": "pe-3_smt.g",
                        "description": "<ul><li>g. Change combinations and keys {{ insert: param, PE-3(g) }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "42a3cdfe-24b5-4a39-bbf0-42507df11c48",
                        "testId": "PE-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "281265f1-31ff-4fb4-af74-c71547216a12",
                        "testId": "PE-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f717f8a6-a739-43ef-bf6f-3ebdf9eb5352",
                        "testId": "PE-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "58d792c7-4d25-4886-b459-2fe511c2f86d",
                        "testId": "PE-03a.01",
                        "test": "Determine if physical access authorizations are enforced at  [SELECTED PARAMETER VALUE(S): entry and exit points ]  by verifying individual access authorizations before granting access to the facility;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2802402f-b04e-4141-8f1d-308da47b8d56",
                        "testId": "PE-03a.02",
                        "test": "Determine if physical access authorizations are enforced at  [SELECTED PARAMETER VALUE(S): entry and exit points ]  by controlling ingress and egress to the facility using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): [(NESTED PARAMETER) Assignment for pe-03_odp.03: systems or devices]; guards] ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ccff2c00-3710-4f3b-a4b5-ec1ee908aec1",
                        "testId": "PE-03b.",
                        "test": "Determine if physical access audit logs are maintained for  [SELECTED PARAMETER VALUE(S): entry or exit points ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "006faf76-2398-4c57-90de-f7fd6d87808b",
                        "testId": "PE-03c.",
                        "test": "Determine if access to areas within the facility designated as publicly accessible are maintained by implementing  [SELECTED PARAMETER VALUE(S): physical access controls ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ff645262-e1b4-4a3b-87b6-60d626ec75f5",
                        "testId": "PE-03d.[01]",
                        "test": "Determine if visitors are escorted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6a4df0b5-2dea-4b04-afc4-0a7a03f9e423",
                        "testId": "PE-03d.[02]",
                        "test": "Determine if visitor activity is controlled  [SELECTED PARAMETER VALUE(S): circumstances ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "be7d7c0e-2aae-4e6b-acd4-c3e972956f25",
                        "testId": "PE-03e.[01]",
                        "test": "Determine if keys are secured;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4c275b59-fa3f-40c4-8cd9-7b8df25c2410",
                        "testId": "PE-03e.[02]",
                        "test": "Determine if combinations are secured;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3c684f99-ecd8-4c42-be82-2e04026f4b63",
                        "testId": "PE-03e.[03]",
                        "test": "Determine if other physical access devices are secured;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9ee4ddda-c8ff-435f-bec9-5a15df29d09d",
                        "testId": "PE-03f.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): physical access devices ]  are inventoried  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5908be34-9739-4a74-83a1-fcab63a6c151",
                        "testId": "PE-03g.[01]",
                        "test": "Determine if combinations are changed  [SELECTED PARAMETER VALUE(S): frequency ] , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "69c2da49-bd38-44c8-9e8a-d79f8586074e",
                        "testId": "PE-03g.[02]",
                        "test": "Determine if keys are changed  [SELECTED PARAMETER VALUE(S): frequency ] , when keys are lost, or when individuals possessing the keys are transferred or terminated.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access control.</li><li>Physical access control logs or records.</li><li>Inventory records of physical access control devices.</li><li>System entry and exit points.</li><li>Records of key and lock combination changes.</li><li>Storage locations for physical access control devices.</li><li>Physical access control devices.</li><li>List of security safeguards controlling access to designated publicly accessible areas within facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access control responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for physical access control.</li><li>Mechanisms supporting and/or implementing physical access control.</li><li>Physical access control devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "e991b07f-de60-478e-8c9c-1c6e71addea0",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-03 - Physical Access Control",
                "description": "<ul><li><p>a. Enforce physical access authorizations at {{ insert: param, PE-3(a) }} by:</p><ul><li><p>1. Verifying individual access authorizations before granting access to the facility; and</p></li><li><p>2. Controlling ingress and egress to the facility using {{ insert: param, PE-3(a)(2) }};</p></li></ul></li><li><p>b. Maintain physical access audit logs for {{ insert: param, PE-3(b) }};</p></li><li><p>c. Control access to areas within the facility designated as publicly accessible by implementing the following controls: {{ insert: param, PE-3(c) }};</p></li><li><p>d. Escort visitors and control visitor activity {{ insert: param, PE-3(d) }};</p></li><li><p>e. Secure keys, combinations, and other physical access devices;</p></li><li><p>f. Inventory {{ insert: param, PE-3(f)-1 }} every {{ insert: param, PE-3(f)-2 }} ; and</p></li><li><p>g. Change combinations and keys {{ insert: param, PE-3(g) }} and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Physical access control applies to employees and visitors. Individuals with permanent physical access authorizations are not considered visitors. Physical access controls for publicly accessible areas may include physical access control logs/records, guards, or physical access devices and barriers to prevent movement from publicly accessible areas to non-public areas. Organizations determine the types of guards needed, including professional security staff, system users, or administrative staff. Physical access devices include keys, locks, combinations, biometric readers, and card readers. Physical access control systems comply with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Organizations have flexibility in the types of audit logs employed. Audit logs can be procedural, automated, or some combination thereof. Physical access points can include facility access points, interior access points to systems that require supplemental access controls, or both. Components of systems may be in areas designated as publicly accessible with organizations controlling access to the components.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization considers OT safety and security interdependencies and access requirements in emergency situations. During an emergency, the organization may restrict access to OT facilities and assets to authorized individuals only. OT systems are often constructed of devices that do not have or cannot use comprehensive access control capabilities due to time-restrictive safety constraints. Physical access controls and defense-in-depth measures are used by the organization when necessary and possible to supplement OT security when electronic mechanisms are unable to fulfill the security requirements of the organization\u2019s security plan.</p>",
                "controlId": "PE-3",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-3(1) - System Access</li><li>PE-3(2) - Facility and Systems</li><li>PE-3(3) - Continuous Guards</li><li>PE-3(4) - Lockable Casings</li><li>PE-3(5) - Tamper Protection</li><li>PE-3(7) - Physical Barriers</li><li>PE-3(8) - Access Control Vestibules</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "a44744ad-b101-4623-bd2f-caedbb1b892a",
                        "parameterId": "PE-6(b)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-06_odp.01"
                    },
                    {
                        "uuid": "de9c3064-dea7-48d5-918c-828f1b80bb4f",
                        "parameterId": "PE-6(b)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-06_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "cf4c9428-eebd-42cd-b5de-879bbc07d8d3",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pe-6_smt.a",
                        "description": "<ul><li>a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;</li></ul>"
                    },
                    {
                        "uuid": "45270c28-074a-4b49-a7e2-a9b792c06381",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pe-6_smt.b",
                        "description": "<ul><li>b. Review physical access logs {{ insert: param, PE-6(b)-1 }} and upon occurrence of {{ insert: param, PE-6(b)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "6f31cd54-a2e9-45cd-873e-8b5b2334e0dd",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pe-6_smt.c",
                        "description": "<ul><li>c. Coordinate results of reviews and investigations with the organizational incident response capability.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "ee56ecd0-3224-4cdf-b119-32dc2a83410d",
                        "testId": "PE-06a.",
                        "test": "Determine if physical access to the facility where the system resides is monitored to detect and respond to physical security incidents;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access monitoring.</li><li>Physical access logs or records.</li><li>Physical access monitoring records.</li><li>Physical access log reviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access monitoring responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring physical access.</li><li>Mechanisms supporting and/or implementing physical access monitoring.</li><li>Mechanisms supporting and/or implementing the review of physical access logs.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "79bc2cba-9de8-403f-9e1b-6abb3a2d0073",
                        "testId": "PE-06b.[01]",
                        "test": "Determine if physical access logs are reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access monitoring.</li><li>Physical access logs or records.</li><li>Physical access monitoring records.</li><li>Physical access log reviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access monitoring responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring physical access.</li><li>Mechanisms supporting and/or implementing physical access monitoring.</li><li>Mechanisms supporting and/or implementing the review of physical access logs.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "92dcc2ea-e010-4ac1-9d82-67909efb24f3",
                        "testId": "PE-06b.[02]",
                        "test": "Determine if physical access logs are reviewed upon occurrence of  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access monitoring.</li><li>Physical access logs or records.</li><li>Physical access monitoring records.</li><li>Physical access log reviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access monitoring responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring physical access.</li><li>Mechanisms supporting and/or implementing physical access monitoring.</li><li>Mechanisms supporting and/or implementing the review of physical access logs.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c34f1200-2393-4640-80d6-706392d5a5a2",
                        "testId": "PE-06c.[01]",
                        "test": "Determine if results of reviews are coordinated with organizational incident response capabilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access monitoring.</li><li>Physical access logs or records.</li><li>Physical access monitoring records.</li><li>Physical access log reviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access monitoring responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring physical access.</li><li>Mechanisms supporting and/or implementing physical access monitoring.</li><li>Mechanisms supporting and/or implementing the review of physical access logs.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4f39a02c-4a32-4427-aa85-5e9c38e746d2",
                        "testId": "PE-06c.[02]",
                        "test": "Determine if results of investigations are coordinated with organizational incident response capabilities.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access monitoring.</li><li>Physical access logs or records.</li><li>Physical access monitoring records.</li><li>Physical access log reviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with physical access monitoring responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring physical access.</li><li>Mechanisms supporting and/or implementing physical access monitoring.</li><li>Mechanisms supporting and/or implementing the review of physical access logs.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "abeebcd1-433c-43a3-8134-dec30f80798b",
                        "testId": "PE-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing physical access monitoring.</li><li>Physical access logs or records.</li><li>Physical access monitoring records.</li><li>Physical access log reviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cc46e62c-94c9-409a-9893-5a317ad29fbe",
                        "testId": "PE-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with physical access monitoring responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "192c682f-a736-4c73-84e1-4753f003e61d",
                        "testId": "PE-06-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for monitoring physical access.</li><li>Mechanisms supporting and/or implementing physical access monitoring.</li><li>Mechanisms supporting and/or implementing the review of physical access logs.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "5f00f037-534b-443d-bad5-a861c0d6792f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-06 - Monitoring Physical Access",
                "description": "<ul><li>a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents;</li><li>b. Review physical access logs  {{ insert: param, PE-6(b)-1 }}  and upon occurrence of  {{ insert: param, PE-6(b)-2 }} ; and</li><li>c. Coordinate results of reviews and investigations with the organizational incident response capability.</li></ul><br/><strong>Discussion</strong><br/><p>Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as  <a href=\"#au-2\">AU-2</a> , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.</p>",
                "controlId": "PE-6",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-6(1) - Intrusion Alarms and Surveillance Equipment</li><li>PE-6(2) - Automated Intrusion Recognition and Responses</li><li>PE-6(3) - Video Surveillance</li><li>PE-6(4) - Monitoring Physical Access to Systems</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "0252fd78-9aa7-4132-a299-726191c08769",
                        "parameterId": "PE-8(a)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-08_odp.01"
                    },
                    {
                        "uuid": "9136783e-662e-4dbe-b50b-75f12a3c2d14",
                        "parameterId": "PE-8(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-08_odp.02"
                    },
                    {
                        "uuid": "de4fcf7a-c2ba-472f-985d-5c32ba00e896",
                        "parameterId": "PE-8(c)",
                        "text": "personnel",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-08_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "1a6bbd00-7746-449b-a697-05b300eec9bd",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pe-8_smt.a",
                        "description": "<ul><li>a. Maintain visitor access records to the facility where the system resides for {{ insert: param, PE-8(a) }};</li></ul>"
                    },
                    {
                        "uuid": "18998d93-12f6-4aab-8864-7f5bd3e9fb8b",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pe-8_smt.b",
                        "description": "<ul><li>b. Review visitor access records {{ insert: param, PE-8(b) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "d7529b94-f76f-4dd0-9b2d-3eb90f17b8f1",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pe-8_smt.c",
                        "description": "<ul><li>c. Report anomalies in visitor access records to {{ insert: param, PE-8(c) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "b68e6e8c-721c-45a4-be7a-d22092f994d9",
                        "testId": "PE-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing visitor access records.</li><li>Visitor access control logs or records.</li><li>Visitor access record or log reviews.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9b94bf72-e0c2-4adf-8047-49c2e6e5e0c6",
                        "testId": "PE-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with visitor access record responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "abaf0e92-13cd-487b-9bb6-0331dc72cbea",
                        "testId": "PE-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for maintaining and reviewing visitor access records.</li><li>Mechanisms supporting and/or implementing the maintenance and review of visitor access records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bac35a0f-f2b0-4463-a0a6-d88cb1bea13f",
                        "testId": "PE-08a.",
                        "test": "Determine if visitor access records for the facility where the system resides are maintained for  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing visitor access records.</li><li>Visitor access control logs or records.</li><li>Visitor access record or log reviews.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with visitor access record responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for maintaining and reviewing visitor access records.</li><li>Mechanisms supporting and/or implementing the maintenance and review of visitor access records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "50fc24d0-aba4-4614-b583-5cc4188c698e",
                        "testId": "PE-08b.",
                        "test": "Determine if visitor access records are reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing visitor access records.</li><li>Visitor access control logs or records.</li><li>Visitor access record or log reviews.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with visitor access record responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for maintaining and reviewing visitor access records.</li><li>Mechanisms supporting and/or implementing the maintenance and review of visitor access records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cec0d34d-04e8-4aff-8883-accb7f705a9e",
                        "testId": "PE-08c.",
                        "test": "Determine if visitor access records anomalies are reported to  [SELECTED PARAMETER VALUE(S): personnel ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing visitor access records.</li><li>Visitor access control logs or records.</li><li>Visitor access record or log reviews.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with visitor access record responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for maintaining and reviewing visitor access records.</li><li>Mechanisms supporting and/or implementing the maintenance and review of visitor access records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "1f8879dc-54e4-425f-94b1-43a4ee28cc4d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-08 - Visitor Access Records",
                "description": "<ul><li>a. Maintain visitor access records to the facility where the system resides for  {{ insert: param, PE-8(a) }};</li><li>b. Review visitor access records  {{ insert: param, PE-8(b) }} ; and</li><li>c. Report anomalies in visitor access records to  {{ insert: param, PE-8(c) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Visitor access records include the names and organizations of individuals visiting, visitor signatures, forms of identification, dates of access, entry and departure times, purpose of visits, and the names and organizations of individuals visited. Access record reviews determine if access authorizations are current and are still required to support organizational mission and business functions. Access records are not required for publicly accessible areas.</p>",
                "controlId": "PE-8",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-8(1) - Automated Records Maintenance and Review</li><li>PE-8(3) - Limit Personally Identifiable Information Elements</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "e023b205-0734-41ce-a098-a747c9131b63",
                        "name": "PE-12",
                        "objectiveType": "",
                        "otherId": "pe-12_smt",
                        "description": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."
                    }
                ],
                "tests": [
                    {
                        "uuid": "6ffada76-30d8-4a65-bb5d-0163df3d259d",
                        "testId": "PE-12-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing emergency lighting.</li><li>Emergency lighting documentation.</li><li>Emergency lighting test records.</li><li>Emergency exits and evacuation routes.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a5dfe37c-1e1a-4c6c-8d80-d67c6d7baff5",
                        "testId": "PE-12-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with the responsibility for emergency lighting and/or planning.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a39c4f26-3ce9-46f8-b9d7-b12d5d690f93",
                        "testId": "PE-12-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing an emergency lighting capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0275e8ca-8963-4c40-96e3-a4610b4ec2c1",
                        "testId": "PE-12[01]",
                        "test": "Determine if automatic emergency lighting that activates in the event of a power outage or disruption is employed for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing emergency lighting.</li><li>Emergency lighting documentation.</li><li>Emergency lighting test records.</li><li>Emergency exits and evacuation routes.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with the responsibility for emergency lighting and/or planning.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing an emergency lighting capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "547a5606-84ce-47aa-b83a-7d15ec0c3a72",
                        "testId": "PE-12[02]",
                        "test": "Determine if automatic emergency lighting that activates in the event of a power outage or disruption is maintained for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing emergency lighting.</li><li>Emergency lighting documentation.</li><li>Emergency lighting test records.</li><li>Emergency exits and evacuation routes.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with the responsibility for emergency lighting and/or planning.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing an emergency lighting capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "318db194-b57e-4d8c-a373-d1e0292d31f1",
                        "testId": "PE-12[03]",
                        "test": "Determine if automatic emergency lighting for the system covers emergency exits within the facility;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing emergency lighting.</li><li>Emergency lighting documentation.</li><li>Emergency lighting test records.</li><li>Emergency exits and evacuation routes.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with the responsibility for emergency lighting and/or planning.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing an emergency lighting capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3d1645dd-a494-45d5-96af-b66644224449",
                        "testId": "PE-12[04]",
                        "test": "Determine if automatic emergency lighting for the system covers evacuation routes within the facility.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing emergency lighting.</li><li>Emergency lighting documentation.</li><li>Emergency lighting test records.</li><li>Emergency exits and evacuation routes.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with the responsibility for emergency lighting and/or planning.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing an emergency lighting capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "be674b1b-7aa9-4a6e-9f89-11b0253d85b7",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-12 - Emergency Lighting",
                "description": "Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.<br/><strong>Discussion</strong><br/><p>The provision of emergency lighting applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Emergency lighting provisions for the system are described in the contingency plan for the organization. If emergency lighting for the system fails or cannot be provided, organizations consider alternate processing sites for power-related contingencies.</p>",
                "controlId": "PE-12",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-12(1) - Essential Mission and Business Functions</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "47b921f6-c223-4039-8000-3b3fdaa4f0d9",
                        "name": "PE-13",
                        "objectiveType": "",
                        "otherId": "pe-13_smt",
                        "description": "Employ and maintain fire detection and suppression systems that are supported by an independent energy source."
                    }
                ],
                "tests": [
                    {
                        "uuid": "162f7ffe-9fc0-42be-95aa-af8261b77fa5",
                        "testId": "PE-13-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing fire protection.</li><li>Fire suppression and detection devices/systems.</li><li>Fire suppression and detection devices/systems documentation.</li><li>Test records of fire suppression and detection devices/systems.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "425b87c5-9abd-4827-a7e8-cae105e469f1",
                        "testId": "PE-13-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for fire detection and suppression devices/systems.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "36f99144-90e3-4c18-8b58-18c620244ffc",
                        "testId": "PE-13-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing fire suppression/detection devices/systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "66808ab9-cc57-43c3-989c-7d9a814bcd71",
                        "testId": "PE-13[01]",
                        "test": "Determine if fire detection systems are employed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing fire protection.</li><li>Fire suppression and detection devices/systems.</li><li>Fire suppression and detection devices/systems documentation.</li><li>Test records of fire suppression and detection devices/systems.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for fire detection and suppression devices/systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing fire suppression/detection devices/systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "53909925-8450-411d-a034-dbea3308671b",
                        "testId": "PE-13[02]",
                        "test": "Determine if employed fire detection systems are supported by an independent energy source;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing fire protection.</li><li>Fire suppression and detection devices/systems.</li><li>Fire suppression and detection devices/systems documentation.</li><li>Test records of fire suppression and detection devices/systems.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for fire detection and suppression devices/systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing fire suppression/detection devices/systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "022320d7-efd6-4281-be49-e2f8445abd76",
                        "testId": "PE-13[03]",
                        "test": "Determine if employed fire detection systems are maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing fire protection.</li><li>Fire suppression and detection devices/systems.</li><li>Fire suppression and detection devices/systems documentation.</li><li>Test records of fire suppression and detection devices/systems.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for fire detection and suppression devices/systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing fire suppression/detection devices/systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "191e4eff-2c31-4371-81f8-e2cad1965618",
                        "testId": "PE-13[04]",
                        "test": "Determine if fire suppression systems are employed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing fire protection.</li><li>Fire suppression and detection devices/systems.</li><li>Fire suppression and detection devices/systems documentation.</li><li>Test records of fire suppression and detection devices/systems.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for fire detection and suppression devices/systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing fire suppression/detection devices/systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a9b94d8a-fc8c-4dbc-8262-f9180f58d0e2",
                        "testId": "PE-13[05]",
                        "test": "Determine if employed fire suppression systems are supported by an independent energy source;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing fire protection.</li><li>Fire suppression and detection devices/systems.</li><li>Fire suppression and detection devices/systems documentation.</li><li>Test records of fire suppression and detection devices/systems.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for fire detection and suppression devices/systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing fire suppression/detection devices/systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b75bac14-7866-46a9-b9c8-4cbde79f02cd",
                        "testId": "PE-13[06]",
                        "test": "Determine if employed fire suppression systems are maintained.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing fire protection.</li><li>Fire suppression and detection devices/systems.</li><li>Fire suppression and detection devices/systems documentation.</li><li>Test records of fire suppression and detection devices/systems.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for fire detection and suppression devices/systems.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing fire suppression/detection devices/systems.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9e0c3d51-e525-4e86-8d7c-99647a2c1e8c",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-13 - Fire Protection",
                "description": "<p>Employ and maintain fire detection and suppression systems that are supported by an independent energy source.<br><strong>Discussion</strong><br></p><p>The provision of fire detection and suppression systems applies primarily to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Fire detection and suppression systems that may require an independent energy source include sprinkler systems and smoke detectors. An independent energy source is an energy source, such as a microgrid, that is separate, or can be separated, from the energy sources providing power for the other parts of the facility.</p><p></p><p><strong>OT Discussion</strong></p><p>Fire suppression mechanisms should take the OT environment into account (e.g., water sprinkler systems could be hazardous in specific environments).</p>",
                "controlId": "PE-13",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-13(1) - Detection Systems \u00e2\u20ac\u201d Automatic Activation and Notification</li><li>PE-13(2) - Suppression Systems \u00e2\u20ac\u201d Automatic Activation and Notification</li><li>PE-13(4) - Inspections</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "6e04ded7-2610-46a9-be16-16e19e9d46a4",
                        "parameterId": "PE-14(a)-1",
                        "text": "[Selection (one or more): temperature; humidity; pressure; radiation; [(NESTED PARAMETER) Assignment for pe-14_odp.02: environmental control]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): temperature; humidity; pressure; radiation; [(NESTED PARAMETER) Assignment for pe-14_odp.02: environmental control]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-14_odp.01"
                    },
                    {
                        "uuid": "be510cb3-7aeb-4f7c-8d2e-650d952cb056",
                        "parameterId": "PE-14(a)-2",
                        "text": "acceptable levels",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined acceptable levels] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-14_odp.03"
                    },
                    {
                        "uuid": "15b0671d-df26-492a-97b0-71d63b78aaa4",
                        "parameterId": "PE-14(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-14_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "95d0bae5-605a-403f-a8da-72c522ec564e",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pe-14_smt.a",
                        "description": "<ul><li>a. Maintain {{ insert: param, PE-14(a)-1 }} levels within the facility where the system resides at {{ insert: param, PE-14(a)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "19f28494-8887-459c-9605-7f425eb8a353",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pe-14_smt.b",
                        "description": "<ul><li>b. Monitor environmental control levels {{ insert: param, PE-14(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "10fbfb5b-576b-40bb-be0c-f4dd7d2289e6",
                        "testId": "PE-14-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing temperature and humidity control.</li><li>Temperature and humidity controls.</li><li>Facility housing the system.</li><li>Temperature and humidity controls documentation.</li><li>Temperature and humidity records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6645daf7-9f27-4cef-a302-34ff1228f252",
                        "testId": "PE-14-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d510fab8-96b5-4f53-b958-c74b6b73c761",
                        "testId": "PE-14-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a8498991-4908-44fa-a584-1542e72842ef",
                        "testId": "PE-14a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): [Selection (one or more): temperature; humidity; pressure; radiation; [(NESTED PARAMETER) Assignment for pe-14_odp.02: environmental control]] ]  levels are maintained at  [SELECTED PARAMETER VALUE(S): acceptable levels ]  within the facility where the system resides;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing temperature and humidity control.</li><li>Temperature and humidity controls.</li><li>Facility housing the system.</li><li>Temperature and humidity controls documentation.</li><li>Temperature and humidity records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "223fde36-1686-4fc6-bca3-ece064c68019",
                        "testId": "PE-14b.",
                        "test": "Determine if environmental control levels are monitored  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing temperature and humidity control.</li><li>Temperature and humidity controls.</li><li>Facility housing the system.</li><li>Temperature and humidity controls documentation.</li><li>Temperature and humidity records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing the maintenance and monitoring of temperature and humidity levels.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ac77d6be-04b2-43ed-834a-2df9c533b931",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-14 - Environmental Controls",
                "description": "<ul><li><p>a. Maintain {{ insert: param, PE-14(a)-1 }} levels within the facility where the system resides at {{ insert: param, PE-14(a)-2 }} ; and</p></li><li><p>b. Monitor environmental control levels {{ insert: param, PE-14(b) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>The provision of environmental controls applies primarily to organizational facilities that contain concentrations of system resources (e.g., data centers, mainframe computer rooms, and server rooms). Insufficient environmental controls, especially in very harsh environments, can have a significant adverse impact on the availability of systems and system components that are needed to support organizational mission and business functions.</p><p></p><p><strong>OT Discussion</strong></p><p>Temperature and humidity controls are typically components of other OT systems (e.g., HVAC, process, or lighting systems) or can be a stand-alone and unique OT system. OT can operate in extreme environments and both interior and exterior locations. For a specific OT, the temperature and humidity design and operational parameters dictate the performance specifications. Power circuits, distribution closets, routers, and switches that support fire protection and life safety systems must be maintained at the proper temperature and humidity. When environmental controls cannot be implemented, use hardware that is engineered to withstand the OT\u2019s unique environmental hazards.</p>",
                "controlId": "PE-14",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-14(1) - Automatic Controls</li><li>PE-14(2) - Monitoring with Alarms and Notifications</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "edf74ed9-a3cb-4464-9336-0d05cfc4330d",
                        "name": "PE-15",
                        "objectiveType": "",
                        "otherId": "pe-15_smt",
                        "description": "Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."
                    }
                ],
                "tests": [
                    {
                        "uuid": "778239f9-3dbd-414f-8745-88ea16382ee3",
                        "testId": "PE-15[01]",
                        "test": "Determine if the system is protected from damage resulting from water leakage by providing master shutoff or isolation valves;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing water damage protection.</li><li>Facility housing the system.</li><li>Master shutoff valves.</li><li>List of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system.</li><li>Master shutoff valve documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Master water-shutoff valves.</li><li>Organizational process for activating master water shutoff.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1461e171-546c-43af-a349-9db90443be4a",
                        "testId": "PE-15[02]",
                        "test": "Determine if the master shutoff or isolation valves are accessible;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing water damage protection.</li><li>Facility housing the system.</li><li>Master shutoff valves.</li><li>List of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system.</li><li>Master shutoff valve documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Master water-shutoff valves.</li><li>Organizational process for activating master water shutoff.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "90124427-6774-49ed-a4b8-44c412b537bd",
                        "testId": "PE-15[03]",
                        "test": "Determine if the master shutoff or isolation valves are working properly;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing water damage protection.</li><li>Facility housing the system.</li><li>Master shutoff valves.</li><li>List of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system.</li><li>Master shutoff valve documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Master water-shutoff valves.</li><li>Organizational process for activating master water shutoff.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0beea8a9-15f7-48a0-9bb6-b3f87af11922",
                        "testId": "PE-15[04]",
                        "test": "Determine if the master shutoff or isolation valves are known to key personnel.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing water damage protection.</li><li>Facility housing the system.</li><li>Master shutoff valves.</li><li>List of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system.</li><li>Master shutoff valve documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Master water-shutoff valves.</li><li>Organizational process for activating master water shutoff.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "47113407-7940-4f77-b5de-55a433ec29f0",
                        "testId": "PE-15-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing water damage protection.</li><li>Facility housing the system.</li><li>Master shutoff valves.</li><li>List of key personnel with knowledge of location and activation procedures for master shutoff valves for the plumbing system.</li><li>Master shutoff valve documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c42cbeb8-fbed-4874-867c-f003802ac82c",
                        "testId": "PE-15-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for system environmental controls.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5516c4b3-bf86-4245-b022-fe8a5e5b2c1e",
                        "testId": "PE-15-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Master water-shutoff valves.</li><li>Organizational process for activating master water shutoff.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9cb9107c-51e0-4bca-8534-35893c2cb4dd",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-15 - Water Damage Protection",
                "description": "<p>Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.<br><strong>Discussion</strong><br></p><p>The provision of water damage protection primarily applies to organizational facilities that contain concentrations of system resources, including data centers, server rooms, and mainframe computer rooms. Isolation valves can be employed in addition to or in lieu of master shutoff valves to shut off water supplies in specific areas of concern without affecting entire organizations.</p><p></p><p><strong>OT Discussion</strong></p><p>Water damage protection and the use of shutoff and isolation valves are procedural actions and specific types of OT. OT used in the manufacturing, hydropower, transportation/navigation, water, and wastewater industries rely on the movement of water and are specifically designed to manage the quantity, flow, and pressure of water. Power circuits, distribution closets, routers, and switches that support fire protection and life safety systems should ensure that water will not disable the system (e.g., a fire that activates the sprinkler system does not spray onto the fire control servers, routers, or switches or short out the alarms, egress systems, emergency lighting, or suppression systems).</p>",
                "controlId": "PE-15",
                "family": "Physical and Environmental Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>PE-15(1) - Automation Support</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "578345c1-5361-40c3-89bb-42090f491de9",
                        "parameterId": "PE-16(a)",
                        "text": "organization-defined types of system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined types of system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pe-16_prm_1"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "dbb0c96d-2459-48e3-bb9c-56dd6f9c27da",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pe-16_smt.a",
                        "description": "<ul><li>a. Authorize and control {{ insert: param, PE-16(a) }} entering and exiting the facility; and</li></ul>"
                    },
                    {
                        "uuid": "e2e31d32-c739-46b0-8b39-31b3d58e0c1e",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pe-16_smt.b",
                        "description": "<ul><li>b. Maintain records of the system components.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "1cc5a920-bf29-4f93-a704-a61344216808",
                        "testId": "PE-16a.[01]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): types of system components ]  are authorized when entering the facility;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing the delivery and removal of system components from the facility.</li><li>Facility housing the system.</li><li>Records of items entering and exiting the facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for controlling system components entering and exiting the facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li><li>Mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dadcb732-bac8-4dd7-8b42-5a76fe792b63",
                        "testId": "PE-16a.[02]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): types of system components ]  are controlled when entering the facility;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing the delivery and removal of system components from the facility.</li><li>Facility housing the system.</li><li>Records of items entering and exiting the facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for controlling system components entering and exiting the facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li><li>Mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7fed7bc0-2ace-43c5-9176-1b570a104271",
                        "testId": "PE-16a.[03]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): types of system components ]  are authorized when exiting the facility;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing the delivery and removal of system components from the facility.</li><li>Facility housing the system.</li><li>Records of items entering and exiting the facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for controlling system components entering and exiting the facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li><li>Mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ebc3b4e9-7804-42d2-a367-bd4a69ed5d0e",
                        "testId": "PE-16a.[04]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): types of system components ]  are controlled when exiting the facility;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing the delivery and removal of system components from the facility.</li><li>Facility housing the system.</li><li>Records of items entering and exiting the facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for controlling system components entering and exiting the facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li><li>Mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d12192fb-c503-44c7-9833-4671d07c9b08",
                        "testId": "PE-16b.",
                        "test": "Determine if records of the system components are maintained.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing the delivery and removal of system components from the facility.</li><li>Facility housing the system.</li><li>Records of items entering and exiting the facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for controlling system components entering and exiting the facility.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li><li>Mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9d4e6399-ef5e-4e73-aaa8-d164f56826a5",
                        "testId": "PE-16-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Physical and environmental protection policy.</li><li>Procedures addressing the delivery and removal of system components from the facility.</li><li>Facility housing the system.</li><li>Records of items entering and exiting the facility.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "16d745b9-2271-4d2c-b382-2fd857a0380c",
                        "testId": "PE-16-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for controlling system components entering and exiting the facility.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "74033ccc-c1cc-46ca-8f8f-9adf48f30b8f",
                        "testId": "PE-16-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational process for authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li><li>Mechanisms supporting and/or implementing, authorizing, monitoring, and controlling system-related items entering and exiting the facility.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "5b7257b8-c562-4013-8647-135ffa014f9f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PE-16 - Delivery and Removal",
                "description": "<ul><li>a. Authorize and control  {{ insert: param, PE-16(a) }}  entering and exiting the facility; and</li><li>b. Maintain records of the system components.</li></ul><br/><strong>Discussion</strong><br/><p>Enforcing authorizations for entry and exit of system components may require restricting access to delivery areas and isolating the areas from the system and media libraries.</p>",
                "controlId": "PE-16",
                "family": "Physical and Environmental Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "46e4f480-2a02-4208-b065-6ab3a5703a2c",
                        "parameterId": "PL-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-1_prm_1"
                    },
                    {
                        "uuid": "ed9425c5-5f35-4aeb-8a40-1eb28e1a8996",
                        "parameterId": "PL-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-01_odp.03"
                    },
                    {
                        "uuid": "5dbbb7bc-7f66-4ee2-bf1a-a4088279add3",
                        "parameterId": "PL-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-01_odp.04"
                    },
                    {
                        "uuid": "24c6b47f-45cb-432d-bf67-7d808154ec80",
                        "parameterId": "PL-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-01_odp.05"
                    },
                    {
                        "uuid": "140614b6-10a0-40bb-8526-27672e2fb510",
                        "parameterId": "PL-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-01_odp.06"
                    },
                    {
                        "uuid": "2cf632d5-b638-4cd4-bd4b-e7987e21563f",
                        "parameterId": "PL-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-01_odp.07"
                    },
                    {
                        "uuid": "013c6e4e-6dff-4ca7-9b85-5c39cd166519",
                        "parameterId": "PL-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "66a3a023-0ffe-4170-987e-803c75fbfc20",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pl-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, PL-1(a) }}:</li><ul><li>1. {{ insert: param, PL-1(a)(1) }} planning policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the planning policy and the associated planning controls;</li></ul>"
                    },
                    {
                        "uuid": "382e2e5a-71b1-4b41-ac14-35e5985c311c",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pl-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, PL-1(b) }} to manage the development, documentation, and dissemination of the planning policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "e388e734-41e2-4318-8545-d01ed4de04e9",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pl-1_smt.c",
                        "description": "<ul><li>c. Review and update the current planning:</li><ul><li>1. Policy {{ insert: param, PL-1(c)(1)-1 }} and following {{ insert: param, PL-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, PL-1(c)(2)-1 }} and following {{ insert: param, PL-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "107aae79-c05f-4078-b3b4-81b48449cafe",
                        "testId": "PL-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aa47649c-c298-49be-91c6-bd8349d387b9",
                        "testId": "PL-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "afb258e4-380f-43d9-a3f3-31493e4986ea",
                        "testId": "PL-01a.[01]",
                        "test": "Determine if a planning policy is developed and documented.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d76eeed1-75ba-40dd-92ed-9bdaeecf31c3",
                        "testId": "PL-01a.[02]",
                        "test": "Determine if the planning policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "596f8e95-b457-439f-ac72-00a63d517fa1",
                        "testId": "PL-01a.[03]",
                        "test": "Determine if planning procedures to facilitate the implementation of the planning policy and associated planning controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d49b586d-bbdd-4d8e-8181-5903222d170b",
                        "testId": "PL-01a.[04]",
                        "test": "Determine if the planning procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dfc4e0ee-3d30-40fc-a820-8ae571735202",
                        "testId": "PL-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "62b6aa2e-83f4-4016-8062-30d4f9cc788a",
                        "testId": "PL-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "33951aa6-6f83-4dbd-a034-2aa9f6da1947",
                        "testId": "PL-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "568a35bc-cd1b-422d-a216-45cd05d17879",
                        "testId": "PL-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0b0de753-1cf2-4ab7-b755-009e7db01eb4",
                        "testId": "PL-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5061c53f-a34b-43f8-ab6c-62d04c191382",
                        "testId": "PL-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b253ea83-859b-42ff-9781-2545e69ba010",
                        "testId": "PL-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c3754696-b5a5-4ec8-bf57-e5707bbdb3d5",
                        "testId": "PL-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  planning policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ca46a7f8-4fe9-4f26-aa8f-633179b0e4fd",
                        "testId": "PL-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the planning policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7f47a59f-76d3-41ef-a309-c4bab3018602",
                        "testId": "PL-01c.01[01]",
                        "test": "Determine if the current planning policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "354900a7-f846-4ead-a716-76acb51e5b66",
                        "testId": "PL-01c.01[02]",
                        "test": "Determine if the current planning policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "89ce15ba-af34-42bb-860b-f3e2d85e6fc5",
                        "testId": "PL-01c.02[01]",
                        "test": "Determine if the current planning procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d30c38e9-cd38-4c56-a57d-220754650fb4",
                        "testId": "PL-01c.02[02]",
                        "test": "Determine if the current planning procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Planning policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with planning responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "08d0cefd-96b1-4db6-9ed6-3047a9004734",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PL-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, PL-1(a) }}:</p><ul><li><p>1. {{ insert: param, PL-1(a)(1) }} planning policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the planning policy and the associated planning controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, PL-1(b) }} to manage the development, documentation, and dissemination of the planning policy and procedures; and</p></li><li><p>c. Review and update the current planning:</p><ul><li><p>1. Policy {{ insert: param, PL-1(c)(1)-1 }} and following {{ insert: param, PL-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, PL-1(c)(2)-1 }} and following {{ insert: param, PL-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Planning policy and procedures for the controls in the PL family implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to planning policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "PL-1",
                "family": "Planning",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "70a0add1-f0f5-4fd7-a2df-0d0b9480d352",
                        "parameterId": "PL-2(a)(14)",
                        "text": "individuals or groups",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined individuals or groups] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-02_odp.01"
                    },
                    {
                        "uuid": "761f3b98-79aa-471b-83df-84ebe6d68cf0",
                        "parameterId": "PL-2(b)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-02_odp.02"
                    },
                    {
                        "uuid": "5d912f57-e19e-4776-b6fc-74911e7a6ed4",
                        "parameterId": "PL-2(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-02_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "5cc51209-dab7-43c7-8891-e37dd2641418",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pl-2_smt.a",
                        "description": "<ul><li>a. Develop security and privacy plans for the system that:</li><ul><li>1. Are consistent with the organization\u2019s enterprise architecture;</li><li>2. Explicitly define the constituent system components;</li><li>3. Describe the operational context of the system in terms of mission and business processes;</li><li>4. Identify the individuals that fulfill system roles and responsibilities;</li><li>5. Identify the information types processed, stored, and transmitted by the system;</li><li>6. Provide the security categorization of the system, including supporting rationale;</li><li>7. Describe any specific threats to the system that are of concern to the organization;</li><li>8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;</li><li>9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;</li><li>10. Provide an overview of the security and privacy requirements for the system;</li><li>11. Identify any relevant control baselines or overlays, if applicable;</li><li>12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;</li><li>13. Include risk determinations for security and privacy architecture and design decisions;</li><li>14. Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, PL-2(a)(14) }} ; and</li><li>15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.</li></ul>"
                    },
                    {
                        "uuid": "7f66f61e-f5ce-414d-9825-f05463ecc372",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pl-2_smt.b",
                        "description": "<ul><li>b. Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, PL-2(b) }};</li></ul>"
                    },
                    {
                        "uuid": "8749744b-e4ea-4b2c-8d97-ae7cd35531db",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pl-2_smt.c",
                        "description": "<ul><li>c. Review the plans {{ insert: param, PL-2(c) }};</li></ul>"
                    },
                    {
                        "uuid": "a04147b6-b358-47ea-ad9a-667c68ce0e3d",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pl-2_smt.d",
                        "description": "<ul><li>d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and</li></ul>"
                    },
                    {
                        "uuid": "43c53387-8a9d-41fe-9936-19ffde672de9",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "pl-2_smt.e",
                        "description": "<ul><li>e. Protect the plans from unauthorized disclosure and modification.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "a6afc843-68dc-4bf4-a4ed-7b6bf56c3480",
                        "testId": "PL-02a.01[01]",
                        "test": "Determine if a security plan for the system is developed that is consistent with the organization\u00e2\u20ac\u2122s enterprise architecture;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "53b49897-711a-498b-be83-9c521af39b31",
                        "testId": "PL-02a.01[02]",
                        "test": "Determine if a privacy plan for the system is developed that is consistent with the organization\u00e2\u20ac\u2122s enterprise architecture;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "39d4ef46-a935-4bfe-a990-d1f383dc085f",
                        "testId": "PL-02a.02[01]",
                        "test": "Determine if a security plan for the system is developed that explicitly defines the constituent system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2c8b454f-9f5b-4e82-86ed-e10b1485f5d0",
                        "testId": "PL-02a.02[02]",
                        "test": "Determine if a privacy plan for the system is developed that explicitly defines the constituent system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2b1e05b1-0e14-4a22-9e90-bbf3d0aed091",
                        "testId": "PL-02a.03[01]",
                        "test": "Determine if a security plan for the system is developed that describes the operational context of the system in terms of mission and business processes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d29b1008-46fc-4e57-b51f-82dc12f1f5a2",
                        "testId": "PL-02a.03[02]",
                        "test": "Determine if a privacy plan for the system is developed that describes the operational context of the system in terms of mission and business processes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4967633a-0c32-43b2-af3f-6ae4bcf4fd69",
                        "testId": "PL-02a.04[01]",
                        "test": "Determine if a security plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e836b6b9-033e-4eb9-bc1c-7515685895b2",
                        "testId": "PL-02a.04[02]",
                        "test": "Determine if a privacy plan for the system is developed that identifies the individuals that fulfill system roles and responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c12fca83-7d68-46b9-bff4-185bc19c4bc1",
                        "testId": "PL-02a.05[01]",
                        "test": "Determine if a security plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e249b0d3-9fc3-485e-ac1c-8e3e64c9d8a4",
                        "testId": "PL-02a.05[02]",
                        "test": "Determine if a privacy plan for the system is developed that identifies the information types processed, stored, and transmitted by the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bf77d2cd-3fa7-4192-9548-9350d9a0920b",
                        "testId": "PL-02a.06[01]",
                        "test": "Determine if a security plan for the system is developed that provides the security categorization of the system, including supporting rationale;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7844eaf6-ce8b-4311-96c0-d107b9f7d4d3",
                        "testId": "PL-02a.06[02]",
                        "test": "Determine if a privacy plan for the system is developed that provides the security categorization of the system, including supporting rationale;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "48dab403-f2d9-43a0-a4e6-47fc0fb47bf7",
                        "testId": "PL-02a.07[01]",
                        "test": "Determine if a security plan for the system is developed that describes any specific threats to the system that are of concern to the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4f43e655-8a0b-4dea-85a6-1e2126e04b17",
                        "testId": "PL-02a.07[02]",
                        "test": "Determine if a privacy plan for the system is developed that describes any specific threats to the system that are of concern to the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f308345f-69d0-4dfb-901e-2469a220149c",
                        "testId": "PL-02a.08[01]",
                        "test": "Determine if a security plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f7fd6eb1-80b2-4608-9657-d3f02723feb0",
                        "testId": "PL-02a.08[02]",
                        "test": "Determine if a privacy plan for the system is developed that provides the results of a privacy risk assessment for systems processing personally identifiable information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b6cb0027-2729-44eb-bcc5-e7034ccf3cd5",
                        "testId": "PL-02a.09[01]",
                        "test": "Determine if a security plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4e8d7f28-6ff0-468c-90e0-f5af8ffc39d1",
                        "testId": "PL-02a.09[02]",
                        "test": "Determine if a privacy plan for the system is developed that describes the operational environment for the system and any dependencies on or connections to other systems or system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "41ce92f2-b2d7-4e47-84e0-a72a3e71da6d",
                        "testId": "PL-02a.10[01]",
                        "test": "Determine if a security plan for the system is developed that provides an overview of the security requirements for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "74cbdd99-b5f6-40d1-8778-37d804bb4ecf",
                        "testId": "PL-02a.10[02]",
                        "test": "Determine if a privacy plan for the system is developed that provides an overview of the privacy requirements for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7d418b04-cf80-4d5f-9047-6266cb5862f4",
                        "testId": "PL-02a.11[01]",
                        "test": "Determine if a security plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5c94803d-73a9-4988-bde9-0b50a8cf5bd5",
                        "testId": "PL-02a.11[02]",
                        "test": "Determine if a privacy plan for the system is developed that identifies any relevant control baselines or overlays, if applicable;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "925f4504-cf39-4297-94fe-4f273a187b91",
                        "testId": "PL-02a.12[01]",
                        "test": "Determine if a security plan for the system is developed that describes the controls in place or planned for meeting the security requirements, including rationale for any tailoring decisions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "853f8630-37db-422d-bbd5-6912d5056382",
                        "testId": "PL-02a.12[02]",
                        "test": "Determine if a privacy plan for the system is developed that describes the controls in place or planned for meeting the privacy requirements, including rationale for any tailoring decisions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b1546344-44b6-4576-bc62-f9d704dcc705",
                        "testId": "PL-02a.13[01]",
                        "test": "Determine if a security plan for the system is developed that includes risk determinations for security architecture and design decisions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d8da4a23-6109-4202-bcdc-cdfece7139dd",
                        "testId": "PL-02a.13[02]",
                        "test": "Determine if a privacy plan for the system is developed that includes risk determinations for privacy architecture and design decisions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ee710941-f52e-4d06-b34e-532e6f18a85b",
                        "testId": "PL-02a.14[01]",
                        "test": "Determine if a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with  [SELECTED PARAMETER VALUE(S): individuals or groups ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8002f52-6458-4866-b21a-34f36d41f6ca",
                        "testId": "PL-02a.14[02]",
                        "test": "Determine if a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with  [SELECTED PARAMETER VALUE(S): individuals or groups ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2796d1b2-6c19-43a5-a390-83dde6738270",
                        "testId": "PL-02a.15[01]",
                        "test": "Determine if a security plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c734455c-c484-4305-848b-a2dcd2e427f0",
                        "testId": "PL-02a.15[02]",
                        "test": "Determine if a privacy plan for the system is developed that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ac842729-06c8-4aea-a729-c4878c84d58d",
                        "testId": "PL-02b.[01]",
                        "test": "Determine if copies of the plans are distributed to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bba9c19d-f489-4a84-9738-d7ae2896271c",
                        "testId": "PL-02b.[02]",
                        "test": "Determine if subsequent changes to the plans are communicated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e905c87b-012c-4163-b05e-bf82e9f69113",
                        "testId": "PL-02c.",
                        "test": "Determine if plans are reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "66f78f8a-d352-4053-aa53-edb021aaee31",
                        "testId": "PL-02d.[01]",
                        "test": "Determine if plans are updated to address changes to the system and environment of operations;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ccd13c6-aa97-4cbf-ad8f-0a8c5599f21b",
                        "testId": "PL-02d.[02]",
                        "test": "Determine if plans are updated to address problems identified during the plan implementation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "38641684-7d50-4489-8707-42185e83c0a8",
                        "testId": "PL-02d.[03]",
                        "test": "Determine if plans are updated to address problems identified during control assessments;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3398e154-50f3-4a45-a710-522ab1173542",
                        "testId": "PL-02e.[01]",
                        "test": "Determine if plans are protected from unauthorized disclosure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a1ff811c-2af7-47bb-ad77-5b36f9f556b2",
                        "testId": "PL-02e.[02]",
                        "test": "Determine if plans are protected from unauthorized modification.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a0a0a714-4c77-4171-b747-806334dc215c",
                        "testId": "PL-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing security and privacy plan reviews and updates.</li><li>Enterprise architecture documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Security and privacy architecture and design documentation.</li><li>Risk assessments.</li><li>Risk assessment results.</li><li>Control assessment documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "06669be6-b6f1-45b3-848d-7efb5cb3fcbe",
                        "testId": "PL-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system security and privacy planning and plan implementation responsibilities.</li><li>System developers.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5917f5d5-387d-4714-9108-299ee1c47856",
                        "testId": "PL-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for system security and privacy plan development, review, update, and approval.</li><li>Mechanisms supporting the system security and privacy plan.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "67877581-b877-4007-93d7-d7a97dc4e99a",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PL-02 - System Security and Privacy Plans",
                "description": "<ul><li><p>a. Develop security and privacy plans for the system that:</p><ul><li><p>1. Are consistent with the organization\u00e2\u20ac\u2122s enterprise architecture;</p></li><li><p>2. Explicitly define the constituent system components;</p></li><li><p>3. Describe the operational context of the system in terms of mission and business processes;</p></li><li><p>4. Identify the individuals that fulfill system roles and responsibilities;</p></li><li><p>5. Identify the information types processed, stored, and transmitted by the system;</p></li><li><p>6. Provide the security categorization of the system, including supporting rationale;</p></li><li><p>7. Describe any specific threats to the system that are of concern to the organization;</p></li><li><p>8. Provide the results of a privacy risk assessment for systems processing personally identifiable information;</p></li><li><p>9. Describe the operational environment for the system and any dependencies on or connections to other systems or system components;</p></li><li><p>10. Provide an overview of the security and privacy requirements for the system;</p></li><li><p>11. Identify any relevant control baselines or overlays, if applicable;</p></li><li><p>12. Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;</p></li><li><p>13. Include risk determinations for security and privacy architecture and design decisions;</p></li><li><p>14. Include security- and privacy-related activities affecting the system that require planning and coordination with {{ insert: param, PL-2(a)(14) }} ; and</p></li><li><p>15. Are reviewed and approved by the authorizing official or designated representative prior to plan implementation.</p></li></ul></li><li><p>b. Distribute copies of the plans and communicate subsequent changes to the plans to {{ insert: param, PL-2(b) }};</p></li><li><p>c. Review the plans {{ insert: param, PL-2(c) }};</p></li><li><p>d. Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and</p></li><li><p>e. Protect the plans from unauthorized disclosure and modification.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). <a href=\"#c3397cc9-83c6-4459-adb2-836739dc1b94\">Section 2.1</a> describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.</p><p>Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.</p><p>Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide\u00e2\u20ac\u201dexplicitly or by reference\u00e2\u20ac\u201dsufficient information to define what needs to be accomplished by those plans.</p><p>Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.</p><p></p><p><strong>OT Discussion</strong></p><p>When systems are highly interconnected, coordinated planning is essential. A low-impact system could adversely affect a higher-impact system.</p>",
                "controlId": "PL-2",
                "family": "Planning",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "afcf7550-1e24-4a90-8cb6-61b74d06702d",
                        "parameterId": "PL-4(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-04_odp.01"
                    },
                    {
                        "uuid": "6998b2ef-9b03-4b88-89ce-3a2cb28f811d",
                        "parameterId": "PL-4(d)",
                        "text": "[Selection (one or more): [(NESTED PARAMETER) Assignment for pl-04_odp.03: frequency]; when the rules are revised or updated]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): [(NESTED PARAMETER) Assignment for pl-04_odp.03: frequency]; when the rules are revised or updated]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pl-04_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b0d0aa44-9da8-4a5b-87c6-804a4a308343",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pl-4_smt.a",
                        "description": "<ul><li>a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;</li></ul>"
                    },
                    {
                        "uuid": "956a25fe-c380-45cf-b8aa-af5ade975880",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pl-4_smt.b",
                        "description": "<ul><li>b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;</li></ul>"
                    },
                    {
                        "uuid": "0e791d4b-64c8-4eb1-a13e-8484e848d818",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pl-4_smt.c",
                        "description": "<ul><li>c. Review and update the rules of behavior {{ insert: param, PL-4(c) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "4df20c93-c81b-4b34-be5b-4c9965f5a6da",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pl-4_smt.d",
                        "description": "<ul><li>d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, PL-4(d) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "d10d7eb7-fe6c-4bdb-8c60-23a0d47f7ac4",
                        "testId": "PL-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Signed acknowledgements.</li><li>Records for rules of behavior reviews and updates.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ccd0dfd7-cdbc-4aed-a378-3b3111b5e313",
                        "testId": "PL-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed and resigned rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0b85e11d-418f-48c7-bb94-39ee9914db0f",
                        "testId": "PL-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ea4817cc-ea1d-4df5-abe2-c165b69c237e",
                        "testId": "PL-04a.[01]",
                        "test": "Determine if rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are established for individuals requiring access to the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Signed acknowledgements.</li><li>Records for rules of behavior reviews and updates.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed and resigned rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "556d69c2-7828-4444-a83b-d37320275d06",
                        "testId": "PL-04a.[02]",
                        "test": "Determine if rules that describe responsibilities and expected behavior for information and system usage, security, and privacy are provided to individuals requiring access to the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Signed acknowledgements.</li><li>Records for rules of behavior reviews and updates.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed and resigned rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5cc8ff6c-7eac-4d67-9cb3-ef63601f7596",
                        "testId": "PL-04b.",
                        "test": "Determine if before authorizing access to information and the system, a documented acknowledgement from such individuals indicating that they have read, understand, and agree to abide by the rules of behavior is received;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Signed acknowledgements.</li><li>Records for rules of behavior reviews and updates.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed and resigned rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0c20e7bd-874c-4ee8-a62c-a63b0e40cfe8",
                        "testId": "PL-04c.",
                        "test": "Determine if rules of behavior are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Signed acknowledgements.</li><li>Records for rules of behavior reviews and updates.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed and resigned rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "15a1ffed-a3f0-4daa-bdc6-b9065155002d",
                        "testId": "PL-04d.",
                        "test": "Determine if individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge  [SELECTED PARAMETER VALUE(S): [Selection (one or more): [(NESTED PARAMETER) Assignment for pl-04_odp.03: frequency]; when the rules are revised or updated] ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Signed acknowledgements.</li><li>Records for rules of behavior reviews and updates.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed and resigned rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing, reviewing, disseminating, and updating rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment, review, dissemination, and update of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "0fab75ea-c282-46d0-a68b-c5a7aa0359f4",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PL-04 - Rules of Behavior",
                "description": "<ul><li>a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;</li><li>b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;</li><li>c. Review and update the rules of behavior  {{ insert: param, PL-4(c) }} ; and</li><li>d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge  {{ insert: param, PL-4(d) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see  <a href=\"#ps-6\">PS-6</a> ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in  <a href=\"#ac-8\">AC-8</a> . The related controls section provides a list of controls that are relevant to organizational rules of behavior.  <a href=\"#pl-4_smt.b\">PL-4b</a> , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.</p>",
                "controlId": "PL-4",
                "family": "Planning",
                "enhancements": "<strong>Enhancements</strong><ul><li>PL-4(1) - Social Media and External Site/Application Usage Restrictions</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "3a10ca02-05d5-4f7d-aa6a-60a88dcdeebe",
                        "name": "(a)",
                        "objectiveType": "",
                        "otherId": "pl-4.1_smt.a",
                        "description": "<ul><li>(a) Include in the rules of behavior, restrictions on: Use of social media, social networking sites, and external sites/applications;</li></ul>"
                    },
                    {
                        "uuid": "2aeafa61-298e-474b-9e22-22f5eec052cf",
                        "name": "(b)",
                        "objectiveType": "",
                        "otherId": "pl-4.1_smt.b",
                        "description": "<ul><li>(b) Include in the rules of behavior, restrictions on: Posting organizational information on public websites; and</li></ul>"
                    },
                    {
                        "uuid": "e089d728-f0eb-4844-a9d0-9be01ce22f17",
                        "name": "(c)",
                        "objectiveType": "",
                        "otherId": "pl-4.1_smt.c",
                        "description": "<ul><li>(c) Include in the rules of behavior, restrictions on: Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "be141198-757e-48f4-98da-5e0026fce683",
                        "testId": "PL-04(01)(a)",
                        "test": "Determine if the rules of behavior include restrictions on the use of social media, social networking sites, and external sites/applications;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Training policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "09ff01fe-adf2-4715-94f9-db526b5a7a4b",
                        "testId": "PL-04(01)(b)",
                        "test": "Determine if the rules of behavior include restrictions on posting organizational information on public websites;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Training policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ae6b23e0-84c7-4784-9e27-472813674185",
                        "testId": "PL-04(01)(c)",
                        "test": "Determine if the rules of behavior include restrictions on the use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Training policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6a4fbe74-df3c-457a-b13b-02b54346646e",
                        "testId": "PL-04(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing rules of behavior for system users.</li><li>Rules of behavior.</li><li>Training policy.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ba111b1a-1042-483c-8894-374b45232ad0",
                        "testId": "PL-04(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibility for establishing, reviewing, and updating rules of behavior.</li><li>Organizational personnel with responsibility for literacy training and awareness and role-based training.</li><li>Organizational personnel who are authorized users of the system and have signed rules of behavior.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "08aee083-930b-4d19-97dc-a8672f9e3ff6",
                        "testId": "PL-04(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for establishing rules of behavior.</li><li>Mechanisms supporting and/or implementing the establishment of rules of behavior.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "140a5bf6-28c0-43a1-b142-3a74c7fb6895",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PL-04(01) - Social Media and External Site/Application Usage Restrictions",
                "description": "Include in the rules of behavior, restrictions on:<ul><li>(a) Use of social media, social networking sites, and external sites/applications;</li><li>(b) Posting organizational information on public websites; and</li><li>(c) Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.</li></ul><br/><strong>Discussion</strong><br/><p>Social media, social networking, and external site/application usage restrictions address rules of behavior related to the use of social media, social networking, and external sites when organizational personnel are using such sites for official duties or in the conduct of official business, when organizational information is involved in social media and social networking transactions, and when personnel access social media and networking sites from organizational systems. Organizations also address specific rules that prevent unauthorized entities from obtaining non-public organizational information from social media and networking sites either directly or through inference. Non-public information includes personally identifiable information and system account information.</p>",
                "controlId": "PL-4(1)",
                "family": "Planning",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "82025ab4-caa5-4bea-944f-861e7e5bf998",
                        "name": "PL-10",
                        "objectiveType": "",
                        "otherId": "pl-10_smt",
                        "description": "Select a control baseline for the system."
                    }
                ],
                "tests": [
                    {
                        "uuid": "6c8f2219-1960-447e-996f-3282d1632647",
                        "testId": "PL-10",
                        "test": "Determine if a control baseline for the system is selected.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing system security and privacy plan reviews and updates.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System categorization decision.</li><li>Information types stored, transmitted, and processed by the system.</li><li>System element/component information.</li><li>Stakeholder needs analysis.</li><li>List of security and privacy requirements allocated to the system, system elements, and environment of operation.</li><li>List of contractual requirements allocated to external providers of the system or system element.</li><li>Business impact analysis or criticality analysis.</li><li>Risk assessments.</li><li>Risk management strategy.</li><li>Organizational security and privacy policy.</li><li>Federal or organization-approved or mandated baselines or overlays.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security and privacy planning and plan implementation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with responsibility for organizational risk management activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d83473eb-01c0-4125-82b6-efa1065251fe",
                        "testId": "PL-10-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>Procedures addressing system security and privacy plan reviews and updates.</li><li>System design documentation.</li><li>System architecture and configuration documentation.</li><li>System categorization decision.</li><li>Information types stored, transmitted, and processed by the system.</li><li>System element/component information.</li><li>Stakeholder needs analysis.</li><li>List of security and privacy requirements allocated to the system, system elements, and environment of operation.</li><li>List of contractual requirements allocated to external providers of the system or system element.</li><li>Business impact analysis or criticality analysis.</li><li>Risk assessments.</li><li>Risk management strategy.</li><li>Organizational security and privacy policy.</li><li>Federal or organization-approved or mandated baselines or overlays.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0ba604a0-f607-4c39-9b2d-9b8ed6795d0d",
                        "testId": "PL-10-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with security and privacy planning and plan implementation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with responsibility for organizational risk management activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "8b35abe0-b262-4e50-b8ab-50267b52e470",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PL-10 - Baseline Selection",
                "description": "Select a control baseline for the system.<br/><strong>Discussion</strong><br/><p>Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals\u00e2\u20ac\u2122 privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see  <a href=\"#pl-11\">PL-11</a> ). Federal control baselines are provided in  <a href=\"#46d9e201-840e-440e-987c-2c773333c752\">SP 800-53B</a> . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in  <a href=\"#46d9e201-840e-440e-987c-2c773333c752\">SP 800-53B</a>  are based on the requirements from  <a href=\"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9\">FISMA</a>  and  <a href=\"#18e71fec-c6fd-475a-925a-5d8495cf8455\">PRIVACT</a> . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization\u00e2\u20ac\u2122s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments.  <a href=\"#4e4fbc93-333d-45e6-a875-de36b878b6b9\">CNSSI 1253</a>  provides guidance on control baselines for national security systems.</p>",
                "controlId": "PL-10",
                "family": "Planning",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "ddd2e70c-972d-4c2a-877c-f38eb070f189",
                        "name": "PL-11",
                        "objectiveType": "",
                        "otherId": "pl-11_smt",
                        "description": "Tailor the selected control baseline by applying specified tailoring actions."
                    }
                ],
                "tests": [
                    {
                        "uuid": "3019cce6-d7fd-47ba-97f6-5d6083f085c7",
                        "testId": "PL-11-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>System design documentation.</li><li>System categorization decision.</li><li>Information types stored, transmitted, and processed by the system.</li><li>System element/component information.</li><li>Stakeholder needs analysis.</li><li>List of security and privacy requirements allocated to the system, system elements, and environment of operation.</li><li>List of contractual requirements allocated to external providers of the system or system element.</li><li>Business impact analysis or criticality analysis.</li><li>Risk assessments.</li><li>Risk management strategy.</li><li>Organizational security and privacy policy.</li><li>Federal or organization-approved or mandated baselines or overlays.</li><li>Baseline tailoring rationale.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0485522-ba6e-40de-8836-611c6c8e4bd9",
                        "testId": "PL-11-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with security and privacy planning and plan implementation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6488747c-25be-4c51-9596-895f2e59e71b",
                        "testId": "PL-11",
                        "test": "Determine if the selected control baseline is tailored by applying specified tailoring actions.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Security and privacy planning policy.</li><li>Procedures addressing system security and privacy plan development and implementation.</li><li>System design documentation.</li><li>System categorization decision.</li><li>Information types stored, transmitted, and processed by the system.</li><li>System element/component information.</li><li>Stakeholder needs analysis.</li><li>List of security and privacy requirements allocated to the system, system elements, and environment of operation.</li><li>List of contractual requirements allocated to external providers of the system or system element.</li><li>Business impact analysis or criticality analysis.</li><li>Risk assessments.</li><li>Risk management strategy.</li><li>Organizational security and privacy policy.</li><li>Federal or organization-approved or mandated baselines or overlays.</li><li>Baseline tailoring rationale.</li><li>System security plan.</li><li>Privacy plan.</li><li>Records of system security and privacy plan reviews and updates.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security and privacy planning and plan implementation responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ed49b92c-c217-4701-9b8d-cbf58ea57825",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PL-11 - Baseline Tailoring",
                "description": "Tailor the selected control baseline by applying specified tailoring actions.<br/><strong>Discussion</strong><br/><p>The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in  <a href=\"#46d9e201-840e-440e-987c-2c773333c752\">SP 800-53B</a> . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in  <a href=\"#46d9e201-840e-440e-987c-2c773333c752\">SP 800-53B</a>  can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in  <a href=\"#46d9e201-840e-440e-987c-2c773333c752\">SP 800-53B</a>  in accordance with the security and privacy requirements from  <a href=\"#0c67b2a9-bede-43d2-b86d-5f35b8be36e9\">FISMA</a>,  <a href=\"#18e71fec-c6fd-475a-925a-5d8495cf8455\">PRIVACT</a> , and  <a href=\"#27847491-5ce1-4f6a-a1e4-9e483782f0ef\">OMB A-130</a> . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in  <a href=\"#46d9e201-840e-440e-987c-2c773333c752\">SP 800-53B</a>  to specialize or customize the controls that represent the specific needs and concerns of those entities.</p>",
                "controlId": "PL-11",
                "family": "Planning",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "d5ed3a5e-8794-4264-b987-eac04c503a36",
                        "name": "PM-12",
                        "objectiveType": "",
                        "otherId": "pm-12_smt",
                        "description": "Implement an insider threat program that includes a cross-discipline insider threat incident handling team."
                    }
                ],
                "tests": [
                    {
                        "uuid": "ccf6acc4-47b7-4a78-ab7a-db5ac587da15",
                        "testId": "PM-12-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for the insider threat program.</li><li>Members of the cross-discipline insider threat incident handling team.</li><li>Legal counsel.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "86adafb0-bc1c-4fcf-915b-5a61a5a6aec9",
                        "testId": "PM-12-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for implementing the insider threat program and the cross-discipline insider threat incident handling team.</li><li>Mechanisms supporting and/or implementing the insider threat program and the cross-discipline insider threat incident handling team.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6444a65e-2477-4fa8-95c4-525ba6f9a027",
                        "testId": "PM-12",
                        "test": "Determine if an insider threat program that includes a cross-discipline insider threat incident handling team is implemented.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for the insider threat program.</li><li>Members of the cross-discipline insider threat incident handling team.</li><li>Legal counsel.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for implementing the insider threat program and the cross-discipline insider threat incident handling team.</li><li>Mechanisms supporting and/or implementing the insider threat program and the cross-discipline insider threat incident handling team.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "883c8e07-731c-4115-b289-4917532fe970",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-12 - Insider Threat Program",
                "description": "Implement an insider threat program that includes a cross-discipline insider threat incident handling team.<br/><strong>Discussion</strong><br/><p>Organizations that handle classified information are required, under Executive Order 13587  <a href=\"#0af071a6-cf8e-48ee-8c82-fe91efa20f94\">EO 13587</a>  and the National Insider Threat Policy  <a href=\"#06d74ea9-2178-449c-a9c5-b2980f804ac8\">ODNI NITP</a> , to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture.</p><p>Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>",
                "controlId": "PM-12",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "148aca68-9f4f-4fb7-843e-1d191b088666",
                        "name": "PM-13",
                        "objectiveType": "",
                        "otherId": "pm-13_smt",
                        "description": "Establish a security and privacy workforce development and improvement program."
                    }
                ],
                "tests": [
                    {
                        "uuid": "9589e18b-8a20-41d1-800e-8926d218021a",
                        "testId": "PM-13[01]",
                        "test": "Determine if a security workforce development and improvement program is established;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Information security and privacy workforce development and improvement program documentation.</li><li>Procedures for the information security and privacy workforce development and improvement program.</li><li>Information security and privacy role-based training program documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for the information security and privacy workforce development and improvement program.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for implementing the information security and privacy workforce development and improvement program.</li><li>Mechanisms supporting and/or implementing the information security and privacy workforce development and improvement program.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eed0be09-3253-413b-ac2f-729750430bd8",
                        "testId": "PM-13[02]",
                        "test": "Determine if a privacy workforce development and improvement program is established.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Information security and privacy workforce development and improvement program documentation.</li><li>Procedures for the information security and privacy workforce development and improvement program.</li><li>Information security and privacy role-based training program documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for the information security and privacy workforce development and improvement program.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for implementing the information security and privacy workforce development and improvement program.</li><li>Mechanisms supporting and/or implementing the information security and privacy workforce development and improvement program.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7c6b301b-e217-4690-a034-0a1137adf6b3",
                        "testId": "PM-13-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Information security and privacy workforce development and improvement program documentation.</li><li>Procedures for the information security and privacy workforce development and improvement program.</li><li>Information security and privacy role-based training program documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "60d41a16-399d-4ef2-b498-17119e433b87",
                        "testId": "PM-13-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for the information security and privacy workforce development and improvement program.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e4b55b6d-89f2-4e51-8632-64aba5f7ca04",
                        "testId": "PM-13-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for implementing the information security and privacy workforce development and improvement program.</li><li>Mechanisms supporting and/or implementing the information security and privacy workforce development and improvement program.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "91873113-8b2c-47d0-b733-c046f7b9f266",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-13 - Security and Privacy Workforce",
                "description": "Establish a security and privacy workforce development and improvement program.<br/><strong>Discussion</strong><br/><p>Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.</p>",
                "controlId": "PM-13",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "fa33e908-363c-49db-bd33-2ee9b99fb49d",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-14_smt.a",
                        "description": "<ul><li>a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:</li><ul><li>1. Are developed and maintained; and</li><li>2. Continue to be executed; and</li></ul>"
                    },
                    {
                        "uuid": "78287da0-6d59-4490-bc6b-7b4e4e1bd8f3",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-14_smt.b",
                        "description": "<ul><li>b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "587503e6-d4a8-46ff-abfd-ebbfdb6b727f",
                        "testId": "PM-14-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5781f329-ea46-4889-b2df-40dbc8f9e469",
                        "testId": "PM-14-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ec62d371-72ba-4724-ac74-0ba173ecce44",
                        "testId": "PM-14-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ee48175-1bbe-447b-b1ec-c8db750ecb4d",
                        "testId": "PM-14a.01[01]",
                        "test": "Determine if a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d49c6e3f-0341-4bc2-bbb9-456b00291b3b",
                        "testId": "PM-14a.01[02]",
                        "test": "Determine if a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems are maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2c930280-d492-4b2d-944e-a7f13b6ce5fd",
                        "testId": "PM-14a.01[03]",
                        "test": "Determine if a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "74c862e6-53c0-4e73-8e21-fb52b1c29fc9",
                        "testId": "PM-14a.01[04]",
                        "test": "Determine if a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems are maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "de36aee6-1b32-46bc-929b-9e0c7d684f1d",
                        "testId": "PM-14a.02[01]",
                        "test": "Determine if a process is implemented for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational systems continue to be executed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1900cc05-79da-477b-be9c-688590104429",
                        "testId": "PM-14a.02[02]",
                        "test": "Determine if a process is implemented for ensuring that organizational plans for conducting privacy testing, training, and monitoring activities associated with organizational systems continue to be executed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "284ca170-8956-4304-bb70-269cd036fa6b",
                        "testId": "PM-14b.[01]",
                        "test": "Determine if testing plans are reviewed for consistency with the organizational risk management strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab124273-a555-4352-acae-a4085d12c0b6",
                        "testId": "PM-14b.[02]",
                        "test": "Determine if training plans are reviewed for consistency with the organizational risk management strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d4016df2-4949-4925-89ca-5626c23f13ae",
                        "testId": "PM-14b.[03]",
                        "test": "Determine if monitoring plans are reviewed for consistency with the organizational risk management strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cdf7e2a3-22a0-4f26-9aaf-84fe305e7205",
                        "testId": "PM-14b.[04]",
                        "test": "Determine if testing plans are reviewed for consistency with organization-wide priorities for risk response actions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0dd4880a-f42c-40a3-afa1-0a8bf09dc7a2",
                        "testId": "PM-14b.[05]",
                        "test": "Determine if training plans are reviewed for consistency with organization-wide priorities for risk response actions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "87107ece-8064-445d-afb8-2a3e08463a21",
                        "testId": "PM-14b.[06]",
                        "test": "Determine if monitoring plans are reviewed for consistency with organization-wide priorities for risk response actions.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational procedures addressing the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Risk management strategy.</li><li>Procedures for the review of plans for conducting security and privacy testing, training, and monitoring activities for consistency with risk management strategy and risk response priorities.</li><li>Results of risk assessments associated with conducting security and privacy testing, training, and monitoring activities.</li><li>Documentation of the timely execution of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with responsibilities for developing and maintaining plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li><li>Mechanisms supporting the development and maintenance of plans for conducting security and privacy testing, training, and monitoring activities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "f9980f11-0e38-4c3e-9ffb-c72923f27ef0",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-14 - Testing, Training, and Monitoring",
                "description": "<ul><li>a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:</li><ul><li>1. Are developed and maintained; and</li><li>2. Continue to be executed; and</li></ul><li>b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.</li></ul><br/><strong>Discussion</strong><br/><p>A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for testing, training, and monitoring activities and that those activities are coordinated. With the growing importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing assessments supporting a variety of controls. Security and privacy training activities, while focused on individual systems and specific roles, require coordination across all organizational elements. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.</p>",
                "controlId": "PM-14",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "8fa74d8c-8487-4668-8d6d-af9b0b55e7da",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-15_smt.a",
                        "description": "<ul><li>a. Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To facilitate ongoing security and privacy education and training for organizational personnel;</li></ul>"
                    },
                    {
                        "uuid": "a724bcbc-9062-4f6e-bc59-edaedfd8ed67",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-15_smt.b",
                        "description": "<ul><li>b. Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To maintain currency with recommended security and privacy practices, techniques, and technologies; and</li></ul>"
                    },
                    {
                        "uuid": "1cf3acd3-09c8-4922-9a84-bfb774a6e758",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-15_smt.c",
                        "description": "<ul><li>c. Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To share current security and privacy information, including threats, vulnerabilities, and incidents.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "540a9ec5-24a2-4e3d-897b-a8393a8ba2ca",
                        "testId": "PM-15a.[01]",
                        "test": "Determine if contact is established and institutionalized with selected groups and associations within the security community to facilitate ongoing security education and training for organizational personnel;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Procedures for establishing and institutionalizing contacts with security and privacy groups and associations.</li><li>Lists or other records of contacts with and/or membership in security and privacy groups and associations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel from selected groups and associations with which the organization has established and institutionalized contact.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Mechanisms supporting contact with security and privacy groups and associations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b481f447-8554-42f6-9f9b-6029637a2bbb",
                        "testId": "PM-15a.[02]",
                        "test": "Determine if contact is established and institutionalized with selected groups and associations within the privacy community to facilitate ongoing privacy education and training for organizational personnel;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Procedures for establishing and institutionalizing contacts with security and privacy groups and associations.</li><li>Lists or other records of contacts with and/or membership in security and privacy groups and associations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel from selected groups and associations with which the organization has established and institutionalized contact.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Mechanisms supporting contact with security and privacy groups and associations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "122de85e-be69-40c3-a494-0dac022692ce",
                        "testId": "PM-15b.[01]",
                        "test": "Determine if contact is established and institutionalized with selected groups and associations within the security community to maintain currency with recommended security practices, techniques, and technologies;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Procedures for establishing and institutionalizing contacts with security and privacy groups and associations.</li><li>Lists or other records of contacts with and/or membership in security and privacy groups and associations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel from selected groups and associations with which the organization has established and institutionalized contact.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Mechanisms supporting contact with security and privacy groups and associations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c01ec270-0028-4a38-bced-3bf3121d3ab0",
                        "testId": "PM-15b.[02]",
                        "test": "Determine if contact is established and institutionalized with selected groups and associations within the privacy community to maintain currency with recommended privacy practices, techniques, and technologies;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Procedures for establishing and institutionalizing contacts with security and privacy groups and associations.</li><li>Lists or other records of contacts with and/or membership in security and privacy groups and associations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel from selected groups and associations with which the organization has established and institutionalized contact.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Mechanisms supporting contact with security and privacy groups and associations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a9a8c87a-6905-4cca-82c9-3a8350a58316",
                        "testId": "PM-15c.[01]",
                        "test": "Determine if contact is established and institutionalized with selected groups and associations within the security community to share current security information, including threats, vulnerabilities, and incidents;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Procedures for establishing and institutionalizing contacts with security and privacy groups and associations.</li><li>Lists or other records of contacts with and/or membership in security and privacy groups and associations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel from selected groups and associations with which the organization has established and institutionalized contact.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Mechanisms supporting contact with security and privacy groups and associations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dd5d489a-18da-42d9-bacf-c6dcecd38a2d",
                        "testId": "PM-15c.[02]",
                        "test": "Determine if contact is established and institutionalized with selected groups and associations within the privacy community to share current privacy information, including threats, vulnerabilities, and incidents.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Procedures for establishing and institutionalizing contacts with security and privacy groups and associations.</li><li>Lists or other records of contacts with and/or membership in security and privacy groups and associations.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel from selected groups and associations with which the organization has established and institutionalized contact.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Mechanisms supporting contact with security and privacy groups and associations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "153122b4-e9c5-44fa-8f42-8f736e2effd2",
                        "testId": "PM-15-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Procedures for establishing and institutionalizing contacts with security and privacy groups and associations.</li><li>Lists or other records of contacts with and/or membership in security and privacy groups and associations.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ac2c11c1-e157-4c3c-b055-a78b0a8e58b1",
                        "testId": "PM-15-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Personnel from selected groups and associations with which the organization has established and institutionalized contact.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ebeb5752-9023-4f8d-9a9d-01d521bf9755",
                        "testId": "PM-15-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for establishing and institutionalizing contact with security and privacy groups and associations.</li><li>Mechanisms supporting contact with security and privacy groups and associations.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "824e9f08-0fa8-4a2d-9adb-68df56bed15a",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-15 - Security and Privacy Groups and Associations",
                "description": "<p>Establish and institutionalize contact with selected groups and associations within the security and privacy communities:</p><ul><li><p>a. To facilitate ongoing security and privacy education and training for organizational personnel;</p></li><li><p>b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and</p></li><li><p>c. To share current security and privacy information, including threats, vulnerabilities, and incidents.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users\u00e2\u20ac\u2122 groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on mission and business functions. Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations should be familiar with relevant security-focused and industry-specific groups or associations, including government sector-specific agencies (SSAs), Information Sharing and Analysis Centers (ISACs), and industry trade organizations.</p>",
                "controlId": "PM-15",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "17224c1a-cca5-4364-90d5-fdced4b4cf73",
                        "name": "PM-16",
                        "objectiveType": "",
                        "otherId": "pm-16_smt",
                        "description": "Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence."
                    }
                ],
                "tests": [
                    {
                        "uuid": "70717392-cb05-4f14-96fd-64c01ba87d38",
                        "testId": "PM-16-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Threat awareness program policy.</li><li>Threat awareness program procedures.</li><li>Risk assessment results relevant to threat awareness.</li><li>Documentation about the cross-organization information-sharing capability.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f4c37a25-990e-47d6-9bff-c00f2617fda1",
                        "testId": "PM-16-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for the threat awareness program.</li><li>Organizational personnel responsible for the cross-organization information-sharing capability.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>External personnel with whom threat awareness information is shared by the organization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8d4babed-8e46-461b-b939-22a1a1acdd59",
                        "testId": "PM-16-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for implementing the threat awareness program.</li><li>Organizational processes for implementing the cross-organization information-sharing capability.</li><li>Mechanisms supporting and/or implementing the threat awareness program.</li><li>Mechanisms supporting and/or implementing the cross-organization information-sharing capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0ecc8f2-75f5-4cd3-869c-d8db10876a1d",
                        "testId": "PM-16",
                        "test": "Determine if a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence is implemented.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Threat awareness program policy.</li><li>Threat awareness program procedures.</li><li>Risk assessment results relevant to threat awareness.</li><li>Documentation about the cross-organization information-sharing capability.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel responsible for the threat awareness program.</li><li>Organizational personnel responsible for the cross-organization information-sharing capability.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>External personnel with whom threat awareness information is shared by the organization.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for implementing the threat awareness program.</li><li>Organizational processes for implementing the cross-organization information-sharing capability.</li><li>Mechanisms supporting and/or implementing the threat awareness program.</li><li>Mechanisms supporting and/or implementing the cross-organization information-sharing capability.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "7ff81978-5865-43e2-8f6e-aa503913ed0d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-16 - Threat Awareness Program",
                "description": "<p>Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.<br><strong>Discussion</strong><br></p><p>Because of the constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), it may be more likely that adversaries can successfully breach or compromise organizational systems. One of the best techniques to address this concern is for organizations to share threat information, including threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats). Threat information sharing may be bilateral or multilateral. Bilateral threat sharing includes government-to-commercial and government-to-government cooperatives. Multilateral threat sharing includes organizations taking part in threat-sharing consortia. Threat information may require special agreements and protection, or it may be freely shared.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization should collaborate and share information about potential incidents on a timely basis. CISA serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated. Organizations should consider having both an unclassified and classified information sharing capability.</p>",
                "controlId": "PM-16",
                "family": "Program Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>PM-16(1) - Automated Means for Sharing Threat Intelligence</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "509abd04-b4d3-4806-9132-5042914c45ba",
                        "parameterId": "PM-17(b)",
                        "text": "organization-defined frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-17_prm_1"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0c6ac58b-681c-428e-b3ce-198343e32e5f",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-17_smt.a",
                        "description": "<ul><li>a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and</li></ul>"
                    },
                    {
                        "uuid": "dcf99e26-5511-44f4-8f7b-91850467c717",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-17_smt.b",
                        "description": "<ul><li>b. Review and update the policy and procedures {{ insert: param, PM-17(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "f30b21d3-5604-4c29-bc5e-ee580de04a0f",
                        "testId": "PM-17-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Controlled unclassified information policy.</li><li>Controlled unclassified information procedures.</li><li>Other relevant documents or records..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "91644c15-5384-4188-861f-5d14344f74e5",
                        "testId": "PM-17-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with controlled unclassified information responsibilities.</li><li>Organizational personnel with information security responsibilities..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "94f3c076-653c-4a97-9a5c-be888aad0ce1",
                        "testId": "PM-17a.[01]",
                        "test": "Determine if policy is established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Controlled unclassified information policy.</li><li>Controlled unclassified information procedures.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with controlled unclassified information responsibilities.</li><li>Organizational personnel with information security responsibilities..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "53590887-3d2e-4821-8cf3-e18fb7dc24f6",
                        "testId": "PM-17a.[02]",
                        "test": "Determine if procedures are established to ensure that requirements for the protection of controlled unclassified information that is processed, stored, or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Controlled unclassified information policy.</li><li>Controlled unclassified information procedures.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with controlled unclassified information responsibilities.</li><li>Organizational personnel with information security responsibilities..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "80dd3c29-3738-47e3-873f-37d694f76b97",
                        "testId": "PM-17b.[01]",
                        "test": "Determine if policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Controlled unclassified information policy.</li><li>Controlled unclassified information procedures.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with controlled unclassified information responsibilities.</li><li>Organizational personnel with information security responsibilities..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ab70350-a14c-49d9-8a00-3311673ca2a9",
                        "testId": "PM-17b.[02]",
                        "test": "Determine if procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ], <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Controlled unclassified information policy.</li><li>Controlled unclassified information procedures.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with controlled unclassified information responsibilities.</li><li>Organizational personnel with information security responsibilities..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "0be34fec-1463-4485-ae23-d2e980730f94",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-17 - Protecting Controlled Unclassified Information on External Systems",
                "description": "<ul><li><p>a. Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and</p></li><li><p>b. Review and update the policy and procedures {{ insert: param, PM-17(b) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in <a href=\"#91f992fb-f668-4c91-a50f-0f05b95ccee3\">32 CFR 2002</a> and, specifically for systems external to the federal organization, <a href=\"https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/xml/CFR-2017-title32-vol6-part2002.xml\">32 CFR 2002.14h</a> . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.</p><p></p><p><strong>OT Discussion</strong></p><p>This control applies to federal agencies and other organizations that support the Government and process controlled unclassified information (CUI).</p>",
                "controlId": "PM-17",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "742034ff-7325-4802-98bf-efa19f520147",
                        "parameterId": "PM-18(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-18_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b3931e59-85ca-4707-979a-4ee0cd877994",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-18_smt.a",
                        "description": "<ul><li>a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency\u2019s privacy program, and:</li><ul><li>1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;</li><li>2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;</li><li>3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;</li><li>4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;</li><li>5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and</li><li>6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and</li></ul>"
                    },
                    {
                        "uuid": "47e8a157-ae9a-4289-8d92-c921f0734a6f",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-18_smt.b",
                        "description": "<ul><li>b. Update the plan {{ insert: param, PM-18(b) }} and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "49a5ad89-2e07-4696-968a-4c1264065d01",
                        "testId": "PM-18a.[01]",
                        "test": "Determine if an organization-wide privacy program plan that provides an overview of the agency\u00e2\u20ac\u2122s privacy program is developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9fd84e87-5e77-46ae-9cfb-e45145258664",
                        "testId": "PM-18a.01[01]",
                        "test": "Determine if the privacy program plan includes a description of the structure of the privacy program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cfe789bd-34ba-4ffc-bc13-d22927a38da0",
                        "testId": "PM-18a.01[02]",
                        "test": "Determine if the privacy program plan includes a description of the resources dedicated to the privacy program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9d3b82e6-a7e6-403b-a92a-8f8eeae2c60e",
                        "testId": "PM-18a.02[01]",
                        "test": "Determine if the privacy program plan provides an overview of the requirements for the privacy program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0da7780b-e03a-4013-abb8-854a66acdacb",
                        "testId": "PM-18a.02[02]",
                        "test": "Determine if the privacy program plan provides a description of the privacy program management controls in place or planned for meeting the requirements of the privacy program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f9888a78-6f65-449d-ab9f-45b3cd314507",
                        "testId": "PM-18a.02[03]",
                        "test": "Determine if the privacy program plan provides a description of common controls in place or planned for meeting the requirements of the privacy program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5622900f-dd1a-4da6-a9ef-f6ff456c15e6",
                        "testId": "PM-18a.03[01]",
                        "test": "Determine if the privacy program plan includes the role of the senior agency official for privacy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ff1ab39f-54a5-4a18-a648-252a490732c3",
                        "testId": "PM-18a.03[02]",
                        "test": "Determine if the privacy program plan includes the identification and assignment of the roles of other privacy officials and staff and their responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e46f0d43-e6b1-4d0e-926e-25a8dcb1abc3",
                        "testId": "PM-18a.04[01]",
                        "test": "Determine if the privacy program plan describes management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e6b5d504-c0c7-4d2e-b842-7006a76d7576",
                        "testId": "PM-18a.04[02]",
                        "test": "Determine if the privacy program plan describes compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6fa9061e-7e7a-4b99-b746-41184de03f02",
                        "testId": "PM-18a.04[03]",
                        "test": "Determine if the privacy program plan describes the strategic goals and objectives of the privacy program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b18d81ae-22a5-482e-988f-509c7cdc648d",
                        "testId": "PM-18a.05",
                        "test": "Determine if the privacy program plan reflects coordination among organizational entities responsible for the different aspects of privacy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a91f9e5-14b8-43ce-9202-44866af06bd4",
                        "testId": "PM-18a.06",
                        "test": "Determine if the privacy program plan is approved by a senior official with responsibility and accountability for the privacy risk being incurred by organizational operations (including, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "184fd250-53bf-4926-8bf6-579f294a893b",
                        "testId": "PM-18a.[02]",
                        "test": "Determine if the privacy program plan is disseminated;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "621b8f29-967b-4b0a-88e8-f26013290a44",
                        "testId": "PM-18b.[01]",
                        "test": "Determine if the privacy program plan is updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c3f4ce20-5323-449c-b80e-e2da7d917bf9",
                        "testId": "PM-18b.[02]",
                        "test": "Determine if the privacy program plan is updated to address changes in federal privacy laws and policies;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a026921d-8288-4fd7-8212-2c47d1af780c",
                        "testId": "PM-18b.[03]",
                        "test": "Determine if the privacy program plan is updated to address organizational changes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "84e329db-b1af-4c2e-9078-f772a486f480",
                        "testId": "PM-18b.[04]",
                        "test": "Determine if the privacy program plan is updated to address problems identified during plan implementation or privacy control assessments.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3efef1ec-9ace-4072-b41f-ad239c3c201b",
                        "testId": "PM-18-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Procedures addressing program plan development and implementation.</li><li>Procedures addressing program plan reviews, updates, and approvals.</li><li>Procedures addressing coordination of the program plan with relevant entities.</li><li>Records of program plan reviews, updates, and approvals.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7af8379f-8102-479c-9393-f47823b65c77",
                        "testId": "PM-18-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "96b88451-385f-4c79-b208-8bc3bcdf887b",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-18 - Privacy Program Plan",
                "description": "<ul><li>a. Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency\u00e2\u20ac\u2122s privacy program, and:</li><ul><li>1. Includes a description of the structure of the privacy program and the resources dedicated to the privacy program;</li><li>2. Provides an overview of the requirements for the privacy program and a description of the privacy program management controls and common controls in place or planned for meeting those requirements;</li><li>3. Includes the role of the senior agency official for privacy and the identification and assignment of roles of other privacy officials and staff and their responsibilities;</li><li>4. Describes management commitment, compliance, and the strategic goals and objectives of the privacy program;</li><li>5. Reflects coordination among organizational entities responsible for the different aspects of privacy; and</li><li>6. Is approved by a senior official with responsibility and accountability for the privacy risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and</li></ul><li>b. Update the plan  {{ insert: param, PM-18(b) }}  and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.</li></ul><br/><strong>Discussion</strong><br/><p>A privacy program plan is a formal document that provides an overview of an organization\u00e2\u20ac\u2122s privacy program, including a description of the structure of the privacy program, the resources dedicated to the privacy program, the role of the senior agency official for privacy and other privacy officials and staff, the strategic goals and objectives of the privacy program, and the program management controls and common controls in place or planned for meeting applicable privacy requirements and managing privacy risks. Privacy program plans can be represented in single documents or compilations of documents.</p><p>The senior agency official for privacy is responsible for designating which privacy controls the organization will treat as program management, common, system-specific, and hybrid controls. Privacy program plans provide sufficient information about the privacy program management and common controls (including the specification of parameters and assignment and selection operations explicitly or by reference) to enable control implementations that are unambiguously compliant with the intent of the plans and a determination of the risk incurred if the plans are implemented as intended.</p><p>Program management controls are generally implemented at the organization level and are essential for managing the organization\u00e2\u20ac\u2122s privacy program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular information system. Together, the privacy plans for individual systems and the organization-wide privacy program plan provide complete coverage for the privacy controls employed within the organization.</p><p>Common controls are documented in an appendix to the organization\u00e2\u20ac\u2122s privacy program plan unless the controls are included in a separate privacy plan for a system. The organization-wide privacy program plan indicates which separate privacy plans contain descriptions of privacy controls.</p>",
                "controlId": "PM-18",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "69f175f7-1279-428b-8155-f9718b01e82e",
                        "name": "PM-19",
                        "objectiveType": "",
                        "otherId": "pm-19_smt",
                        "description": "Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program."
                    }
                ],
                "tests": [
                    {
                        "uuid": "020656e0-60eb-49d0-917b-acf32d18b6aa",
                        "testId": "PM-19-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program documents, including policies, procedures, plans, and reports.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements.</li><li>System of records notices.</li><li>Computer matching agreements and notices.</li><li>Contracts, information sharing agreements, and memoranda of understanding.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8eaa648-f966-44d6-a6f6-ab05853de6fa",
                        "testId": "PM-19-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Senior agency official for privacy.</li><li>Privacy officials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "870b78fa-e53e-4b1f-b942-6e796f07d075",
                        "testId": "PM-19[01]",
                        "test": "Determine if a senior agency official for privacy with authority, mission, accountability, and resources is appointed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program documents, including policies, procedures, plans, and reports.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements.</li><li>System of records notices.</li><li>Computer matching agreements and notices.</li><li>Contracts, information sharing agreements, and memoranda of understanding.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Senior agency official for privacy.</li><li>Privacy officials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "52e70897-e01f-460b-8c01-098a22dfcce1",
                        "testId": "PM-19[02]",
                        "test": "Determine if the senior agency official for privacy coordinates applicable privacy requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program documents, including policies, procedures, plans, and reports.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements.</li><li>System of records notices.</li><li>Computer matching agreements and notices.</li><li>Contracts, information sharing agreements, and memoranda of understanding.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Senior agency official for privacy.</li><li>Privacy officials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6b647267-3a27-4f7a-a661-af6c7018c7b6",
                        "testId": "PM-19[03]",
                        "test": "Determine if the senior agency official for privacy develops applicable privacy requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program documents, including policies, procedures, plans, and reports.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements.</li><li>System of records notices.</li><li>Computer matching agreements and notices.</li><li>Contracts, information sharing agreements, and memoranda of understanding.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Senior agency official for privacy.</li><li>Privacy officials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6327da9a-f831-4fd7-aa2f-b04c329f0ff9",
                        "testId": "PM-19[04]",
                        "test": "Determine if the senior agency official for privacy implements applicable privacy requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program documents, including policies, procedures, plans, and reports.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements.</li><li>System of records notices.</li><li>Computer matching agreements and notices.</li><li>Contracts, information sharing agreements, and memoranda of understanding.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Senior agency official for privacy.</li><li>Privacy officials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aeb8eed2-b93e-403d-bffe-c521e8ba15f0",
                        "testId": "PM-19[05]",
                        "test": "Determine if the senior agency official for privacy manages privacy risks through the organization-wide privacy program.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program documents, including policies, procedures, plans, and reports.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements.</li><li>System of records notices.</li><li>Computer matching agreements and notices.</li><li>Contracts, information sharing agreements, and memoranda of understanding.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program planning and plan implementation responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Senior agency official for privacy.</li><li>Privacy officials.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ec840e29-0acd-4b0e-ba33-bd059e69ce84",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-19 - Privacy Program Leadership Role",
                "description": "Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.<br/><strong>Discussion</strong><br/><p>The privacy officer is an organizational official. For federal agencies\u00e2\u20ac\u201das defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines\u00e2\u20ac\u201dthis official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see  <a href=\"#pm-23\">PM-23</a> ) and the data integrity board (see  <a href=\"#pm-24\">PM-24</a>).</p>",
                "controlId": "PM-19",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "e8c56104-88be-42f3-a9a4-e7fa75e3fd6f",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-20_smt.a",
                        "description": "<ul><li>a. Maintain a central resource webpage on the organization\u2019s principal public website that serves as a central source of information about the organization\u2019s privacy program and that: Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;</li></ul>"
                    },
                    {
                        "uuid": "40053b32-e394-4fe6-9fc3-4efb266f4939",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-20_smt.b",
                        "description": "<ul><li>b. Maintain a central resource webpage on the organization\u2019s principal public website that serves as a central source of information about the organization\u2019s privacy program and that: Ensures that organizational privacy practices and reports are publicly available; and</li></ul>"
                    },
                    {
                        "uuid": "abe32452-dcac-489c-b79c-4724715b525f",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-20_smt.c",
                        "description": "<ul><li>c. Maintain a central resource webpage on the organization\u2019s principal public website that serves as a central source of information about the organization\u2019s privacy program and that: Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "a825050b-fa0b-470b-b00c-af62a848dc3b",
                        "testId": "PM-20[01]",
                        "test": "Determine if a central resource webpage is maintained on the organization\u00e2\u20ac\u2122s principal public website;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a19c6b8-c31f-42b9-8f20-531707bde03c",
                        "testId": "PM-20[02]",
                        "test": "Determine if the webpage serves as a central source of information about the organization\u00e2\u20ac\u2122s privacy program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e327d6d4-46fa-4886-9147-2cd0a5b05b74",
                        "testId": "PM-20a.[01]",
                        "test": "Determine if the webpage ensures that the public has access to information about organizational privacy activities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9bd6adaa-001c-4f40-910b-8a88024e9773",
                        "testId": "PM-20a.[02]",
                        "test": "Determine if the webpage ensures that the public can communicate with its senior agency official for privacy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a33fe3c3-c979-4ece-8b12-7bcb638b85f1",
                        "testId": "PM-20b.[01]",
                        "test": "Determine if the webpage ensures that organizational privacy practices are publicly available;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ec633436-66e0-4f98-9ea6-fed26636f1e2",
                        "testId": "PM-20b.[02]",
                        "test": "Determine if the webpage ensures that organizational privacy reports are publicly available;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4fe76096-9ee7-4dc7-b386-998ed34d721a",
                        "testId": "PM-20c.",
                        "test": "Determine if the webpage employs publicly facing email addresses and/or phone numbers to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c6fbc4ab-7ffb-473c-8b92-b49288ca58f4",
                        "testId": "PM-20-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Public website.</li><li>Publicly posted privacy program documents, including policies, procedures, plans, and reports.</li><li>Position description of the senior agency official for privacy.</li><li>Public privacy notices, including federal register notices.</li><li>Privacy impact assessments.</li><li>Privacy risk assessments.</li><li>Privacy act statements and system of records notices.</li><li>Computer matching agreements and notices.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d6dbd142-d26c-4ebe-9040-bfaffbe865b7",
                        "testId": "PM-20-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fe0763d3-99c5-4e36-8756-a57c1cb65467",
                        "testId": "PM-20-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Location, access, availability, and functionality of privacy resource webpage.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "6294342d-3993-43d3-9258-2cdb9e4667b8",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-20 - Dissemination of Privacy Program Information",
                "description": "Maintain a central resource webpage on the organization\u00e2\u20ac\u2122s principal public website that serves as a central source of information about the organization\u00e2\u20ac\u2122s privacy program and that:<ul><li>a. Ensures that the public has access to information about organizational privacy activities and can communicate with its senior agency official for privacy;</li><li>b. Ensures that organizational privacy practices and reports are publicly available; and</li><li>c. Employs publicly facing email addresses and/or phone lines to enable the public to provide feedback and/or direct questions to privacy offices regarding privacy practices.</li></ul><br/><strong>Discussion</strong><br/><p>For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements,  <a href=\"#18e71fec-c6fd-475a-925a-5d8495cf8455\">PRIVACT</a>  exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions/complaints, blogs, and periodic publications.</p>",
                "controlId": "PM-20",
                "family": "Program Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>PM-20(1) - Privacy Policies on Websites, Applications, and Digital Services</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "df06911d-69b6-487c-b135-7cd90b42e8ae",
                        "name": "(a)",
                        "objectiveType": "",
                        "otherId": "pm-20.1_smt.a",
                        "description": "<ul><li>(a) Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Are written in plain language and organized in a way that is easy to understand and navigate;</li></ul>"
                    },
                    {
                        "uuid": "bfdda5f8-7822-470c-87bc-d5ccba469074",
                        "name": "(b)",
                        "objectiveType": "",
                        "otherId": "pm-20.1_smt.b",
                        "description": "<ul><li>(b) Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and</li></ul>"
                    },
                    {
                        "uuid": "8122eacc-adf0-4852-b802-419bae9d6e1a",
                        "name": "(c)",
                        "objectiveType": "",
                        "otherId": "pm-20.1_smt.c",
                        "description": "<ul><li>(c) Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "1147383e-9c11-4a90-a921-abbf3dea1e52",
                        "testId": "PM-20(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2685026c-4e0b-4695-bb1c-002aa6d56a66",
                        "testId": "PM-20(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0640a5c4-ae9e-423b-b98a-51c0cbe75690",
                        "testId": "PM-20(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "91939c1d-e3a8-4c33-a545-92e57e279b7b",
                        "testId": "PM-20(01)[01]",
                        "test": "Determine if privacy policies are developed and posted on all external-facing websites;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d7c8f9eb-774d-46d7-af11-f36892e2d5a5",
                        "testId": "PM-20(01)[02]",
                        "test": "Determine if privacy policies are developed and posted on all mobile applications;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cafc16af-f7a6-47e4-a8d5-fb8bc1f706a4",
                        "testId": "PM-20(01)[03]",
                        "test": "Determine if privacy policies are developed and posted on all other digital services;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "79ca29fa-5ba1-4442-8392-2aa880bfdca7",
                        "testId": "PM-20(01)(a)[01]",
                        "test": "Determine if the privacy policies are written in plain language;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "95ebdf65-6828-43b2-b8f4-fd9f5473cd8e",
                        "testId": "PM-20(01)(a)[02]",
                        "test": "Determine if the privacy policies are organized in a way that is easy to understand and navigate;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6eb20798-72b1-4618-a677-5a20bd773aeb",
                        "testId": "PM-20(01)(b)[01]",
                        "test": "Determine if the privacy policies provide the information needed by the public to make an informed decision about whether to interact with the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7e71ca5e-ef00-4824-88dd-3ff4104fe0d3",
                        "testId": "PM-20(01)(b)[02]",
                        "test": "Determine if the privacy policies provide the information needed by the public to make an informed decision about how to interact with the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "871c0770-f2fd-432e-8ac9-fbadf5a1d90d",
                        "testId": "PM-20(01)(c)[01]",
                        "test": "Determine if the privacy policies are updated whenever the organization makes a substantive change to the practices it describes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "33825370-61ff-483a-a8a0-f9e106146cdf",
                        "testId": "PM-20(01)(c)[02]",
                        "test": "Determine if the privacy policies include a time/date stamp to inform the public of the date of the most recent changes.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy policies on the agency website, mobile applications, and/or other digital services.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational procedures and practices for disseminating privacy program information.</li><li>Mechanisms supporting the dissemination of privacy program information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "67713367-04df-4da0-9f38-04d52b4542dc",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-20(01) - Privacy Policies on Websites, Applications, and Digital Services",
                "description": "Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:<ul><li>(a) Are written in plain language and organized in a way that is easy to understand and navigate;</li><li>(b) Provide information needed by the public to make an informed decision about whether and how to interact with the organization; and</li><li>(c) Are updated whenever the organization makes a substantive change to the practices it describes and includes a time/date stamp to inform the public of the date of the most recent changes.</li></ul><br/><strong>Discussion</strong><br/><p>Organizations post privacy policies on all external-facing websites, mobile applications, and other digital services. Organizations post a link to the relevant privacy policy on any known, major entry points to the website, application, or digital service. In addition, organizations provide a link to the privacy policy on any webpage that collects personally identifiable information. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that require the provision of specific information to the public. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.</p>",
                "controlId": "PM-20(1)",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "9a54d5e1-deef-49fc-add9-313ef2f64efd",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-21_smt.a",
                        "description": "<ul><li>a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:</li><ul><li>1. Date, nature, and purpose of each disclosure; and</li><li>2. Name and address, or other contact information of the individual or organization to which the disclosure was made;</li></ul>"
                    },
                    {
                        "uuid": "c6c68c91-2955-4f9b-8c45-5c419ac15ef8",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-21_smt.b",
                        "description": "<ul><li>b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and</li></ul>"
                    },
                    {
                        "uuid": "4f31ffb5-6e89-499a-b520-12f5a3904d0c",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-21_smt.c",
                        "description": "<ul><li>c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "68abf8a4-6ea5-4374-b815-f635eeec3317",
                        "testId": "PM-21a.",
                        "test": "Determine if an accurate accounting of disclosures of personally identifiable information is developed and maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0fcc2781-0dcf-4132-8a78-835f3460269b",
                        "testId": "PM-21a.01[01]",
                        "test": "Determine if the accounting includes the date of each disclosure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9cca7970-62d8-4be2-bd6a-16c4c400931a",
                        "testId": "PM-21a.01[02]",
                        "test": "Determine if the accounting includes the nature of each disclosure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "98a58a24-573b-411b-8b70-e1160db665e5",
                        "testId": "PM-21a.01[03]",
                        "test": "Determine if the accounting includes the purpose of each disclosure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "255cddd6-1e21-4d68-ba9e-a5c2f5497296",
                        "testId": "PM-21a.02[01]",
                        "test": "Determine if the accounting includes the name of the individual or organization to whom the disclosure was made;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9d5ae1cf-3a88-4ccb-80f1-c47bdace874f",
                        "testId": "PM-21a.02[02]",
                        "test": "Determine if the accounting includes the address or other contact information of the individual or organization to whom the disclosure was made;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c7bfecce-9b22-4d27-8003-567f3a179c5b",
                        "testId": "PM-21b.",
                        "test": "Determine if the accounting of disclosures is retained for the length of time that the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3638911c-d4e2-45b6-995c-53d8566823e6",
                        "testId": "PM-21c.",
                        "test": "Determine if the accounting of disclosures is made available to the individual to whom the personally identifiable information relates upon request.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul><br><h5>Test</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a24b44b2-6538-4f5e-94c8-3609253c3e63",
                        "testId": "PM-21-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Disclosure policies and procedures.</li><li>Records of disclosures.</li><li>Audit logs.</li><li>Privacy act policies and procedures.</li><li>System of records notice.</li><li>Privacy act exemption rules..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "97eccd7c-4112-4dec-a215-c429bfc7b0c1",
                        "testId": "PM-21-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8ccb605e-da37-44da-bc4d-c63c1e2c2038",
                        "testId": "PM-21-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for disclosures.</li><li>Mechanisms supporting the accounting of disclosures, including commercial services that provide notifications and alerts..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "2d5395e9-e54f-49b1-994c-59f4173d644e",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-21 - Accounting of Disclosures",
                "description": "<ul><li>a. Develop and maintain an accurate accounting of disclosures of personally identifiable information, including:</li><ul><li>1. Date, nature, and purpose of each disclosure; and</li><li>2. Name and address, or other contact information of the individual or organization to which the disclosure was made;</li></ul><li>b. Retain the accounting of disclosures for the length of the time the personally identifiable information is maintained or five years after the disclosure is made, whichever is longer; and</li><li>c. Make the accounting of disclosures available to the individual to whom the personally identifiable information relates upon request.</li></ul><br/><strong>Discussion</strong><br/><p>The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the  <a href=\"#18e71fec-c6fd-475a-925a-5d8495cf8455\">PRIVACT</a> ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.</p><p>Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions.</p>",
                "controlId": "PM-21",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "f6d822a9-778b-45d4-9ca8-630a79680110",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-22_smt.a",
                        "description": "<ul><li>a. Develop and document organization-wide policies and procedures for: Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;</li></ul>"
                    },
                    {
                        "uuid": "d466946f-cdea-4dba-aabf-79bf7cd3eb60",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-22_smt.b",
                        "description": "<ul><li>b. Develop and document organization-wide policies and procedures for: Correcting or deleting inaccurate or outdated personally identifiable information;</li></ul>"
                    },
                    {
                        "uuid": "936e03bd-7a17-4498-b9b2-c5a9871a9aca",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-22_smt.c",
                        "description": "<ul><li>c. Develop and document organization-wide policies and procedures for: Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and</li></ul>"
                    },
                    {
                        "uuid": "863e1989-943c-480c-b48f-96110886785f",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pm-22_smt.d",
                        "description": "<ul><li>d. Develop and document organization-wide policies and procedures for: Appeals of adverse decisions on correction or deletion requests.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "2251ba4c-14dc-463a-a9b8-efe608239501",
                        "testId": "PM-22-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "902e0530-1b10-44af-97fb-b3853d37448d",
                        "testId": "PM-22-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "51f9f137-83a4-4901-86f9-1de7db4358ed",
                        "testId": "PM-22-Test",
                        "test": "<br><h5>TEST</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "49962757-3413-439e-9d63-82372631dc5f",
                        "testId": "PM-22[01]",
                        "test": "Determine if organization-wide policies for personally identifiable information quality management are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fcccf983-3396-4823-b1ed-17261a74c384",
                        "testId": "PM-22[02]",
                        "test": "Determine if organization-wide procedures for personally identifiable information quality management are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ff10cab4-5357-4486-b46c-7c7b88aa12e0",
                        "testId": "PM-22a.[01]",
                        "test": "Determine if the policies address reviewing the accuracy of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4c5c4741-a727-4413-ae04-589a2cbdeed7",
                        "testId": "PM-22a.[02]",
                        "test": "Determine if the policies address reviewing the relevance of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ff5b4017-ab8b-4b8b-8174-98383aa30b76",
                        "testId": "PM-22a.[03]",
                        "test": "Determine if the policies address reviewing the timeliness of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "96e38ec8-b811-4183-baeb-0a7c0a0b6cc5",
                        "testId": "PM-22a.[04]",
                        "test": "Determine if the policies address reviewing the completeness of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b17b32ce-cc04-421c-810e-c052d6eefe3f",
                        "testId": "PM-22a.[05]",
                        "test": "Determine if the procedures address reviewing the accuracy of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "39dc1174-8f88-42e1-946a-6a683e648183",
                        "testId": "PM-22a.[06]",
                        "test": "Determine if the procedures address reviewing the relevance of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "65a4726b-dc9c-4c92-a392-d52e39461bc0",
                        "testId": "PM-22a.[07]",
                        "test": "Determine if the procedures address reviewing the timeliness of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fad1588d-1f00-4683-ac79-d7552917959c",
                        "testId": "PM-22a.[08]",
                        "test": "Determine if the procedures address reviewing the completeness of personally identifiable information across the information life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f9ff0d77-113d-46b8-bed2-848caf2c18ec",
                        "testId": "PM-22b.[01]",
                        "test": "Determine if the policies address correcting or deleting inaccurate or outdated personally identifiable information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "918452af-7b87-43ba-a2a6-6b0fc81592c7",
                        "testId": "PM-22b.[02]",
                        "test": "Determine if the procedures address correcting or deleting inaccurate or outdated personally identifiable information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3d66a214-ac05-42d5-ac5a-9276c744e183",
                        "testId": "PM-22c.[01]",
                        "test": "Determine if the policies address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f9d1192e-a46d-4d9b-b4fb-6c95f1247804",
                        "testId": "PM-22c.[02]",
                        "test": "Determine if the procedures address disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "efeb5343-967d-438c-93e9-dd2d0b424d23",
                        "testId": "PM-22d.[01]",
                        "test": "Determine if the policies address appeals of adverse decisions on correction or deletion requests;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d17c6e68-746c-4ac4-97a2-aa17ccb6c125",
                        "testId": "PM-22d.[02]",
                        "test": "Determine if the procedures address appeals of adverse decisions on correction or deletion requests.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures addressing personally identifiable information quality management, information life cycle documentation, and sample notices of correction or deletion.</li><li>Records of monitoring pii quality management practices.</li><li>Documentation of reviews and updates of policies and procedures.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program information dissemination responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>[organizational processes for data quality and personally identifiable information quality management procedures.</li><li>Mechanisms supporting and/or implementing quality management requirements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9317165a-6b9c-4449-a04d-2c34fa0504c1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-22 - Personally Identifiable Information Quality Management",
                "description": "Develop and document organization-wide policies and procedures for:<ul><li>a. Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle;</li><li>b. Correcting or deleting inaccurate or outdated personally identifiable information;</li><li>c. Disseminating notice of corrected or deleted personally identifiable information to individuals or other appropriate entities; and</li><li>d. Appeals of adverse decisions on correction or deletion requests.</li></ul><br/><strong>Discussion</strong><br/><p>Personally identifiable information quality management includes steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition of personally identifiable information. Organizational policies and procedures for personally identifiable information quality management are important because inaccurate or outdated personally identifiable information maintained by organizations may cause problems for individuals. Organizations consider the quality of personally identifiable information involved in business functions where inaccurate information may result in adverse decisions or the denial of benefits and services, or the disclosure of the information may cause stigmatization. Correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of organizations maintaining the information. Organizations consider creating policies and procedures for the removal of such information.</p><p>The senior agency official for privacy ensures that practical means and mechanisms exist and are accessible for individuals or their authorized representatives to seek the correction or deletion of personally identifiable information. Processes for correcting or deleting data are clearly defined and publicly available. Organizations use discretion in determining whether data is to be deleted or corrected based on the scope of requests, the changes sought, and the impact of the changes. Additionally, processes include the provision of responses to individuals of decisions to deny requests for correction or deletion. The responses include the reasons for the decisions, a means to record individual objections to the decisions, and a means of requesting reviews of the initial determinations.</p><p>Organizations notify individuals or their designated representatives when their personally identifiable information is corrected or deleted to provide transparency and confirm the completed action. Due to the complexity of data flows and storage, other entities may need to be informed of the correction or deletion. Notice supports the consistent correction and deletion of personally identifiable information across the data ecosystem.</p>",
                "controlId": "PM-22",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "1957521f-c9d0-4288-ab8e-bf0ea6867470",
                        "parameterId": "PM-23-1",
                        "text": "roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-23_odp.01"
                    },
                    {
                        "uuid": "c428b4be-530b-4e34-89a5-8622073c3746",
                        "parameterId": "PM-23-2",
                        "text": "responsibilities",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined responsibilities] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-23_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "ef6e8b8d-5430-4225-aad9-572ab23a08fa",
                        "name": "PM-23",
                        "objectiveType": "",
                        "otherId": "pm-23_smt",
                        "description": "Establish a Data Governance Body consisting of {{ insert: param, PM-23-1 }} with {{ insert: param, PM-23-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "2f0d0d97-a855-4d27-aaca-796c6462722f",
                        "testId": "PM-23",
                        "test": "Determine if a data governance body consisting of  [SELECTED PARAMETER VALUE(S): roles ]  with  [SELECTED PARAMETER VALUE(S): responsibilities ]  is established.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Documentation relating to the data governance body, including documents establishing such a body, its charter of operations, and any plans and reports.</li><li>Records of board meetings and decisions.</li><li>Records of requests to review data.</li><li>Policies, procedures, and standards that facilitate data governance.</li></ul><br><h5>Interview</h5><ul><li>Officials serving on the data governance body (e.g., chief information officer, senior agency information security officer, and senior agency official for privacy).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c973f280-fea4-483f-a8c7-f1ce4ea1128b",
                        "testId": "PM-23-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Documentation relating to the data governance body, including documents establishing such a body, its charter of operations, and any plans and reports.</li><li>Records of board meetings and decisions.</li><li>Records of requests to review data.</li><li>Policies, procedures, and standards that facilitate data governance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a3ac2a48-bbcf-4b8a-a147-e296b9875610",
                        "testId": "PM-23-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Officials serving on the data governance body (e.g., chief information officer, senior agency information security officer, and senior agency official for privacy).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ce357d1d-6da5-4ed3-9e20-cc166dc63f72",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-23 - Data Governance Body",
                "description": "Establish a Data Governance Body consisting of  {{ insert: param, PM-23-1 }}  with  {{ insert: param, PM-23-2 }}.<br/><strong>Discussion</strong><br/><p>A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the  <a href=\"#511da9ca-604d-43f7-be41-b862085420a9\">EVIDACT</a>  and policies set forth under  <a href=\"#d886c141-c832-4ad7-ac6d-4b94f4b550d3\">OMB M-19-23</a>.</p>",
                "controlId": "PM-23",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "eaf6f367-102e-45f9-8603-67274433f66d",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-24_smt.a",
                        "description": "<ul><li>a. Establish a Data Integrity Board to: Review proposals to conduct or participate in a matching program; and</li></ul>"
                    },
                    {
                        "uuid": "0cfc2de6-695a-431b-ae67-db0c95261c59",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-24_smt.b",
                        "description": "<ul><li>b. Establish a Data Integrity Board to: Conduct an annual review of all matching programs in which the agency has participated.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "17493c8b-cf21-4a8d-bf0a-9fb20321193f",
                        "testId": "PM-24-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Privacy program documents relating to the data integrity board, including documents establishing the board, its charter of operations, and any plans and reports.</li><li>Computer matching agreements and notices.</li><li>Information sharing agreements.</li><li>Memoranda of understanding.</li><li>Records documenting annual reviews.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "68f021dc-3946-44e6-a3da-8d4a93907624",
                        "testId": "PM-24-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Members of the data integrity board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency inspector general).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "78029316-cdd2-4930-8dac-bdd1971a9384",
                        "testId": "PM-24a.",
                        "test": "Determine if the data integrity board reviews proposals to conduct or participate in a matching program;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy program documents relating to the data integrity board, including documents establishing the board, its charter of operations, and any plans and reports.</li><li>Computer matching agreements and notices.</li><li>Information sharing agreements.</li><li>Memoranda of understanding.</li><li>Records documenting annual reviews.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li></ul><br><h5>Interview</h5><ul><li>Members of the data integrity board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency inspector general).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4bd75553-c103-497c-bc98-9bdc5cf952aa",
                        "testId": "PM-24b.",
                        "test": "Determine if the data integrity board conducts an annual review of all matching programs in which the agency has participated.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy program documents relating to the data integrity board, including documents establishing the board, its charter of operations, and any plans and reports.</li><li>Computer matching agreements and notices.</li><li>Information sharing agreements.</li><li>Memoranda of understanding.</li><li>Records documenting annual reviews.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li></ul><br><h5>Interview</h5><ul><li>Members of the data integrity board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency inspector general).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4f7328cb-cf8d-456b-8452-709b27938ec4",
                        "testId": "PM-24",
                        "test": "Determine if a data integrity board is established;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Privacy program documents relating to the data integrity board, including documents establishing the board, its charter of operations, and any plans and reports.</li><li>Computer matching agreements and notices.</li><li>Information sharing agreements.</li><li>Memoranda of understanding.</li><li>Records documenting annual reviews.</li><li>Governing requirements, including laws, executive orders, regulations, standards, and guidance.</li></ul><br><h5>Interview</h5><ul><li>Members of the data integrity board (e.g., the chief information officer, senior information security officer, senior agency official for privacy, and agency inspector general).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "22719ee2-2774-4fbe-b3ad-565421ea3d1c",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-24 - Data Integrity Board",
                "description": "Establish a Data Integrity Board to:<ul><li>a. Review proposals to conduct or participate in a matching program; and</li><li>b. Conduct an annual review of all matching programs in which the agency has participated.</li></ul><br/><strong>Discussion</strong><br/><p>A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency\u00e2\u20ac\u2122s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated  <a href=\"#18e71fec-c6fd-475a-925a-5d8495cf8455\">PRIVACT</a>  systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.</p>",
                "controlId": "PM-24",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "189c6886-ab3f-4162-b2da-ac1a48b77ae5",
                        "parameterId": "PM-25(d)",
                        "text": "organization-defined frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-25_prm_1"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "23940437-c368-429e-a89c-fcdb704bb442",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-25_smt.a",
                        "description": "<ul><li>a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;</li></ul>"
                    },
                    {
                        "uuid": "f913c9a8-f12f-443d-81df-086f5e57d9a0",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-25_smt.b",
                        "description": "<ul><li>b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;</li></ul>"
                    },
                    {
                        "uuid": "317ab9aa-96e7-4f38-b2d7-a56a20b9bbd4",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-25_smt.c",
                        "description": "<ul><li>c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and</li></ul>"
                    },
                    {
                        "uuid": "12cb1953-a51a-4c56-9c1c-db33da6de0f4",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pm-25_smt.d",
                        "description": "<ul><li>d. Review and update policies and procedures {{ insert: param, PM-25(d) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "ac244947-d15f-4cb2-ae6a-408799fe0e9d",
                        "testId": "PM-25a.[01]",
                        "test": "Determine if policies that address the use of personally identifiable information for internal testing are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9d14c797-0b40-4d48-8d58-4efdcdd49273",
                        "testId": "PM-25a.[02]",
                        "test": "Determine if policies that address the use of personally identifiable information for internal training are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1459fc5f-5e44-46fb-b3f9-f65bae010860",
                        "testId": "PM-25a.[03]",
                        "test": "Determine if policies that address the use of personally identifiable information for internal research are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6f2f4e29-9be8-4305-8b06-228630fb32fe",
                        "testId": "PM-25a.[04]",
                        "test": "Determine if procedures that address the use of personally identifiable information for internal testing are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "54c9e0b7-7608-49f7-aee7-84da507a720d",
                        "testId": "PM-25a.[05]",
                        "test": "Determine if procedures that address the use of personally identifiable information for internal training are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "681e26d5-d706-4dde-8ea0-09fd4721b57e",
                        "testId": "PM-25a.[06]",
                        "test": "Determine if procedures that address the use of personally identifiable information for internal research are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2be0d57c-cc28-4b5a-8079-79ceb1eb3e2d",
                        "testId": "PM-25a.[07]",
                        "test": "Determine if policies that address the use of personally identifiable information for internal testing, are implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "81bb3366-ef54-4a33-9886-165907f11fe3",
                        "testId": "PM-25a.[08]",
                        "test": "Determine if policies that address the use of personally identifiable information for training are implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "47f03ffa-6070-4903-ab1a-9f13f1f4bb02",
                        "testId": "PM-25a.[09]",
                        "test": "Determine if policies that address the use of personally identifiable information for research are implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f98cde4f-ead8-4b55-93f5-8e2ca50d0c6c",
                        "testId": "PM-25a.[10]",
                        "test": "Determine if procedures that address the use of personally identifiable information for internal testing are implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d8658016-cc6b-44b5-ba0e-16ba218d291c",
                        "testId": "PM-25a.[11]",
                        "test": "Determine if procedures that address the use of personally identifiable information for training are implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "65afa0ad-260b-4c49-aa6f-ae241184e630",
                        "testId": "PM-25a.[12]",
                        "test": "Determine if procedures that address the use of personally identifiable information for research are implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "28ea0965-d658-4df8-b58d-8ec8e86d736f",
                        "testId": "PM-25b.[01]",
                        "test": "Determine if the amount of personally identifiable information used for internal testing purposes is limited or minimized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9d777728-162b-4fb4-a1ca-ac1e4a410a6c",
                        "testId": "PM-25b.[02]",
                        "test": "Determine if the amount of personally identifiable information used for internal training purposes is limited or minimized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "723e25f2-af3b-42d6-a6a7-fc96397eb837",
                        "testId": "PM-25b.[03]",
                        "test": "Determine if the amount of personally identifiable information used for internal research purposes is limited or minimized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e8d7f996-ce3f-429f-a4f8-778fb6bbca7f",
                        "testId": "PM-25c.[01]",
                        "test": "Determine if the required use of personally identifiable information for internal testing is authorized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c12145ce-20b3-4227-9a6c-ae6ad3fcc21a",
                        "testId": "PM-25c.[02]",
                        "test": "Determine if the required use of personally identifiable information for internal training is authorized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "beaa460d-7c9c-4a0d-93a7-d93caac16030",
                        "testId": "PM-25c.[03]",
                        "test": "Determine if the required use of personally identifiable information for internal research is authorized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "510bfbde-996d-469c-bd02-8e28fc65236d",
                        "testId": "PM-25d.[01]",
                        "test": "Determine if policies are reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "15f1a3ac-a013-477a-8fec-4ec32df0bf11",
                        "testId": "PM-25d.[02]",
                        "test": "Determine if policies are updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "845c7862-085a-47fb-94e1-8079dfa60b46",
                        "testId": "PM-25d.[03]",
                        "test": "Determine if procedures are reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e0be1e2d-211a-4f8d-85c6-adab3eeb7386",
                        "testId": "PM-25d.[04]",
                        "test": "Determine if procedures are updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f91fee33-a360-4745-9b1d-f2d5524c7502",
                        "testId": "PM-25-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Policies and procedures for the minimization of personally identifiable information used in testing, training, and research.</li><li>Documentation supporting policy implementation (e.g., templates for testing, training, and research.</li><li>Privacy threshold analysis.</li><li>Privacy risk assessment).</li><li>Data sets used for testing, training, and research.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8eea871d-3811-4685-93f7-dda2ffd835ea",
                        "testId": "PM-25-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>System developers.</li><li>Personnel with irb responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "095e3f12-baee-43cb-9cf4-e6220d6347df",
                        "testId": "PM-25-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for data quality and personally identifiable information management.</li><li>Mechanisms supporting data quality management and personally identifiable information management to minimize the use of personally identifiable information.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "262af9d5-d84e-413d-ba86-8077cd0b331a",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-25 - Minimization of Personally Identifiable Information Used in Testing, Training, and Research",
                "description": "<ul><li>a. Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research;</li><li>b. Limit or minimize the amount of personally identifiable information used for internal testing, training, and research purposes;</li><li>c. Authorize the use of personally identifiable information when such information is required for internal testing, training, and research; and</li><li>d. Review and update policies and procedures  {{ insert: param, PM-25(d) }}.</li></ul><br/><strong>Discussion</strong><br/><p>The use of personally identifiable information in testing, research, and training increases the risk of unauthorized disclosure or misuse of such information. Organizations consult with the senior agency official for privacy and/or legal counsel to ensure that the use of personally identifiable information in testing, training, and research is compatible with the original purpose for which it was collected. When possible, organizations use placeholder data to avoid exposure of personally identifiable information when conducting testing, training, and research.</p>",
                "controlId": "PM-25",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "9e7cac63-6e8b-4de4-98c0-5a30dc67514d",
                        "parameterId": "PM-26(c)",
                        "text": "organization-defined time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-26_prm_1"
                    },
                    {
                        "uuid": "0aff223c-f737-4656-8b52-1c41360ec80e",
                        "parameterId": "PM-26(d)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-26_odp.03"
                    },
                    {
                        "uuid": "13c73f39-281a-45a2-843a-e76f9f173390",
                        "parameterId": "PM-26(e)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-26_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "16561508-bbbb-4c37-ab6d-ed260bec263e",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-26_smt.a",
                        "description": "<ul><li>a. Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Mechanisms that are easy to use and readily accessible by the public;</li></ul>"
                    },
                    {
                        "uuid": "39c987b5-5a6a-4534-b9b6-4e8d2a5566e8",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-26_smt.b",
                        "description": "<ul><li>b. Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: All information necessary for successfully filing complaints;</li></ul>"
                    },
                    {
                        "uuid": "f281e774-03c9-4206-af26-cc1b4de02bbd",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-26_smt.c",
                        "description": "<ul><li>c. Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, PM-26(c) }};</li></ul>"
                    },
                    {
                        "uuid": "a1813f8e-ff6d-4ffb-9ee5-1cd12a5b2671",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pm-26_smt.d",
                        "description": "<ul><li>d. Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, PM-26(d) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "7d41b3bb-c80b-41f5-8587-46caa6357313",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "pm-26_smt.e",
                        "description": "<ul><li>e. Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Response to complaints, concerns, or questions from individuals within {{ insert: param, PM-26(e) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "b4b70a06-3a26-444b-96dc-5b41e51edd64",
                        "testId": "PM-26-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c6cedf64-94ee-4016-a17e-9f1bb845b998",
                        "testId": "PM-26-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f817acb4-0c82-496a-ac4a-51227a2cc38d",
                        "testId": "PM-26-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6c11fab3-1987-40be-b2fb-2fff28943dbb",
                        "testId": "PM-26[01]",
                        "test": "Determine if a process for receiving complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0a2eac0-8a89-406f-ac4e-f825306ca55b",
                        "testId": "PM-26[02]",
                        "test": "Determine if a process for responding to complaints, concerns, or questions from individuals about organizational security and privacy practices is implemented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b1210f71-416a-44fc-b40a-99b0d5af67b7",
                        "testId": "PM-26a.[01]",
                        "test": "Determine if the complaint management process includes mechanisms that are easy to use by the public;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9d4a9f55-e2d3-460c-88d3-fabf709be458",
                        "testId": "PM-26a.[02]",
                        "test": "Determine if the complaint management process includes mechanisms that are readily accessible by the public;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f5598426-25bb-4dae-a2ce-c5954a17c8a4",
                        "testId": "PM-26b.",
                        "test": "Determine if the complaint management process includes all information necessary for successfully filing complaints;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6596ca64-de47-45cf-a075-e69635788582",
                        "testId": "PM-26c.[01]",
                        "test": "Determine if the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "769ce37a-f430-45db-8be2-8161cb49cb0d",
                        "testId": "PM-26c.[02]",
                        "test": "Determine if the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "82299e15-cdd0-41da-b390-661366fdd8e6",
                        "testId": "PM-26d.",
                        "test": "Determine if the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "663c64dd-eb6e-4182-b2b4-72feaeec4c4f",
                        "testId": "PM-26e.",
                        "test": "Determine if the complaint management process includes responding to complaints, concerns, or questions from individuals within  [SELECTED PARAMETER VALUE(S): time period ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Procedures addressing complaint management.</li><li>Complaint documentation.</li><li>Procedures addressing the reviews of complaints.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for complaint management.</li><li>Mechanisms supporting complaint management.</li><li>Tools used by the public to submit complaints, concerns, and questions (e.g., telephone, hotline, email, or web-based forms.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "60f60219-63a3-4252-94f9-2a28fcfa2b46",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-26 - Complaint Management",
                "description": "Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:<ul><li>a. Mechanisms that are easy to use and readily accessible by the public;</li><li>b. All information necessary for successfully filing complaints;</li><li>c. Tracking mechanisms to ensure all complaints received are reviewed and addressed within  {{ insert: param, PM-26(c) }};</li><li>d. Acknowledgement of receipt of complaints, concerns, or questions from individuals within  {{ insert: param, PM-26(d) }} ; and</li><li>e. Response to complaints, concerns, or questions from individuals within  {{ insert: param, PM-26(e) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Complaints, concerns, and questions from individuals can serve as valuable sources of input to organizations and ultimately improve operational models, uses of technology, data collection practices, and controls. Mechanisms that can be used by the public include telephone hotline, email, or web-based forms. The information necessary for successfully filing complaints includes contact information for the senior agency official for privacy or other official designated to receive complaints. Privacy complaints may also include personally identifiable information which is handled in accordance with relevant policies and processes.</p>",
                "controlId": "PM-26",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "262c5594-26a2-4f11-a165-4805d9a1cc48",
                        "parameterId": "PM-27(a)",
                        "text": "privacy reports",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined privacy reports] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-27_odp.01"
                    },
                    {
                        "uuid": "9145bc19-b3d8-426a-8442-bccd46d2d538",
                        "parameterId": "PM-27(a)(1)",
                        "text": "oversight bodies",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined oversight bodies] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-27_odp.02"
                    },
                    {
                        "uuid": "977b901b-74e0-488f-b3b9-ebd08963ff5a",
                        "parameterId": "PM-27(a)(2)",
                        "text": "officials",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined officials] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-27_odp.03"
                    },
                    {
                        "uuid": "60ca597f-9ffb-465e-811c-8f002bb37196",
                        "parameterId": "PM-27(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-27_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "114665ee-7637-4a77-b81f-9a43de4e8dd8",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-27_smt.a",
                        "description": "<ul><li>a. Develop {{ insert: param, PM-27(a) }} and disseminate to:</li><ul><li>1. {{ insert: param, PM-27(a)(1) }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and</li><li>2. {{ insert: param, PM-27(a)(2) }} and other personnel with responsibility for monitoring privacy program compliance; and</li></ul>"
                    },
                    {
                        "uuid": "7d5d042b-3a41-486b-a306-3695a88a54e1",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-27_smt.b",
                        "description": "<ul><li>b. Review and update privacy reports {{ insert: param, PM-27(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "802260cc-c8fa-4f88-b3c5-8c73897e17ef",
                        "testId": "PM-27a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): privacy reports ]  are developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Internal and external privacy reports.</li><li>Privacy program plan.</li><li>Annual senior agency official for privacy reports to omb.</li><li>Reports to congress required by law, regulation, or policy, including internal policies.</li><li>Records documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance.</li><li>Records of review and updates of privacy reports..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Legal counsel..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ba1bde43-78b3-420d-a409-882a45d839fc",
                        "testId": "PM-27a.01",
                        "test": "Determine if the privacy reports are disseminated to  [SELECTED PARAMETER VALUE(S): oversight bodies ]  to demonstrate accountability with statutory, regulatory, and policy privacy mandates;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Internal and external privacy reports.</li><li>Privacy program plan.</li><li>Annual senior agency official for privacy reports to omb.</li><li>Reports to congress required by law, regulation, or policy, including internal policies.</li><li>Records documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance.</li><li>Records of review and updates of privacy reports..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Legal counsel..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "74ae59fb-c5ce-4af5-8aaa-94a7f790821f",
                        "testId": "PM-27a.02[01]",
                        "test": "Determine if the privacy reports are disseminated to  [SELECTED PARAMETER VALUE(S): officials ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Internal and external privacy reports.</li><li>Privacy program plan.</li><li>Annual senior agency official for privacy reports to omb.</li><li>Reports to congress required by law, regulation, or policy, including internal policies.</li><li>Records documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance.</li><li>Records of review and updates of privacy reports..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Legal counsel..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9f22bec1-f41a-4d85-adb8-7ec0b8d09dba",
                        "testId": "PM-27a.02[02]",
                        "test": "Determine if the privacy reports are disseminated to other personnel responsible for monitoring privacy program compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Internal and external privacy reports.</li><li>Privacy program plan.</li><li>Annual senior agency official for privacy reports to omb.</li><li>Reports to congress required by law, regulation, or policy, including internal policies.</li><li>Records documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance.</li><li>Records of review and updates of privacy reports..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Legal counsel..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "722ba9c6-a448-4d63-822d-a745d4c21038",
                        "testId": "PM-27b.",
                        "test": "Determine if the privacy reports are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Privacy program plan.</li><li>Internal and external privacy reports.</li><li>Privacy program plan.</li><li>Annual senior agency official for privacy reports to omb.</li><li>Reports to congress required by law, regulation, or policy, including internal policies.</li><li>Records documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance.</li><li>Records of review and updates of privacy reports..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Legal counsel..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1935f2c8-d84e-4f64-b600-4f6a05825983",
                        "testId": "PM-27-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Privacy program plan.</li><li>Internal and external privacy reports.</li><li>Privacy program plan.</li><li>Annual senior agency official for privacy reports to omb.</li><li>Reports to congress required by law, regulation, or policy, including internal policies.</li><li>Records documenting the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance.</li><li>Records of review and updates of privacy reports..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bf230655-0338-4a1f-826d-25837d8c6f98",
                        "testId": "PM-27-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with privacy program responsibilities.</li><li>Organizational personnel with privacy responsibilities.</li><li>Legal counsel..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9c9d41bc-1430-4c78-9800-870db78ee5ca",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-27 - Privacy Reporting",
                "description": "<ul><li>a. Develop  {{ insert: param, PM-27(a) }}  and disseminate to:</li><ul><li>1. {{ insert: param, PM-27(a)(1) }}  to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and</li><li>2. {{ insert: param, PM-27(a)(2) }}  and other personnel with responsibility for monitoring privacy program compliance; and</li></ul><li>b. Review and update privacy reports  {{ insert: param, PM-27(b) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Through internal and external reporting, organizations promote accountability and transparency in organizational privacy operations. Reporting can also help organizations to determine progress in meeting privacy compliance requirements and privacy controls, compare performance across the federal government, discover vulnerabilities, identify gaps in policy and implementation, and identify models for success. For federal agencies, privacy reports include annual senior agency official for privacy reports to OMB, reports to Congress required by Implementing Regulations of the 9/11 Commission Act, and other public reports required by law, regulation, or policy, including internal policies of organizations. The senior agency official for privacy consults with legal counsel, where appropriate, to ensure that organizations meet all applicable privacy reporting requirements.</p>",
                "controlId": "PM-27",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "9c63c02e-310b-4a29-9b77-cc4e93bb1775",
                        "parameterId": "PM-28(b)",
                        "text": "personnel",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-28_odp.01"
                    },
                    {
                        "uuid": "93af07a1-c10e-432e-91ff-0071499f0738",
                        "parameterId": "PM-28(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-28_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "079ad92c-58ac-4887-a27f-8374bf702da8",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-28_smt.a",
                        "description": "<ul><li>a. Identify and document:</li><ul><li>1. Assumptions affecting risk assessments, risk responses, and risk monitoring;</li><li>2. Constraints affecting risk assessments, risk responses, and risk monitoring;</li><li>3. Priorities and trade-offs considered by the organization for managing risk; and</li><li>4. Organizational risk tolerance;</li></ul>"
                    },
                    {
                        "uuid": "6d2c1a2a-ffe1-4670-a695-c35ef4f8e7bb",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-28_smt.b",
                        "description": "<ul><li>b. Distribute the results of risk framing activities to {{ insert: param, PM-28(b) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "8a4e5e44-e2ef-4498-8aa3-f3b0eb7900ea",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-28_smt.c",
                        "description": "<ul><li>c. Review and update risk framing considerations {{ insert: param, PM-28(c) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "70eb4d11-7a7b-4f49-ae5c-8a23917ea419",
                        "testId": "PM-28-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bab89bbb-d39b-4a7d-a106-8830899b2e4a",
                        "testId": "PM-28-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ff575158-7d65-4aa5-b882-bd7463ca2492",
                        "testId": "PM-28-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "492fc0de-8fc6-4655-8cc5-d2ccb0a9b790",
                        "testId": "PM-28a.01[01]",
                        "test": "Determine if assumptions affecting risk assessments are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cbf1b938-dce0-4a6a-967e-fec27365da00",
                        "testId": "PM-28a.01[02]",
                        "test": "Determine if assumptions affecting risk responses are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "28c34c1d-ac4d-4450-928b-c21f8b2dac1f",
                        "testId": "PM-28a.01[03]",
                        "test": "Determine if assumptions affecting risk monitoring are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1bd90884-4632-4f60-a834-124539cdc7a0",
                        "testId": "PM-28a.02[01]",
                        "test": "Determine if constraints affecting risk assessments are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "197ddfe2-17ff-4d88-b82b-19e3bcf8c952",
                        "testId": "PM-28a.02[02]",
                        "test": "Determine if constraints affecting risk responses are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c415515e-60b7-4152-81f2-0a1cbee32649",
                        "testId": "PM-28a.02[03]",
                        "test": "Determine if constraints affecting risk monitoring are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d6d65bc1-f7fb-4a9b-a212-e35d0dd4e25c",
                        "testId": "PM-28a.03[01]",
                        "test": "Determine if priorities considered by the organization for managing risk are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "83f698ef-ae78-4c5c-a012-07ac1054891a",
                        "testId": "PM-28a.03[02]",
                        "test": "Determine if trade-offs considered by the organization for managing risk are identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7af0b71e-03d0-4ac0-9a1a-6090a855126f",
                        "testId": "PM-28a.04",
                        "test": "Determine if organizational risk tolerance is identified and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4526f803-f807-4ff9-a9c7-7055726b0ada",
                        "testId": "PM-28b.",
                        "test": "Determine if the results of risk framing activities are distributed to  [SELECTED PARAMETER VALUE(S): personnel ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "045f456b-2b0f-4102-8402-816b3c512e29",
                        "testId": "PM-28c.",
                        "test": "Determine if risk framing considerations are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management strategy.</li><li>Documentation of risk framing activities.</li><li>Policies and procedures for risk framing activities.</li><li>Risk management strategy.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel (including mission, business, and system owners or stewards.</li><li>Authorizing officials.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>And senior accountable official for risk management).</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and practices for authorizing, conducting, managing, and reviewing personally identifiable information processing.</li><li>Organizational processes for risk framing.</li><li>Mechanisms supporting the development, review, update, and approval of risk framing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "bf47ac2f-c3a4-417a-935d-7f8f3123647f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-28 - Risk Framing",
                "description": "<ul><li>a. Identify and document:</li><ul><li>1. Assumptions affecting risk assessments, risk responses, and risk monitoring;</li><li>2. Constraints affecting risk assessments, risk responses, and risk monitoring;</li><li>3. Priorities and trade-offs considered by the organization for managing risk; and</li><li>4. Organizational risk tolerance;</li></ul><li>b. Distribute the results of risk framing activities to  {{ insert: param, PM-28(b) }} ; and</li><li>c. Review and update risk framing considerations  {{ insert: param, PM-28(c) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Risk framing is most effective when conducted at the organization level and in consultation with stakeholders throughout the organization including mission, business, and system owners. The assumptions, constraints, risk tolerance, priorities, and trade-offs identified as part of the risk framing process inform the risk management strategy, which in turn informs the conduct of risk assessment, risk response, and risk monitoring activities. Risk framing results are shared with organizational personnel, including mission and business owners, information owners or stewards, system owners, authorizing officials, senior agency information security officer, senior agency official for privacy, and senior accountable official for risk management.</p>",
                "controlId": "PM-28",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a580fe0b-b789-48bc-8576-5fdfdfae2ad1",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-29_smt.a",
                        "description": "<ul><li>a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and</li></ul>"
                    },
                    {
                        "uuid": "f43ad42f-9e8f-4a23-b053-5b9ce97ba84e",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-29_smt.b",
                        "description": "<ul><li>b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "05f53bc1-bf51-4d2b-ba34-3cdcb186f0db",
                        "testId": "PM-29a.[01]",
                        "test": "Determine if a senior accountable official for risk management is appointed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Supply chain risk management strategy.</li><li>Documentation of appointment, roles, and responsibilities of a senior accountable official for risk management.</li><li>Documentation of actions taken by the official.</li><li>Documentation of the establishment, policies, and procedures of a risk executive (function).</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security and privacy program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0d2a868e-fcd7-4d18-a28d-69deac8a2d3c",
                        "testId": "PM-29a.[02]",
                        "test": "Determine if a senior accountable official for risk management aligns information security and privacy management processes with strategic, operational, and budgetary planning processes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Supply chain risk management strategy.</li><li>Documentation of appointment, roles, and responsibilities of a senior accountable official for risk management.</li><li>Documentation of actions taken by the official.</li><li>Documentation of the establishment, policies, and procedures of a risk executive (function).</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security and privacy program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "06486e77-7780-4564-9211-0bb140fbfc80",
                        "testId": "PM-29b.[01]",
                        "test": "Determine if a risk executive (function) is established;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Supply chain risk management strategy.</li><li>Documentation of appointment, roles, and responsibilities of a senior accountable official for risk management.</li><li>Documentation of actions taken by the official.</li><li>Documentation of the establishment, policies, and procedures of a risk executive (function).</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security and privacy program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cfb5de23-6ed3-4fe0-ba4a-8b3fc8dba327",
                        "testId": "PM-29b.[02]",
                        "test": "Determine if a risk executive (function) views and analyzes risk from an organization-wide perspective;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Supply chain risk management strategy.</li><li>Documentation of appointment, roles, and responsibilities of a senior accountable official for risk management.</li><li>Documentation of actions taken by the official.</li><li>Documentation of the establishment, policies, and procedures of a risk executive (function).</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security and privacy program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d24a429b-bc78-4901-8a2a-cebde26539c9",
                        "testId": "PM-29b.[03]",
                        "test": "Determine if a risk executive (function) ensures that the management of risk is consistent across the organization.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Supply chain risk management strategy.</li><li>Documentation of appointment, roles, and responsibilities of a senior accountable official for risk management.</li><li>Documentation of actions taken by the official.</li><li>Documentation of the establishment, policies, and procedures of a risk executive (function).</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security and privacy program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e3ef03f1-ecba-4bd7-b545-bc0e191a5f2b",
                        "testId": "PM-29-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Risk management strategy.</li><li>Supply chain risk management strategy.</li><li>Documentation of appointment, roles, and responsibilities of a senior accountable official for risk management.</li><li>Documentation of actions taken by the official.</li><li>Documentation of the establishment, policies, and procedures of a risk executive (function).</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ea2b7b58-201c-40e0-84c8-4b223679ac53",
                        "testId": "PM-29-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security and privacy program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "5a9e77db-0546-4dbb-897d-352ab1f7fc50",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-29 - Risk Management Program Leadership Roles",
                "description": "<ul><li>a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and</li><li>b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.</li></ul><br/><strong>Discussion</strong><br/><p>The senior accountable official for risk management leads the risk executive (function) in organization-wide risk management activities.</p>",
                "controlId": "PM-29",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "5645b411-2c56-4ead-b76a-93c957e6bf35",
                        "parameterId": "PM-30(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-30_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "93ce8614-b7c9-4a28-8543-2e92c2524af2",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-30_smt.a",
                        "description": "<ul><li>a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;</li></ul>"
                    },
                    {
                        "uuid": "580b515d-b1fb-400d-989f-a637304fef37",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-30_smt.b",
                        "description": "<ul><li>b. Implement the supply chain risk management strategy consistently across the organization; and</li></ul>"
                    },
                    {
                        "uuid": "118d464d-21fd-489d-971a-a5ea41c66d3a",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-30_smt.c",
                        "description": "<ul><li>c. Review and update the supply chain risk management strategy on {{ insert: param, PM-30(c) }} or as required, to address organizational changes.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "9ccfd156-9d00-4ebc-bb81-53aa0e6d74f4",
                        "testId": "PM-30-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d841a411-7e3f-493e-986f-f7634f554d08",
                        "testId": "PM-30-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bd7b12f7-1d36-447f-8abe-ad316bd2b0a6",
                        "testId": "PM-30a.[01]",
                        "test": "Determine if an organization-wide strategy for managing supply chain risks is developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3552442b-20ec-41cb-8a34-165468c8ea24",
                        "testId": "PM-30a.[02]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the development of systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aa9eb97f-40ae-4434-9c62-737a757a4420",
                        "testId": "PM-30a.[03]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the development of system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "70b1fa54-186c-4085-ac78-e2ecdad42828",
                        "testId": "PM-30a.[04]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the development of system services;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a530bf8-e4e7-4f08-a3c0-7766683d24d5",
                        "testId": "PM-30a.[05]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the acquisition of systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c92d0772-6492-43e0-9e9d-47a1afd17818",
                        "testId": "PM-30a.[06]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the acquisition of system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e131b0e6-9d41-43e0-86e4-13d1f678b5ae",
                        "testId": "PM-30a.[07]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the acquisition of system services;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ec5c9a1c-fb77-4aff-b90c-f3cb88538f60",
                        "testId": "PM-30a.[08]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the maintenance of systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cd859104-0567-4557-b271-692fa1a54387",
                        "testId": "PM-30a.[09]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the maintenance of system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c2467535-248e-45a2-a5d5-58fd3700ab8d",
                        "testId": "PM-30a.[10]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the maintenance of system services;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "465e4e94-de15-466e-99cf-61a8b1ceb5a2",
                        "testId": "PM-30a.[11]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the disposal of systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ede59d17-9320-4655-998c-b91f8998d4f6",
                        "testId": "PM-30a.[12]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the disposal of system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b4e051ef-deba-4f17-bb2a-9ccc1d7a9991",
                        "testId": "PM-30a.[13]",
                        "test": "Determine if the supply chain risk management strategy addresses risks associated with the disposal of system services;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "51d5e02e-a82f-4be6-8696-4e659dfa8f70",
                        "testId": "PM-30b.",
                        "test": "Determine if the supply chain risk management strategy is implemented consistently across the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b20e8723-0c17-4305-8cee-1668db19ff90",
                        "testId": "PM-30c.",
                        "test": "Determine if the supply chain risk management strategy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]  or as required to address organizational changes.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organizational risk management strategy.</li><li>Enterprise risk management documents.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "f13cd0a9-d814-430e-a9d8-16c213234d19",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-30 - Supply Chain Risk Management Strategy",
                "description": "<ul><li>a. Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;</li><li>b. Implement the supply chain risk management strategy consistently across the organization; and</li><li>c. Review and update the supply chain risk management strategy on  {{ insert: param, PM-30(c) }}  or as required, to address organizational changes.</li></ul><br/><strong>Discussion</strong><br/><p>An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization\u00e2\u20ac\u2122s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see  <a href=\"#sr-2\">SR-2</a> ) is implemented at the system level.</p>",
                "controlId": "PM-30",
                "family": "Program Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>PM-30(1) - Suppliers of Critical or Mission-essential Items</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "1655a5ba-86d8-402c-9921-a1ea59ee56ce",
                        "name": "PM-30(1)",
                        "objectiveType": "",
                        "otherId": "pm-30.1_smt",
                        "description": "Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services."
                    }
                ],
                "tests": [
                    {
                        "uuid": "9c0885d4-129e-409a-9c56-20a574cb4d1e",
                        "testId": "PM-30(01)[01]",
                        "test": "Determine if suppliers of critical or mission-essential technologies, products, and services are identified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organization-wide risk management strategy.</li><li>Enterprise risk management documents.</li><li>Inventory records or suppliers.</li><li>Assessment and prioritization documentation.</li><li>Critical or mission-essential technologies, products, and service documents or records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services.</li><li>Organizational processes for maintaining an inventory of suppliers.</li><li>Organizational process for associating suppliers with critical or mission-essential technologies, products, and services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "60e89748-7244-445f-801c-b1bd37eb77bf",
                        "testId": "PM-30(01)[02]",
                        "test": "Determine if suppliers of critical or mission-essential technologies, products, and services are prioritized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organization-wide risk management strategy.</li><li>Enterprise risk management documents.</li><li>Inventory records or suppliers.</li><li>Assessment and prioritization documentation.</li><li>Critical or mission-essential technologies, products, and service documents or records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services.</li><li>Organizational processes for maintaining an inventory of suppliers.</li><li>Organizational process for associating suppliers with critical or mission-essential technologies, products, and services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "924836e8-9654-4201-a74c-304e759210e2",
                        "testId": "PM-30(01)[03]",
                        "test": "Determine if suppliers of critical or mission-essential technologies, products, and services are assessed.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management strategy.</li><li>Organization-wide risk management strategy.</li><li>Enterprise risk management documents.</li><li>Inventory records or suppliers.</li><li>Assessment and prioritization documentation.</li><li>Critical or mission-essential technologies, products, and service documents or records.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services.</li><li>Organizational processes for maintaining an inventory of suppliers.</li><li>Organizational process for associating suppliers with critical or mission-essential technologies, products, and services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "83f47914-3e55-421f-b049-a741eebe9b53",
                        "testId": "PM-30(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management strategy.</li><li>Organization-wide risk management strategy.</li><li>Enterprise risk management documents.</li><li>Inventory records or suppliers.</li><li>Assessment and prioritization documentation.</li><li>Critical or mission-essential technologies, products, and service documents or records.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e9d457a2-5db8-4607-93f5-154ccf022940",
                        "testId": "PM-30(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "177ac9b4-5703-478e-afe7-5fa4dff2f2d2",
                        "testId": "PM-30(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for identifying, prioritizing, and assessing critical or mission-essential technologies, products, and services.</li><li>Organizational processes for maintaining an inventory of suppliers.</li><li>Organizational process for associating suppliers with critical or mission-essential technologies, products, and services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "e96bf3b2-37e2-41d2-a926-a3d682725433",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-30(01) - Suppliers of Critical or Mission-essential Items",
                "description": "Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.<br/><strong>Discussion</strong><br/><p>The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see  <a href=\"#sr-6\">SR-6</a> ) and supply chain risk assessment processes (see  <a href=\"#ra-3.1\">RA-3(1)</a> ). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.</p>",
                "controlId": "PM-30(1)",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "36bbe9e4-8fe9-43fd-9064-d3eb99e79ac5",
                        "parameterId": "PM-31(f)-1",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-31_prm_4"
                    },
                    {
                        "uuid": "0f3bb050-141d-499c-94e0-9ad571dcd49f",
                        "parameterId": "PM-31(f)-2",
                        "text": "organization-defined frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-31_prm_5"
                    },
                    {
                        "uuid": "4a5ce48a-ea38-4c8b-b19c-34296e291cdf",
                        "parameterId": "PM-31(a)",
                        "text": "metrics",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined metrics] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-31_odp.01"
                    },
                    {
                        "uuid": "1cc8c447-c144-4d76-bc6a-eea71dcde8e7",
                        "parameterId": "PM-31(b)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-31_odp.02"
                    },
                    {
                        "uuid": "ffc7d757-4255-404c-9637-bd406b04ff74",
                        "parameterId": "PM-31(b)-2",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-31_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "8bcc8e8a-6793-40ba-b9c4-4586607c1452",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "pm-31_smt.a",
                        "description": "<ul><li>a. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing the following organization-wide metrics to be monitored: {{ insert: param, PM-31(a) }};</li></ul>"
                    },
                    {
                        "uuid": "ec52bb25-a1fa-4e02-bc29-aea6eb867c05",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "pm-31_smt.b",
                        "description": "<ul><li>b. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing {{ insert: param, PM-31(b)-1 }} and {{ insert: param, PM-31(b)-2 }} for control effectiveness;</li></ul>"
                    },
                    {
                        "uuid": "81fa391a-cbf7-4bce-afc8-3380841d1ff6",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "pm-31_smt.c",
                        "description": "<ul><li>c. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;</li></ul>"
                    },
                    {
                        "uuid": "66dc08bc-08f5-497e-96de-2771d8a3ee9c",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "pm-31_smt.d",
                        "description": "<ul><li>d. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Correlation and analysis of information generated by control assessments and monitoring;</li></ul>"
                    },
                    {
                        "uuid": "472b45bd-1164-4aa0-bc8f-ec228e4f66c1",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "pm-31_smt.e",
                        "description": "<ul><li>e. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Response actions to address results of the analysis of control assessment and monitoring information; and</li></ul>"
                    },
                    {
                        "uuid": "f1cdd137-9cfe-4479-a7bf-7a2536b34ace",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "pm-31_smt.f",
                        "description": "<ul><li>f. Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Reporting the security and privacy status of organizational systems to {{ insert: param, PM-31(f)-1 }} {{ insert: param, PM-31(f)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "68ef2978-d820-4daf-83a9-687ce300889b",
                        "testId": "PM-31-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6c46a7ba-c086-4f3d-8aac-602d50e9d8f8",
                        "testId": "PM-31-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2953dcd0-5f5e-4823-998c-5e85df9b8a99",
                        "testId": "PM-31-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "812e5bc7-df39-4c72-a21e-778855b940e9",
                        "testId": "PM-31a.",
                        "test": "Determine if continuous monitoring programs are implemented that include establishing  [SELECTED PARAMETER VALUE(S): metrics ]  to be monitored;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "997e741b-0028-48b3-bd41-0173c77d2623",
                        "testId": "PM-31b.[01]",
                        "test": "Determine if continuous monitoring programs are implemented that establish [SELECTED PARAMETER VALUE(S): frequency ]  for monitoring;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e7ff0f61-a90b-4a95-8464-250d500013de",
                        "testId": "PM-31b.[02]",
                        "test": "Determine if continuous monitoring programs are implemented that establish  [SELECTED PARAMETER VALUE(S): frequency ]  for assessment of control effectiveness;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fca53648-460d-4510-bba9-2600c745d0ab",
                        "testId": "PM-31c.",
                        "test": "Determine if continuous monitoring programs are implemented that include monitoring  [SELECTED PARAMETER VALUE(S): metrics ]  on an ongoing basis in accordance with the continuous monitoring strategy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab27fdd9-e7b1-49ef-ad26-a76c59daf1f6",
                        "testId": "PM-31d.[01]",
                        "test": "Determine if continuous monitoring programs are implemented that include correlating information generated by control assessments and monitoring;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a560da48-2ee3-48af-883d-53c584d5402e",
                        "testId": "PM-31d.[02]",
                        "test": "Determine if continuous monitoring programs are implemented that include analyzing information generated by control assessments and monitoring;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4c4fa306-7110-456e-aaf2-913dd8aef7b1",
                        "testId": "PM-31e.[01]",
                        "test": "Determine if continuous monitoring programs are implemented that include response actions to address the analysis of control assessment information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0988e710-54e9-460c-8e77-08bd42c7e54a",
                        "testId": "PM-31e.[02]",
                        "test": "Determine if continuous monitoring programs are implemented that include response actions to address the analysis of monitoring information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6b7f8c20-f197-411c-981d-694c993e71ee",
                        "testId": "PM-31f.[01]",
                        "test": "Determine if continuous monitoring programs are implemented that include reporting the security status of organizational systems to  [SELECTED PARAMETER VALUE(S): personnel or roles ], [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "492d4655-8700-4c93-bd60-19dcfa1abc9f",
                        "testId": "PM-31f.[02]",
                        "test": "Determine if continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to  [SELECTED PARAMETER VALUE(S): personnel or roles ], [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8e667356-d271-433c-b920-2da55f45430e",
                        "testId": "PM-31",
                        "test": "Determine if an organization-wide continuous monitoring strategy is developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>Supply chain risk management plan.</li><li>Continuous monitoring strategy.</li><li>Risk management strategy.</li><li>Information security continuous monitoring program documentation, reporting, metrics, and artifacts.</li><li>Information security continuous monitoring program assessment documentation, reporting, metrics, and artifacts.</li><li>Assessment and authorization policy.</li><li>Procedures addressing the continuous monitoring of controls.</li><li>Privacy program continuous monitoring documentation, reporting, metrics, and artifacts.</li><li>Continuous monitoring program records, security, and privacy impact analyses.</li><li>Status reports.</li><li>Risk response documentation.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Senior accountable official for risk management.</li><li>Chief information officer.</li><li>Senior agency information security officer.</li><li>Senior agency official for privacy.</li><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational procedures and mechanisms used for information security, privacy, and supply chain continuous monitoring.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ccebcaa2-a5aa-47ff-b761-31bb39b20f58",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-31 - Continuous Monitoring Strategy",
                "description": "Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:<ul><li>a. Establishing the following organization-wide metrics to be monitored:  {{ insert: param, PM-31(a) }};</li><li>b. Establishing  {{ insert: param, PM-31(b)-1 }}  for monitoring and  {{ insert: param, PM-31(b)-2 }}  for assessment of control effectiveness;</li><li>c. Ongoing monitoring of organizationally-defined metrics in accordance with the continuous monitoring strategy;</li><li>d. Correlation and analysis of information generated by control assessments and monitoring;</li><li>e. Response actions to address results of the analysis of control assessment and monitoring information; and</li><li>f. Reporting the security and privacy status of organizational systems to  {{ insert: param, PM-31(f)-1 }}{{ insert: param, PM-31(f)-2 }}.</li></ul><br/><strong>Discussion</strong><br/><p>Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms  <q>continuous</q>  and  <q>ongoing</q>  imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as,  <a href=\"#ac-2_smt.g\">AC-2g</a>,  <a href=\"#ac-2.7\">AC-2(7)</a>,  <a href=\"#ac-2.12_smt.a\">AC-2(12)(a)</a>,  <a href=\"#ac-2.7_smt.b\">AC-2(7)(b)</a>,  <a href=\"#ac-2.7_smt.c\">AC-2(7)(c)</a>,  <a href=\"#ac-17.1\">AC-17(1)</a>,  <a href=\"#at-4_smt.a\">AT-4a</a>,  <a href=\"#au-13\">AU-13</a>,  <a href=\"#au-13.1\">AU-13(1)</a>,  <a href=\"#au-13.2\">AU-13(2)</a>,  <a href=\"#ca-7\">CA-7</a>,  <a href=\"#cm-3_smt.f\">CM-3f</a>,  <a href=\"#cm-6_smt.d\">CM-6d</a>,  <a href=\"#cm-11_smt.c\">CM-11c</a>,  <a href=\"#ir-5\">IR-5</a>,  <a href=\"#ma-2_smt.b\">MA-2b</a>,  <a href=\"#ma-3_smt.a\">MA-3a</a>,  <a href=\"#ma-4_smt.a\">MA-4a</a>,  <a href=\"#pe-3_smt.d\">PE-3d</a>,  <a href=\"#pe-6\">PE-6</a>,  <a href=\"#pe-14_smt.b\">PE-14b</a>,  <a href=\"#pe-16\">PE-16</a>,  <a href=\"#pe-20\">PE-20</a>,  <a href=\"#pm-6\">PM-6</a>,  <a href=\"#pm-23\">PM-23</a>,  <a href=\"#ps-7_smt.e\">PS-7e</a>,  <a href=\"#sa-9_smt.c\">SA-9c</a>,  <a href=\"#sc-5.3_smt.b\">SC-5(3)(b)</a>,  <a href=\"#sc-7_smt.a\">SC-7a</a>,  <a href=\"#sc-7.24_smt.b\">SC-7(24)(b)</a>,  <a href=\"#sc-18_smt.b\">SC-18b</a>,  <a href=\"#sc-43_smt.b\">SC-43b</a>,  <a href=\"#si-4\">SI-4</a>.</p>",
                "controlId": "PM-31",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "0317010f-ca4f-4ec8-b23f-6df33e003803",
                        "parameterId": "PM-32",
                        "text": "systems or system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined systems or system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "pm-32_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "36936a1b-2927-433b-be13-9b4d6246313a",
                        "name": "PM-32",
                        "objectiveType": "",
                        "otherId": "pm-32_smt",
                        "description": "Analyze {{ insert: param, PM-32 }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose."
                    }
                ],
                "tests": [
                    {
                        "uuid": "ce02e970-6b42-4457-90e7-a3a2508e1fb2",
                        "testId": "PM-32",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): systems or system components ]  supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>List of essential services and functions.</li><li>Organizational analysis of information resources.</li><li>Risk management strategy.</li><li>Other relevant documents or records..</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "94263878-8e38-4ebe-a90e-77a2afc732de",
                        "testId": "PM-32-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Information security program plan.</li><li>Privacy program plan.</li><li>List of essential services and functions.</li><li>Organizational analysis of information resources.</li><li>Risk management strategy.</li><li>Other relevant documents or records..</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3adee495-7c71-4da7-93c7-1674413623c2",
                        "testId": "PM-32-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security, privacy, and supply chain risk management program responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "00ad07a4-7388-43b7-bf2f-433186e8644b",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PM-32 - Purposing",
                "description": "Analyze  {{ insert: param, PM-32 }}  supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.<br/><strong>Discussion</strong><br/><p>Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures.</p>",
                "controlId": "PM-32",
                "family": "Program Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "fa000895-276d-4b11-ad66-9721dafef4f3",
                        "parameterId": "PS-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-1_prm_1"
                    },
                    {
                        "uuid": "ee8a6b6e-7272-4895-90ae-6b14b07d8f12",
                        "parameterId": "PS-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-01_odp.03"
                    },
                    {
                        "uuid": "a6a6e419-6342-4835-baf1-8c60635f6df8",
                        "parameterId": "PS-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-01_odp.04"
                    },
                    {
                        "uuid": "b187b5f2-aee6-4fa9-b721-81dc08bb0f37",
                        "parameterId": "PS-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-01_odp.05"
                    },
                    {
                        "uuid": "f21aee7b-31cf-49f8-9c01-c22b42977409",
                        "parameterId": "PS-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-01_odp.06"
                    },
                    {
                        "uuid": "c8e4d7a1-e9cc-42d8-acb4-6786a42c11bc",
                        "parameterId": "PS-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-01_odp.07"
                    },
                    {
                        "uuid": "c620e1a3-5add-4830-9a38-0f1e328103d2",
                        "parameterId": "PS-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a7f76bdb-1968-4380-8c19-889eb0f4b0c0",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, PS-1(a) }}:</li><ul><li>1. {{ insert: param, PS-1(a)(1) }} personnel security policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;</li></ul>"
                    },
                    {
                        "uuid": "4f269325-59e5-48cf-bf09-989a6ce4da99",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, PS-1(b) }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "a17f967f-5c6e-46be-be09-e8b141d59c74",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ps-1_smt.c",
                        "description": "<ul><li>c. Review and update the current personnel security:</li><ul><li>1. Policy {{ insert: param, PS-1(c)(1)-1 }} and following {{ insert: param, PS-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, PS-1(c)(2)-1 }} and following {{ insert: param, PS-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "d15b1ed6-daaa-41dd-9022-82d89663d1a3",
                        "testId": "PS-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "57df1a7c-f23b-44fd-b05a-135b2a7c12da",
                        "testId": "PS-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "059da387-cf6d-4f26-95cc-b64784c62de0",
                        "testId": "PS-01a.[01]",
                        "test": "Determine if a personnel security policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "44dc1e86-d350-401e-ab50-da9e2cd34bb0",
                        "testId": "PS-01a.[02]",
                        "test": "Determine if the personnel security policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2c12801b-fb50-4212-9f34-e1af3b828821",
                        "testId": "PS-01a.[03]",
                        "test": "Determine if personnel security procedures to facilitate the implementation of the personnel security policy and associated personnel security controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "efa3b40b-3393-4ab1-a0a9-171ee401f1a7",
                        "testId": "PS-01a.[04]",
                        "test": "Determine if the personnel security procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "974ca540-801b-4c22-a6a8-f19e01fa1597",
                        "testId": "PS-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8930ccba-f7ad-47e7-b140-dd83ce79795d",
                        "testId": "PS-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1e680be2-d762-4cf0-966d-e200d72c0d39",
                        "testId": "PS-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "85bf475d-9fe0-40f9-8589-18ade2e5997b",
                        "testId": "PS-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4a973b09-d9c9-4909-b8e1-38381005053a",
                        "testId": "PS-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "de5e147f-bd14-41fb-b501-56306499deb8",
                        "testId": "PS-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "123c47d0-89b0-4004-aea7-8735c814fe07",
                        "testId": "PS-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "86a8ad48-4a3a-4c38-a19f-275f1f42f32f",
                        "testId": "PS-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  personnel security policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e4667e81-8e30-4d62-b894-8f4900d85636",
                        "testId": "PS-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d03b924c-e64d-441f-be0c-73884c1fee64",
                        "testId": "PS-01c.01[01]",
                        "test": "Determine if the current personnel security policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4d663d78-0cab-482a-bab7-927e0eb72b5b",
                        "testId": "PS-01c.01[02]",
                        "test": "Determine if the current personnel security policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "adf52fda-e24a-46df-b788-f81b5af34f79",
                        "testId": "PS-01c.02[01]",
                        "test": "Determine if the current personnel security procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5ac96437-19dc-4c06-a8ea-8a5e7897bafb",
                        "testId": "PS-01c.02[02]",
                        "test": "Determine if the current personnel security procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "dc5f7f79-3ac6-44b9-aea2-3f8e8b97cb1c",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, PS-1(a) }}:</p><ul><li><p>1. {{ insert: param, PS-1(a)(1) }} personnel security policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, PS-1(b) }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and</p></li><li><p>c. Review and update the current personnel security:</p><ul><li><p>1. Policy {{ insert: param, PS-1(c)(1)-1 }} and following {{ insert: param, PS-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, PS-1(c)(2)-1 }} and following {{ insert: param, PS-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Personnel security policy and procedures for the controls in the PS family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on their development. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission level or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to personnel security policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "PS-1",
                "family": "Personnel Security",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "10b9901c-ae98-4daf-b67c-20a09907de30",
                        "parameterId": "PS-2(c)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-02_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "fb91e35c-88de-4c43-9cbd-e07962ebd173",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-2_smt.a",
                        "description": "<ul><li>a. Assign a risk designation to all organizational positions;</li></ul>"
                    },
                    {
                        "uuid": "c7d3270d-f785-48ad-92fd-a5173d8228c9",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-2_smt.b",
                        "description": "<ul><li>b. Establish screening criteria for individuals filling those positions; and</li></ul>"
                    },
                    {
                        "uuid": "7199fa2e-34a1-4a27-bfd4-5d09c2845ba6",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ps-2_smt.c",
                        "description": "<ul><li>c. Review and update position risk designations {{ insert: param, PS-2(c) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "5a6d4aa4-e827-4045-b46f-cfbbfeb0d308",
                        "testId": "PS-02a.",
                        "test": "Determine if a risk designation is assigned to all organizational positions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing position categorization.</li><li>Appropriate codes of federal regulations.</li><li>List of risk designations for organizational positions.</li><li>Records of position risk designation reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for assigning, reviewing, and updating position risk designations.</li><li>Organizational processes for establishing screening criteria.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e04dde14-ad1c-4474-a2c7-942741b2d4df",
                        "testId": "PS-02b.",
                        "test": "Determine if screening criteria are established for individuals filling organizational positions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing position categorization.</li><li>Appropriate codes of federal regulations.</li><li>List of risk designations for organizational positions.</li><li>Records of position risk designation reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for assigning, reviewing, and updating position risk designations.</li><li>Organizational processes for establishing screening criteria.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a8e60dd0-a851-4666-9a3c-30e735e1df12",
                        "testId": "PS-02c.",
                        "test": "Determine if position risk designations are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing position categorization.</li><li>Appropriate codes of federal regulations.</li><li>List of risk designations for organizational positions.</li><li>Records of position risk designation reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for assigning, reviewing, and updating position risk designations.</li><li>Organizational processes for establishing screening criteria.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e5896d64-5b09-4c42-a7e3-f5696c7487ed",
                        "testId": "PS-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Procedures addressing position categorization.</li><li>Appropriate codes of federal regulations.</li><li>List of risk designations for organizational positions.</li><li>Records of position risk designation reviews and updates.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0a2b6a6c-7ec2-43b1-8416-e9b02c5991f9",
                        "testId": "PS-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c1976696-decc-4cb1-b2ad-73294d5d4169",
                        "testId": "PS-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for assigning, reviewing, and updating position risk designations.</li><li>Organizational processes for establishing screening criteria.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3b1e58c4-d58c-4eda-8d29-500d14e4f867",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-02 - Position Risk Designation",
                "description": "<ul><li><p>a. Assign a risk designation to all organizational positions;</p></li><li><p>b. Establish screening criteria for individuals filling those positions; and</p></li><li><p>c. Review and update position risk designations {{ insert: param, PS-2(c) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.</p><p></p><p><strong>OT Discussion</strong></p><p>Private organizations should utilize existing sector-specific regulations, laws, policy, and guidance for determining appropriate risk designations for positions.</p>",
                "controlId": "PS-2",
                "family": "Personnel Security",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ac69baec-6c74-4e6f-b672-86dbf4a4e428",
                        "parameterId": "PS-3(b)",
                        "text": "organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of rescreening] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-3_prm_1"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "e9b63931-c800-4321-8fef-88fc238aa9c5",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-3_smt.a",
                        "description": "<ul><li>a. Screen individuals prior to authorizing access to the system; and</li></ul>"
                    },
                    {
                        "uuid": "33554f4e-ad7d-4726-a933-f49346c83cb7",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-3_smt.b",
                        "description": "<ul><li>b. Rescreen individuals in accordance with {{ insert: param, PS-3(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "c91b7e6e-8f35-4d1a-ab6a-30f8cd83fb85",
                        "testId": "PS-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel screening.</li><li>Records of screened personnel.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "77bbe995-8110-4c4a-840d-9bb229db5d12",
                        "testId": "PS-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "df672584-7e22-4a93-9262-079c6ca7830b",
                        "testId": "PS-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for personnel screening.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ff7772a8-42c6-467a-bd2d-fdb1a738cb4c",
                        "testId": "PS-03a.",
                        "test": "Determine if individuals are screened prior to authorizing access to the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel screening.</li><li>Records of screened personnel.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel screening.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ced27bc2-b77b-47ac-9d7f-2cf8ae05422c",
                        "testId": "PS-03b.[01]",
                        "test": "Determine if individuals are rescreened in accordance with  [SELECTED PARAMETER VALUE(S): conditions requiring rescreening ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel screening.</li><li>Records of screened personnel.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel screening.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "79990b4a-82c5-4a30-8df1-8b87fe40ef1b",
                        "testId": "PS-03b.[02]",
                        "test": "Determine if where rescreening is so indicated, individuals are rescreened  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel screening.</li><li>Records of screened personnel.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel screening.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9b1b73b9-88c3-4d8d-b450-628903dbe6cd",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-03 - Personnel Screening",
                "description": "<ul><li>a. Screen individuals prior to authorizing access to the system; and</li><li>b. Rescreen individuals in accordance with  {{ insert: param, PS-3(b) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Personnel screening and rescreening activities reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and specific criteria established for the risk designations of assigned positions. Examples of personnel screening include background investigations and agency checks. Organizations may define different rescreening conditions and frequencies for personnel accessing systems based on types of information processed, stored, or transmitted by the systems.</p>",
                "controlId": "PS-3",
                "family": "Personnel Security",
                "enhancements": "<strong>Enhancements</strong><ul><li>PS-3(1) - Classified Information</li><li>PS-3(2) - Formal Indoctrination</li><li>PS-3(3) - Information Requiring Special Protective Measures</li><li>PS-3(4) - Citizenship Requirements</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "7ff39a36-8922-45c5-9b2a-c707a0777abd",
                        "parameterId": "PS-4(a)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-04_odp.01"
                    },
                    {
                        "uuid": "6a9f9507-2f94-431e-93aa-801bce146edf",
                        "parameterId": "PS-4(c)",
                        "text": "information security topics",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined information security topics] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-04_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "48d3eae1-3ee7-4692-b3a5-014f662e5fc8",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-4_smt.a",
                        "description": "<ul><li>a. Upon termination of individual employment: Disable system access within {{ insert: param, PS-4(a) }};</li></ul>"
                    },
                    {
                        "uuid": "3969a819-0308-4932-946b-3d238ae8f9a8",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-4_smt.b",
                        "description": "<ul><li>b. Upon termination of individual employment: Terminate or revoke any authenticators and credentials associated with the individual;</li></ul>"
                    },
                    {
                        "uuid": "1f6ce260-eed3-4120-8585-1a8b50956f75",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ps-4_smt.c",
                        "description": "<ul><li>c. Upon termination of individual employment: Conduct exit interviews that include a discussion of {{ insert: param, PS-4(c) }};</li></ul>"
                    },
                    {
                        "uuid": "205ebafd-6433-4784-901f-b28cc5b859dc",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ps-4_smt.d",
                        "description": "<ul><li>d. Upon termination of individual employment: Retrieve all security-related organizational system-related property; and</li></ul>"
                    },
                    {
                        "uuid": "ca20ff36-8cab-4ac0-87ab-e7009d6c36af",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ps-4_smt.e",
                        "description": "<ul><li>e. Upon termination of individual employment: Retain access to organizational information and systems formerly controlled by terminated individual.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "7a107285-198f-4689-9700-56543189b4a5",
                        "testId": "PS-04a.",
                        "test": "Determine if upon termination of individual employment, system access is disabled within  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel termination.</li><li>Records of personnel termination actions.</li><li>List of system accounts.</li><li>Records of terminated or revoked authenticators/credentials.</li><li>Records of exit interviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel termination.</li><li>Mechanisms supporting and/or implementing personnel termination notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "34f8e076-246d-4336-8604-9af754ddddb6",
                        "testId": "PS-04b.",
                        "test": "Determine if upon termination of individual employment, any authenticators and credentials are terminated or revoked;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel termination.</li><li>Records of personnel termination actions.</li><li>List of system accounts.</li><li>Records of terminated or revoked authenticators/credentials.</li><li>Records of exit interviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel termination.</li><li>Mechanisms supporting and/or implementing personnel termination notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ce91915e-eb28-40fc-b5de-d3f213c2cd26",
                        "testId": "PS-04c.",
                        "test": "Determine if upon termination of individual employment, exit interviews that include a discussion of  [SELECTED PARAMETER VALUE(S): information security topics ]  are conducted;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel termination.</li><li>Records of personnel termination actions.</li><li>List of system accounts.</li><li>Records of terminated or revoked authenticators/credentials.</li><li>Records of exit interviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel termination.</li><li>Mechanisms supporting and/or implementing personnel termination notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b33a12f1-c300-4c35-94a1-d79f0f233a29",
                        "testId": "PS-04d.",
                        "test": "Determine if upon termination of individual employment, all security-related organizational system-related property is retrieved;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel termination.</li><li>Records of personnel termination actions.</li><li>List of system accounts.</li><li>Records of terminated or revoked authenticators/credentials.</li><li>Records of exit interviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel termination.</li><li>Mechanisms supporting and/or implementing personnel termination notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ed20a215-abba-4448-830e-383e9c8ba3c5",
                        "testId": "PS-04e.",
                        "test": "Determine if upon termination of individual employment, access to organizational information and systems formerly controlled by the terminated individual are retained.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel termination.</li><li>Records of personnel termination actions.</li><li>List of system accounts.</li><li>Records of terminated or revoked authenticators/credentials.</li><li>Records of exit interviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel termination.</li><li>Mechanisms supporting and/or implementing personnel termination notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "229dee85-0310-4e04-ae29-5898d20a26fe",
                        "testId": "PS-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel termination.</li><li>Records of personnel termination actions.</li><li>List of system accounts.</li><li>Records of terminated or revoked authenticators/credentials.</li><li>Records of exit interviews.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b3644d39-58f9-47e3-b66e-7d0b7daf594d",
                        "testId": "PS-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c3e3af74-202b-4e2e-8551-06b550e15e76",
                        "testId": "PS-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for personnel termination.</li><li>Mechanisms supporting and/or implementing personnel termination notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "97315a76-c0f3-4874-bfab-e098e2d02137",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-04 - Personnel Termination",
                "description": "Upon termination of individual employment:<ul><li>a. Disable system access within  {{ insert: param, PS-4(a) }};</li><li>b. Terminate or revoke any authenticators and credentials associated with the individual;</li><li>c. Conduct exit interviews that include a discussion of  {{ insert: param, PS-4(c) }};</li><li>d. Retrieve all security-related organizational system-related property; and</li><li>e. Retain access to organizational information and systems formerly controlled by terminated individual.</li></ul><br/><strong>Discussion</strong><br/><p>System property includes hardware authentication tokens, system administration technical manuals, keys, identification cards, and building passes. Exit interviews ensure that terminated individuals understand the security constraints imposed by being former employees and that proper accountability is achieved for system-related property. Security topics at exit interviews include reminding individuals of nondisclosure agreements and potential limitations on future employment. Exit interviews may not always be possible for some individuals, including in cases related to the unavailability of supervisors, illnesses, or job abandonment. Exit interviews are important for individuals with security clearances. The timely execution of termination actions is essential for individuals who have been terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals who are being terminated prior to the individuals being notified.</p>",
                "controlId": "PS-4",
                "family": "Personnel Security",
                "enhancements": "<strong>Enhancements</strong><ul><li>PS-4(1) - Post-employment Requirements</li><li>PS-4(2) - Automated Actions</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "e4fad8cf-ec9c-4387-8fe5-1e3847406dbe",
                        "parameterId": "PS-5(b)-1",
                        "text": "transfer or reassignment actions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined transfer or reassignment actions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-05_odp.01"
                    },
                    {
                        "uuid": "db766c3d-04c1-4855-8350-510f75e0dd04",
                        "parameterId": "PS-5(b)-2",
                        "text": "time period following the formal transfer action",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period following the formal transfer action] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-05_odp.02"
                    },
                    {
                        "uuid": "75b0d0f4-c3d6-45b4-ace9-dd6b79f45b68",
                        "parameterId": "PS-5(d)-1",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-05_odp.03"
                    },
                    {
                        "uuid": "2fc6c171-f726-4307-8dd1-e8895ec91d58",
                        "parameterId": "PS-5(d)-2",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-05_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "2904737c-52b0-4017-8461-57c3353df747",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-5_smt.a",
                        "description": "<ul><li>a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;</li></ul>"
                    },
                    {
                        "uuid": "8a798546-c54f-4f75-b120-94d44fbe0f95",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-5_smt.b",
                        "description": "<ul><li>b. Initiate {{ insert: param, PS-5(b)-1 }} within {{ insert: param, PS-5(b)-2 }};</li></ul>"
                    },
                    {
                        "uuid": "c332925a-7fd3-41e1-868f-60f8a1410287",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ps-5_smt.c",
                        "description": "<ul><li>c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and</li></ul>"
                    },
                    {
                        "uuid": "8ca68a57-bf34-4dde-8c10-dbcfd6cf7f95",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ps-5_smt.d",
                        "description": "<ul><li>d. Notify {{ insert: param, PS-5(d)-1 }} within {{ insert: param, PS-5(d)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "b2e5c2d7-88c6-4348-8875-403f30d3152a",
                        "testId": "PS-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel transfer.</li><li>Records of personnel transfer actions.</li><li>List of system and facility access authorizations.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0819ea3-13a7-4d5c-af32-1da4968fa6ab",
                        "testId": "PS-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "03adff3a-ec70-4c14-ab49-1f05e7f45ee1",
                        "testId": "PS-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for personnel transfer.</li><li>Mechanisms supporting and/or implementing personnel transfer notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2424f708-c089-46fd-849e-d5a9f9ef0b2e",
                        "testId": "PS-05a.",
                        "test": "Determine if the ongoing operational need for current logical and physical access authorizations to systems and facilities are reviewed and confirmed when individuals are reassigned or transferred to other positions within the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel transfer.</li><li>Records of personnel transfer actions.</li><li>List of system and facility access authorizations.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel transfer.</li><li>Mechanisms supporting and/or implementing personnel transfer notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "edbe6400-0cd2-418f-b4d3-363281c3ab11",
                        "testId": "PS-05b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): transfer or reassignment actions ]  are initiated within  [SELECTED PARAMETER VALUE(S): time period following the formal transfer action ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel transfer.</li><li>Records of personnel transfer actions.</li><li>List of system and facility access authorizations.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel transfer.</li><li>Mechanisms supporting and/or implementing personnel transfer notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fdff6089-0aa2-4618-88ee-4243da693362",
                        "testId": "PS-05c.",
                        "test": "Determine if access authorization is modified as needed to correspond with any changes in operational need due to reassignment or transfer;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel transfer.</li><li>Records of personnel transfer actions.</li><li>List of system and facility access authorizations.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel transfer.</li><li>Mechanisms supporting and/or implementing personnel transfer notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "22b1f6c0-1fc8-4e23-9f09-301a20d34e78",
                        "testId": "PS-05d.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): personnel or roles ]  are notified within  [SELECTED PARAMETER VALUE(S): time period ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing personnel transfer.</li><li>Records of personnel transfer actions.</li><li>List of system and facility access authorizations.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with account management responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for personnel transfer.</li><li>Mechanisms supporting and/or implementing personnel transfer notifications.</li><li>Mechanisms for disabling system access/revoking authenticators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "55ca8ff9-a057-427e-b82d-c525a1d64b5e",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-05 - Personnel Transfer",
                "description": "<ul><li>a. Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;</li><li>b. Initiate  {{ insert: param, PS-5(b)-1 }}  within  {{ insert: param, PS-5(b)-2 }};</li><li>c. Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and</li><li>d. Notify  {{ insert: param, PS-5(d)-1 }}  within  {{ insert: param, PS-5(d)-2 }}.</li></ul><br/><strong>Discussion</strong><br/><p>Personnel transfer applies when reassignments or transfers of individuals are permanent or of such extended duration as to make the actions warranted. Organizations define actions appropriate for the types of reassignments or transfers, whether permanent or extended. Actions that may be required for personnel transfers or reassignments to other positions within organizations include returning old and issuing new keys, identification cards, and building passes; closing system accounts and establishing new accounts; changing system access authorizations (i.e., privileges); and providing for access to official records to which individuals had access at previous work locations and in previous system accounts.</p>",
                "controlId": "PS-5",
                "family": "Personnel Security",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "1a332176-a34f-4ac5-9be4-ac0031456423",
                        "parameterId": "PS-6(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-06_odp.01"
                    },
                    {
                        "uuid": "121342c6-2420-4ff9-85bc-32ea84d62ea0",
                        "parameterId": "PS-6(c)(2)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-06_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "cca1cb59-d75a-414b-b9cb-9ef0ec45a63c",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-6_smt.a",
                        "description": "<ul><li>a. Develop and document access agreements for organizational systems;</li></ul>"
                    },
                    {
                        "uuid": "72c1c2a0-6e78-44a3-8063-8b9142384f7b",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-6_smt.b",
                        "description": "<ul><li>b. Review and update the access agreements {{ insert: param, PS-6(b) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "34566f07-54e1-436d-908b-17adab607ab0",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ps-6_smt.c",
                        "description": "<ul><li>c. Verify that individuals requiring access to organizational information and systems:</li><ul><li>1. Sign appropriate access agreements prior to being granted access; and</li><li>2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or {{ insert: param, PS-6(c)(2) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "106cce6a-85fc-4582-b3a6-2f07ae96ed86",
                        "testId": "PS-06a.",
                        "test": "Determine if access agreements are developed and documented for organizational systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing access agreements for organizational information and systems.</li><li>Access control policy.</li><li>Access control procedures.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>Documentation of access agreement reviews, updates, and re-signing.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel who have signed/resigned access agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for reviewing, updating, and re-signing access agreements.</li><li>Mechanisms supporting the reviewing, updating, and re-signing of access agreements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5b0f1bf6-0335-4c9b-822d-5c582aa71d59",
                        "testId": "PS-06b.",
                        "test": "Determine if the access agreements are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing access agreements for organizational information and systems.</li><li>Access control policy.</li><li>Access control procedures.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>Documentation of access agreement reviews, updates, and re-signing.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel who have signed/resigned access agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for reviewing, updating, and re-signing access agreements.</li><li>Mechanisms supporting the reviewing, updating, and re-signing of access agreements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aebdd2ba-b964-46eb-899a-5a21d4ea4e65",
                        "testId": "PS-06c.01",
                        "test": "Determine if individuals requiring access to organizational information and systems sign appropriate access agreements prior to being granted access;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing access agreements for organizational information and systems.</li><li>Access control policy.</li><li>Access control procedures.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>Documentation of access agreement reviews, updates, and re-signing.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel who have signed/resigned access agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for reviewing, updating, and re-signing access agreements.</li><li>Mechanisms supporting the reviewing, updating, and re-signing of access agreements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "46ecafff-d280-4636-887d-ef0155347e3b",
                        "testId": "PS-06c.02",
                        "test": "Determine if individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or  [SELECTED PARAMETER VALUE(S): frequency ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing access agreements for organizational information and systems.</li><li>Access control policy.</li><li>Access control procedures.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>Documentation of access agreement reviews, updates, and re-signing.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel who have signed/resigned access agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for reviewing, updating, and re-signing access agreements.</li><li>Mechanisms supporting the reviewing, updating, and re-signing of access agreements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0621c034-809d-4af8-baa3-97e3198653d6",
                        "testId": "PS-06-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing access agreements for organizational information and systems.</li><li>Access control policy.</li><li>Access control procedures.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>Documentation of access agreement reviews, updates, and re-signing.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "efa68005-179f-4450-b2ab-538d039533a2",
                        "testId": "PS-06-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel who have signed/resigned access agreements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3f9e86ac-ca6f-44ed-9f30-083fd47691d9",
                        "testId": "PS-06-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for reviewing, updating, and re-signing access agreements.</li><li>Mechanisms supporting the reviewing, updating, and re-signing of access agreements.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "9e8c1729-9e70-4a62-beef-b14f4afa6115",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-06 - Access Agreements",
                "description": "<ul><li>a. Develop and document access agreements for organizational systems;</li><li>b. Review and update the access agreements  {{ insert: param, PS-6(b) }} ; and</li><li>c. Verify that individuals requiring access to organizational information and systems:</li><ul><li>1. Sign appropriate access agreements prior to being granted access; and</li><li>2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or  {{ insert: param, PS-6(c)(2) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Access agreements include nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy.</p>",
                "controlId": "PS-6",
                "family": "Personnel Security",
                "enhancements": "<strong>Enhancements</strong><ul><li>PS-6(2) - Classified Information Requiring Special Protection</li><li>PS-6(3) - Post-employment Requirements</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "dcd16eb8-e8f3-42ca-a0f4-71531f710b5e",
                        "parameterId": "PS-7(d)-1",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-07_odp.01"
                    },
                    {
                        "uuid": "0413b08e-998a-4b43-96e5-1c5767b8f586",
                        "parameterId": "PS-7(d)-2",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-07_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "f62eff00-2981-4afa-b775-3d0fcd3935af",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-7_smt.a",
                        "description": "<ul><li>a. Establish personnel security requirements, including security roles and responsibilities for external providers;</li></ul>"
                    },
                    {
                        "uuid": "fc2163c6-f847-4375-ae81-298c1bc282ed",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-7_smt.b",
                        "description": "<ul><li>b. Require external providers to comply with personnel security policies and procedures established by the organization;</li></ul>"
                    },
                    {
                        "uuid": "ff8d0a4d-6ae7-461a-a418-4097527ff89a",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ps-7_smt.c",
                        "description": "<ul><li>c. Document personnel security requirements;</li></ul>"
                    },
                    {
                        "uuid": "a30ae642-e116-4daa-b038-cf366789dcb8",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ps-7_smt.d",
                        "description": "<ul><li>d. Require external providers to notify {{ insert: param, PS-7(d)-1 }} of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within {{ insert: param, PS-7(d)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "8e788c62-772b-49a8-9089-eaa41ce362e9",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ps-7_smt.e",
                        "description": "<ul><li>e. Monitor provider compliance with personnel security requirements.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "fe0f8b96-cc17-4319-8a84-951dd8dc5f6e",
                        "testId": "PS-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Procedures addressing external personnel security.</li><li>List of personnel security requirements.</li><li>Acquisition documents.</li><li>Service-level agreements.</li><li>Compliance monitoring process.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "607476e4-493f-43c5-90df-7ea886aeb456",
                        "testId": "PS-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>External providers.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "714b147a-19ea-45ae-915e-13d6bc8d3f46",
                        "testId": "PS-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing and monitoring external personnel security.</li><li>Mechanisms supporting and/or implementing the monitoring of provider compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "adb447b0-ff79-40d2-b492-d639a731815e",
                        "testId": "PS-07a.",
                        "test": "Determine if personnel security requirements are established, including security roles and responsibilities for external providers;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing external personnel security.</li><li>List of personnel security requirements.</li><li>Acquisition documents.</li><li>Service-level agreements.</li><li>Compliance monitoring process.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>External providers.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing and monitoring external personnel security.</li><li>Mechanisms supporting and/or implementing the monitoring of provider compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0f550f87-7074-4f21-88ab-44d3994e19da",
                        "testId": "PS-07b.",
                        "test": "Determine if external providers are required to comply with personnel security policies and procedures established by the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing external personnel security.</li><li>List of personnel security requirements.</li><li>Acquisition documents.</li><li>Service-level agreements.</li><li>Compliance monitoring process.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>External providers.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing and monitoring external personnel security.</li><li>Mechanisms supporting and/or implementing the monitoring of provider compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8bbd43bc-14b6-42da-8a0d-3860a2e9fa26",
                        "testId": "PS-07c.",
                        "test": "Determine if personnel security requirements are documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing external personnel security.</li><li>List of personnel security requirements.</li><li>Acquisition documents.</li><li>Service-level agreements.</li><li>Compliance monitoring process.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>External providers.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing and monitoring external personnel security.</li><li>Mechanisms supporting and/or implementing the monitoring of provider compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "475ce09e-9757-4743-bc57-7a7ac0e21c6b",
                        "testId": "PS-07d.",
                        "test": "Determine if external providers are required to notify  [SELECTED PARAMETER VALUE(S): personnel or roles ]  of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within  [SELECTED PARAMETER VALUE(S): time period ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing external personnel security.</li><li>List of personnel security requirements.</li><li>Acquisition documents.</li><li>Service-level agreements.</li><li>Compliance monitoring process.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>External providers.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing and monitoring external personnel security.</li><li>Mechanisms supporting and/or implementing the monitoring of provider compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "607dcfd4-856e-4769-b2d3-edd5402971b7",
                        "testId": "PS-07e.",
                        "test": "Determine if provider compliance with personnel security requirements is monitored.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Procedures addressing external personnel security.</li><li>List of personnel security requirements.</li><li>Acquisition documents.</li><li>Service-level agreements.</li><li>Compliance monitoring process.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>External providers.</li><li>System/network administrators.</li><li>Organizational personnel with account management responsibilities.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing and monitoring external personnel security.</li><li>Mechanisms supporting and/or implementing the monitoring of provider compliance.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "8c8834da-b1e0-46a5-a3c0-76fbed61fdff",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-07 - External Personnel Security",
                "description": "<ul><li>a. Establish personnel security requirements, including security roles and responsibilities for external providers;</li><li>b. Require external providers to comply with personnel security policies and procedures established by the organization;</li><li>c. Document personnel security requirements;</li><li>d. Require external providers to notify  {{ insert: param, PS-7(d)-1 }}  of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within  {{ insert: param, PS-7(d)-2 }} ; and</li><li>e. Monitor provider compliance with personnel security requirements.</li></ul><br/><strong>Discussion</strong><br/><p>External provider refers to organizations other than the organization operating or acquiring the system. External providers include service bureaus, contractors, and other organizations that provide system development, information technology services, testing or assessment services, outsourced applications, and network/security management. Organizations explicitly include personnel security requirements in acquisition-related documents. External providers may have personnel working at organizational facilities with credentials, badges, or system privileges issued by organizations. Notifications of external personnel changes ensure the appropriate termination of privileges and credentials. Organizations define the transfers and terminations deemed reportable by security-related characteristics that include functions, roles, and the nature of credentials or privileges associated with transferred or terminated individuals.</p>",
                "controlId": "PS-7",
                "family": "Personnel Security",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "8446d096-3b4e-4d37-ab99-0523f414ea11",
                        "parameterId": "PS-8(b)-1",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-08_odp.01"
                    },
                    {
                        "uuid": "c8509fcf-aa92-441f-8aa5-2a6117959da0",
                        "parameterId": "PS-8(b)-2",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ps-08_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "9bc57331-38dd-47ae-aacc-4372234e8197",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ps-8_smt.a",
                        "description": "<ul><li>a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "622fe581-472d-4bc6-aa45-4eece78817a2",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ps-8_smt.b",
                        "description": "<ul><li>b. Notify {{ insert: param, PS-8(b)-1 }} within {{ insert: param, PS-8(b)-2 }} when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "3adb1e5d-8de0-4adb-adee-db334a1f9fe7",
                        "testId": "PS-08a.",
                        "test": "Determine if a formal sanctions process is employed for individuals failing to comply with established information security and privacy policies and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing personnel sanctions.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>List of personnel or roles to be notified of formal employee sanctions.</li><li>Records or notifications of formal employee sanctions.</li><li>System security plan.</li><li>Privacy plan.</li><li>Personally identifiable information processing policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Legal counsel.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing formal employee sanctions.</li><li>Mechanisms supporting and/or implementing formal employee sanctions notifications.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab3e4700-a4b2-475c-8767-78dc8e1605b7",
                        "testId": "PS-08b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): personnel or roles ]  is/are notified within  [SELECTED PARAMETER VALUE(S): time period ]  when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing personnel sanctions.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>List of personnel or roles to be notified of formal employee sanctions.</li><li>Records or notifications of formal employee sanctions.</li><li>System security plan.</li><li>Privacy plan.</li><li>Personally identifiable information processing policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Legal counsel.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing formal employee sanctions.</li><li>Mechanisms supporting and/or implementing formal employee sanctions notifications.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5499f17c-e6b0-4832-a9cd-bb74c6a59305",
                        "testId": "PS-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing personnel sanctions.</li><li>Access agreements (including non-disclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements).</li><li>List of personnel or roles to be notified of formal employee sanctions.</li><li>Records or notifications of formal employee sanctions.</li><li>System security plan.</li><li>Privacy plan.</li><li>Personally identifiable information processing policy.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e2675df3-5587-42db-af63-57ae69b6dd7d",
                        "testId": "PS-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Legal counsel.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "07e03da5-c267-4ae2-9820-8ac16b803ad5",
                        "testId": "PS-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing formal employee sanctions.</li><li>Mechanisms supporting and/or implementing formal employee sanctions notifications.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "97fde01d-47cd-40a5-9726-9b00009a2406",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-08 - Personnel Sanctions",
                "description": "<ul><li>a. Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and</li><li>b. Notify  {{ insert: param, PS-8(b)-1 }}  within  {{ insert: param, PS-8(b)-2 }}  when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.</li></ul><br/><strong>Discussion</strong><br/><p>Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.</p>",
                "controlId": "PS-8",
                "family": "Personnel Security",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "6e2c879a-8374-49a6-aa39-ab7077841a85",
                        "name": "PS-9",
                        "objectiveType": "",
                        "otherId": "ps-9_smt",
                        "description": "Incorporate security and privacy roles and responsibilities into organizational position descriptions."
                    }
                ],
                "tests": [
                    {
                        "uuid": "94bea3dc-8981-43ed-8f90-2282a41a03bf",
                        "testId": "PS-09-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing position descriptions.</li><li>Security and privacy position descriptions.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6e3e6c80-5e2e-40b3-b9fb-4bd3850674f8",
                        "testId": "PS-09-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with human capital management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b9e3ed67-f2bf-4db3-bca7-dd2f4c9d746b",
                        "testId": "PS-09-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for managing position descriptions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a53f7d91-fb54-442a-bf63-07055f038858",
                        "testId": "PS-09[01]",
                        "test": "Determine if security roles and responsibilities are incorporated into organizational position descriptions;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing position descriptions.</li><li>Security and privacy position descriptions.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with human capital management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing position descriptions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d3aab821-24d4-4381-b7aa-6d4abf1a9b11",
                        "testId": "PS-09[02]",
                        "test": "Determine if privacy roles and responsibilities are incorporated into organizational position descriptions.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Personnel security policy.</li><li>Personnel security procedures.</li><li>Procedures addressing position descriptions.</li><li>Security and privacy position descriptions.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with personnel security responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with human capital management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for managing position descriptions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "8c24c99f-9fd9-4930-985a-28cb62bd6f88",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "PS-09 - Position Descriptions",
                "description": "Incorporate security and privacy roles and responsibilities into organizational position descriptions.<br/><strong>Discussion</strong><br/><p>Specification of security and privacy roles in individual organizational position descriptions facilitates clarity in understanding the security or privacy responsibilities associated with the roles and the role-based security and privacy training requirements for the roles.</p>",
                "controlId": "PS-9",
                "family": "Personnel Security",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "b3357d1e-b309-45d2-b79b-44b5835ba63b",
                        "parameterId": "RA-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-1_prm_1"
                    },
                    {
                        "uuid": "3bbd89ac-5538-4413-ac6f-72ce1aa35e1a",
                        "parameterId": "RA-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-01_odp.03"
                    },
                    {
                        "uuid": "0944d697-c3af-4ebc-baac-9f85dd060403",
                        "parameterId": "RA-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-01_odp.04"
                    },
                    {
                        "uuid": "ebfd3e37-873e-4562-ad53-1ff6858904a4",
                        "parameterId": "RA-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-01_odp.05"
                    },
                    {
                        "uuid": "46e788a2-16c5-47f7-a56f-2db0eb7a230f",
                        "parameterId": "RA-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-01_odp.06"
                    },
                    {
                        "uuid": "5d3c1fa8-bf6b-4620-83fe-d40d789e9123",
                        "parameterId": "RA-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-01_odp.07"
                    },
                    {
                        "uuid": "4b1b9909-c764-4b00-8371-2474ea3153e4",
                        "parameterId": "RA-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "04f1ba03-52d1-431a-892a-66b831946588",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ra-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, RA-1(a) }}:</li><ul><li>1. {{ insert: param, RA-1(a)(1) }} risk assessment policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;</li></ul>"
                    },
                    {
                        "uuid": "eb7b9ead-f3a2-49e3-82b7-55559e0bcca9",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ra-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, RA-1(b) }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "ccd01f79-4a39-4117-bb8f-1083714d3076",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ra-1_smt.c",
                        "description": "<ul><li>c. Review and update the current risk assessment:</li><ul><li>1. Policy {{ insert: param, RA-1(c)(1)-1 }} and following {{ insert: param, RA-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, RA-1(c)(2)-1 }} and following {{ insert: param, RA-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "64bbfa3e-12f4-4e86-94b7-8fd4d68f8629",
                        "testId": "RA-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4b00d54f-3dbf-4efc-a470-5ce49bc0a4a8",
                        "testId": "RA-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a27a508b-6142-43c2-87ea-82ab2e264fe6",
                        "testId": "RA-01a.[01]",
                        "test": "Determine if a risk assessment policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e9eb48a8-d381-4c7c-a846-20acc43bbddb",
                        "testId": "RA-01a.[02]",
                        "test": "Determine if the risk assessment policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e40b7e2e-9832-4556-91cc-ca5d41b93682",
                        "testId": "RA-01a.[03]",
                        "test": "Determine if risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7ee68f48-844e-4b99-b118-5cf1f5a63c1b",
                        "testId": "RA-01a.[04]",
                        "test": "Determine if the risk assessment procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "169e7d4e-a3ad-401e-ad10-a1eb1e9d6897",
                        "testId": "RA-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "62021c36-8b24-4469-b73f-c3dabe0d97dd",
                        "testId": "RA-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a31c7c9a-d34f-4315-abc6-3b0ab81315cf",
                        "testId": "RA-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "065f7e30-3f0c-4187-87a7-62ddbfcc90d1",
                        "testId": "RA-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f3f3f553-47bc-40e4-96ba-f17fd35090f0",
                        "testId": "RA-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "52d327b2-f07b-4666-9f68-f9d83d7e28c7",
                        "testId": "RA-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "94071cb2-41e2-496f-a49c-f74cc7f5ae1c",
                        "testId": "RA-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "992749e8-dca6-4007-9579-ecca2c305463",
                        "testId": "RA-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cbc93acc-8d6a-432d-a83d-13440f61f02d",
                        "testId": "RA-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8df62252-6238-429c-9230-80f29445d9bc",
                        "testId": "RA-01c.01[01]",
                        "test": "Determine if the current risk assessment policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0804fe23-c222-4d1a-b61e-553f08a53370",
                        "testId": "RA-01c.01[02]",
                        "test": "Determine if the current risk assessment policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bc7a9f75-dc20-406d-b32b-a47506a08ae8",
                        "testId": "RA-01c.02[01]",
                        "test": "Determine if the current risk assessment procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2d296bd5-dd6c-4d3c-99bd-d4b49a25e2e9",
                        "testId": "RA-01c.02[02]",
                        "test": "Determine if the current risk assessment procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "2b3f6bab-2ca8-4139-aa0c-ca4ab90dd432",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, RA-1(a) }}:</p><ul><li><p>1. {{ insert: param, RA-1(a)(1) }} risk assessment policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, RA-1(b) }} to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and</p></li><li><p>c. Review and update the current risk assessment:</p><ul><li><p>1. Policy {{ insert: param, RA-1(c)(1)-1 }} and following {{ insert: param, RA-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, RA-1(c)(2)-1 }} and following {{ insert: param, RA-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Risk assessment policy and procedures address the controls in the RA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of risk assessment policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to risk assessment policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "RA-1",
                "family": "Risk Assessment",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "95506cfa-55f3-4f86-b251-7ef0687a9cc8",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ra-2_smt.a",
                        "description": "<ul><li>a. Categorize the system and information it processes, stores, and transmits;</li></ul>"
                    },
                    {
                        "uuid": "89d575a4-e15e-4851-9430-3cdfc208c3aa",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ra-2_smt.b",
                        "description": "<ul><li>b. Document the security categorization results, including supporting rationale, in the security plan for the system; and</li></ul>"
                    },
                    {
                        "uuid": "e7b4acfd-1c35-41f4-abe2-8148cc5a2f3b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ra-2_smt.c",
                        "description": "<ul><li>c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "81e4e2cc-8bbd-4e14-b033-d34dc548ab44",
                        "testId": "RA-02a.",
                        "test": "Determine if the system and the information it processes, stores, and transmits are categorized;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Security planning policy and procedures.</li><li>Procedures addressing security categorization of organizational information and systems.</li><li>Security categorization documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security categorization and risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for security categorization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "515e786b-8a30-4f36-8854-3073aaf4a9f0",
                        "testId": "RA-02b.",
                        "test": "Determine if the security categorization results, including supporting rationale, are documented in the security plan for the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Security planning policy and procedures.</li><li>Procedures addressing security categorization of organizational information and systems.</li><li>Security categorization documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security categorization and risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for security categorization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b300c546-a383-454c-9339-b03c1e58e099",
                        "testId": "RA-02c.",
                        "test": "Determine if the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Security planning policy and procedures.</li><li>Procedures addressing security categorization of organizational information and systems.</li><li>Security categorization documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security categorization and risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for security categorization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0a31d8a3-5eba-4a40-b34f-c81ce29e3136",
                        "testId": "RA-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Risk assessment policy.</li><li>Security planning policy and procedures.</li><li>Procedures addressing security categorization of organizational information and systems.</li><li>Security categorization documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8b08a685-898b-4971-9572-8b41f7737399",
                        "testId": "RA-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with security categorization and risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "35cce952-fc4e-4972-b0bf-c66c17ae84aa",
                        "testId": "RA-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for security categorization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d4ccc905-f3a4-4b04-bc53-9a0957db9b01",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-02 - Security Categorization",
                "description": "<ul><li><p>a. Categorize the system and information it processes, stores, and transmits;</p></li><li><p>b. Document the security categorization results, including supporting rationale, in the security plan for the system; and</p></li><li><p>c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. <a href=\"#4e4fbc93-333d-45e6-a875-de36b878b6b9\">CNSSI 1253</a> provides additional guidance on categorization for national security systems.</p><p>Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with <a href=\"#13f0c39d-eaf7-417a-baef-69a041878bb5\">USA PATRIOT</a> and Homeland Security Presidential Directives, potential national-level adverse impacts.</p><p>Security categorization processes facilitate the development of inventories of information assets and, along with <a href=\"#cm-8\">CM-8</a> , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.</p><p></p><p><strong>OT Discussion</strong></p><p>PHA, functional safety assessments, and other organization-established risk assessments can be referenced to identify the impact level of the OT systems.</p>",
                "controlId": "RA-2",
                "family": "Risk Assessment",
                "enhancements": "<strong>Enhancements</strong><ul><li>RA-2(1) - Impact-level Prioritization</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "8d6b09b5-4f02-4025-8f68-c683764aa84b",
                        "parameterId": "RA-3(c)",
                        "text": "[Selection: security and privacy plans; risk assessment report; [(NESTED PARAMETER) Assignment for ra-03_odp.02: document]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection: security and privacy plans; risk assessment report; [(NESTED PARAMETER) Assignment for ra-03_odp.02: document]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-03_odp.01"
                    },
                    {
                        "uuid": "ea8565d2-9168-46f2-a4b4-90bed784cb33",
                        "parameterId": "RA-3(d)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-03_odp.03"
                    },
                    {
                        "uuid": "a4039080-b02a-496d-ba29-ddf5ca108215",
                        "parameterId": "RA-3(e)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-03_odp.04"
                    },
                    {
                        "uuid": "565c5f8e-0e2a-437e-8417-ace3f0c52b5e",
                        "parameterId": "RA-3(f)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-03_odp.05"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "6be66405-5130-45cb-8642-1b0a37e38da7",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ra-3_smt.a",
                        "description": "<ul><li>a. Conduct a risk assessment, including:</li><ul><li>1. Identifying threats to and vulnerabilities in the system;</li><li>2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and</li><li>3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</li></ul>"
                    },
                    {
                        "uuid": "29fe1df4-bc1f-49ce-abed-c4c08710ed48",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ra-3_smt.b",
                        "description": "<ul><li>b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;</li></ul>"
                    },
                    {
                        "uuid": "e8523323-b025-423d-b2be-be554a23203f",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ra-3_smt.c",
                        "description": "<ul><li>c. Document risk assessment results in {{ insert: param, RA-3(c) }};</li></ul>"
                    },
                    {
                        "uuid": "d37273ce-8ba3-404e-acd4-2f71a23444f2",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ra-3_smt.d",
                        "description": "<ul><li>d. Review risk assessment results {{ insert: param, RA-3(d) }};</li></ul>"
                    },
                    {
                        "uuid": "ba787f25-927a-4df6-8ad0-dd976ada28e6",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ra-3_smt.e",
                        "description": "<ul><li>e. Disseminate risk assessment results to {{ insert: param, RA-3(e) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "1c9140ee-1e8d-43ca-8b1f-1718a5e1666b",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "ra-3_smt.f",
                        "description": "<ul><li>f. Update the risk assessment {{ insert: param, RA-3(f) }} or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "54791c66-39d8-4d2e-9b04-a386e377d36b",
                        "testId": "RA-03a.01",
                        "test": "Determine if a risk assessment is conducted to identify threats to and vulnerabilities in the system;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0daeb841-e846-4a77-bea4-b3c5cda42c87",
                        "testId": "RA-03a.02",
                        "test": "Determine if a risk assessment is conducted to determine the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system; the information it processes, stores, or transmits; and any related information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b3b257c8-fb02-4727-9a01-3ebbeacb3171",
                        "testId": "RA-03a.03",
                        "test": "Determine if a risk assessment is conducted to determine the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b4368166-f207-45b2-b691-4cd0b11d856f",
                        "testId": "RA-03b.",
                        "test": "Determine if risk assessment results and risk management decisions from the organization and mission or business process perspectives are integrated with system-level risk assessments;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a5a73917-a931-4ea9-ad68-f9b75f109c5d",
                        "testId": "RA-03c.",
                        "test": "Determine if risk assessment results are documented in  [SELECTED PARAMETER VALUE(S): [Selection: security and privacy plans; risk assessment report; [(NESTED PARAMETER) Assignment for ra-03_odp.02: document]] ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5648ff16-4ade-43ce-8855-16bfdeb0aac8",
                        "testId": "RA-03d.",
                        "test": "Determine if risk assessment results are reviewed  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c29b941-9383-40c3-bc4c-69fafb74d72a",
                        "testId": "RA-03e.",
                        "test": "Determine if risk assessment results are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c2c959b-b21f-4c2d-a6b9-485cd511a71b",
                        "testId": "RA-03f.",
                        "test": "Determine if the risk assessment is updated  [SELECTED PARAMETER VALUE(S): frequency ]  or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "12ca4930-d45d-4719-aa68-fd7157686fb7",
                        "testId": "RA-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Risk assessment policy.</li><li>Risk assessment procedures.</li><li>Security and privacy planning policy and procedures.</li><li>Procedures addressing organizational assessments of risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f92214d7-6695-4ec9-8ef7-c8e746fd717a",
                        "testId": "RA-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "58292c43-5c91-4c2c-93ec-aeba1c7d03eb",
                        "testId": "RA-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "0898808e-7d27-4327-8fbc-7c302e7623ac",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-03 - Risk Assessment",
                "description": "<ul><li>a. Conduct a risk assessment, including:</li><ul><li>1. Identifying threats to and vulnerabilities in the system;</li><li>2. Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and</li><li>3. Determining the likelihood and impact of adverse effects on individuals arising from the processing of personally identifiable information;</li></ul><li>b. Integrate risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments;</li><li>c. Document risk assessment results in  {{ insert: param, RA-3(c) }};</li><li>d. Review risk assessment results  {{ insert: param, RA-3(d) }};</li><li>e. Disseminate risk assessment results to  {{ insert: param, RA-3(e) }} ; and</li><li>f. Update the risk assessment  {{ insert: param, RA-3(f) }}  or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.</li></ul><br/><strong>Discussion</strong><br/><p>Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.</p><p>Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle. Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle.</p><p>Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.</p>",
                "controlId": "RA-3",
                "family": "Risk Assessment",
                "enhancements": "<strong>Enhancements</strong><ul><li>RA-3(1) - Supply Chain Risk Assessment</li><li>RA-3(2) - Use of All-source Intelligence</li><li>RA-3(3) - Dynamic Threat Awareness</li><li>RA-3(4) - Predictive Cyber Analytics</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "15e95e9b-e96e-42a5-bcbe-ac56b0c333c4",
                        "parameterId": "RA-3(1)(a)",
                        "text": "systems, system components, and system services",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined systems, system components, and system services] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-03.01_odp.01"
                    },
                    {
                        "uuid": "1a45b61f-c6f4-41ea-a439-77742c1c2ec7",
                        "parameterId": "RA-3(1)(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-03.01_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "24ff81c2-40da-4171-8e2d-4b9ee9cd4c08",
                        "name": "(a)",
                        "objectiveType": "",
                        "otherId": "ra-3.1_smt.a",
                        "description": "<ul><li>(a) Assess supply chain risks associated with {{ insert: param, RA-3(1)(a) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "f95ac3db-d472-433a-8f77-1a2b9bbb00ac",
                        "name": "(b)",
                        "objectiveType": "",
                        "otherId": "ra-3.1_smt.b",
                        "description": "<ul><li>(b) Update the supply chain risk assessment {{ insert: param, RA-3(1)(b) }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "7d277d17-9322-4dd8-9729-69f6fe1ff4e8",
                        "testId": "RA-03(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy.</li><li>Inventory of critical systems, system components, and system services.</li><li>Risk assessment policy.</li><li>Security planning policy and procedures.</li><li>Procedures addressing organizational assessments of supply chain risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>Acquisition policy.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7d02dde1-51ad-4874-bf38-d25bad06257e",
                        "testId": "RA-03(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "41edffb5-e9ed-4dfc-b88f-82af65d3e84c",
                        "testId": "RA-03(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9965a411-ff0e-4ed8-9194-695d458befe4",
                        "testId": "RA-03(01)(a)",
                        "test": "Determine if supply chain risks associated with  [SELECTED PARAMETER VALUE(S): systems, system components, and system services ]  are assessed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Inventory of critical systems, system components, and system services.</li><li>Risk assessment policy.</li><li>Security planning policy and procedures.</li><li>Procedures addressing organizational assessments of supply chain risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>Acquisition policy.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "23bfb1eb-12b3-439c-bfd4-f2a913cf913d",
                        "testId": "RA-03(01)(b)",
                        "test": "Determine if the supply chain risk assessment is updated  [SELECTED PARAMETER VALUE(S): frequency ] , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Inventory of critical systems, system components, and system services.</li><li>Risk assessment policy.</li><li>Security planning policy and procedures.</li><li>Procedures addressing organizational assessments of supply chain risk.</li><li>Risk assessment.</li><li>Risk assessment results.</li><li>Risk assessment reviews.</li><li>Risk assessment updates.</li><li>Acquisition policy.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for risk assessment.</li><li>Mechanisms supporting and/or conducting, documenting, reviewing, disseminating, and updating the supply chain risk assessment.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "a15fca0d-36b7-4a50-9c20-dd7a788fffa1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-03(01) - Supply Chain Risk Assessment",
                "description": "<ul><li>(a) Assess supply chain risks associated with  {{ insert: param, RA-3(1)(a) }} ; and</li><li>(b) Update the supply chain risk assessment  {{ insert: param, RA-3(1)(b) }} , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.</li></ul><br/><strong>Discussion</strong><br/><p>Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code. These events can have a significant impact on the confidentiality, integrity, or availability of a system and its information and, therefore, can also adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. The supply chain-related events may be unintentional or malicious and can occur at any point during the system life cycle. An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.</p>",
                "controlId": "RA-3(1)",
                "family": "Risk Assessment",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "2ef067f6-b4ce-4cb5-be31-4dc75331cc8a",
                        "parameterId": "RA-5(a)",
                        "text": "organization-defined frequency and/or randomly in accordance with organization-defined process",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-5_prm_1"
                    },
                    {
                        "uuid": "a4fdd331-ff94-40d8-b8c0-cac7621bf9a7",
                        "parameterId": "RA-5(d)",
                        "text": "response times",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined response times] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-05_odp.03"
                    },
                    {
                        "uuid": "3db6d355-a169-4a40-a4fa-6fdd16f4a129",
                        "parameterId": "RA-5(e)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-05_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "e336fe97-7736-443c-8ccf-73575b956d3e",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "ra-5_smt.a",
                        "description": "<ul><li>a. Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, RA-5(a) }} and when new vulnerabilities potentially affecting the system are identified and reported;</li></ul>"
                    },
                    {
                        "uuid": "b28d0e57-7169-46ce-8242-a92c5a972163",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "ra-5_smt.b",
                        "description": "<ul><li>b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:</li><ul><li>1. Enumerating platforms, software flaws, and improper configurations;</li><li>2. Formatting checklists and test procedures; and</li><li>3. Measuring vulnerability impact;</li></ul>"
                    },
                    {
                        "uuid": "80f1090f-ed0d-496b-9101-aa7bd0dcdc61",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "ra-5_smt.c",
                        "description": "<ul><li>c. Analyze vulnerability scan reports and results from vulnerability monitoring;</li></ul>"
                    },
                    {
                        "uuid": "364c3441-4224-41c3-9902-756b22cba341",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "ra-5_smt.d",
                        "description": "<ul><li>d. Remediate legitimate vulnerabilities {{ insert: param, RA-5(d) }} in accordance with an organizational assessment of risk;</li></ul>"
                    },
                    {
                        "uuid": "060293c0-ba3e-49dc-8029-9bef78316a08",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "ra-5_smt.e",
                        "description": "<ul><li>e. Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, RA-5(e) }} to help eliminate similar vulnerabilities in other systems; and</li></ul>"
                    },
                    {
                        "uuid": "8b0cf756-b864-4c3d-ba6e-bcd3bde16e74",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "ra-5_smt.f",
                        "description": "<ul><li>f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "68e04ef3-48b5-4492-8533-bcfb8b865017",
                        "testId": "RA-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "148f49fe-e23b-480e-a029-1844e7882575",
                        "testId": "RA-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "99289376-daa1-4f6d-bc23-5e5ff4d9e2d6",
                        "testId": "RA-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c55de450-cc3a-4de7-9020-988986433c5b",
                        "testId": "RA-05a.[01]",
                        "test": "Determine if systems and hosted applications are monitored for vulnerabilities  [SELECTED PARAMETER VALUE(S): frequency and/or randomly in accordance with organization-defined process ]  and when new vulnerabilities potentially affecting the system are identified and reported;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ec3776f4-f2f0-457d-ba41-2b4c8fc4ef4a",
                        "testId": "RA-05a.[02]",
                        "test": "Determine if systems and hosted applications are scanned for vulnerabilities  [SELECTED PARAMETER VALUE(S): frequency and/or randomly in accordance with organization-defined process ]  and when new vulnerabilities potentially affecting the system are identified and reported;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "002409b9-f647-4c28-88d1-c2c2c8bada96",
                        "testId": "RA-05b.",
                        "test": "Determine if vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fd959de3-7555-43a3-93dc-f996fd9a42a1",
                        "testId": "RA-05b.01",
                        "test": "Determine if vulnerability monitoring tools and techniques are employed to automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c8d1fe93-d393-4b7d-a6a3-5fff1d2c5a80",
                        "testId": "RA-05b.02",
                        "test": "Determine if vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for formatting checklists and test procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c425f61c-4f89-421a-8968-1256b40b6352",
                        "testId": "RA-05b.03",
                        "test": "Determine if vulnerability monitoring tools and techniques are employed to facilitate interoperability among tools and to automate parts of the vulnerability management process by using standards for measuring vulnerability impact;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f7d08c8d-0a3f-44f2-9096-367bf5fb765b",
                        "testId": "RA-05c.",
                        "test": "Determine if vulnerability scan reports and results from vulnerability monitoring are analyzed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e90673f8-5ee9-4707-a632-8c4774e108e2",
                        "testId": "RA-05d.",
                        "test": "Determine if legitimate vulnerabilities are remediated  [SELECTED PARAMETER VALUE(S): response times ]  in accordance with an organizational assessment of risk;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a362a0b1-80ea-48b0-bc93-3cdd7d3cb47c",
                        "testId": "RA-05e.",
                        "test": "Determine if information obtained from the vulnerability monitoring process and control assessments is shared with  [SELECTED PARAMETER VALUE(S): personnel or roles ]  to help eliminate similar vulnerabilities in other systems;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b8b3a5bf-145e-46e4-a7f3-653e0531aa49",
                        "testId": "RA-05f.",
                        "test": "Determine if vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned are employed.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with risk assessment, control assessment, and vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with vulnerability remediation responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning, analysis, remediation, and information sharing.</li><li>Mechanisms supporting and/or implementing vulnerability scanning, analysis, remediation, and information sharing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "6c79a991-e364-4d1f-bdcd-a8260a7adfbb",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-05 - Vulnerability Monitoring and Scanning",
                "description": "<ul><li><p>a. Monitor and scan for vulnerabilities in the system and hosted applications {{ insert: param, RA-5(a) }} and when new vulnerabilities potentially affecting the system are identified and reported;</p></li><li><p>b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:</p><ul><li><p>1. Enumerating platforms, software flaws, and improper configurations;</p></li><li><p>2. Formatting checklists and test procedures; and</p></li><li><p>3. Measuring vulnerability impact;</p></li></ul></li><li><p>c. Analyze vulnerability scan reports and results from vulnerability monitoring;</p></li><li><p>d. Remediate legitimate vulnerabilities {{ insert: param, RA-5(d) }} in accordance with an organizational assessment of risk;</p></li><li><p>e. Share information obtained from the vulnerability monitoring process and control assessments with {{ insert: param, RA-5(e) }} to help eliminate similar vulnerabilities in other systems; and</p></li><li><p>f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities\u00e2\u20ac\u201dsuch as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers\u00e2\u20ac\u201dare not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.</p><p>Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).</p><p>Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.</p><p>Organizations may also employ the use of financial incentives (also known as bug bounties ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization\u00e2\u20ac\u2122s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization makes a risk-based determination of how to monitor or scan for vulnerabilities on their system. This may include active scanning, passive monitoring, or compensating controls, depending on the system being scanned. For example, vulnerability examination may be performed using passive monitoring and manual visual inspection to maintain an up-to-date inventory of assets. That inventory can be cross-referenced against a list of known vulnerabilities (e.g., CISA advisories, NIST NVD). Production may need to be taken offline before active scans can be conducted. Scans are scheduled to occur during planned OT outages whenever possible. If vulnerability scanning tools are used on adjacent non-OT networks, extra care is taken to ensure that they do not mistakenly scan the OT network. Automated network scanning is not applicable to non-routable communications, such as serial networks. Compensating controls include providing a replicated or simulated system for conducting scans or host-based vulnerability applications.</p>",
                "controlId": "RA-5",
                "family": "Risk Assessment",
                "enhancements": "<strong>Enhancements</strong><ul><li>RA-5(2) - Update Vulnerabilities to Be Scanned</li><li>RA-5(3) - Breadth and Depth of Coverage</li><li>RA-5(4) - Discoverable Information</li><li>RA-5(5) - Privileged Access</li><li>RA-5(6) - Automated Trend Analyses</li><li>RA-5(8) - Review Historic Audit Logs</li><li>RA-5(10) - Correlate Scanning Information</li><li>RA-5(11) - Public Disclosure Program</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "553d6368-d8a1-4cfc-be08-89465ac34ab4",
                        "parameterId": "RA-5(2)",
                        "text": "[Selection (one or more): [(NESTED PARAMETER) Assignment for ra-05.02_odp.02: frequency]; prior to a new scan; when new vulnerabilities are identified and reported]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): [(NESTED PARAMETER) Assignment for ra-05.02_odp.02: frequency]; prior to a new scan; when new vulnerabilities are identified and reported]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "ra-05.02_odp.01"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "c8a001c0-43d5-473a-a356-8af86443247f",
                        "name": "RA-5(2)",
                        "objectiveType": "",
                        "otherId": "ra-5.2_smt",
                        "description": "Update the system vulnerabilities to be scanned {{ insert: param, RA-5(2) }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "e5d548e0-f029-4e23-beb4-04af637504d9",
                        "testId": "RA-05(02)",
                        "test": "Determine if the system vulnerabilities to be scanned are updated  [SELECTED PARAMETER VALUE(S): [Selection (one or more): [(NESTED PARAMETER) Assignment for ra-05.02_odp.02: frequency]; prior to a new scan; when new vulnerabilities are identified and reported] ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Procedures addressing vulnerability scanning.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning.</li><li>Mechanisms/tools supporting and/or implementing vulnerability scanning.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4cd53fc2-21ed-4a67-82ac-214bc9ac4879",
                        "testId": "RA-05(02)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Procedures addressing vulnerability scanning.</li><li>Assessment report.</li><li>Vulnerability scanning tools and associated configuration documentation.</li><li>Vulnerability scanning results.</li><li>Patch and vulnerability management records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e648d67c-2ee9-42c7-9dae-1d23c6a7e37b",
                        "testId": "RA-05(02)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with security responsibilities.</li><li>System/network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e130f546-57b8-4a50-a716-748c123f9d38",
                        "testId": "RA-05(02)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for vulnerability scanning.</li><li>Mechanisms/tools supporting and/or implementing vulnerability scanning.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "92fb5225-e389-435f-b346-8186d9c8f9a1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-05(02) - Update Vulnerabilities to Be Scanned",
                "description": "Update the system vulnerabilities to be scanned  {{ insert: param, RA-5(2) }}.<br/><strong>Discussion</strong><br/><p>Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.</p>",
                "controlId": "RA-5(2)",
                "family": "Risk Assessment",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "df04dcff-83b2-44c4-a92e-4eada82e3d1a",
                        "name": "RA-5(11)",
                        "objectiveType": "",
                        "otherId": "ra-5.11_smt",
                        "description": "Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components."
                    }
                ],
                "tests": [
                    {
                        "uuid": "3f6858f2-01c1-44d8-8bf6-d05680a151c1",
                        "testId": "RA-05(11)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Vulnerability scanning tools and techniques documentation.</li><li>Vulnerability scanning results.</li><li>Vulnerability management records.</li><li>Audit records.</li><li>Public reporting channel.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0a4222eb-4664-4da1-ade0-4ab29a418aad",
                        "testId": "RA-05(11)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "85c57984-7dcf-4219-b5e5-3f570bf31e98",
                        "testId": "RA-05(11)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for vulnerability scanning.</li><li>Mechanisms/tools supporting and/or implementing vulnerability scanning.</li><li>Mechanisms implementing the public reporting of vulnerabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "71669673-7ccb-4be7-93ab-d5d1ef0f31a1",
                        "testId": "RA-05(11)",
                        "test": "Determine if a public reporting channel is established for receiving reports of vulnerabilities in organizational systems and system components.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Procedures addressing vulnerability scanning.</li><li>Risk assessment.</li><li>Vulnerability scanning tools and techniques documentation.</li><li>Vulnerability scanning results.</li><li>Vulnerability management records.</li><li>Audit records.</li><li>Public reporting channel.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with vulnerability scanning responsibilities.</li><li>Organizational personnel with vulnerability scan analysis responsibilities.</li><li>Organizational personnel with security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for vulnerability scanning.</li><li>Mechanisms/tools supporting and/or implementing vulnerability scanning.</li><li>Mechanisms implementing the public reporting of vulnerabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d070a87d-efed-4f37-8805-b0e887d09f97",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-05(11) - Public Disclosure Program",
                "description": "<p>Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.<br><strong>Discussion</strong><br></p><p>The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.</p><p></p><p><strong>OT Discussion</strong></p><p>For federal organizations, CISA Binding Operational Directive 20-01 requires individual federal civilian executive branch agencies to develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services and maintain processes to support their VDP. A VDP may be implemented at the organization level rather than for each individual system. Federal and non-federal organizations could achieve this control by creating and monitoring an email address published on a public-facing website for contacting the organization regarding disclosures.</p>",
                "controlId": "RA-5(11)",
                "family": "Risk Assessment",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "49a84051-a8b5-42a8-821b-446bc1853501",
                        "name": "RA-7",
                        "objectiveType": "",
                        "otherId": "ra-7_smt",
                        "description": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance."
                    }
                ],
                "tests": [
                    {
                        "uuid": "8912d3f4-b556-4d60-8e83-76e5815f333f",
                        "testId": "RA-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Risk assessment policy.</li><li>Assessment reports.</li><li>Audit records/event logs.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d890e3cc-510c-4db8-886c-5a1569a51420",
                        "testId": "RA-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with assessment and auditing responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "baa65e3a-702d-4485-a506-c364190fd0bb",
                        "testId": "RA-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for assessments and audits.</li><li>Mechanisms/tools supporting and/or implementing assessments and auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a0aa445e-6fc4-40b8-987b-7fc78b6cb44a",
                        "testId": "RA-07[01]",
                        "test": "Determine if findings from security assessments are responded to in accordance with organizational risk tolerance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Assessment reports.</li><li>Audit records/event logs.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment and auditing responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for assessments and audits.</li><li>Mechanisms/tools supporting and/or implementing assessments and auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4063487f-aeee-44db-93c7-14e5b84bf24f",
                        "testId": "RA-07[02]",
                        "test": "Determine if findings from privacy assessments are responded to in accordance with organizational risk tolerance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Assessment reports.</li><li>Audit records/event logs.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment and auditing responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for assessments and audits.</li><li>Mechanisms/tools supporting and/or implementing assessments and auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e3d677bb-b8ab-43c0-9daa-5b18bfe08322",
                        "testId": "RA-07[03]",
                        "test": "Determine if findings from monitoring are responded to in accordance with organizational risk tolerance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Assessment reports.</li><li>Audit records/event logs.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment and auditing responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for assessments and audits.</li><li>Mechanisms/tools supporting and/or implementing assessments and auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "08831144-6975-4701-95ba-161c190c247a",
                        "testId": "RA-07[04]",
                        "test": "Determine if findings from audits are responded to in accordance with organizational risk tolerance.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Risk assessment policy.</li><li>Assessment reports.</li><li>Audit records/event logs.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with assessment and auditing responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for assessments and audits.</li><li>Mechanisms/tools supporting and/or implementing assessments and auditing.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "fd4479d4-cfce-4da6-8be0-531c4018beb7",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "RA-07 - Risk Response",
                "description": "Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.<br/><strong>Discussion</strong><br/><p>Organizations have many options for responding to risk including mitigating risk by implementing new controls or strengthening existing controls, accepting risk with appropriate justification or rationale, sharing or transferring risk, or avoiding risk. The risk tolerance of the organization influences risk response decisions and actions. Risk response addresses the need to determine an appropriate response to risk before generating a plan of action and milestones entry. For example, the response may be to accept risk or reject risk, or it may be possible to mitigate the risk immediately so that a plan of action and milestones entry is not needed. However, if the risk response is to mitigate the risk, and the mitigation cannot be completed immediately, a plan of action and milestones entry is generated.</p>",
                "controlId": "RA-7",
                "family": "Risk Assessment",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "08c3d762-fb80-4855-9f5f-4d2507a8b7d2",
                        "parameterId": "SA-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-1_prm_1"
                    },
                    {
                        "uuid": "b0c70025-e828-45da-9a3e-0a23821b8f9c",
                        "parameterId": "SA-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-01_odp.03"
                    },
                    {
                        "uuid": "b715b08f-56e2-4b46-b590-8c1b381af71e",
                        "parameterId": "SA-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-01_odp.04"
                    },
                    {
                        "uuid": "f1344c63-46b3-45f1-abd5-2ba94308eeb0",
                        "parameterId": "SA-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-01_odp.05"
                    },
                    {
                        "uuid": "9d109b67-201a-4187-92bf-caa231d15255",
                        "parameterId": "SA-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-01_odp.06"
                    },
                    {
                        "uuid": "f18fa623-707c-4f87-a96c-800cb6f1c3e3",
                        "parameterId": "SA-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-01_odp.07"
                    },
                    {
                        "uuid": "94c1fe70-c17f-4eef-a5c2-b6ca52069a32",
                        "parameterId": "SA-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "ec7244d4-8015-4060-b885-8331d74f8a35",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sa-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, SA-1(a) }}:</li><ul><li>1. {{ insert: param, SA-1(a)(1) }} system and services acquisition policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;</li></ul>"
                    },
                    {
                        "uuid": "abe98b3e-62cb-418d-9fc9-5384359b8110",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sa-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, SA-1(b) }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "9a9ab0fd-a908-4143-a7fe-a97bb13fee38",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sa-1_smt.c",
                        "description": "<ul><li>c. Review and update the current system and services acquisition:</li><ul><li>1. Policy {{ insert: param, SA-1(c)(1)-1 }} and following {{ insert: param, SA-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, SA-1(c)(2)-1 }} and following {{ insert: param, SA-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "ac94ab8f-4c06-4bd7-94e6-66691c6aa053",
                        "testId": "SA-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "378501d4-1101-40ce-8eff-27d0cdec990a",
                        "testId": "SA-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0d593b1-7942-4fd5-9d9e-f9b30b836143",
                        "testId": "SA-01a.[01]",
                        "test": "Determine if a system and services acquisition policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eab967ad-fa6d-47d4-8c3e-a9e6939df348",
                        "testId": "SA-01a.[02]",
                        "test": "Determine if the system and services acquisition policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "39c5eafb-e696-4103-9bbb-eb56418a45d9",
                        "testId": "SA-01a.[03]",
                        "test": "Determine if system and services acquisition procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d3250e5e-dcc3-485a-a1fd-fc5e4d2679c1",
                        "testId": "SA-01a.[04]",
                        "test": "Determine if the system and services acquisition procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6e9ffb6c-6ff3-40c7-8678-9a894d598070",
                        "testId": "SA-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "97249c4f-5127-400a-b813-8e3d7abc01db",
                        "testId": "SA-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1e4042fc-9894-45e2-a1e6-ee7f9bd66826",
                        "testId": "SA-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "73f185a3-610c-47c0-902b-11facb0a1f7d",
                        "testId": "SA-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a663d6b-2c1f-42e9-a02d-410a61092d34",
                        "testId": "SA-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a45495ee-e383-44ad-ac6a-3ad2c65d9f1e",
                        "testId": "SA-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a99d96ee-ddc6-4e33-9d18-a7e6d198743c",
                        "testId": "SA-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6b971361-9381-4972-b4fd-e79cc50ca114",
                        "testId": "SA-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and services acquisition policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4670338e-64d0-4cfe-a9da-1ca3930d6c63",
                        "testId": "SA-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2c1bdede-6128-4559-8056-5b05a600f735",
                        "testId": "SA-01c.01[01]",
                        "test": "Determine if the system and services acquisition policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d6603d6b-c331-4de8-bf58-a70b3a947517",
                        "testId": "SA-01c.01[02]",
                        "test": "Determine if the current system and services acquisition policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "94977682-35bf-44f2-a9bc-43b4348493f1",
                        "testId": "SA-01c.02[01]",
                        "test": "Determine if the current system and services acquisition procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "afe1ca61-7f22-4ea9-ac51-0455f708e82b",
                        "testId": "SA-01c.02[02]",
                        "test": "Determine if the current system and services acquisition procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "42f7073e-3fa6-45af-8abd-24638100dd29",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, SA-1(a) }}:</p><ul><li><p>1. {{ insert: param, SA-1(a)(1) }} system and services acquisition policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the system and services acquisition policy and the associated system and services acquisition controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, SA-1(b) }} to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and</p></li><li><p>c. Review and update the current system and services acquisition:</p><ul><li><p>1. Policy {{ insert: param, SA-1(c)(1)-1 }} and following {{ insert: param, SA-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, SA-1(c)(2)-1 }} and following {{ insert: param, SA-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>System and services acquisition policy and procedures address the controls in the SA family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and services acquisition policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and services acquisition policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "SA-1",
                "family": "System and Services Acquisition",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "8028a8ee-3852-46bf-8c7c-eaa036d90ae8",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sa-2_smt.a",
                        "description": "<ul><li>a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;</li></ul>"
                    },
                    {
                        "uuid": "765502a3-895f-41f5-824a-778948011152",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sa-2_smt.b",
                        "description": "<ul><li>b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and</li></ul>"
                    },
                    {
                        "uuid": "85e86aac-a778-4055-9aca-5cb02010a49b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sa-2_smt.c",
                        "description": "<ul><li>c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "94dd8d8e-5020-400a-bb14-32395b08d54e",
                        "testId": "SA-02a.[01]",
                        "test": "Determine if the high-level information security requirements for the system or system service are determined in mission and business process planning;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>System and services acquisition strategy and plans.</li><li>Procedures addressing the allocation of resources to information security and privacy requirements.</li><li>Procedures addressing capital planning and investment control.</li><li>Organizational programming and budgeting documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining information security and privacy requirements.</li><li>Organizational processes for capital planning, programming, and budgeting.</li><li>Mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3ba1b77e-242a-44bf-8aa1-f9562f57dc43",
                        "testId": "SA-02a.[02]",
                        "test": "Determine if the high-level privacy requirements for the system or system service are determined in mission and business process planning;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>System and services acquisition strategy and plans.</li><li>Procedures addressing the allocation of resources to information security and privacy requirements.</li><li>Procedures addressing capital planning and investment control.</li><li>Organizational programming and budgeting documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining information security and privacy requirements.</li><li>Organizational processes for capital planning, programming, and budgeting.</li><li>Mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "628f8df2-bc5d-4830-8758-d51e5777e7b6",
                        "testId": "SA-02b.[01]",
                        "test": "Determine if the resources required to protect the system or system service are determined and documented as part of the organizational capital planning and investment control process;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>System and services acquisition strategy and plans.</li><li>Procedures addressing the allocation of resources to information security and privacy requirements.</li><li>Procedures addressing capital planning and investment control.</li><li>Organizational programming and budgeting documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining information security and privacy requirements.</li><li>Organizational processes for capital planning, programming, and budgeting.</li><li>Mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "36b593ea-f2fa-4dda-8607-205ad5785a98",
                        "testId": "SA-02b.[02]",
                        "test": "Determine if the resources required to protect the system or system service are allocated as part of the organizational capital planning and investment control process;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>System and services acquisition strategy and plans.</li><li>Procedures addressing the allocation of resources to information security and privacy requirements.</li><li>Procedures addressing capital planning and investment control.</li><li>Organizational programming and budgeting documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining information security and privacy requirements.</li><li>Organizational processes for capital planning, programming, and budgeting.</li><li>Mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2c94345a-6d5d-4398-847b-e2b50c4f1bdc",
                        "testId": "SA-02c.[01]",
                        "test": "Determine if a discrete line item for information security is established in organizational programming and budgeting documentation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>System and services acquisition strategy and plans.</li><li>Procedures addressing the allocation of resources to information security and privacy requirements.</li><li>Procedures addressing capital planning and investment control.</li><li>Organizational programming and budgeting documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining information security and privacy requirements.</li><li>Organizational processes for capital planning, programming, and budgeting.</li><li>Mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bdf51d14-58bd-4fe2-a693-e812e7a25209",
                        "testId": "SA-02c.[02]",
                        "test": "Determine if a discrete line item for privacy is established in organizational programming and budgeting documentation.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>System and services acquisition strategy and plans.</li><li>Procedures addressing the allocation of resources to information security and privacy requirements.</li><li>Procedures addressing capital planning and investment control.</li><li>Organizational programming and budgeting documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management policy.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining information security and privacy requirements.</li><li>Organizational processes for capital planning, programming, and budgeting.</li><li>Mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "832865b2-606d-49c3-84b8-8a05f2278ead",
                        "testId": "SA-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>System and services acquisition strategy and plans.</li><li>Procedures addressing the allocation of resources to information security and privacy requirements.</li><li>Procedures addressing capital planning and investment control.</li><li>Organizational programming and budgeting documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management policy.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5f9b215d-ad1c-4e3e-82d5-dc435e4aa210",
                        "testId": "SA-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with capital planning, investment control, organizational programming, and budgeting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8d85e900-79c6-4957-8e04-ac63ee2f08b6",
                        "testId": "SA-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for determining information security and privacy requirements.</li><li>Organizational processes for capital planning, programming, and budgeting.</li><li>Mechanisms supporting and/or implementing organizational capital planning, programming, and budgeting.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "dd354f83-6f30-48a3-94c1-06e6588a3410",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-02 - Allocation of Resources",
                "description": "<ul><li>a. Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning;</li><li>b. Determine, document, and allocate the resources required to protect the system or system service as part of the organizational capital planning and investment control process; and</li><li>c. Establish a discrete line item for information security and privacy in organizational programming and budgeting documentation.</li></ul><br/><strong>Discussion</strong><br/><p>Resource allocation for information security and privacy includes funding for system and services acquisition, sustainment, and supply chain-related risks throughout the system development life cycle.</p>",
                "controlId": "SA-2",
                "family": "System and Services Acquisition",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "73f3b8a9-d13d-40f3-8c7c-059c221cb09e",
                        "parameterId": "SA-3(a)",
                        "text": "system-development life cycle",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system-development life cycle] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-03_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0bae250d-947c-4d19-b385-22a14a00a201",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sa-3_smt.a",
                        "description": "<ul><li>a. Acquire, develop, and manage the system using {{ insert: param, SA-3(a) }} that incorporates information security and privacy considerations;</li></ul>"
                    },
                    {
                        "uuid": "c523141f-9e24-4a25-b155-a630d087e1d0",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sa-3_smt.b",
                        "description": "<ul><li>b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;</li></ul>"
                    },
                    {
                        "uuid": "e28da33b-3637-43bd-8090-d1c3c8cf8150",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sa-3_smt.c",
                        "description": "<ul><li>c. Identify individuals having information security and privacy roles and responsibilities; and</li></ul>"
                    },
                    {
                        "uuid": "ca5e3206-66bb-4d76-a3ee-1d43b73b2ab9",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "sa-3_smt.d",
                        "description": "<ul><li>d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "19f3dde4-b375-4995-9e8b-e45f708a385b",
                        "testId": "SA-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9a3849d8-cf6b-44df-a253-d779ff7c4129",
                        "testId": "SA-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9797c481-6228-4424-9fb2-37f08f2a4093",
                        "testId": "SA-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "891daafa-20ba-40e3-afb3-ad53d77e55c0",
                        "testId": "SA-03a.[01]",
                        "test": "Determine if the system is acquired, developed, and managed using  [SELECTED PARAMETER VALUE(S): system-development life cycle ]  that incorporates information security considerations;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "29faf30c-9ee9-44c2-b597-0450c7799acc",
                        "testId": "SA-03a.[02]",
                        "test": "Determine if the system is acquired, developed, and managed using  [SELECTED PARAMETER VALUE(S): system-development life cycle ]  that incorporates privacy considerations;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fed3f113-ff69-460b-9c41-b7f4c3bd3afb",
                        "testId": "SA-03b.[01]",
                        "test": "Determine if information security roles and responsibilities are defined and documented throughout the system development life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2be92d41-2cdc-4289-b2b7-77fd075a715d",
                        "testId": "SA-03b.[02]",
                        "test": "Determine if privacy roles and responsibilities are defined and documented throughout the system development life cycle;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e8a8c406-6fef-4d18-a4e1-8459a35cb8f7",
                        "testId": "SA-03c.[01]",
                        "test": "Determine if individuals with information security roles and responsibilities are identified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ef31a8db-9d16-4c44-af8d-786af8f4e90c",
                        "testId": "SA-03c.[02]",
                        "test": "Determine if individuals with privacy roles and responsibilities are identified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ed76b70a-14c7-4495-8416-f2c541ecf91c",
                        "testId": "SA-03d.[01]",
                        "test": "Determine if organizational information security risk management processes are integrated into system development life cycle activities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f3bc0009-ceaf-4974-9feb-ef78c209aef0",
                        "testId": "SA-03d.[02]",
                        "test": "Determine if organizational privacy risk management processes are integrated into system development life cycle activities.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the system development life cycle process.</li><li>System development life cycle documentation.</li><li>Organizational risk management strategy.</li><li>Information security and privacy risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Enterprise architecture documentation.</li><li>Role-based security and privacy training program documentation.</li><li>Data mapping documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system life cycle development responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle.</li><li>Organizational processes for identifying system development life cycle roles and responsibilities.</li><li>Organizational processes for integrating information security and privacy and supply chain risk management into the system development life cycle.</li><li>Mechanisms supporting and/or implementing the system development life cycle.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "aff6e481-3b77-40fc-83ea-7ee6db9a8ad2",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-03 - System Development Life Cycle",
                "description": "<ul><li>a. Acquire, develop, and manage the system using  {{ insert: param, SA-3(a) }}  that incorporates information security and privacy considerations;</li><li>b. Define and document information security and privacy roles and responsibilities throughout the system development life cycle;</li><li>c. Identify individuals having information security and privacy roles and responsibilities; and</li><li>d. Integrate the organizational information security and privacy risk management process into system development life cycle activities.</li></ul><br/><strong>Discussion</strong><br/><p>A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in  <a href=\"#sa-8\">SA-8</a>  help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.</p><p>The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.</p>",
                "controlId": "SA-3",
                "family": "System and Services Acquisition",
                "enhancements": "<strong>Enhancements</strong><ul><li>SA-3(1) - Manage Preproduction Environment</li><li>SA-3(2) - Use of Live or Operational Data</li><li>SA-3(3) - Technology Refresh</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "439ef027-d29d-402a-8dfc-09b8a9db94e7",
                        "parameterId": "SA-4",
                        "text": "[Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-04_odp.01"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "cc2c08b2-649f-4704-a0a6-4cea0973250c",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.a",
                        "description": "<ul><li>a. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Security and privacy functional requirements;</li></ul>"
                    },
                    {
                        "uuid": "8e91d804-a193-4153-b98b-72b1adb34c5c",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.b",
                        "description": "<ul><li>b. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Strength of mechanism requirements;</li></ul>"
                    },
                    {
                        "uuid": "fa6b5a3e-0c76-4142-a22b-0988baa6cb6b",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.c",
                        "description": "<ul><li>c. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Security and privacy assurance requirements;</li></ul>"
                    },
                    {
                        "uuid": "e0b3e1b9-5652-4edd-a547-344beb2789bd",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.d",
                        "description": "<ul><li>d. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Controls needed to satisfy the security and privacy requirements.</li></ul>"
                    },
                    {
                        "uuid": "f1e70774-132e-4672-a5e4-bb0c6ae519b9",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.e",
                        "description": "<ul><li>e. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Security and privacy documentation requirements;</li></ul>"
                    },
                    {
                        "uuid": "bca43254-cb96-40ba-a480-ae4b9850b7d1",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.f",
                        "description": "<ul><li>f. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Requirements for protecting security and privacy documentation;</li></ul>"
                    },
                    {
                        "uuid": "9cc98eab-dc60-4445-8163-1f5ca3483607",
                        "name": "g.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.g",
                        "description": "<ul><li>g. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Description of the system development environment and environment in which the system is intended to operate;</li></ul>"
                    },
                    {
                        "uuid": "05398a9c-c63e-4f6a-b50c-0f460fcd40ff",
                        "name": "h.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.h",
                        "description": "<ul><li>h. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and</li></ul>"
                    },
                    {
                        "uuid": "24259274-7952-449b-aa25-65e0d5df885b",
                        "name": "i.",
                        "objectiveType": "",
                        "otherId": "sa-4_smt.i",
                        "description": "<ul><li>i. Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service: Acceptance criteria.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "7b78522a-0bbb-4469-93a8-348dd002882c",
                        "testId": "SA-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4c6e8616-fc41-49ef-874b-1ddb29eb5339",
                        "testId": "SA-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8f0863a5-74e1-4de9-9af8-2a8a62e186d8",
                        "testId": "SA-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "447a85dc-d98f-42c8-8f8a-0542713beebc",
                        "testId": "SA-04a.[01]",
                        "test": "Determine if security functional requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b6e96a88-7eb5-4101-830a-5710248d99d5",
                        "testId": "SA-04a.[02]",
                        "test": "Determine if privacy functional requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5e346a63-29b3-4302-9133-f7e54c14a0ae",
                        "testId": "SA-04b.",
                        "test": "Determine if strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1f44f176-1496-49a9-acc0-00ea15ffa319",
                        "testId": "SA-04c.[01]",
                        "test": "Determine if security assurance requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c1aa9188-5044-48d1-bc06-e5d8bc02a49b",
                        "testId": "SA-04c.[02]",
                        "test": "Determine if privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6dc1b814-0ec8-4ebb-abd7-8fa0df4bb8e1",
                        "testId": "SA-04d.[01]",
                        "test": "Determine if controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3c68fcc1-d076-4dc1-8636-44eef8579a72",
                        "testId": "SA-04d.[02]",
                        "test": "Determine if controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5d96d601-6279-40b9-a813-068ac30d03e6",
                        "testId": "SA-04e.[01]",
                        "test": "Determine if security documentation requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0728532c-c0ce-4207-9a23-91651a17bef6",
                        "testId": "SA-04e.[02]",
                        "test": "Determine if privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5e0205fb-d2a8-419f-a637-18fc6f89eeb9",
                        "testId": "SA-04f.[01]",
                        "test": "Determine if requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "855835e4-515e-44c9-86bd-711d017c6e97",
                        "testId": "SA-04f.[02]",
                        "test": "Determine if requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "84b0b08e-fa37-437d-90ad-e7cc19f9bd33",
                        "testId": "SA-04g.",
                        "test": "Determine if the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a2af34e1-c325-4381-a0d6-bf8dffd9c5b5",
                        "testId": "SA-04h.[01]",
                        "test": "Determine if the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b08a801e-2e70-4116-bf86-f923aad3c4dd",
                        "testId": "SA-04h.[02]",
                        "test": "Determine if the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ddb68b29-19fa-4f70-b108-a4d0f12aa252",
                        "testId": "SA-04h.[03]",
                        "test": "Determine if the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6993e709-4a3f-44c7-9cb5-e253fd7b7bfe",
                        "testId": "SA-04i.",
                        "test": "Determine if acceptance criteria requirements and descriptions are included explicitly or by reference using  [SELECTED PARAMETER VALUE(S): [Selection (one or more): standardized contract language; [(NESTED PARAMETER) Assignment for sa-04_odp.02: contract language]] ]  in the acquisition contract for the system, system component, or system service.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy and supply chain risk management into the acquisition process.</li><li>Configuration management plan.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>System design documentation.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System/network administrators.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for determining system security and privacy functional, strength, and assurance requirements.</li><li>Organizational processes for developing acquisition contracts.</li><li>Mechanisms supporting and/or implementing acquisitions and the inclusion of security and privacy requirements in contracts.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "877f536b-119e-48fc-bc06-5f8394b88dc6",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-04 - Acquisition Process",
                "description": "<p>Include the following requirements, descriptions, and criteria, explicitly or by reference, using {{ insert: param, SA-4 }} in the acquisition contract for the system, system component, or system service:</p><ul><li><p>a. Security and privacy functional requirements;</p></li><li><p>b. Strength of mechanism requirements;</p></li><li><p>c. Security and privacy assurance requirements;</p></li><li><p>d. Controls needed to satisfy the security and privacy requirements.</p></li><li><p>e. Security and privacy documentation requirements;</p></li><li><p>f. Requirements for protecting security and privacy documentation;</p></li><li><p>g. Description of the system development environment and environment in which the system is intended to operate;</p></li><li><p>h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and</p></li><li><p>i. Acceptance criteria.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in <a href=\"#sa-2\">SA-2</a> . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. <a href=\"#e3cc0520-a366-4fc9-abc2-5272db7e3564\">SP 800-160-1</a> describes the process of requirements engineering as part of the system development life cycle.</p><p>Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.</p><p>Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations engage with OT suppliers to raise awareness of cybersecurity needs. The SCADA/Control Systems Procurement Project provides example cybersecurity procurement language for OT.</p>",
                "controlId": "SA-4",
                "family": "System and Services Acquisition",
                "enhancements": "<strong>Enhancements</strong><ul><li>SA-4(1) - Functional Properties of Controls</li><li>SA-4(2) - Design and Implementation Information for Controls</li><li>SA-4(3) - Development Methods, Techniques, and Practices</li><li>SA-4(5) - System, Component, and Service Configurations</li><li>SA-4(6) - Use of Information Assurance Products</li><li>SA-4(7) - NIAP-approved Protection Profiles </li><li>SA-4(8) - Continuous Monitoring Plan for Controls</li><li>SA-4(9) - Functions, Ports, Protocols, and Services in Use</li><li>SA-4(10) - Use of Approved PIV Products</li><li>SA-4(11) - System of Records</li><li>SA-4(12) - Data Ownership</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "2a464038-4058-4a50-9454-442b9ea24cc2",
                        "name": "SA-4(10)",
                        "objectiveType": "",
                        "otherId": "sa-4.10_smt",
                        "description": "Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems."
                    }
                ],
                "tests": [
                    {
                        "uuid": "9eb46058-fee7-4530-a434-492b52dcc26f",
                        "testId": "SA-04(10)",
                        "test": "Determine if only information technology products on the fips 201-approved products list for the personal identity verification (piv) capability implemented within organizational systems are employed.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>Service level agreements.</li><li>Fips 201 approved products list.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with the responsibility for determining system security requirements.</li><li>Organizational personnel with the responsibility for ensuring that only fips 201- approved products are implemented.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for selecting and employing fips 201-approved products.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a7c7faf-42ab-4af4-933e-7ce89a0e4f8d",
                        "testId": "SA-04(10)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Procedures addressing the integration of security requirements, descriptions, and criteria into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>Service level agreements.</li><li>Fips 201 approved products list.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "389215e0-a79a-4386-94b4-4abb0e1428bc",
                        "testId": "SA-04(10)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with the responsibility for determining system security requirements.</li><li>Organizational personnel with the responsibility for ensuring that only fips 201- approved products are implemented.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "209ee4ce-96ae-4201-bb82-2b158089c8d6",
                        "testId": "SA-04(10)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for selecting and employing fips 201-approved products.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "484eed52-53ef-4f43-abdf-9dd736c8a568",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-04(10) - Use of Approved PIV Products",
                "description": "<p>Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.<br><strong>Discussion</strong><br></p><p>Products on the FIPS 201-approved products list meet NIST requirements for Personal Identity Verification (PIV) of Federal Employees and Contractors. PIV cards are used for multi-factor authentication in systems and organizations.</p><p></p><p><strong>OT Discussion</strong></p><p>The use of approved PIV products is only required for organizations that follow OMB Memorandum M-19-17 (e.g., federal agencies and contractors). Example compensating controls include employing external products on the FIPS 201-approved products list for PIV capabilities in conjunction with OT products.</p>",
                "controlId": "SA-4(10)",
                "family": "System and Services Acquisition",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d6f2595c-0a88-440f-8863-8948f1e9778d",
                        "parameterId": "SA-4(12)(b)",
                        "text": "time frame",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time frame] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-04.12_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "1983f713-8d6f-4403-a60c-b01bd985860c",
                        "name": "(a)",
                        "objectiveType": "",
                        "otherId": "sa-4.12_smt.a",
                        "description": "<ul><li>(a) Include organizational data ownership requirements in the acquisition contract; and</li></ul>"
                    },
                    {
                        "uuid": "3704b99c-0c5a-415e-9c3c-ab9c82911716",
                        "name": "(b)",
                        "objectiveType": "",
                        "otherId": "sa-4.12_smt.b",
                        "description": "<ul><li>(b) Require all data to be removed from the contractor\u2019s system and returned to the organization within {{ insert: param, SA-4(12)(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "b96ba940-5681-4f90-9709-7c1bc7b73ea4",
                        "testId": "SA-04(12)(a)",
                        "test": "Determine if organizational data ownership requirements are included in the acquisition contract;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements, descriptions, and criteria into the acquisition process.</li><li>Procedures addressing the disposition of personally identifiable information.</li><li>Solicitation documentation.</li><li>Acquisition documentation.</li><li>Acquisition contracts for the system or system service.</li><li>Personally identifiable information processing policy.</li><li>Service level agreements.</li><li>Information sharing agreements.</li><li>Memoranda of understanding.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with the responsibility for data management and processing requirements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Contract management processes to verify that data is removed as required.</li><li>Vendor processes for removing data in required timeframe.</li><li>Mechanisms verifying the removal and return of data.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9b8c124b-8c20-4227-a6b8-ccf70627856d",
                        "testId": "SA-04(12)(b)",
                        "test": "Determine if all data to be removed from the contractor\u00e2\u20ac\u2122s system and returned to the organization is required within  [SELECTED PARAMETER VALUE(S): time frame ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements, descriptions, and criteria into the acquisition process.</li><li>Procedures addressing the disposition of personally identifiable information.</li><li>Solicitation documentation.</li><li>Acquisition documentation.</li><li>Acquisition contracts for the system or system service.</li><li>Personally identifiable information processing policy.</li><li>Service level agreements.</li><li>Information sharing agreements.</li><li>Memoranda of understanding.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with the responsibility for data management and processing requirements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul><br><h5>Test</h5><ul><li>Contract management processes to verify that data is removed as required.</li><li>Vendor processes for removing data in required timeframe.</li><li>Mechanisms verifying the removal and return of data.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "21ad690f-891a-4329-99d8-b5cbb1468adf",
                        "testId": "SA-04(12)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements, descriptions, and criteria into the acquisition process.</li><li>Procedures addressing the disposition of personally identifiable information.</li><li>Solicitation documentation.</li><li>Acquisition documentation.</li><li>Acquisition contracts for the system or system service.</li><li>Personally identifiable information processing policy.</li><li>Service level agreements.</li><li>Information sharing agreements.</li><li>Memoranda of understanding.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3b316626-f4d3-4f2d-ade8-c788311230d4",
                        "testId": "SA-04(12)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with the responsibility for data management and processing requirements.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "173d87e5-0070-4616-a11b-78d60a709791",
                        "testId": "SA-04(12)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Contract management processes to verify that data is removed as required.</li><li>Vendor processes for removing data in required timeframe.</li><li>Mechanisms verifying the removal and return of data.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "a805e509-ca5d-47f5-ad2a-02896b8eff82",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-04(12) - Data Ownership",
                "description": "<ul><li>(a) Include organizational data ownership requirements in the acquisition contract; and</li><li>(b) Require all data to be removed from the contractor\u00e2\u20ac\u2122s system and returned to the organization within  {{ insert: param, SA-4(12)(b) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Contractors who operate a system that contains data owned by an organization initiating the contract have policies and procedures in place to remove the data from their systems and/or return the data in a time frame defined by the contract.</p>",
                "controlId": "SA-4(12)",
                "family": "System and Services Acquisition",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "3d702e7c-d823-4e29-88e6-ebd7c8a5b248",
                        "parameterId": "SA-5(c)",
                        "text": "actions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined actions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-05_odp.01"
                    },
                    {
                        "uuid": "d2e53d6a-e154-4b93-9f31-e3724c6e697a",
                        "parameterId": "SA-5(d)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-05_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b368ad43-c47d-4009-8083-fdba547850f3",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sa-5_smt.a",
                        "description": "<ul><li>a. Obtain or develop administrator documentation for the system, system component, or system service that describes:</li><ul><li>1. Secure configuration, installation, and operation of the system, component, or service;</li><li>2. Effective use and maintenance of security and privacy functions and mechanisms; and</li><li>3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;</li></ul>"
                    },
                    {
                        "uuid": "1678b66f-c2dd-41fb-851b-d5faf9c4a34d",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sa-5_smt.b",
                        "description": "<ul><li>b. Obtain or develop user documentation for the system, system component, or system service that describes:</li><ul><li>1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;</li><li>2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and</li><li>3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;</li></ul>"
                    },
                    {
                        "uuid": "e64e4170-f215-480c-9dc6-9589f9565bc6",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sa-5_smt.c",
                        "description": "<ul><li>c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take {{ insert: param, SA-5(c) }} in response; and</li></ul>"
                    },
                    {
                        "uuid": "b18de346-91d2-4858-8bd7-c47200582456",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "sa-5_smt.d",
                        "description": "<ul><li>d. Distribute documentation to {{ insert: param, SA-5(d) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "c6f6e0b3-1e45-4ae0-81d6-4c90a83b43d6",
                        "testId": "SA-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7bf8d1c5-4afe-4aad-b3dd-fe81e1c0faaa",
                        "testId": "SA-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "788a289e-c6a3-4a9b-b4a1-b6bcf3fe0ab0",
                        "testId": "SA-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "50224c4c-8785-4d14-9862-8593d2fa091b",
                        "testId": "SA-05a.01[01]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes the secure configuration of the system, component, or service is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0913aab5-bfa2-4ba4-9054-62e4f5e3160c",
                        "testId": "SA-05a.01[02]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes the secure installation of the system, component, or service is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1eb14277-78d3-42e0-89a3-c67fe33988b9",
                        "testId": "SA-05a.01[03]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes the secure operation of the system, component, or service is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a60d093f-a26b-430a-a6d1-47cf92989294",
                        "testId": "SA-05a.02[01]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes the effective use of security functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5f853a2f-462f-49a3-a14f-8539293bef1d",
                        "testId": "SA-05a.02[02]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes the effective maintenance of security functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d6cbf4c4-1a33-4a2c-a8a4-983235ad2365",
                        "testId": "SA-05a.02[03]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes the effective use of privacy functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ee1dd0b1-8706-4c01-a36e-60bb048d5779",
                        "testId": "SA-05a.02[04]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes the effective maintenance of privacy functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3c58caf2-e926-4807-b60e-f218a43ab128",
                        "testId": "SA-05a.03[01]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the configuration of administrative or privileged functions is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e9332229-e0b1-4653-a040-8367184090e1",
                        "testId": "SA-05a.03[02]",
                        "test": "Determine if administrator documentation for the system, system component, or system service that describes known vulnerabilities regarding the use of administrative or privileged functions is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c54600dc-f171-4686-97b7-bda8290226bf",
                        "testId": "SA-05b.01[01]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes user-accessible security functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d396f95b-8e7f-4039-8793-189510344644",
                        "testId": "SA-05b.01[02]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible security) functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fa0cdc58-8064-480a-8bd0-131a5d690628",
                        "testId": "SA-05b.01[03]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes user-accessible privacy functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e25e7cdf-36e8-4096-8d41-078024fe1d55",
                        "testId": "SA-05b.01[04]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes how to effectively use those (user-accessible privacy) functions and mechanisms is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "24f4e92a-e545-408c-8125-991fa225a6aa",
                        "testId": "SA-05b.02[01]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service in a more secure manner is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "021e257a-b68f-400a-870b-b29567cf6076",
                        "testId": "SA-05b.02[02]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes methods for user interaction, which enable individuals to use the system, component, or service to protect individual privacy is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0f09874a-90bb-444e-842f-1f7c98ac16f3",
                        "testId": "SA-05b.03[01]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes user responsibilities for maintaining the security of the system, component, or service is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "07caceef-0dcc-4519-b34b-0da7239b4b92",
                        "testId": "SA-05b.03[02]",
                        "test": "Determine if user documentation for the system, system component, or system service that describes user responsibilities for maintaining the privacy of individuals is obtained or developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a948f6e0-7a21-4233-8cc7-541b1a803d6e",
                        "testId": "SA-05c.[01]",
                        "test": "Determine if attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent is documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f10bc3c8-b9ef-4d1d-a094-d322dd613ac4",
                        "testId": "SA-05c.[02]",
                        "test": "Determine if after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent,  [SELECTED PARAMETER VALUE(S): actions ]  are taken in response;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a5f0a7af-f931-4c0a-a4a4-46f5ad77ab30",
                        "testId": "SA-05d.",
                        "test": "Determine if documentation is distributed to  [SELECTED PARAMETER VALUE(S): personnel or roles ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing system documentation.</li><li>System documentation, including administrator and user guides.</li><li>System design documentation.</li><li>Records documenting attempts to obtain unavailable or nonexistent system documentation.</li><li>List of actions to be taken in response to documented attempts to obtain system, system component, or system service documentation.</li><li>Risk management strategy documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>System administrators.</li><li>Organizational personnel responsible for operating, using, and/or maintaining the system.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for obtaining, protecting, and distributing system administrator and user documentation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d5a21c71-6f7d-49bb-9879-19364c76ffd6",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-05 - System Documentation",
                "description": "<ul><li>a. Obtain or develop administrator documentation for the system, system component, or system service that describes:</li><ul><li>1. Secure configuration, installation, and operation of the system, component, or service;</li><li>2. Effective use and maintenance of security and privacy functions and mechanisms; and</li><li>3. Known vulnerabilities regarding configuration and use of administrative or privileged functions;</li></ul><li>b. Obtain or develop user documentation for the system, system component, or system service that describes:</li><ul><li>1. User-accessible security and privacy functions and mechanisms and how to effectively use those functions and mechanisms;</li><li>2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner and protect individual privacy; and</li><li>3. User responsibilities in maintaining the security of the system, component, or service and privacy of individuals;</li></ul><li>c. Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take  {{ insert: param, SA-5(c) }}  in response; and</li><li>d. Distribute documentation to  {{ insert: param, SA-5(d) }}.</li></ul><br/><strong>Discussion</strong><br/><p>System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.</p>",
                "controlId": "SA-5",
                "family": "System and Services Acquisition",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "906c45a3-5038-4a21-844a-a554ec6239b0",
                        "parameterId": "SA-8",
                        "text": "organization-defined systems security and privacy engineering principles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined systems security and privacy engineering principles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-8_prm_1"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "18f0b2b8-e9e3-41b8-84ff-d0578841d5cc",
                        "name": "SA-8",
                        "objectiveType": "",
                        "otherId": "sa-8_smt",
                        "description": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: {{ insert: param, SA-8 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "c0511e86-eb32-4751-b315-34761abd0d95",
                        "testId": "SA-08[01]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): systems security engineering principles ]  are applied in the specification of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2aa19fd2-3780-496b-95d1-a336d52bf9e8",
                        "testId": "SA-08[02]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): systems security engineering principles ]  are applied in the design of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e207ca42-61bf-4eed-8c9f-419575adc953",
                        "testId": "SA-08[03]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): systems security engineering principles ]  are applied in the development of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c021e91-94e4-41e0-8f25-f3565cea9cfe",
                        "testId": "SA-08[04]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): systems security engineering principles ]  are applied in the implementation of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "57eec7c5-2cc1-4984-a770-be478559ddbc",
                        "testId": "SA-08[05]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): systems security engineering principles ]  are applied in the modification of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "46992ab8-1523-4119-a0f9-6023ad5b5bf7",
                        "testId": "SA-08[06]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): privacy engineering principles ]  are applied in the specification of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9cce90a4-8944-44d7-8604-0ae10b5293fe",
                        "testId": "SA-08[07]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): privacy engineering principles ]  are applied in the design of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "25f9b6f9-9a6f-4c6e-9303-9a641de31e4e",
                        "testId": "SA-08[08]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): privacy engineering principles ]  are applied in the development of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cf08b28f-746a-423c-8d70-fed21217006c",
                        "testId": "SA-08[09]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): privacy engineering principles ]  are applied in the implementation of the system and system components;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6a5c0403-4eef-4159-9494-f71f60081fc1",
                        "testId": "SA-08[10]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): privacy engineering principles ]  are applied in the modification of the system and system components.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a52dcea3-851d-4397-9835-00a79d33323f",
                        "testId": "SA-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Assessment and authorization procedures.</li><li>Procedures addressing security and privacy engineering principles used in the specification, design, development, implementation, and modification of the system.</li><li>System design documentation.</li><li>Security and privacy requirements and specifications for the system.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "99d4b724-c192-4802-97e6-8b6c5c032ae7",
                        "testId": "SA-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition/contracting responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with system specification, design, development, implementation, and modification responsibilities.</li><li>System developers.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0af415e0-c717-4a8d-9182-3618c2167d0d",
                        "testId": "SA-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for applying security and privacy engineering principles in system specification, design, development, implementation, and modification.</li><li>Mechanisms supporting the application of security and privacy engineering principles in system specification, design, development, implementation, and modification.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "c04121c8-f26c-4b33-9520-4dd6ec58a2e7",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-08 - Security and Privacy Engineering Principles",
                "description": "Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components:  {{ insert: param, SA-8 }}.<br/><strong>Discussion</strong><br/><p>Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see  <a href=\"#sa-3\">SA-3</a> ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.</p><p>The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.</p><p>Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.</p>",
                "controlId": "SA-8",
                "family": "System and Services Acquisition",
                "enhancements": "<strong>Enhancements</strong><ul><li>SA-8(1) - Clear Abstractions</li><li>SA-8(2) - Least Common Mechanism</li><li>SA-8(3) - Modularity and Layering</li><li>SA-8(4) - Partially Ordered Dependencies</li><li>SA-8(5) - Efficiently Mediated Access</li><li>SA-8(6) - Minimized Sharing</li><li>SA-8(7) - Reduced Complexity</li><li>SA-8(8) - Secure Evolvability</li><li>SA-8(9) - Trusted Components</li><li>SA-8(10) - Hierarchical Trust</li><li>SA-8(11) - Inverse Modification Threshold</li><li>SA-8(12) - Hierarchical Protection</li><li>SA-8(13) - Minimized Security Elements</li><li>SA-8(14) - Least Privilege</li><li>SA-8(15) - Predicate Permission</li><li>SA-8(16) - Self-reliant Trustworthiness</li><li>SA-8(17) - Secure Distributed Composition</li><li>SA-8(18) - Trusted Communications Channels</li><li>SA-8(19) - Continuous Protection</li><li>SA-8(20) - Secure Metadata Management</li><li>SA-8(21) - Self-analysis</li><li>SA-8(22) - Accountability and Traceability</li><li>SA-8(23) - Secure Defaults</li><li>SA-8(24) - Secure Failure and Recovery</li><li>SA-8(25) - Economic Security</li><li>SA-8(26) - Performance Security</li><li>SA-8(27) - Human Factored Security</li><li>SA-8(28) - Acceptable Security</li><li>SA-8(29) - Repeatable and Documented Procedures</li><li>SA-8(30) - Procedural Rigor</li><li>SA-8(31) - Secure System Modification</li><li>SA-8(32) - Sufficient Documentation</li><li>SA-8(33) - Minimization</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "77f767f5-30f7-4237-814c-4e7cc07c83b2",
                        "parameterId": "SA-9(a)",
                        "text": "controls",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined controls] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-09_odp.01"
                    },
                    {
                        "uuid": "abe9f37f-7636-4987-b0fc-db2c5aa2b57f",
                        "parameterId": "SA-9(c)",
                        "text": "processes, methods, and techniques",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined processes, methods, and techniques] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-09_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "70d54165-d437-4cb3-9676-c04cdb3daea9",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sa-9_smt.a",
                        "description": "<ul><li>a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: {{ insert: param, SA-9(a) }};</li></ul>"
                    },
                    {
                        "uuid": "d784003b-04fb-44e7-9358-71e80d11c3c2",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sa-9_smt.b",
                        "description": "<ul><li>b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and</li></ul>"
                    },
                    {
                        "uuid": "076284ed-dd72-493b-a96b-fd9831d3f7ed",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sa-9_smt.c",
                        "description": "<ul><li>c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: {{ insert: param, SA-9(c) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "3152a0ee-e24e-47c9-b41d-5f24426d6520",
                        "testId": "SA-09a.[01]",
                        "test": "Determine if providers of external system services comply with organizational security requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing methods and techniques for monitoring control compliance by external service providers of system services.</li><li>Acquisition documentation.</li><li>Contracts.</li><li>Service level agreements.</li><li>Interagency agreements.</li><li>Licensing agreements.</li><li>List of organizational security and privacy requirements for external provider services.</li><li>Control assessment results or reports from external providers of system services.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>External providers of system services.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li><li>Mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a04eba73-af36-4d2f-a57c-66783e44064e",
                        "testId": "SA-09a.[02]",
                        "test": "Determine if providers of external system services comply with organizational privacy requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing methods and techniques for monitoring control compliance by external service providers of system services.</li><li>Acquisition documentation.</li><li>Contracts.</li><li>Service level agreements.</li><li>Interagency agreements.</li><li>Licensing agreements.</li><li>List of organizational security and privacy requirements for external provider services.</li><li>Control assessment results or reports from external providers of system services.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>External providers of system services.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li><li>Mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "483ed0c3-84cf-40ba-8f82-4e8935d70bc4",
                        "testId": "SA-09a.[03]",
                        "test": "Determine if providers of external system services employ  [SELECTED PARAMETER VALUE(S): controls ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing methods and techniques for monitoring control compliance by external service providers of system services.</li><li>Acquisition documentation.</li><li>Contracts.</li><li>Service level agreements.</li><li>Interagency agreements.</li><li>Licensing agreements.</li><li>List of organizational security and privacy requirements for external provider services.</li><li>Control assessment results or reports from external providers of system services.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>External providers of system services.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li><li>Mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d570e022-920f-4e1f-a225-735352fc0314",
                        "testId": "SA-09b.[01]",
                        "test": "Determine if organizational oversight with regard to external system services are defined and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing methods and techniques for monitoring control compliance by external service providers of system services.</li><li>Acquisition documentation.</li><li>Contracts.</li><li>Service level agreements.</li><li>Interagency agreements.</li><li>Licensing agreements.</li><li>List of organizational security and privacy requirements for external provider services.</li><li>Control assessment results or reports from external providers of system services.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>External providers of system services.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li><li>Mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "33d2b161-c8f5-4141-b5f5-4fc9a93ddc9d",
                        "testId": "SA-09b.[02]",
                        "test": "Determine if user roles and responsibilities with regard to external system services are defined and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing methods and techniques for monitoring control compliance by external service providers of system services.</li><li>Acquisition documentation.</li><li>Contracts.</li><li>Service level agreements.</li><li>Interagency agreements.</li><li>Licensing agreements.</li><li>List of organizational security and privacy requirements for external provider services.</li><li>Control assessment results or reports from external providers of system services.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>External providers of system services.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li><li>Mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "67fce4fe-bb6d-43a3-b834-ec354a133480",
                        "testId": "SA-09c.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): processes, methods, and techniques ]  are employed to monitor control compliance by external service providers on an ongoing basis.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing methods and techniques for monitoring control compliance by external service providers of system services.</li><li>Acquisition documentation.</li><li>Contracts.</li><li>Service level agreements.</li><li>Interagency agreements.</li><li>Licensing agreements.</li><li>List of organizational security and privacy requirements for external provider services.</li><li>Control assessment results or reports from external providers of system services.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>External providers of system services.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li><li>Mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5754fd6b-593c-4ead-81eb-9dd2677ccc6c",
                        "testId": "SA-09-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing methods and techniques for monitoring control compliance by external service providers of system services.</li><li>Acquisition documentation.</li><li>Contracts.</li><li>Service level agreements.</li><li>Interagency agreements.</li><li>Licensing agreements.</li><li>List of organizational security and privacy requirements for external provider services.</li><li>Control assessment results or reports from external providers of system services.</li><li>System security plan.</li><li>Privacy plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "302034f8-326e-45cf-8bb1-649a391e6bc1",
                        "testId": "SA-09-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>External providers of system services.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "aef3b2b8-0ab7-4c9c-853d-560be4a5500a",
                        "testId": "SA-09-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li><li>Mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "1584448c-8d0f-4300-9e64-14109f728013",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-09 - External System Services",
                "description": "<ul><li>a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls:  {{ insert: param, SA-9(a) }};</li><li>b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and</li><li>c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis:  {{ insert: param, SA-9(c) }}.</li></ul><br/><strong>Discussion</strong><br/><p>External system services are provided by an external provider, and the organization has no direct control over the implementation of the required controls or the assessment of control effectiveness. Organizations establish relationships with external service providers in a variety of ways, including through business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, joint ventures, and supply chain exchanges. The responsibility for managing risks from the use of external system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a certain level of confidence that each provider in the consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust vary based on relationships between organizations and the external providers. Organizations document the basis for the trust relationships so that the relationships can be monitored. External system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define the expectations of performance for implemented controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance.</p>",
                "controlId": "SA-9",
                "family": "System and Services Acquisition",
                "enhancements": "<strong>Enhancements</strong><ul><li>SA-9(1) - Risk Assessments and Organizational Approvals</li><li>SA-9(2) - Identification of Functions, Ports, Protocols, and Services</li><li>SA-9(3) - Establish and Maintain Trust Relationship with Providers</li><li>SA-9(4) - Consistent Interests of Consumers and Providers</li><li>SA-9(5) - Processing, Storage, and Service Location</li><li>SA-9(6) - Organization-controlled Cryptographic Keys</li><li>SA-9(7) - Organization-controlled Integrity Checking</li><li>SA-9(8) - Processing and Storage Location \u00e2\u20ac\u201d U.S. Jurisdiction</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "f3e1083b-c0a1-4529-b7c0-fc381c22937a",
                        "parameterId": "SA-22(b)",
                        "text": "[Selection (one or more): in-house support; [(NESTED PARAMETER) Assignment for sa-22_odp.02: support from external providers]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): in-house support; [(NESTED PARAMETER) Assignment for sa-22_odp.02: support from external providers]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sa-22_odp.01"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "2c234ebb-486d-408b-8817-7d00147f7dd9",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sa-22_smt.a",
                        "description": "<ul><li>a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or</li></ul>"
                    },
                    {
                        "uuid": "27a466ae-6181-4bd1-bb66-f455b4ff038c",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sa-22_smt.b",
                        "description": "<ul><li>b. Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, SA-22(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "1cf67117-6a40-4fe7-9a2f-67e41622ed47",
                        "testId": "SA-22-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and services acquisition policy.</li><li>Procedures addressing the replacement or continued use of unsupported system components.</li><li>Documented evidence of replacing unsupported system components.</li><li>Documented approvals (including justification) for the continued use of unsupported system components.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4cfcd341-7b31-49ce-ba85-9d9a0f82e25c",
                        "testId": "SA-22-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system and service acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with the responsibility for the system development life cycle.</li><li>Organizational personnel responsible for component replacement.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5d98c147-fe81-4b5e-bc27-e134b0145733",
                        "testId": "SA-22-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for replacing unsupported system components.</li><li>Mechanisms supporting and/or implementing the replacement of unsupported system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bee1e4de-11fe-4f82-abf6-ecf4adb59d10",
                        "testId": "SA-22a.",
                        "test": "Determine if system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>Procedures addressing the replacement or continued use of unsupported system components.</li><li>Documented evidence of replacing unsupported system components.</li><li>Documented approvals (including justification) for the continued use of unsupported system components.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and service acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with the responsibility for the system development life cycle.</li><li>Organizational personnel responsible for component replacement.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for replacing unsupported system components.</li><li>Mechanisms supporting and/or implementing the replacement of unsupported system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "120521cc-4003-4c5a-b1a9-a983a9f720b3",
                        "testId": "SA-22b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): [Selection (one or more): in-house support; [(NESTED PARAMETER) Assignment for sa-22_odp.02: support from external providers]] ]  provide options for alternative sources for continued support for unsupported components.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and services acquisition policy.</li><li>Procedures addressing the replacement or continued use of unsupported system components.</li><li>Documented evidence of replacing unsupported system components.</li><li>Documented approvals (including justification) for the continued use of unsupported system components.</li><li>System security plan.</li><li>Supply chain risk management plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and service acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with the responsibility for the system development life cycle.</li><li>Organizational personnel responsible for component replacement.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for replacing unsupported system components.</li><li>Mechanisms supporting and/or implementing the replacement of unsupported system components.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ea953155-28b4-4459-9411-e3996ed3aee9",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SA-22 - Unsupported System Components",
                "description": "<ul><li><p>a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or</p></li><li><p>b. Provide the following options for alternative sources for continued support for unsupported components {{ insert: param, SA-22(b) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Support for system components includes software patches, firmware updates, replacement parts, and maintenance contracts. An example of unsupported components includes when vendors no longer provide critical software patches or product updates, which can result in an opportunity for adversaries to exploit weaknesses in the installed components. Exceptions to replacing unsupported system components include systems that provide critical mission or business capabilities where newer technologies are not available or where the systems are so isolated that installing replacement components is not an option.</p><p>Alternative sources for support address the need to provide continued support for system components that are no longer supported by the original manufacturers, developers, or vendors when such components remain essential to organizational mission and business functions. If necessary, organizations can establish in-house support by developing customized patches for critical software components or, alternatively, obtain the services of external providers who provide ongoing support for the designated unsupported components through contractual relationships. Such contractual relationships can include open-source software value-added vendors. The increased risk of using unsupported system components can be mitigated, for example, by prohibiting the connection of such components to public or uncontrolled networks, or implementing other forms of isolation.</p><p></p><p><strong>OT Discussion</strong></p><p>OT systems may contain system components that are no longer supported by the developer, vendor, or manufacturer and have not been replaced due to various operational, safety, availability, or lifetime constraints. Organizations identify alternative methods to continue supported operation of such system components and consider additional compensating controls to mitigate against known threats and vulnerabilities to unsupported system components.</p>",
                "controlId": "SA-22",
                "family": "System and Services Acquisition",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "60379fd0-3573-4542-a719-b5c2a86cf2b8",
                        "parameterId": "SC-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-1_prm_1"
                    },
                    {
                        "uuid": "7cdc0168-6ace-4812-a3d1-b6d94e8a8527",
                        "parameterId": "SC-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business-process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business-process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-01_odp.03"
                    },
                    {
                        "uuid": "fecc58f8-51e2-49fe-a156-29868cdf5906",
                        "parameterId": "SC-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-01_odp.04"
                    },
                    {
                        "uuid": "d5816eea-bd2c-4cdb-9267-35e9f2c2258b",
                        "parameterId": "SC-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-01_odp.05"
                    },
                    {
                        "uuid": "c1d9f9cb-56a0-44e4-88ec-213cf1d64014",
                        "parameterId": "SC-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-01_odp.06"
                    },
                    {
                        "uuid": "8b65ed3b-726f-4555-8e90-96b17c03b31c",
                        "parameterId": "SC-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-01_odp.07"
                    },
                    {
                        "uuid": "86d40550-e0ee-4674-99ec-c2f2f736d874",
                        "parameterId": "SC-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "21c8b2c5-f2ed-4497-92df-b71f2d0f1923",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sc-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, SC-1(a) }}:</li><ul><li>1. {{ insert: param, SC-1(a)(1) }} system and communications protection policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;</li></ul>"
                    },
                    {
                        "uuid": "196ce011-0ca7-4ac7-9a70-7755fa01ec25",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sc-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, SC-1(b) }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "e90d8180-0082-4247-a73c-53c0e4ce8687",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sc-1_smt.c",
                        "description": "<ul><li>c. Review and update the current system and communications protection:</li><ul><li>1. Policy {{ insert: param, SC-1(c)(1)-1 }} and following {{ insert: param, SC-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, SC-1(c)(2)-1 }} and following {{ insert: param, SC-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "3a7e76e7-dffa-4590-9b6a-b161050d65d2",
                        "testId": "SC-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f4f082ae-09a0-45fd-b34a-7e0f880c7f28",
                        "testId": "SC-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "76dff272-e9e8-4666-b8e8-5e9fea6092d7",
                        "testId": "SC-01a.[01]",
                        "test": "Determine if a system and communications protection policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fc2752e8-4525-47c2-bb99-1efb1cef1c23",
                        "testId": "SC-01a.[02]",
                        "test": "Determine if the system and communications protection policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2bd04951-3b72-40da-b9c1-a9e3f8600207",
                        "testId": "SC-01a.[03]",
                        "test": "Determine if system and communications protection procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f8dbec15-29f2-4a38-9c6c-e9874ced2c7d",
                        "testId": "SC-01a.[04]",
                        "test": "Determine if the system and communications protection procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "04dfaea3-6dbb-4659-95b6-8dd89c454f4f",
                        "testId": "SC-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "06c253e2-50a1-46d8-b61a-32e0c751df8a",
                        "testId": "SC-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3629b24b-0db3-4a95-b48b-9d2c91b78188",
                        "testId": "SC-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "40036214-cbfc-481e-8a07-5e820d85a0da",
                        "testId": "SC-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "efb977e5-f98d-4362-bdea-0eb9725b060c",
                        "testId": "SC-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e76dc136-8bb9-4c13-ae86-3bf71984007c",
                        "testId": "SC-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f961e5ef-095f-4ae2-9d6d-727d9505d123",
                        "testId": "SC-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "675b5eaf-3bde-4338-b7ac-d72c1296e683",
                        "testId": "SC-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business-process-level; system-level] ]  system and communications protection policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "acda1e3d-9516-4808-8b0c-ab5d651163b9",
                        "testId": "SC-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5073bdc2-85ac-483d-a0a4-d37f25840477",
                        "testId": "SC-01c.01[01]",
                        "test": "Determine if the current system and communications protection policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9b75396c-ed84-4c0c-857e-c44b7ddbfe80",
                        "testId": "SC-01c.01[02]",
                        "test": "Determine if the current system and communications protection policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "60cbf5d1-c6e7-457c-b4e6-c2a3a8e1f439",
                        "testId": "SC-01c.02[01]",
                        "test": "Determine if the current system and communications protection procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b98c098d-cd27-4beb-8e41-00bc60320369",
                        "testId": "SC-01c.02[02]",
                        "test": "Determine if the current system and communications protection procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>System and communications protection procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Risk management strategy documentation.</li><li>Audit findings.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and communications protection responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ea1e5e29-0e12-46ec-a456-609996f31466",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, SC-1(a) }}:</p><ul><li><p>1. {{ insert: param, SC-1(a)(1) }} system and communications protection policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, SC-1(b) }} to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and</p></li><li><p>c. Review and update the current system and communications protection:</p><ul><li><p>1. Policy {{ insert: param, SC-1(c)(1)-1 }} and following {{ insert: param, SC-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, SC-1(c)(2)-1 }} and following {{ insert: param, SC-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "SC-1",
                "family": "System and Communications Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "2ae6573f-0139-4d85-9ad6-2514d3f2a20e",
                        "parameterId": "SC-5(a)-2",
                        "text": "types of denial-of-service events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined types of denial-of-service events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-05_odp.01"
                    },
                    {
                        "uuid": "06b10879-5b17-4067-82ad-d586aae93efe",
                        "parameterId": "SC-5(a)-1",
                        "text": "[Selection: protect against; limit]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection: protect against; limit]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-05_odp.02"
                    },
                    {
                        "uuid": "4f0ad693-035a-4953-9d66-355469a01faf",
                        "parameterId": "SC-5(b)",
                        "text": "controls by type of denial-of-service event",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined controls by type of denial-of-service event] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-05_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "175005c0-d077-437e-ac01-14ed63651f31",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sc-5_smt.a",
                        "description": "<ul><li>a. {{ insert: param, SC-5(a)-1 }} the effects of the following types of denial-of-service events: {{ insert: param, SC-5(a)-2 }} ; and</li></ul>"
                    },
                    {
                        "uuid": "0b6601d1-1c10-4598-b384-47c486960d4d",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sc-5_smt.b",
                        "description": "<ul><li>b. Employ the following controls to achieve the denial-of-service objective: {{ insert: param, SC-5(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "2246b18d-a4c4-455e-a321-a017f9df678e",
                        "testId": "SC-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing denial-of-service protection.</li><li>System design documentation.</li><li>List of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks.</li><li>List of security safeguards protecting against or limiting the effects of denial-of-service attacks.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5766bf79-0b4a-401b-b704-95e621c41d27",
                        "testId": "SC-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>System developer.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "eb021262-1a88-44b5-aca6-88849f69cc88",
                        "testId": "SC-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms protecting against or limiting the effects of denial-of-service attacks.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3b6626a5-1c03-4044-9fd8-93794bfbde31",
                        "testId": "SC-05a.",
                        "test": "Determine if the effects of  [SELECTED PARAMETER VALUE(S): types of denial-of-service events ]  are  [SELECTED PARAMETER VALUE(S): [Selection: protect against; limit] ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing denial-of-service protection.</li><li>System design documentation.</li><li>List of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks.</li><li>List of security safeguards protecting against or limiting the effects of denial-of-service attacks.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>System developer.</li></ul><br><h5>Test</h5><ul><li>Mechanisms protecting against or limiting the effects of denial-of-service attacks.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "170a1c8a-7a4e-41c9-aab6-1e92d6a7be63",
                        "testId": "SC-05b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): controls by type of denial-of-service event ]  are employed to achieve the denial-of-service protection objective.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing denial-of-service protection.</li><li>System design documentation.</li><li>List of denial-of-service attacks requiring employment of security safeguards to protect against or limit effects of such attacks.</li><li>List of security safeguards protecting against or limiting the effects of denial-of-service attacks.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with incident response responsibilities.</li><li>System developer.</li></ul><br><h5>Test</h5><ul><li>Mechanisms protecting against or limiting the effects of denial-of-service attacks.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3c3d0a34-3ddd-4ab5-8d4f-7b50dc108017",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-05 - Denial-of-service Protection",
                "description": "<ul><li><p>a. {{ insert: param, SC-5(a)-1 }} the effects of the following types of denial-of-service events: {{ insert: param, SC-5(a)-2 }} ; and</p></li><li><p>b. Employ the following controls to achieve the denial-of-service objective: {{ insert: param, SC-5(b) }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.</p><p></p><p><strong>OT Discussion</strong></p><p>Some OT equipment may be more susceptible to DoS attacks due to the time criticality of some OT applications. Risk-based analysis informs the prioritization of DoS protection and the establishment of policy and procedure.</p>",
                "controlId": "SC-5",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>SC-5(1) - Restrict Ability to Attack Other Systems</li><li>SC-5(2) - Capacity, Bandwidth, and Redundancy</li><li>SC-5(3) - Detection and Monitoring</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "66a8e2c5-e8ea-41cd-9f28-29bfc784d6cf",
                        "parameterId": "SC-7(b)",
                        "text": "[Selection: physically; logically]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection: physically; logically]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-07_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "807c7133-9794-4b85-a0ee-2d21b9b9e495",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sc-7_smt.a",
                        "description": "<ul><li>a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;</li></ul>"
                    },
                    {
                        "uuid": "2be3d00b-a2f4-4820-ae1e-65f6c85d4d79",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sc-7_smt.b",
                        "description": "<ul><li>b. Implement subnetworks for publicly accessible system components that are {{ insert: param, SC-7(b) }} separated from internal organizational networks; and</li></ul>"
                    },
                    {
                        "uuid": "78394549-c434-4303-8637-56589b4aa21f",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sc-7_smt.c",
                        "description": "<ul><li>c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "0d16841e-fc88-4b3d-9908-8b017a9d175d",
                        "testId": "SC-07a.[01]",
                        "test": "Determine if communications at external managed interfaces to the system are monitored;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>List of key internal boundaries of the system.</li><li>System design documentation.</li><li>Boundary protection hardware and software.</li><li>System configuration settings and associated documentation.</li><li>Enterprise security architecture documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing boundary protection capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a938040-fb16-43af-b8a3-b8d9bc3093a6",
                        "testId": "SC-07a.[02]",
                        "test": "Determine if communications at external managed interfaces to the system are controlled;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>List of key internal boundaries of the system.</li><li>System design documentation.</li><li>Boundary protection hardware and software.</li><li>System configuration settings and associated documentation.</li><li>Enterprise security architecture documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing boundary protection capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "953b81a6-a8de-4b72-a4d1-e82a0090de95",
                        "testId": "SC-07a.[03]",
                        "test": "Determine if communications at key internal managed interfaces within the system are monitored;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>List of key internal boundaries of the system.</li><li>System design documentation.</li><li>Boundary protection hardware and software.</li><li>System configuration settings and associated documentation.</li><li>Enterprise security architecture documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing boundary protection capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f3cf2fa6-70b9-4c13-9ed4-d0189cd0e257",
                        "testId": "SC-07a.[04]",
                        "test": "Determine if communications at key internal managed interfaces within the system are controlled;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>List of key internal boundaries of the system.</li><li>System design documentation.</li><li>Boundary protection hardware and software.</li><li>System configuration settings and associated documentation.</li><li>Enterprise security architecture documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing boundary protection capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b30218d8-351c-4b85-b23a-4ea97e578061",
                        "testId": "SC-07b.",
                        "test": "Determine if subnetworks for publicly accessible system components are  [SELECTED PARAMETER VALUE(S): [Selection: physically; logically] ]  separated from internal organizational networks;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>List of key internal boundaries of the system.</li><li>System design documentation.</li><li>Boundary protection hardware and software.</li><li>System configuration settings and associated documentation.</li><li>Enterprise security architecture documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing boundary protection capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "63a805d4-5f44-4db0-a2b2-487063de4b96",
                        "testId": "SC-07c.",
                        "test": "Determine if external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>List of key internal boundaries of the system.</li><li>System design documentation.</li><li>Boundary protection hardware and software.</li><li>System configuration settings and associated documentation.</li><li>Enterprise security architecture documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms implementing boundary protection capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8a1561a1-1901-41d1-a074-e06fa0ea0bb4",
                        "testId": "SC-07-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>List of key internal boundaries of the system.</li><li>System design documentation.</li><li>Boundary protection hardware and software.</li><li>System configuration settings and associated documentation.</li><li>Enterprise security architecture documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c89b533a-fde3-46b1-bb7a-5ae475e75773",
                        "testId": "SC-07-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dbbe4a76-b463-432c-b68b-a09e5ceb6347",
                        "testId": "SC-07-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms implementing boundary protection capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "4e721639-a78d-4152-ae84-08dd757643c6",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-07 - Boundary Protection",
                "description": "<ul><li>a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;</li><li>b. Implement subnetworks for publicly accessible system components that are  {{ insert: param, SC-7(b) }}  separated from internal organizational networks; and</li><li>c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.</li></ul><br/><strong>Discussion</strong><br/><p>Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.  <a href=\"#f5edfe51-d1f2-422e-9b27-5d0e90b49c72\">SP 800-189</a>  provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).</p>",
                "controlId": "SC-7",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>SC-7(3) - Access Points</li><li>SC-7(4) - External Telecommunications Services</li><li>SC-7(5) - Deny by Default \u00e2\u20ac\u201d Allow by Exception</li><li>SC-7(7) - Split Tunneling for Remote Devices</li><li>SC-7(8) - Route Traffic to Authenticated Proxy Servers</li><li>SC-7(9) - Restrict Threatening Outgoing Communications Traffic</li><li>SC-7(10) - Prevent Exfiltration</li><li>SC-7(11) - Restrict Incoming Communications Traffic</li><li>SC-7(12) - Host-based Protection</li><li>SC-7(13) - Isolation of Security Tools, Mechanisms, and Support Components</li><li>SC-7(14) - Protect Against Unauthorized Physical Connections</li><li>SC-7(15) - Networked Privileged Accesses</li><li>SC-7(16) - Prevent Discovery of System Components</li><li>SC-7(17) - Automated Enforcement of Protocol Formats</li><li>SC-7(18) - Fail Secure</li><li>SC-7(19) - Block Communication from Non-organizationally Configured Hosts</li><li>SC-7(20) - Dynamic Isolation and Segregation</li><li>SC-7(21) - Isolation of System Components</li><li>SC-7(22) - Separate Subnets for Connecting to Different Security Domains</li><li>SC-7(23) - Disable Sender Feedback on Protocol Validation Failure</li><li>SC-7(24) - Personally Identifiable Information</li><li>SC-7(25) - Unclassified National Security System Connections</li><li>SC-7(26) - Classified National Security System Connections</li><li>SC-7(27) - Unclassified Non-national Security System Connections</li><li>SC-7(28) - Connections to Public Networks</li><li>SC-7(29) - Separate Subnets to Isolate Functions</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "ca002fb0-3839-4c85-b298-b4de9d2ad2cd",
                        "parameterId": "SC-7(28)",
                        "text": "system",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-07.28_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b0a28f9d-82a2-427a-a358-e717d6cfa78a",
                        "name": "SC-7(28)",
                        "objectiveType": "",
                        "otherId": "sc-7.28_smt",
                        "description": "Prohibit the direct connection of {{ insert: param, SC-7(28) }} to a public network."
                    }
                ],
                "tests": [
                    {
                        "uuid": "af4f516a-0b78-4ea4-ab0c-027b734f8605",
                        "testId": "SC-07(28)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>System design documentation.</li><li>System hardware and software.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "992bea63-ab18-4569-89eb-739f9159222e",
                        "testId": "SC-07(28)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b0c4f089-f847-46d8-a5dd-f1008d7a49e3",
                        "testId": "SC-07(28)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms prohibiting the direct connection of systems to an external network.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "feda4ec3-3be4-4caf-9e6f-dd25e748a1de",
                        "testId": "SC-07(28)",
                        "test": "Determine if the direct connection of the  [SELECTED PARAMETER VALUE(S): system ]  to a public network is prohibited.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>System design documentation.</li><li>System hardware and software.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms prohibiting the direct connection of systems to an external network.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "5dafa6bf-4d45-4b36-a215-15289c793e35",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-07(28) - Connections to Public Networks",
                "description": "<p>Prohibit the direct connection of {{ insert: param, SC-7(28) }} to a public network.<br><strong>Discussion</strong><br></p><p>A direct connection is a dedicated physical or virtual connection between two or more systems. A public network is a network accessible to the public, including the Internet and organizational extranets with public access.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations consider the need for a direct connection to a public network for each OT system, including potential benefits, additional threat vectors, and potential adverse impacts that are specifically relevant to the type of public access that connection introduces.</p>",
                "controlId": "SC-7(28)",
                "family": "System and Communications Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d88bbde1-3681-4841-8442-ae560bb94a99",
                        "parameterId": "SC-7(29)-1",
                        "text": "[Selection: physically; logically]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection: physically; logically]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-07.29_odp.01"
                    },
                    {
                        "uuid": "e400d2f3-071c-40ea-9a23-86649e2a2062",
                        "parameterId": "SC-7(29)-2",
                        "text": "critical system components and functions",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined critical system components and functions] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-07.29_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "c97353b2-7a3f-42e0-9f89-5b390b0b9493",
                        "name": "SC-7(29)",
                        "objectiveType": "",
                        "otherId": "sc-7.29_smt",
                        "description": "Implement {{ insert: param, SC-7(29)-1 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, SC-7(29)-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "2b49e199-c4b3-455d-80e4-d066a779d0c2",
                        "testId": "SC-07(29)",
                        "test": "Determine if subnetworks are separated  [SELECTED PARAMETER VALUE(S): [Selection: physically; logically] ]  to isolate  [SELECTED PARAMETER VALUE(S): critical system components and functions ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>System design documentation.</li><li>System hardware and software.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>Criticality analysis.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Mechanisms separating critical system components and functions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8577bed3-cc19-475d-bc83-4821d0bbc365",
                        "testId": "SC-07(29)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing boundary protection.</li><li>System design documentation.</li><li>System hardware and software.</li><li>System architecture.</li><li>System configuration settings and associated documentation.</li><li>Criticality analysis.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4ef05850-e57a-4de1-a753-104cd7d83bcb",
                        "testId": "SC-07(29)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with boundary protection responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "383884ed-2912-4db8-8257-921de90edd38",
                        "testId": "SC-07(29)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms separating critical system components and functions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "aed20b9e-e40f-4fb0-a621-18f56da797f2",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-07(29) - Separate Subnets to Isolate Functions",
                "description": "<p>Implement {{ insert: param, SC-7(29)-1 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, SC-7(29)-2 }}.<br><strong>Discussion</strong><br></p><p>Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.</p><p></p><p><strong>OT Discussion</strong></p><p>Subnets can be used to isolate low-risk functions from higher-risk ones and control from safety. Subnets should be considered along with other boundary protection technologies.</p>",
                "controlId": "SC-7(29)",
                "family": "System and Communications Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "1733f085-e421-427d-ac77-c42d2d00718a",
                        "parameterId": "SC-12",
                        "text": "requirements",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined requirements] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-12_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b47d57c5-3a52-4d07-8d72-fb3b3d4d6639",
                        "name": "SC-12",
                        "objectiveType": "",
                        "otherId": "sc-12_smt",
                        "description": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, SC-12 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "5d002c78-2ef6-4d96-b829-9cfbe3d3edbd",
                        "testId": "SC-12[01]",
                        "test": "Determine if cryptographic keys are established when cryptography is employed within the system in accordance with  [SELECTED PARAMETER VALUE(S): requirements ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing cryptographic key establishment and management.</li><li>System design documentation.</li><li>Cryptographic mechanisms.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for cryptographic key establishment and/or management.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing cryptographic key establishment and management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7ecc51a6-5829-4088-83f4-5317c588992f",
                        "testId": "SC-12[02]",
                        "test": "Determine if cryptographic keys are managed when cryptography is employed within the system in accordance with  [SELECTED PARAMETER VALUE(S): requirements ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing cryptographic key establishment and management.</li><li>System design documentation.</li><li>Cryptographic mechanisms.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for cryptographic key establishment and/or management.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing cryptographic key establishment and management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "249b9db4-81ce-43da-b034-d99e3a909c5b",
                        "testId": "SC-12-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing cryptographic key establishment and management.</li><li>System design documentation.</li><li>Cryptographic mechanisms.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "244f1d80-a41d-4858-9e7a-2452b480a144",
                        "testId": "SC-12-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for cryptographic key establishment and/or management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8dee8144-78b2-4c41-8f98-619a06507d3d",
                        "testId": "SC-12-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing cryptographic key establishment and management.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "e80e9fe4-6769-42c5-88dd-3ccca6c36c9c",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-12 - Cryptographic Key Establishment and Management",
                "description": "Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements:  {{ insert: param, SC-12 }}.<br/><strong>Discussion</strong><br/><p>Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems.  <a href=\"#1acdc775-aafb-4d11-9341-dc6a822e9d38\">NIST CMVP</a>  and  <a href=\"#84dc1b0c-acb7-4269-84c4-00dbabacd78c\">NIST CAVP</a>  provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.</p>",
                "controlId": "SC-12",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>SC-12(1) - Availability</li><li>SC-12(2) - Symmetric Keys</li><li>SC-12(3) - Asymmetric Keys</li><li>SC-12(6) - Physical Control of Keys</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "8bd5e7da-6ed6-47ed-a3dc-840fd760c784",
                        "parameterId": "SC-13(a)",
                        "text": "cryptographic uses",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined cryptographic uses] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-13_odp.01"
                    },
                    {
                        "uuid": "524d0a47-35fd-44c6-ae61-f4a576275129",
                        "parameterId": "SC-13(b)",
                        "text": "types of cryptography",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined types of cryptography] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-13_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "244b5f2f-e6fe-47bb-9dd6-293e5fbd3310",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sc-13_smt.a",
                        "description": "<ul><li>a. Determine the {{ insert: param, SC-13(a) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "8b2c4775-32df-4250-bfeb-e8f3d733cbbc",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sc-13_smt.b",
                        "description": "<ul><li>b. Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, SC-13(b) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "f10bbe08-1535-4668-8c84-192412539b4e",
                        "testId": "SC-13-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing cryptographic protection.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Cryptographic module validation certificates.</li><li>List of fips-validated cryptographic modules.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4f613495-5e91-4f4f-9609-abd648e93373",
                        "testId": "SC-13-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with responsibilities for cryptographic protection.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c7dd1a9a-e500-4473-b5aa-6fc93456af65",
                        "testId": "SC-13-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing cryptographic protection.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "202ef5dc-6a4b-4134-bee6-4628ef0ef9a7",
                        "testId": "SC-13a.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): cryptographic uses ]  are identified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing cryptographic protection.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Cryptographic module validation certificates.</li><li>List of fips-validated cryptographic modules.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with responsibilities for cryptographic protection.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing cryptographic protection.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c60fa8c4-d844-42cf-9ee3-cb2c6404fd7f",
                        "testId": "SC-13b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): types of cryptography ]  for each specified cryptographic use (defined in sc-13_odp[01]) are implemented.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing cryptographic protection.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Cryptographic module validation certificates.</li><li>List of fips-validated cryptographic modules.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with responsibilities for cryptographic protection.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing cryptographic protection.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "1ae613e9-a5f6-4e87-ba6d-a09ee5114064",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-13 - Cryptographic Protection",
                "description": "<ul><li>a. Determine the  {{ insert: param, SC-13(a) }} ; and</li><li>b. Implement the following types of cryptography required for each specified cryptographic use:  {{ insert: param, SC-13(b) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Cryptography can be employed to support a variety of security solutions, including the protection of classified information and controlled unclassified information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals. Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. For example, organizations that need to protect classified information may specify the use of NSA-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p>",
                "controlId": "SC-13",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "78063a73-c4f0-4d50-8822-ebaaf85c51d6",
                        "parameterId": "SC-15(a)",
                        "text": "exceptions where remote activation is to be allowed",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined exceptions where remote activation is to be allowed] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-15_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "b7c23479-53a3-45cf-9eda-a76469db3d38",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sc-15_smt.a",
                        "description": "<ul><li>a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, SC-15(a) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "b3dbc6a0-0fa7-49b5-b757-de8531d4bb69",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sc-15_smt.b",
                        "description": "<ul><li>b. Provide an explicit indication of use to users physically present at the devices.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "f00e8c49-51bc-45fa-b0e1-2847b6ed70d3",
                        "testId": "SC-15a.",
                        "test": "Determine if remote activation of collaborative computing devices and applications is prohibited except  [SELECTED PARAMETER VALUE(S): exceptions where remote activation is to be allowed ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing collaborative computing.</li><li>Access control policy and procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with responsibilities for managing collaborative computing devices.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices.</li><li>Mechanisms providing an indication of use of collaborative computing devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2d95d894-8bd9-4f68-849e-97429c1e310f",
                        "testId": "SC-15b.",
                        "test": "Determine if an explicit indication of use is provided to users physically present at the devices.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing collaborative computing.</li><li>Access control policy and procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with responsibilities for managing collaborative computing devices.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices.</li><li>Mechanisms providing an indication of use of collaborative computing devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f5bd6610-264a-4de1-b6af-f09107572d6a",
                        "testId": "SC-15-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing collaborative computing.</li><li>Access control policy and procedures.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3d18b704-8b46-4c8b-957d-8bcfb3fbd0ba",
                        "testId": "SC-15-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>System developer.</li><li>Organizational personnel with responsibilities for managing collaborative computing devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5cc5a36e-a115-462e-a2ca-5ee4e70ca67a",
                        "testId": "SC-15-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing the management of remote activation of collaborative computing devices.</li><li>Mechanisms providing an indication of use of collaborative computing devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "c47a651c-47ca-4cad-aa01-bfb01668990f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-15 - Collaborative Computing Devices and Applications",
                "description": "<ul><li>a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions:  {{ insert: param, SC-15(a) }} ; and</li><li>b. Provide an explicit indication of use to users physically present at the devices.</li></ul><br/><strong>Discussion</strong><br/><p>Collaborative computing devices and applications include remote meeting devices and applications, networked white boards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.</p>",
                "controlId": "SC-15",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>SC-15(1) - Physical or Logical Disconnect</li><li>SC-15(3) - Disabling and Removal in Secure Work Areas</li><li>SC-15(4) - Explicitly Indicate Current Participants</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "944fe517-3f06-4b66-b68c-451bc3e1d9a8",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sc-20_smt.a",
                        "description": "<ul><li>a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and</li></ul>"
                    },
                    {
                        "uuid": "af565649-e127-41e3-9e68-9a14fb831e10",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sc-20_smt.b",
                        "description": "<ul><li>b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "8462f5f6-d475-4fae-b542-c1b1a8049348",
                        "testId": "SC-20-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (authoritative source).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "15e5b9ec-d404-4e8b-832a-076e6ea385a2",
                        "testId": "SC-20-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "390559c4-e1b4-4c38-af6b-fa017f30d011",
                        "testId": "SC-20-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing secure name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f9dcefef-ef8a-499c-a78d-005b21e74678",
                        "testId": "SC-20a.[01]",
                        "test": "Determine if additional data origin authentication is provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (authoritative source).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing secure name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "788ac340-1b09-4949-9914-ddd2c1b337f5",
                        "testId": "SC-20a.[02]",
                        "test": "Determine if integrity verification artifacts are provided along with the authoritative name resolution data that the system returns in response to external name/address resolution queries;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (authoritative source).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing secure name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "64ccf880-2b65-4c68-96c6-0e53e2509e8e",
                        "testId": "SC-20b.[01]",
                        "test": "Determine if the means to indicate the security status of child zones (and if the child supports secure resolution services) is provided when operating as part of a distributed, hierarchical namespace;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (authoritative source).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing secure name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b63cd37d-9266-426c-a8e3-d77ab1220110",
                        "testId": "SC-20b.[02]",
                        "test": "Determine if the means to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace is provided.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (authoritative source).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing secure name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "1b59b77d-00bb-40fc-8bf7-fe1434352893",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-20 - Secure Name/Address Resolution Service (Authoritative Source)",
                "description": "<ul><li><p>a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and</p></li><li><p>b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include domain name system (DNS) servers. Additional artifacts include DNS Security Extensions (DNSSEC) digital signatures and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.</p><p></p><p><strong>OT Discussion</strong></p><p>Secure name/address resolution services should only be used after careful consideration and verification that they do not adversely impact the operational performance of the OT.</p>",
                "controlId": "SC-20",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>SC-20(2) - Data Origin and Integrity</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "1f201db2-0c41-44f0-b8f6-6be8a43ff453",
                        "name": "SC-21",
                        "objectiveType": "",
                        "otherId": "sc-21_smt",
                        "description": "Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources."
                    }
                ],
                "tests": [
                    {
                        "uuid": "8233c120-c1cc-4a0a-a5d3-0c347ff80c5b",
                        "testId": "SC-21-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (recursive or caching resolver).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "fc8c5df0-392c-4fac-9935-357c4661377f",
                        "testId": "SC-21-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "35616052-d53b-421c-a0e8-47c9a22d3c2f",
                        "testId": "SC-21-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1bb5c8a6-d85c-477c-b093-7a1742c40589",
                        "testId": "SC-21[01]",
                        "test": "Determine if data origin authentication is requested for the name/address resolution responses that the system receives from authoritative sources;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (recursive or caching resolver).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6a13296e-a8ff-4239-9739-8ca22308e66a",
                        "testId": "SC-21[02]",
                        "test": "Determine if data origin authentication is performed on the name/address resolution responses that the system receives from authoritative sources;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (recursive or caching resolver).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3ef7e260-7e02-48ef-a658-eaefdfdc4a1c",
                        "testId": "SC-21[03]",
                        "test": "Determine if data integrity verification is requested for the name/address resolution responses that the system receives from authoritative sources;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (recursive or caching resolver).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b1965ae1-97d8-4f63-9866-479f305ac660",
                        "testId": "SC-21[04]",
                        "test": "Determine if data integrity verification is performed on the name/address resolution responses that the system receives from authoritative sources.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing secure name/address resolution services (recursive or caching resolver).</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "b9c517c4-7cb1-4be6-bbc8-667efe70f026",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-21 - Secure Name/Address Resolution Service (Recursive or Caching Resolver)",
                "description": "<p>Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.<br><strong>Discussion</strong><br></p><p>Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.</p><p></p><p><strong>OT Discussion</strong></p><p>Secure name/address resolution services should only be used after careful consideration and verification that they do not adversely impact the operational performance of the OT.</p>",
                "controlId": "SC-21",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "9c7de988-d648-489c-a0c8-a54aea19fd23",
                        "name": "SC-22",
                        "objectiveType": "",
                        "otherId": "sc-22_smt",
                        "description": "Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation."
                    }
                ],
                "tests": [
                    {
                        "uuid": "935f4b69-1387-41df-83b4-bae58760854d",
                        "testId": "SC-22[01]",
                        "test": "Determine if the systems that collectively provide name/address resolution services for an organization are fault-tolerant;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing architecture and provisioning for name/address resolution services.</li><li>Access control policy and procedures.</li><li>System design documentation.</li><li>Assessment results from independent testing organizations.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7863c3a3-3248-492a-a87d-9611bbbb9651",
                        "testId": "SC-22[02]",
                        "test": "Determine if the systems that collectively provide name/address resolution services for an organization implement internal role separation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing architecture and provisioning for name/address resolution services.</li><li>Access control policy and procedures.</li><li>System design documentation.</li><li>Assessment results from independent testing organizations.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7fc2d0f0-628c-4b9d-853a-addd83dd698a",
                        "testId": "SC-22[03]",
                        "test": "Determine if the systems that collectively provide name/address resolution services for an organization implement external role separation.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing architecture and provisioning for name/address resolution services.</li><li>Access control policy and procedures.</li><li>System design documentation.</li><li>Assessment results from independent testing organizations.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "89eb5a80-be75-413a-84f4-2e6e96475c43",
                        "testId": "SC-22-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing architecture and provisioning for name/address resolution services.</li><li>Access control policy and procedures.</li><li>System design documentation.</li><li>Assessment results from independent testing organizations.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f31af881-d5da-4239-b48c-0f3eeca315d7",
                        "testId": "SC-22-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with responsibilities for managing dns.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6689845f-11a2-4c44-b016-6a190508b8a6",
                        "testId": "SC-22-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing name/address resolution services for fault tolerance and role separation.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "7f8f62e9-ec23-48c6-97b9-752c6e7d795e",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-22 - Architecture and Provisioning for Name/Address Resolution Service",
                "description": "<p>Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.<br><strong>Discussion</strong><br></p><p>Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers\u00e2\u20ac\u201done configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).</p><p></p><p><strong>OT Discussion</strong></p><p>Secure name/address resolution services should only be used after careful consideration and verification that they do not adversely impact the operational performance of the OT.</p>",
                "controlId": "SC-22",
                "family": "System and Communications Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "8b67f7ef-21c1-4881-9295-8c2bc3a73aa7",
                        "name": "SC-39",
                        "objectiveType": "",
                        "otherId": "sc-39_smt",
                        "description": "Maintain a separate execution domain for each executing system process."
                    }
                ],
                "tests": [
                    {
                        "uuid": "4f99f794-6ddb-4e34-bac2-b5619cd5a2b5",
                        "testId": "SC-39",
                        "test": "Determine if a separate execution domain is maintained for each executing system process.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System design documentation.</li><li>System architecture.</li><li>Independent verification and validation documentation.</li><li>Testing and evaluation documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System developers/integrators.</li><li>System security architect.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing separate execution domains for each executing process.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b76d9e11-82db-4c73-acda-6abd8c576d9e",
                        "testId": "SC-39-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System design documentation.</li><li>System architecture.</li><li>Independent verification and validation documentation.</li><li>Testing and evaluation documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8e65fb45-3abc-4789-ad4b-fb42298f039b",
                        "testId": "SC-39-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System developers/integrators.</li><li>System security architect.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d5125568-bca0-420c-a430-779ce21dd308",
                        "testId": "SC-39-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing separate execution domains for each executing process.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "bb0d61bb-a483-43a7-a00b-3fae465fa76d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-39 - Process Isolation",
                "description": "<p>Maintain a separate execution domain for each executing system process.<br><strong>Discussion</strong><br></p><p>Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process. Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.</p><p></p><p><strong>OT Discussion</strong></p><p>Example compensating controls include partition processes to separate platforms.</p>",
                "controlId": "SC-39",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>SC-39(1) - Hardware Separation</li><li>SC-39(2) - Separate Execution Domain Per Thread</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "a578030a-b9ad-4750-a246-3ee35f775d4f",
                        "parameterId": "SC-41-2",
                        "text": "connection ports or input/output devices",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined connection ports or input/output devices] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-41_odp.01"
                    },
                    {
                        "uuid": "0b03cc8b-65d0-4b92-9326-36e663271a6f",
                        "parameterId": "SC-41-1",
                        "text": "[Selection: physically; logically]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection: physically; logically]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-41_odp.02"
                    },
                    {
                        "uuid": "1316f7fb-bde1-453a-b041-6d232ed1f016",
                        "parameterId": "SC-41-3",
                        "text": "systems or system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined systems or system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sc-41_odp.03"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "e9502d8e-7e64-4714-a74a-5caa9944f913",
                        "name": "SC-41",
                        "objectiveType": "",
                        "otherId": "sc-41_smt",
                        "description": "{{ insert: param, SC-41-1 }} disable or remove {{ insert: param, SC-41-2 }} on the following systems or system components: {{ insert: param, SC-41-3 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "e3208b3a-3167-49cf-84f4-080d7aa94e33",
                        "testId": "SC-41",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): connection ports or input/output devices ]  are  [SELECTED PARAMETER VALUE(S): [Selection: physically; logically] ]  disabled or removed on  [SELECTED PARAMETER VALUE(S): systems or system components ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Access control policy and procedures.</li><li>Procedures addressing port and input/output device access.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System architecture.</li><li>Systems or system components.</li><li>List of connection ports or input/output devices to be physically disabled or removed on systems or system components.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing the disabling of connection ports or input/output devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7a7d1507-8a35-46a5-bb8c-900c86aabc16",
                        "testId": "SC-41-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Access control policy and procedures.</li><li>Procedures addressing port and input/output device access.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System architecture.</li><li>Systems or system components.</li><li>List of connection ports or input/output devices to be physically disabled or removed on systems or system components.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ccc7be40-8099-4f38-802e-f45390486999",
                        "testId": "SC-41-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "107004ab-5d5a-4866-9864-1dbcb6b9d770",
                        "testId": "SC-41-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing the disabling of connection ports or input/output devices.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "44f6a213-e54e-451c-8393-d5a0e83ead92",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-41 - Port and I/O Device Access",
                "description": "{{ insert: param, SC-41-1 }}  disable or remove  {{ insert: param, SC-41-2 }}  on the following systems or system components:  {{ insert: param, SC-41-3 }}.<br/><strong>Discussion</strong><br/><p>Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/output (I/O) devices include compact disc and digital versatile disc drives. Disabling or removing such connection ports and I/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action.</p>",
                "controlId": "SC-41",
                "family": "System and Communications Protection",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "31c969be-54a5-4a58-9b9c-6b384feb9639",
                        "name": "SC-45",
                        "objectiveType": "",
                        "otherId": "sc-45_smt",
                        "description": "Synchronize system clocks within and between systems and system components."
                    }
                ],
                "tests": [
                    {
                        "uuid": "b40ed106-2268-446c-9ea2-8010045ce5de",
                        "testId": "SC-45",
                        "test": "Determine if system clocks are synchronized within and between systems and system components.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing time synchronization.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li></ul><br><h5>Test</h5><ul><li>Mechanisms supporting and/or implementing system time synchronization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c9a5b2e4-c4e3-4cc3-8459-021ec31e7f0e",
                        "testId": "SC-45-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and communications protection policy.</li><li>Procedures addressing time synchronization.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5bdefdb4-bf65-4274-97c3-e17f16ed5525",
                        "testId": "SC-45-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7a19bc35-f4be-4ec6-86e1-d1e14a9cb4e0",
                        "testId": "SC-45-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Mechanisms supporting and/or implementing system time synchronization.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "a5db139d-64a1-4896-b487-08a7a3e56832",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SC-45 - System Time Synchronization",
                "description": "<p>Synchronize system clocks within and between systems and system components.<br><strong>Discussion</strong><br></p><p>Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities\u00e2\u20ac\u201dsuch as access control and identification and authentication\u00e2\u20ac\u201ddepending on the nature of the mechanisms used to support the capabilities.</p><p></p><p><strong>OT Discussion</strong></p><p>Organizations coordinate time synchronization on OT to allow for accurate troubleshooting and forensics.</p>",
                "controlId": "SC-45",
                "family": "System and Communications Protection",
                "enhancements": "<strong>Enhancements</strong><ul><li>SC-45(1) - Synchronization with Authoritative Time Source</li><li>SC-45(2) - Secondary Authoritative Time Source</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "f50ea35c-409d-4d67-8165-213873b75eae",
                        "parameterId": "SI-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-1_prm_1"
                    },
                    {
                        "uuid": "6a472295-c156-4e60-b1a4-d18f43efa030",
                        "parameterId": "SI-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-01_odp.03"
                    },
                    {
                        "uuid": "fe3cc851-afbd-45f5-9e30-2dacf8586d48",
                        "parameterId": "SI-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-01_odp.04"
                    },
                    {
                        "uuid": "b690d9ee-e339-4c96-89ac-5d0fdbb92f43",
                        "parameterId": "SI-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-01_odp.05"
                    },
                    {
                        "uuid": "3b3fce60-be76-4985-98b7-688349f2594f",
                        "parameterId": "SI-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-01_odp.06"
                    },
                    {
                        "uuid": "7238e475-219c-44cc-8301-5a55888e5af4",
                        "parameterId": "SI-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-01_odp.07"
                    },
                    {
                        "uuid": "680d297d-1b19-4e9b-a587-fd93f3b479ca",
                        "parameterId": "SI-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "11e455a0-d7d9-4f58-a566-4ae9efbe98ca",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "si-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, SI-1(a) }}:</li><ul><li>1. {{ insert: param, SI-1(a)(1) }} system and information integrity policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;</li></ul>"
                    },
                    {
                        "uuid": "a49ed606-3267-42c1-8e84-3d723fb4c1e2",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "si-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, SI-1(b) }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "e74ea5ee-528b-4891-bcbc-c9def8b1ef16",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "si-1_smt.c",
                        "description": "<ul><li>c. Review and update the current system and information integrity:</li><ul><li>1. Policy {{ insert: param, SI-1(c)(1)-1 }} and following {{ insert: param, SI-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, SI-1(c)(2)-1 }} and following {{ insert: param, SI-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "5511191d-eef2-4f35-a5b6-8a570731e5f9",
                        "testId": "SI-01a.[01]",
                        "test": "Determine if a system and information integrity policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5bd44376-a13b-47db-8aa2-2cb62939ce71",
                        "testId": "SI-01a.[02]",
                        "test": "Determine if the system and information integrity policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f6dbf1a1-6b62-4e2f-89a3-851df84e24f1",
                        "testId": "SI-01a.[03]",
                        "test": "Determine if system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a8958cef-aec5-4d83-9694-b651a826a545",
                        "testId": "SI-01a.[04]",
                        "test": "Determine if the system and information integrity procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d846dfc7-3937-448a-9d17-e8636806c61a",
                        "testId": "SI-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "81a8d09e-b3b7-4ce7-946b-4cb54166cee6",
                        "testId": "SI-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy addresses scope;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8e9aad20-28e4-4d12-a0a4-852a660a3267",
                        "testId": "SI-01a.01(a)[03]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "47fcb9b1-242f-4534-af49-08cef27b6f2d",
                        "testId": "SI-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "11443ffa-8001-4233-a7f3-2c0a89adcbe3",
                        "testId": "SI-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "68b5e8ef-d4c1-4b75-bdf5-69f9938138f8",
                        "testId": "SI-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "02bd290d-d6b6-4403-ab6d-79e65fbbe8bb",
                        "testId": "SI-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy addresses compliance;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "95de3b14-9510-45c8-afef-bc9eaf156a38",
                        "testId": "SI-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  system and information integrity policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a83b581c-d829-4597-af1b-e4de6406cdd0",
                        "testId": "SI-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4b679d73-6454-41d3-b6e4-dc6f7f66d1fe",
                        "testId": "SI-01c.01[01]",
                        "test": "Determine if the current system and information integrity policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "32959fd8-e786-41d3-aff5-768cce184bd8",
                        "testId": "SI-01c.01[02]",
                        "test": "Determine if the current system and information integrity policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c32f444-9707-421f-92d8-9fe32716cc17",
                        "testId": "SI-01c.02[01]",
                        "test": "Determine if the current system and information integrity procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "654bc77e-06ce-42ff-9876-29cbe886cc3f",
                        "testId": "SI-01c.02[02]",
                        "test": "Determine if the current system and information integrity procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "82133a9b-bb4b-4aab-a17e-aa3872cd32d1",
                        "testId": "SI-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "194106c9-8b14-4711-81de-6a4214fffe82",
                        "testId": "SI-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system and information integrity responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "92abb9fd-0038-4772-9c6a-81f6e204ab3f",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SI-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, SI-1(a) }}:</p><ul><li><p>1. {{ insert: param, SI-1(a)(1) }} system and information integrity policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, SI-1(b) }} to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and</p></li><li><p>c. Review and update the current system and information integrity:</p><ul><li><p>1. Policy {{ insert: param, SI-1(c)(1)-1 }} and following {{ insert: param, SI-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, SI-1(c)(2)-1 }} and following {{ insert: param, SI-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>The policy specifically addresses the unique properties and requirements of OT and the relationship to non-OT systems.</p>",
                "controlId": "SI-1",
                "family": "System and Information Integrity",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "eb69c2f4-11ba-4186-b632-996b09a03f16",
                        "parameterId": "SI-2(c)",
                        "text": "time period",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined time period] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-02_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "69f859a6-6822-4018-bfb7-f48555a2a166",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "si-2_smt.a",
                        "description": "<ul><li>a. Identify, report, and correct system flaws;</li></ul>"
                    },
                    {
                        "uuid": "f0f1a2fb-3953-4ff5-9415-7351b0d4917e",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "si-2_smt.b",
                        "description": "<ul><li>b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;</li></ul>"
                    },
                    {
                        "uuid": "e21e3291-e5bf-431d-a6a5-b1f52de1c44c",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "si-2_smt.c",
                        "description": "<ul><li>c. Install security-relevant software and firmware updates within {{ insert: param, SI-2(c) }} of the release of the updates; and</li></ul>"
                    },
                    {
                        "uuid": "4ebc52ee-b0f0-4a04-8ffa-e6b26d339454",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "si-2_smt.d",
                        "description": "<ul><li>d. Incorporate flaw remediation into the organizational configuration management process.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "3878cacd-2e1f-4c1a-a6d1-908c4ce2d6c9",
                        "testId": "SI-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "db2dde5c-0201-4e84-b273-09f8bcf3dc7d",
                        "testId": "SI-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d62e08f4-ef5f-400c-84c2-96cfdfba24dd",
                        "testId": "SI-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ab7d545a-c2db-4f8b-9a75-c82629ca4889",
                        "testId": "SI-02a.[01]",
                        "test": "Determine if system flaws are identified;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6036a1fa-478c-440c-9b08-27b64af7711e",
                        "testId": "SI-02a.[02]",
                        "test": "Determine if system flaws are reported;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a67920af-b7ef-41ee-93a2-d0240509d70c",
                        "testId": "SI-02a.[03]",
                        "test": "Determine if system flaws are corrected;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1ac12e08-c23e-4448-93f0-90269544ece2",
                        "testId": "SI-02b.[01]",
                        "test": "Determine if software updates related to flaw remediation are tested for effectiveness before installation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "42bf04d9-681f-41d1-a074-9676760f883f",
                        "testId": "SI-02b.[02]",
                        "test": "Determine if software updates related to flaw remediation are tested for potential side effects before installation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a6bbaa60-e7d8-4e3a-90bb-ca25c8c9565e",
                        "testId": "SI-02b.[03]",
                        "test": "Determine if firmware updates related to flaw remediation are tested for effectiveness before installation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "391a2cd1-c3a9-4673-bcea-2960ffa29864",
                        "testId": "SI-02b.[04]",
                        "test": "Determine if firmware updates related to flaw remediation are tested for potential side effects before installation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8fbee0ae-1677-41a8-b852-367469e2eca9",
                        "testId": "SI-02c.[01]",
                        "test": "Determine if security-relevant software updates are installed within  [SELECTED PARAMETER VALUE(S): time period ]  of the release of the updates;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dd14f069-b15d-4057-9c2a-9d50116b64a6",
                        "testId": "SI-02c.[02]",
                        "test": "Determine if security-relevant firmware updates are installed within  [SELECTED PARAMETER VALUE(S): time period ]  of the release of the updates;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c9f4c393-d3af-4388-9efb-0a2a2623298a",
                        "testId": "SI-02d.",
                        "test": "Determine if flaw remediation is incorporated into the organizational configuration management process.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing flaw remediation.</li><li>Procedures addressing configuration management.</li><li>List of flaws and vulnerabilities potentially affecting the system.</li><li>List of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws).</li><li>Test results from the installation of software and firmware updates to correct system flaws.</li><li>Installation/change control records for security-relevant software and firmware updates.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel responsible for installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for flaw remediation.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying, reporting, and correcting system flaws.</li><li>Organizational process for installing software and firmware updates.</li><li>Mechanisms supporting and/or implementing the reporting and correcting of system flaws.</li><li>Mechanisms supporting and/or implementing testing software and firmware updates.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "c6f06954-1669-4ebc-b8bc-cb47bc3bf3bf",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SI-02 - Flaw Remediation",
                "description": "<ul><li><p>a. Identify, report, and correct system flaws;</p></li><li><p>b. Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;</p></li><li><p>c. Install security-relevant software and firmware updates within {{ insert: param, SI-2(c) }} of the release of the updates; and</p></li><li><p>d. Incorporate flaw remediation into the organizational configuration management process.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.</p><p>Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.</p><p></p><p><strong>OT Discussion</strong></p><p>Flaw remediation, or patching, is complicated since many OT employ OSs and other software that are no longer maintained by the vendors. OT operators may also not have the resources or capability to test patches and are dependent on vendors to validate the operability of a patch. Sometimes, the organization has no choice but to accept additional risk if no vendor patch is available, if patching requires additional time to complete validation or testing, or if deployment requires an unacceptable operations shutdown. In these situations, compensating controls should be implemented (e.g., limiting the exposure of the vulnerable system, restricting vulnerable services, implementing virtual patching). Other compensating controls that do not decrease the residual risk but increase the ability to respond may be desirable (e.g., provide a timely response in case of an incident, devise a plan to ensure that the OT can identify exploitation of the flaw). Testing flaw remediation in an OT may exceed the organization\u2019s available resources.</p>",
                "controlId": "SI-2",
                "family": "System and Information Integrity",
                "enhancements": "<strong>Enhancements</strong><ul><li>SI-2(2) - Automated Flaw Remediation Status</li><li>SI-2(3) - Time to Remediate Flaws and Benchmarks for Corrective Actions</li><li>SI-2(4) - Automated Patch Management Tools</li><li>SI-2(5) - Automatic Software and Firmware Updates</li><li>SI-2(6) - Removal of Previous Versions of Software and Firmware</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "38394961-05d7-41f2-864b-caa12bf791eb",
                        "parameterId": "SI-3(a)",
                        "text": "[Selection (one or more): signature-based; non-signature-based]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): signature-based; non-signature-based]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-03_odp.01"
                    },
                    {
                        "uuid": "c61eed3b-fe3b-4548-9c57-e78aecddd400",
                        "parameterId": "SI-3(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-03_odp.02"
                    },
                    {
                        "uuid": "c1376d75-0a66-4114-8e9d-96db04bfb635",
                        "parameterId": "SI-3(c)(1)-2",
                        "text": "[Selection (one or more): endpoint; network entry and exit points]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): endpoint; network entry and exit points]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-03_odp.03"
                    },
                    {
                        "uuid": "0280cd56-6f48-4d8e-be03-90d1ea290ba2",
                        "parameterId": "SI-3(c)(2)-1",
                        "text": "[Selection (one or more): block malicious code; quarantine malicious code; take [(NESTED PARAMETER) Assignment for si-03_odp.05: action]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): block malicious code; quarantine malicious code; take [(NESTED PARAMETER) Assignment for si-03_odp.05: action]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-03_odp.04"
                    },
                    {
                        "uuid": "a23b9320-aac5-434b-b07a-e4ff9c6073ce",
                        "parameterId": "SI-3(c)(2)-2",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-03_odp.06"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "4dd597fe-87b8-4086-9633-c4fc89f8f1ab",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "si-3_smt.a",
                        "description": "<ul><li>a. Implement {{ insert: param, SI-3(a) }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;</li></ul>"
                    },
                    {
                        "uuid": "9498052e-f6eb-4f58-beb5-ba84bccb8316",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "si-3_smt.b",
                        "description": "<ul><li>b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;</li></ul>"
                    },
                    {
                        "uuid": "557dc8f0-b7e8-4375-8714-5f7d3497d255",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "si-3_smt.c",
                        "description": "<ul><li>c. Configure malicious code protection mechanisms to:</li><ul><li>1. Perform periodic scans of the system {{ insert: param, SI-3(c)(1)-1 }} and real-time scans of files from external sources at {{ insert: param, SI-3(c)(1)-2 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and</li><li>2. {{ insert: param, SI-3(c)(2)-1 }} ; and send alert to {{ insert: param, SI-3(c)(2)-2 }} in response to malicious code detection; and</li></ul>"
                    },
                    {
                        "uuid": "135f4482-4625-4baf-89fa-2c0c2b7e56df",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "si-3_smt.d",
                        "description": "<ul><li>d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "5b9b1b4b-8f5d-42e1-a821-20728a701158",
                        "testId": "SI-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2eeb7751-f2cc-4b88-9093-c9c008b91c26",
                        "testId": "SI-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ea85dddd-6854-4ddc-92ce-5a3c048e46dc",
                        "testId": "SI-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1a49af8d-9c1d-40f8-9847-c1ef6b02c371",
                        "testId": "SI-03a.[01]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): [Selection (one or more): signature-based; non-signature-based] ]  malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "58c1cd6e-72f8-4bea-a3ab-2335afcc00ea",
                        "testId": "SI-03a.[02]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): [Selection (one or more): signature-based; non-signature-based] ]  malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ede45b30-5ba6-4f67-9f7b-79b2ec598adc",
                        "testId": "SI-03b.",
                        "test": "Determine if malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "452439a5-9c84-4d1a-b2b8-6ceb7cbbf2c2",
                        "testId": "SI-03c.01[01]",
                        "test": "Determine if malicious code protection mechanisms are configured to perform periodic scans of the system  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "59b761dd-206a-4d71-a5e8-f2fe9428046a",
                        "testId": "SI-03c.01[02]",
                        "test": "Determine if malicious code protection mechanisms are configured to perform real-time scans of files from external sources at  [SELECTED PARAMETER VALUE(S): [Selection (one or more): endpoint; network entry and exit points] ]  as the files are downloaded, opened, or executed in accordance with organizational policy;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9ba41293-8d68-410a-9fb9-9ed86a0714a3",
                        "testId": "SI-03c.02[01]",
                        "test": "Determine if malicious code protection mechanisms are configured to  [SELECTED PARAMETER VALUE(S): [Selection (one or more): block malicious code; quarantine malicious code; take [(NESTED PARAMETER) Assignment for si-03_odp.05: action]] ]  in response to malicious code detection;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "7d7343f0-54ae-4eaa-b205-15b5182eb8df",
                        "testId": "SI-03c.02[02]",
                        "test": "Determine if malicious code protection mechanisms are configured to send alerts to  [SELECTED PARAMETER VALUE(S): personnel or roles ]  in response to malicious code detection;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f7fcbc2b-0e33-4b66-bb8e-f5886181394b",
                        "testId": "SI-03d.",
                        "test": "Determine if the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Configuration management policy and procedures.</li><li>Procedures addressing malicious code protection.</li><li>Malicious code protection mechanisms.</li><li>Records of malicious code protection updates.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>Scan results from malicious code protection mechanisms.</li><li>Record of actions initiated by malicious code protection mechanisms in response to malicious code detection.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for malicious code protection.</li><li>Organizational personnel with configuration management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for employing, updating, and configuring malicious code protection mechanisms.</li><li>Organizational processes for addressing false positives and resulting potential impacts.</li><li>Mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms.</li><li>Mechanisms supporting and/or implementing malicious code scanning and subsequent actions.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "3c94d63e-34e0-4b6c-82d1-cfcf8c035735",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SI-03 - Malicious Code Protection",
                "description": "<ul><li><p>a. Implement {{ insert: param, SI-3(a) }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;</p></li><li><p>b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;</p></li><li><p>c. Configure malicious code protection mechanisms to:</p><ul><li><p>1. Perform periodic scans of the system {{ insert: param, SI-3(c)(1)-1 }} and real-time scans of files from external sources at {{ insert: param, SI-3(c)(1)-2 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and</p></li><li><p>2. {{ insert: param, SI-3(c)(2)-1 }} ; and send alert to {{ insert: param, SI-3(c)(2)-2 }} in response to malicious code detection; and</p></li></ul></li><li><p>d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.</p><p>Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.</p><p>In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.</p><p></p><p><strong>OT Discussion</strong></p><p>Malicious code protection should only be deployed after careful consideration and verification that it does not adversely impact the operation of the OT. Malicious code protection tools should be configured to minimize their potential impact on the OT (e.g., employ notification rather than quarantine). Example compensating controls include increased traffic monitoring and auditing.</p>",
                "controlId": "SI-3",
                "family": "System and Information Integrity",
                "enhancements": "<strong>Enhancements</strong><ul><li>SI-3(4) - Updates Only by Privileged Users</li><li>SI-3(6) - Testing and Verification</li><li>SI-3(8) - Detect Unauthorized Commands</li><li>SI-3(10) - Malicious Code Analysis</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "7d6558cc-60be-489d-98d2-9b4c898d3546",
                        "parameterId": "SI-4(a)(1)",
                        "text": "monitoring objectives",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined monitoring objectives] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-04_odp.01"
                    },
                    {
                        "uuid": "142e44e4-6446-455e-8082-6bb4f12b81b9",
                        "parameterId": "SI-4(b)",
                        "text": "techniques and methods",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined techniques and methods] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-04_odp.02"
                    },
                    {
                        "uuid": "af5b3cb3-43c6-4ae1-b653-daef5ecd4563",
                        "parameterId": "SI-4(g)-1",
                        "text": "system monitoring information",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system monitoring information] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-04_odp.03"
                    },
                    {
                        "uuid": "1ab05dea-8539-4966-82f2-727cddfae06d",
                        "parameterId": "SI-4(g)-2",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-04_odp.04"
                    },
                    {
                        "uuid": "234f01d5-18a9-449d-9534-6d3f33231178",
                        "parameterId": "SI-4(g)-3",
                        "text": "[Selection (one or more): as needed; [(NESTED PARAMETER) Assignment for si-04_odp.06: frequency]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): as needed; [(NESTED PARAMETER) Assignment for si-04_odp.06: frequency]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-04_odp.05"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "9dca79f0-42d5-43f3-bce1-dce43c7d10a4",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "si-4_smt.a",
                        "description": "<ul><li>a. Monitor the system to detect:</li><ul><li>1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, SI-4(a)(1) }} ; and</li><li>2. Unauthorized local, network, and remote connections;</li></ul>"
                    },
                    {
                        "uuid": "7f9eaccf-587b-4c56-8704-d68632253e0b",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "si-4_smt.b",
                        "description": "<ul><li>b. Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, SI-4(b) }};</li></ul>"
                    },
                    {
                        "uuid": "52e19e9f-d057-4b98-9ca4-c0f6fbb8bd38",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "si-4_smt.c",
                        "description": "<ul><li>c. Invoke internal monitoring capabilities or deploy monitoring devices:</li><ul><li>1. Strategically within the system to collect organization-determined essential information; and</li><li>2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;</li></ul>"
                    },
                    {
                        "uuid": "224b9f90-af85-4981-9c46-79c4e16299f0",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "si-4_smt.d",
                        "description": "<ul><li>d. Analyze detected events and anomalies;</li></ul>"
                    },
                    {
                        "uuid": "ae390024-73ee-4e29-ac86-5b429023e419",
                        "name": "e.",
                        "objectiveType": "",
                        "otherId": "si-4_smt.e",
                        "description": "<ul><li>e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;</li></ul>"
                    },
                    {
                        "uuid": "0a160e19-0aed-479a-a7dc-fc77a5f05186",
                        "name": "f.",
                        "objectiveType": "",
                        "otherId": "si-4_smt.f",
                        "description": "<ul><li>f. Obtain legal opinion regarding system monitoring activities; and</li></ul>"
                    },
                    {
                        "uuid": "48cfe2cd-0b75-4b4e-9dff-493a242ab7c0",
                        "name": "g.",
                        "objectiveType": "",
                        "otherId": "si-4_smt.g",
                        "description": "<ul><li>g. Provide {{ insert: param, SI-4(g)-1 }} to {{ insert: param, SI-4(g)-2 }} {{ insert: param, SI-4(g)-3 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "15bb0b88-891a-4db2-bfed-b4fbcf12075f",
                        "testId": "SI-04a.01",
                        "test": "Determine if the system is monitored to detect attacks and indicators of potential attacks in accordance with  [SELECTED PARAMETER VALUE(S): monitoring objectives ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "62c3126e-ab45-4a46-9c4d-2d781a5aeb7f",
                        "testId": "SI-04a.02[01]",
                        "test": "Determine if the system is monitored to detect unauthorized local connections;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0c2637f2-a7ef-402c-a851-e9010df9b3a0",
                        "testId": "SI-04a.02[02]",
                        "test": "Determine if the system is monitored to detect unauthorized network connections;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ef516260-07b9-4487-9fb3-3381c17cca27",
                        "testId": "SI-04a.02[03]",
                        "test": "Determine if the system is monitored to detect unauthorized remote connections;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1235655d-4436-4f77-970d-7834b39f017a",
                        "testId": "SI-04b.",
                        "test": "Determine if unauthorized use of the system is identified through  [SELECTED PARAMETER VALUE(S): techniques and methods ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ae591be4-4c0a-490f-9760-a2f77738ae6b",
                        "testId": "SI-04c.01",
                        "test": "Determine if internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "74cdf543-e486-40a5-a405-fd96caa1cff4",
                        "testId": "SI-04c.02",
                        "test": "Determine if internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5731e412-ff14-4bdc-ab5c-c977f8b81895",
                        "testId": "SI-04d.[01]",
                        "test": "Determine if detected events are analyzed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "18ddbc5f-a9b1-4522-ba72-377cab53d5be",
                        "testId": "SI-04d.[02]",
                        "test": "Determine if detected anomalies are analyzed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6d7c1000-36b1-4ba7-a8f4-c48ad64fffdf",
                        "testId": "SI-04e.",
                        "test": "Determine if the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the nation;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "9f8c5f56-2189-4adc-9a0f-b91c964b1e62",
                        "testId": "SI-04f.",
                        "test": "Determine if a legal opinion regarding system monitoring activities is obtained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "03b51ee7-ca2f-4078-87db-a312e75c2585",
                        "testId": "SI-04g.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): system monitoring information ]  is provided to  [SELECTED PARAMETER VALUE(S): personnel or roles ], [SELECTED PARAMETER VALUE(S): [Selection (one or more): as needed; [(NESTED PARAMETER) Assignment for si-04_odp.06: frequency]] ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a12d1691-2a0e-4aa6-aaeb-630ebd52345a",
                        "testId": "SI-04-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing system monitoring tools and techniques.</li><li>Continuous monitoring strategy.</li><li>Facility diagram/layout.</li><li>System design documentation.</li><li>System monitoring tools and techniques documentation.</li><li>Locations within the system where monitoring devices are deployed.</li><li>System configuration settings and associated documentation.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "91265b31-d0fe-48e1-8374-049a1f534f84",
                        "testId": "SI-04-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel installing, configuring, and/or maintaining the system.</li><li>Organizational personnel responsible for monitoring the system.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f228942b-356d-4e06-ac1f-141434552f6a",
                        "testId": "SI-04-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for system monitoring.</li><li>Mechanisms supporting and/or implementing system monitoring capabilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "a681be71-9a8f-4186-940c-feaf379f14a3",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SI-04 - System Monitoring",
                "description": "<ul><li><p>a. Monitor the system to detect:</p><ul><li><p>1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: {{ insert: param, SI-4(a)(1) }} ; and</p></li><li><p>2. Unauthorized local, network, and remote connections;</p></li></ul></li><li><p>b. Identify unauthorized use of the system through the following techniques and methods: {{ insert: param, SI-4(b) }};</p></li><li><p>c. Invoke internal monitoring capabilities or deploy monitoring devices:</p><ul><li><p>1. Strategically within the system to collect organization-determined essential information; and</p></li><li><p>2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;</p></li></ul></li><li><p>d. Analyze detected events and anomalies;</p></li><li><p>e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;</p></li><li><p>f. Obtain legal opinion regarding system monitoring activities; and</p></li><li><p>g. Provide {{ insert: param, SI-4(g)-1 }} to {{ insert: param, SI-4(g)-2 }}{{ insert: param, SI-4(g)-3 }}.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.</p><p>Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls <a href=\"#sc-7\">SC-7</a> and <a href=\"#ac-17\">AC-17</a> . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., <a href=\"#ac-2_smt.g\">AC-2g</a>, <a href=\"#ac-2.7\">AC-2(7)</a>, <a href=\"#ac-2.12_smt.a\">AC-2(12)(a)</a>, <a href=\"#ac-17.1\">AC-17(1)</a>, <a href=\"#au-13\">AU-13</a>, <a href=\"#au-13.1\">AU-13(1)</a>, <a href=\"#au-13.2\">AU-13(2)</a>, <a href=\"#cm-3_smt.f\">CM-3f</a>, <a href=\"#cm-6_smt.d\">CM-6d</a>, <a href=\"#ma-3_smt.a\">MA-3a</a>, <a href=\"#ma-4_smt.a\">MA-4a</a>, <a href=\"#sc-5.3_smt.b\">SC-5(3)(b)</a>, <a href=\"#sc-7_smt.a\">SC-7a</a>, <a href=\"#sc-7.24_smt.b\">SC-7(24)(b)</a>, <a href=\"#sc-18_smt.b\">SC-18b</a>, <a href=\"#sc-43_smt.b\">SC-43b</a> ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.</p><p></p><p><strong>OT Discussion</strong></p><p>The organization ensures that the use of monitoring tools and techniques does not adversely impact the operational performance of the OT. Example compensating controls include deploying sufficient network, process, and physical monitoring.</p>",
                "controlId": "SI-4",
                "family": "System and Information Integrity",
                "enhancements": "<strong>Enhancements</strong><ul><li>SI-4(1) - System-wide Intrusion Detection System</li><li>SI-4(2) - Automated Tools and Mechanisms for Real-time Analysis</li><li>SI-4(3) - Automated Tool and Mechanism Integration</li><li>SI-4(4) - Inbound and Outbound Communications Traffic</li><li>SI-4(5) - System-generated Alerts</li><li>SI-4(7) - Automated Response to Suspicious Events</li><li>SI-4(9) - Testing of Monitoring Tools and Mechanisms</li><li>SI-4(10) - Visibility of Encrypted Communications</li><li>SI-4(11) - Analyze Communications Traffic Anomalies</li><li>SI-4(12) - Automated Organization-generated Alerts</li><li>SI-4(13) - Analyze Traffic and Event Patterns</li><li>SI-4(14) - Wireless Intrusion Detection</li><li>SI-4(15) - Wireless to Wireline Communications</li><li>SI-4(16) - Correlate Monitoring Information</li><li>SI-4(17) - Integrated Situational Awareness</li><li>SI-4(18) - Analyze Traffic and Covert Exfiltration</li><li>SI-4(19) - Risk for Individuals</li><li>SI-4(20) - Privileged Users</li><li>SI-4(21) - Probationary Periods</li><li>SI-4(22) - Unauthorized Network Services</li><li>SI-4(23) - Host-based Devices</li><li>SI-4(24) - Indicators of Compromise</li><li>SI-4(25) - Optimize Network Traffic Analysis</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "771032d6-e3ab-44c6-909f-41f05492f5f1",
                        "parameterId": "SI-5(a)",
                        "text": "external organizations",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined external organizations] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-05_odp.01"
                    },
                    {
                        "uuid": "c1fc9f93-bef0-4a53-8c55-c05bc9406f6a",
                        "parameterId": "SI-5(c)",
                        "text": "[Selection (one or more): [(NESTED PARAMETER) Assignment for si-05_odp.03: personnel or roles]; [(NESTED PARAMETER) Assignment for si-05_odp.04: elements]; [(NESTED PARAMETER) Assignment for si-05_odp.05: external organizations]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): [(NESTED PARAMETER) Assignment for si-05_odp.03: personnel or roles]; [(NESTED PARAMETER) Assignment for si-05_odp.04: elements]; [(NESTED PARAMETER) Assignment for si-05_odp.05: external organizations]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-05_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "52e1f858-4d61-43e1-b4c9-b6cd59be2745",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "si-5_smt.a",
                        "description": "<ul><li>a. Receive system security alerts, advisories, and directives from {{ insert: param, SI-5(a) }} on an ongoing basis;</li></ul>"
                    },
                    {
                        "uuid": "0a06bd9e-dba4-4bc8-8228-c5a9db2ab197",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "si-5_smt.b",
                        "description": "<ul><li>b. Generate internal security alerts, advisories, and directives as deemed necessary;</li></ul>"
                    },
                    {
                        "uuid": "02faeb73-ae38-4ca4-b70e-050fb38f4366",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "si-5_smt.c",
                        "description": "<ul><li>c. Disseminate security alerts, advisories, and directives to: {{ insert: param, SI-5(c) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "7c33a97e-85c5-4425-9cba-2d4e7fa46c70",
                        "name": "d.",
                        "objectiveType": "",
                        "otherId": "si-5_smt.d",
                        "description": "<ul><li>d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "74c31259-8bfd-4913-a1d8-2bf125f63d6d",
                        "testId": "SI-05a.",
                        "test": "Determine if system security alerts, advisories, and directives are received from  [SELECTED PARAMETER VALUE(S): external organizations ]  on an ongoing basis;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing security alerts, advisories, and directives.</li><li>Records of security alerts and advisories.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security alert and advisory responsibilities.</li><li>Organizational personnel implementing, operating, maintaining, and using the system.</li><li>Organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing security directives.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e65ec5df-0287-4fa4-8c31-1e7913e02b74",
                        "testId": "SI-05b.",
                        "test": "Determine if internal security alerts, advisories, and directives are generated as deemed necessary;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing security alerts, advisories, and directives.</li><li>Records of security alerts and advisories.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security alert and advisory responsibilities.</li><li>Organizational personnel implementing, operating, maintaining, and using the system.</li><li>Organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing security directives.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d2e3ec97-f800-47d7-91bc-1b4a9a02e460",
                        "testId": "SI-05c.",
                        "test": "Determine if security alerts, advisories, and directives are disseminated to  [SELECTED PARAMETER VALUE(S): [Selection (one or more): [(NESTED PARAMETER) Assignment for si-05_odp.03: personnel or roles]; [(NESTED PARAMETER) Assignment for si-05_odp.04: elements]; [(NESTED PARAMETER) Assignment for si-05_odp.05: external organizations]] ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing security alerts, advisories, and directives.</li><li>Records of security alerts and advisories.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security alert and advisory responsibilities.</li><li>Organizational personnel implementing, operating, maintaining, and using the system.</li><li>Organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing security directives.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0350c9de-abf6-4373-9fde-1f21f79dcef3",
                        "testId": "SI-05d.",
                        "test": "Determine if security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing security alerts, advisories, and directives.</li><li>Records of security alerts and advisories.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with security alert and advisory responsibilities.</li><li>Organizational personnel implementing, operating, maintaining, and using the system.</li><li>Organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing security directives.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ea3e1d2a-b9f1-4bfd-ba53-ee1800721202",
                        "testId": "SI-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Procedures addressing security alerts, advisories, and directives.</li><li>Records of security alerts and advisories.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f6bd7e14-d900-421d-9f24-fde0c191028f",
                        "testId": "SI-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with security alert and advisory responsibilities.</li><li>Organizational personnel implementing, operating, maintaining, and using the system.</li><li>Organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated.</li><li>System/network administrators.</li><li>Organizational personnel with information security responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cde8a2d6-4d3f-41a9-b554-d5299a1eed1d",
                        "testId": "SI-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives.</li><li>Mechanisms supporting and/or implementing security directives.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "6fa2390c-2353-4dbc-9ac0-69d9ce914086",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SI-05 - Security Alerts, Advisories, and Directives",
                "description": "<ul><li><p>a. Receive system security alerts, advisories, and directives from {{ insert: param, SI-5(a) }} on an ongoing basis;</p></li><li><p>b. Generate internal security alerts, advisories, and directives as deemed necessary;</p></li><li><p>c. Disseminate security alerts, advisories, and directives to: {{ insert: param, SI-5(c) }} ; and</p></li><li><p>d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.</p></li></ul><p><br><strong>Discussion</strong><br></p><p>The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.</p><p></p><p><strong>OT Discussion</strong></p><p>CISA generates security alerts and advisories relative to OT at https://www.cisa.gov/uscert/ics. Industry-specific ISACs often provide tailored advisories and alerts, which can be found at https://www.nationalisacs.org/.</p>",
                "controlId": "SI-5",
                "family": "System and Information Integrity",
                "enhancements": "<strong>Enhancements</strong><ul><li>SI-5(1) - Automated Alerts and Advisories</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "52ef9c75-a00f-4ad2-b112-84fc19a6bcf7",
                        "name": "SI-12",
                        "objectiveType": "",
                        "otherId": "si-12_smt",
                        "description": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements."
                    }
                ],
                "tests": [
                    {
                        "uuid": "b0c26629-5365-4ce0-924c-a8d5f6ab2543",
                        "testId": "SI-12[01]",
                        "test": "Determine if information within the system is managed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Personally identifiable information processing policy.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>Federal laws, executive orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention.</li><li>Media protection policy.</li><li>Media protection procedures.</li><li>Audit findings.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Personally identifiable information inventory.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information and records management, retention, and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for information management, retention, and disposition.</li><li>Automated mechanisms supporting and/or implementing information management, retention, and disposition.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ebf47d37-a508-457b-8ef4-e439b516a51c",
                        "testId": "SI-12[02]",
                        "test": "Determine if information within the system is retained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Personally identifiable information processing policy.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>Federal laws, executive orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention.</li><li>Media protection policy.</li><li>Media protection procedures.</li><li>Audit findings.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Personally identifiable information inventory.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information and records management, retention, and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for information management, retention, and disposition.</li><li>Automated mechanisms supporting and/or implementing information management, retention, and disposition.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e8bfbbbf-573f-450a-a065-6b35de9fe721",
                        "testId": "SI-12[03]",
                        "test": "Determine if information output from the system is managed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Personally identifiable information processing policy.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>Federal laws, executive orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention.</li><li>Media protection policy.</li><li>Media protection procedures.</li><li>Audit findings.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Personally identifiable information inventory.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information and records management, retention, and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for information management, retention, and disposition.</li><li>Automated mechanisms supporting and/or implementing information management, retention, and disposition.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1da701c5-bee9-4187-9303-8febbb358a4b",
                        "testId": "SI-12[04]",
                        "test": "Determine if information output from the system is retained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines, and operational requirements.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Personally identifiable information processing policy.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>Federal laws, executive orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention.</li><li>Media protection policy.</li><li>Media protection procedures.</li><li>Audit findings.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Personally identifiable information inventory.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information and records management, retention, and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Network administrators.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for information management, retention, and disposition.</li><li>Automated mechanisms supporting and/or implementing information management, retention, and disposition.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "afb65bfb-4573-402c-ba6d-b395de3bd412",
                        "testId": "SI-12-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Personally identifiable information processing policy.</li><li>Records retention and disposition policy.</li><li>Records retention and disposition procedures.</li><li>Federal laws, executive orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention.</li><li>Media protection policy.</li><li>Media protection procedures.</li><li>Audit findings.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Personally identifiable information inventory.</li><li>Privacy impact assessment.</li><li>Privacy risk assessment documentation.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "854b40f7-ab3d-488d-a2fb-7afc55b3d055",
                        "testId": "SI-12-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information and records management, retention, and disposition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Network administrators.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "ae0bc7bc-c1df-49a0-a8ba-a8fcc8b12338",
                        "testId": "SI-12-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for information management, retention, and disposition.</li><li>Automated mechanisms supporting and/or implementing information management, retention, and disposition.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "d8d3351b-0b34-42a0-9d4a-a1cabe310a75",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SI-12 - Information Management and Retention",
                "description": "Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.<br/><strong>Discussion</strong><br/><p>Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1,  <a href=\"#ac-6.9\">AC-6(9)</a>,  <a href=\"#at-4\">AT-4</a>,  <a href=\"#au-12\">AU-12</a>,  <a href=\"#ca-2\">CA-2</a>,  <a href=\"#ca-3\">CA-3</a>,  <a href=\"#ca-5\">CA-5</a>,  <a href=\"#ca-6\">CA-6</a>,  <a href=\"#ca-7\">CA-7</a>,  <a href=\"#ca-8\">CA-8</a>,  <a href=\"#ca-9\">CA-9</a>,  <a href=\"#cm-2\">CM-2</a>,  <a href=\"#cm-3\">CM-3</a>,  <a href=\"#cm-4\">CM-4</a>,  <a href=\"#cm-6\">CM-6</a>,  <a href=\"#cm-8\">CM-8</a>,  <a href=\"#cm-9\">CM-9</a>,  <a href=\"#cm-12\">CM-12</a>,  <a href=\"#cm-13\">CM-13</a>,  <a href=\"#cp-2\">CP-2</a>,  <a href=\"#ir-6\">IR-6</a>,  <a href=\"#ir-8\">IR-8</a>,  <a href=\"#ma-2\">MA-2</a>,  <a href=\"#ma-4\">MA-4</a>,  <a href=\"#pe-2\">PE-2</a>,  <a href=\"#pe-8\">PE-8</a>,  <a href=\"#pe-16\">PE-16</a>,  <a href=\"#pe-17\">PE-17</a>,  <a href=\"#pl-2\">PL-2</a>,  <a href=\"#pl-4\">PL-4</a>,  <a href=\"#pl-7\">PL-7</a>,  <a href=\"#pl-8\">PL-8</a>,  <a href=\"#pm-5\">PM-5</a>,  <a href=\"#pm-8\">PM-8</a>,  <a href=\"#pm-9\">PM-9</a>,  <a href=\"#pm-18\">PM-18</a>,  <a href=\"#pm-21\">PM-21</a>,  <a href=\"#pm-27\">PM-27</a>,  <a href=\"#pm-28\">PM-28</a>,  <a href=\"#pm-30\">PM-30</a>,  <a href=\"#pm-31\">PM-31</a>,  <a href=\"#ps-2\">PS-2</a>,  <a href=\"#ps-6\">PS-6</a>,  <a href=\"#ps-7\">PS-7</a>,  <a href=\"#pt-2\">PT-2</a>,  <a href=\"#pt-3\">PT-3</a>,  <a href=\"#pt-7\">PT-7</a>,  <a href=\"#ra-2\">RA-2</a>,  <a href=\"#ra-3\">RA-3</a>,  <a href=\"#ra-5\">RA-5</a>,  <a href=\"#ra-8\">RA-8</a>,  <a href=\"#sa-4\">SA-4</a>,  <a href=\"#sa-5\">SA-5</a>,  <a href=\"#sa-8\">SA-8</a>,  <a href=\"#sa-10\">SA-10</a>,  <a href=\"#si-4\">SI-4</a>,  <a href=\"#sr-2\">SR-2</a>,  <a href=\"#sr-4\">SR-4</a>,  <a href=\"#sr-8\">SR-8</a>.</p>",
                "controlId": "SI-12",
                "family": "System and Information Integrity",
                "enhancements": "<strong>Enhancements</strong><ul><li>SI-12(1) - Limit Personally Identifiable Information Elements</li><li>SI-12(2) - Minimize Personally Identifiable Information in Testing, Training, and Research</li><li>SI-12(3) - Information Disposal</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "02e058b5-a351-47d4-92d6-16620272de19",
                        "parameterId": "SI-17",
                        "text": "organization-defined list of failure conditions and associated fail-safe procedures",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined list of failure conditions and associated fail-safe procedures] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "si-17_prm_1"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a167d89b-2ccd-4e22-88a5-d4bc1251946c",
                        "name": "SI-17",
                        "objectiveType": "",
                        "otherId": "si-17_smt",
                        "description": "Implement the indicated fail-safe procedures when the indicated failures occur: {{ insert: param, SI-17 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "c72ef973-f9af-40d2-a315-0152f09a20bc",
                        "testId": "SI-17-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Documentation addressing fail-safe procedures for the system.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of security safeguards protecting the system memory from unauthorized code execution.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "94ced6a8-6699-4326-96af-3e9b7d537fa2",
                        "testId": "SI-17-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel responsible for fail-safe procedures.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developer.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "c7e9d4d5-c5bd-4e5b-8499-13a09d480814",
                        "testId": "SI-17-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational fail-safe procedures.</li><li>Automated mechanisms supporting and/or implementing fail-safe procedures.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8bf7163a-573e-487c-bfde-ab950b39e384",
                        "testId": "SI-17",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): fail-safe procedures ]  are implemented when  [SELECTED PARAMETER VALUE(S): list of failure conditions ]  occur.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>System and information integrity policy.</li><li>System and information integrity procedures.</li><li>Documentation addressing fail-safe procedures for the system.</li><li>System design documentation.</li><li>System configuration settings and associated documentation.</li><li>List of security safeguards protecting the system memory from unauthorized code execution.</li><li>System audit records.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel responsible for fail-safe procedures.</li><li>Organizational personnel with information security responsibilities.</li><li>System/network administrators.</li><li>System developer.</li></ul><br><h5>Test</h5><ul><li>Organizational fail-safe procedures.</li><li>Automated mechanisms supporting and/or implementing fail-safe procedures.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "a2e1ec3b-effd-4f40-8166-40b4680333b1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SI-17 - Fail-safe Procedures",
                "description": "<p>Implement the indicated fail-safe procedures when the indicated failures occur: {{ insert: param, SI-17 }}.<br><strong>Discussion</strong><br></p><p>Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel and providing specific instructions on subsequent steps to take. Subsequent steps may include doing nothing, reestablishing system settings, shutting down processes, restarting the system, or contacting designated organizational personnel.</p><p></p><p><strong>OT Discussion</strong></p><p>The selected failure conditions and corresponding procedures may vary among baselines. The same failure event may trigger different responses, depending on the impact level. Mechanical and analog systems can be used to provide mechanisms to ensure fail-safe procedures. Fail-safe states should incorporate potential impacts to human safety, physical systems, and the environment. A related controls is CP-6.</p>",
                "controlId": "SI-17",
                "family": "System and Information Integrity",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "45a4e5aa-305b-4e14-85bf-6f8fd0a0fcf0",
                        "parameterId": "SR-1(a)",
                        "text": "organization-defined personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization-defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-1_prm_1"
                    },
                    {
                        "uuid": "adc05a17-bd46-45fa-a284-237adfab7a68",
                        "parameterId": "SR-1(a)(1)",
                        "text": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): organization-level; mission/business process-level; system-level]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-01_odp.03"
                    },
                    {
                        "uuid": "b73d5c2a-7bb3-4a9f-a63f-59046e539ca3",
                        "parameterId": "SR-1(b)",
                        "text": "official",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined official] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-01_odp.04"
                    },
                    {
                        "uuid": "1ca51107-6c8c-478a-a1e7-6098a50bfaf2",
                        "parameterId": "SR-1(c)(1)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-01_odp.05"
                    },
                    {
                        "uuid": "5bec85de-a84d-4379-b929-c29d3b07eb77",
                        "parameterId": "SR-1(c)(1)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-01_odp.06"
                    },
                    {
                        "uuid": "8f5dfc39-ab7b-4f0a-bdbd-89c775a20730",
                        "parameterId": "SR-1(c)(2)-1",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-01_odp.07"
                    },
                    {
                        "uuid": "6b5163d1-304e-4b88-aa20-a1fdda4ef4ce",
                        "parameterId": "SR-1(c)(2)-2",
                        "text": "events",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined events] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-01_odp.08"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "284e3369-ba65-4dd7-a8b5-6e8350abcb00",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sr-1_smt.a",
                        "description": "<ul><li>a. Develop, document, and disseminate to {{ insert: param, SR-1(a) }}:</li><ul><li>1. {{ insert: param, SR-1(a)(1) }} supply chain risk management policy that:</li><ul><li>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</li><li>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</li></ul><li>2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;</li></ul>"
                    },
                    {
                        "uuid": "4a3fbebf-8953-4572-bfbe-ab9c69cf7c24",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sr-1_smt.b",
                        "description": "<ul><li>b. Designate an {{ insert: param, SR-1(b) }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and</li></ul>"
                    },
                    {
                        "uuid": "653d1da7-7af3-405f-914c-37aecfae96c2",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sr-1_smt.c",
                        "description": "<ul><li>c. Review and update the current supply chain risk management:</li><ul><li>1. Policy {{ insert: param, SR-1(c)(1)-1 }} and following {{ insert: param, SR-1(c)(1)-2 }} ; and</li><li>2. Procedures {{ insert: param, SR-1(c)(2)-1 }} and following {{ insert: param, SR-1(c)(2)-2 }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "b7c13424-64e7-48cf-8b39-5b8cbaf4ba5e",
                        "testId": "SR-01-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4d7f474a-4b88-4512-86c5-96a9bee6d5bb",
                        "testId": "SR-01-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "b6edb1dd-de30-47f1-a233-fb05e80805c6",
                        "testId": "SR-01a.[01]",
                        "test": "Determine if a supply chain risk management policy is developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "2230c887-f817-4be8-8816-e8010cc565cf",
                        "testId": "SR-01a.[02]",
                        "test": "Determine if the supply chain risk management policy is disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "996ccfd3-1a4e-4334-8305-137a1b108551",
                        "testId": "SR-01a.[03]",
                        "test": "Determine if supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e5907203-2dca-4414-b562-6b5bb12ffd29",
                        "testId": "SR-01a.[04]",
                        "test": "Determine if the supply chain risk management procedures are disseminated to  [SELECTED PARAMETER VALUE(S): personnel or roles ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "58cb0ffb-87fb-4687-9c92-debfdcb08152",
                        "testId": "SR-01a.01(a)[01]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy addresses purpose;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5e77fa00-da0c-4e9b-a0fd-15c144aaa283",
                        "testId": "SR-01a.01(a)[02]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy addresses scope; <br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3e43a9db-2be0-4eaa-9367-504a6ec45ca2",
                        "testId": "SR-01a.01(a)[03]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy addresses roles;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "bc10f1ca-6076-4367-8a3a-333d69e47ecd",
                        "testId": "SR-01a.01(a)[04]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy addresses responsibilities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e89755f2-deff-4e26-99d0-a7e5811a1d9b",
                        "testId": "SR-01a.01(a)[05]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy addresses management commitment;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1f615dbf-2fb5-489c-8538-acf436833278",
                        "testId": "SR-01a.01(a)[06]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy addresses coordination among organizational entities;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3c80cca4-82cb-4fb8-ba04-56d485643cef",
                        "testId": "SR-01a.01(a)[07]",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy addresses compliance.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a27b3e67-2290-4242-9a4b-13a029751c41",
                        "testId": "SR-01a.01(b)",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): [Selection (one or more): organization-level; mission/business process-level; system-level] ]  supply chain risk management policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5bb2283f-3a1b-4a11-ae22-d3f2738819f9",
                        "testId": "SR-01b.",
                        "test": "Determine if the  [SELECTED PARAMETER VALUE(S): official ]  is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "443e6d4f-6039-428e-8adc-c9de83cd3b89",
                        "testId": "SR-01c.01[01]",
                        "test": "Determine if the current supply chain risk management policy is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "894681f3-fd3b-4c13-b946-18b49f0cb149",
                        "testId": "SR-01c.01[02]",
                        "test": "Determine if the current supply chain risk management policy is reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "cc05b6f2-3dca-4501-b02a-0f0f64a4b19b",
                        "testId": "SR-01c.02[01]",
                        "test": "Determine if the current supply chain risk management procedures are reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "4489c45e-48e1-4796-94b2-9c0c3161a23e",
                        "testId": "SR-01c.02[02]",
                        "test": "Determine if the current supply chain risk management procedures are reviewed and updated following  [SELECTED PARAMETER VALUE(S): events ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "66e90d71-60ec-40ba-801c-3229c79195fb",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-01 - Policy and Procedures",
                "description": "<ul><li><p>a. Develop, document, and disseminate to {{ insert: param, SR-1(a) }}:</p><ul><li><p>1. {{ insert: param, SR-1(a)(1) }} supply chain risk management policy that:</p><ul><li><p>(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and</p></li><li><p>(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and</p></li></ul></li><li><p>2. Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;</p></li></ul></li><li><p>b. Designate an {{ insert: param, SR-1(b) }} to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and</p></li><li><p>c. Review and update the current supply chain risk management:</p><ul><li><p>1. Policy {{ insert: param, SR-1(c)(1)-1 }} and following {{ insert: param, SR-1(c)(1)-2 }} ; and</p></li><li><p>2. Procedures {{ insert: param, SR-1(c)(2)-1 }} and following {{ insert: param, SR-1(c)(2)-2 }}.</p></li></ul></li><li><p><br><strong>Discussion</strong><br></p><p>Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.</p></li></ul><p></p><p><strong>OT Discussion</strong></p><p>Supply chain policies and procedures for OT should consider both components received and components produced. Many OT systems use legacy components that cannot meet modern supply chain expectations. Appropriate compensating controls should be developed to achieve organizational supply chain expectations for legacy systems.</p>",
                "controlId": "SR-1",
                "family": "Supply Chain Risk Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "338b267d-e9bc-4396-8ef6-d848f9e7abdb",
                        "parameterId": "SR-2(a)",
                        "text": "systems, system components, or system services",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined systems, system components, or system services] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-02_odp.01"
                    },
                    {
                        "uuid": "74e79711-b5d7-4082-a493-59e860bd3e68",
                        "parameterId": "SR-2(b)",
                        "text": "frequency",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined frequency] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-02_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "2ea08642-71ab-4b2b-a221-ccedffc22b08",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sr-2_smt.a",
                        "description": "<ul><li>a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: {{ insert: param, SR-2(a) }};</li></ul>"
                    },
                    {
                        "uuid": "2f00866b-cbc7-4963-a666-f19f9b87ab8f",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sr-2_smt.b",
                        "description": "<ul><li>b. Review and update the supply chain risk management plan {{ insert: param, SR-2(b) }} or as required, to address threat, organizational or environmental changes; and</li></ul>"
                    },
                    {
                        "uuid": "06d1cb26-ef8f-4a74-96de-b63178c5ca10",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sr-2_smt.c",
                        "description": "<ul><li>c. Protect the supply chain risk management plan from unauthorized disclosure and modification.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "490fb3b8-dea0-4ac0-b1bd-4cb7968f6b05",
                        "testId": "SR-02a.[01]",
                        "test": "Determine if a plan for managing supply chain risks is developed;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "90974bfb-40d5-4abb-9a64-e724e54b699f",
                        "testId": "SR-02a.[02]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the research and development of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5d5aba85-d834-408b-a8ee-6635cd278339",
                        "testId": "SR-02a.[03]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the design of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "773244cd-32bb-4b9c-8e30-0d05a93748c1",
                        "testId": "SR-02a.[04]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the manufacturing of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d7d594f9-3a72-43c5-aabe-36b4bb28b86e",
                        "testId": "SR-02a.[05]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the acquisition of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "34d78b95-14f8-4d4d-ab83-8a7040831ace",
                        "testId": "SR-02a.[06]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the delivery of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f38e15f2-9a88-4588-932d-c885521001f4",
                        "testId": "SR-02a.[07]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the integration of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "954f003c-84fb-41f9-ba26-0fccd928629a",
                        "testId": "SR-02a.[08]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the operation and maintenance of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d75afbc6-137e-4d3d-94d0-391ca8ca2d6f",
                        "testId": "SR-02a.[09]",
                        "test": "Determine if the supply chain risk management plan addresses risks associated with the disposal of  [SELECTED PARAMETER VALUE(S): systems, system components, or system services ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e7dd4f67-d6da-469b-b8ac-5cb756cd2345",
                        "testId": "SR-02b.",
                        "test": "Determine if the supply chain risk management plan is reviewed and updated  [SELECTED PARAMETER VALUE(S): frequency ]  or as required to address threat, organizational, or environmental changes;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d1ea95c0-b55c-43c0-bc1b-359d2f40a3cc",
                        "testId": "SR-02c.[01]",
                        "test": "Determine if the supply chain risk management plan is protected from unauthorized disclosure;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1f738fb2-816b-46bc-b7ef-8f89294b1ee3",
                        "testId": "SR-02c.[02]",
                        "test": "Determine if the supply chain risk management plan is protected from unauthorized modification.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "edb7cc5b-4f89-4f53-9ce5-52756533ae91",
                        "testId": "SR-02-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification.</li><li>System development life cycle procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>List of supply chain threats.</li><li>List of safeguards to be taken against supply chain threats.</li><li>System life cycle documentation.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Privacy plan.</li><li>Privacy program plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "5dd552be-cc87-4e91-8d85-45310760fb4d",
                        "testId": "SR-02-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "18a2e218-0d84-4947-9189-4960fedafc6d",
                        "testId": "SR-02-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for defining and documenting the system development life cycle (sdlc).</li><li>Organizational processes for identifying sdlc roles and responsibilities.</li><li>Organizational processes for integrating supply chain risk management into the sdlc.</li><li>Mechanisms supporting and/or implementing the sdlc.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "16aa3826-c280-4e34-a98c-124ae64c30d1",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-02 - Supply Chain Risk Management Plan",
                "description": "<ul><li>a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services:  {{ insert: param, SR-2(a) }};</li><li>b. Review and update the supply chain risk management plan  {{ insert: param, SR-2(b) }}  or as required, to address threat, organizational or environmental changes; and</li><li>c. Protect the supply chain risk management plan from unauthorized disclosure and modification.</li></ul><br/><strong>Discussion</strong><br/><p>The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.</p><p>Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see  <a href=\"#sa-8\">SA-8</a>).</p>",
                "controlId": "SR-2",
                "family": "Supply Chain Risk Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>SR-2(1) - Establish SCRM Team</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "2435a2ab-a831-48a0-a4ea-7a491cc2b249",
                        "parameterId": "SR-2(1)-1",
                        "text": "personnel, roles and responsibilities",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel, roles and responsibilities] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-02.01_odp.01"
                    },
                    {
                        "uuid": "0d616c3d-42d4-4415-bfd4-dd7fa2c389cd",
                        "parameterId": "SR-2(1)-2",
                        "text": "supply chain risk management activities",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined supply chain risk management activities] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-02.01_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "a2d2e38d-f0c4-488f-ab90-53cd0b9866eb",
                        "name": "SR-2(1)",
                        "objectiveType": "",
                        "otherId": "sr-2.1_smt",
                        "description": "Establish a supply chain risk management team consisting of {{ insert: param, SR-2(1)-1 }} to lead and support the following SCRM activities: {{ insert: param, SR-2(1)-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "ec72fa08-dc3b-45b3-b650-2386b227f179",
                        "testId": "SR-02(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management team charter documentation.</li><li>Supply chain risk management strategy.</li><li>Supply chain risk management implementation plan.</li><li>Procedures addressing supply chain protection.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8c588bb9-56b1-4474-a57f-38f2374a9ebb",
                        "testId": "SR-02(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li><li>Legal counsel.</li><li>Organizational personnel with business continuity responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d08a9c73-061a-47d6-b1d9-a12477d7ad64",
                        "testId": "SR-02(01)",
                        "test": "Determine if a supply chain risk management team consisting of  [SELECTED PARAMETER VALUE(S): personnel, roles and responsibilities ]  is established to lead and support  [SELECTED PARAMETER VALUE(S): supply chain risk management activities ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management team charter documentation.</li><li>Supply chain risk management strategy.</li><li>Supply chain risk management implementation plan.</li><li>Procedures addressing supply chain protection.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with enterprise risk management responsibilities.</li><li>Legal counsel.</li><li>Organizational personnel with business continuity responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "2c344031-62b5-4386-81f9-008b360cd789",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-02(01) - Establish SCRM Team",
                "description": "Establish a supply chain risk management team consisting of  {{ insert: param, SR-2(1)-1 }}  to lead and support the following SCRM activities:  {{ insert: param, SR-2(1)-2 }}.<br/><strong>Discussion</strong><br/><p>To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.</p>",
                "controlId": "SR-2(1)",
                "family": "Supply Chain Risk Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "458954a7-9f02-44fa-8521-12e06c952b30",
                        "parameterId": "SR-3(a)-1",
                        "text": "system or system component",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system or system component] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-03_odp.01"
                    },
                    {
                        "uuid": "49b0500a-f11d-401b-88e1-c5001a0d6e3a",
                        "parameterId": "SR-3(a)-2",
                        "text": "supply chain personnel",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined supply chain personnel] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-03_odp.02"
                    },
                    {
                        "uuid": "e7f70d16-fdc5-428d-ba16-5cedd1dc1fb7",
                        "parameterId": "SR-3(b)",
                        "text": "supply chain controls",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined supply chain controls] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-03_odp.03"
                    },
                    {
                        "uuid": "44bdd413-bd53-4c31-a900-a09c327b8388",
                        "parameterId": "SR-3(c)",
                        "text": "[Selection (one or more): security and privacy plans; supply chain risk management plan; [(NESTED PARAMETER) Assignment for sr-03_odp.05: document]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): security and privacy plans; supply chain risk management plan; [(NESTED PARAMETER) Assignment for sr-03_odp.05: document]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-03_odp.04"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "4eb60822-68ab-4af0-9f25-54cac1a39dfe",
                        "name": "a.",
                        "objectiveType": "",
                        "otherId": "sr-3_smt.a",
                        "description": "<ul><li>a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of {{ insert: param, SR-3(a)-1 }} in coordination with {{ insert: param, SR-3(a)-2 }};</li></ul>"
                    },
                    {
                        "uuid": "4df69b8a-ae14-44b9-971c-803731e1169f",
                        "name": "b.",
                        "objectiveType": "",
                        "otherId": "sr-3_smt.b",
                        "description": "<ul><li>b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: {{ insert: param, SR-3(b) }} ; and</li></ul>"
                    },
                    {
                        "uuid": "caa82bb1-ca11-4585-b48f-674d79f618ef",
                        "name": "c.",
                        "objectiveType": "",
                        "otherId": "sr-3_smt.c",
                        "description": "<ul><li>c. Document the selected and implemented supply chain processes and controls in {{ insert: param, SR-3(c) }}.</li></ul>"
                    }
                ],
                "tests": [
                    {
                        "uuid": "fc490ebf-616b-4f14-8e5a-82223d85b115",
                        "testId": "SR-03a.[01]",
                        "test": "Determine if a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of  [SELECTED PARAMETER VALUE(S): system or system component ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management strategy.</li><li>Supply chain risk management plan.</li><li>Systems and critical system components inventory documentation.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems or services.</li><li>Risk register documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying and addressing supply chain element and process deficiencies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "42f9ed8e-f9b5-4b3e-99b5-6f005a80a7b4",
                        "testId": "SR-03a.[02]",
                        "test": "Determine if the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of  [SELECTED PARAMETER VALUE(S): system or system component ]  is/are coordinated with  [SELECTED PARAMETER VALUE(S): supply chain personnel ];<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management strategy.</li><li>Supply chain risk management plan.</li><li>Systems and critical system components inventory documentation.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems or services.</li><li>Risk register documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying and addressing supply chain element and process deficiencies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f8ec7c7f-ded3-4d2a-83d3-cdb9dfed5b3d",
                        "testId": "SR-03b.",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): supply chain controls ]  are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management strategy.</li><li>Supply chain risk management plan.</li><li>Systems and critical system components inventory documentation.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems or services.</li><li>Risk register documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying and addressing supply chain element and process deficiencies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d0d21a54-f1fb-41e1-a603-afb0c1e5df09",
                        "testId": "SR-03c.",
                        "test": "Determine if the selected and implemented supply chain processes and controls are documented in  [SELECTED PARAMETER VALUE(S): [Selection (one or more): security and privacy plans; supply chain risk management plan; [(NESTED PARAMETER) Assignment for sr-03_odp.05: document]] ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management strategy.</li><li>Supply chain risk management plan.</li><li>Systems and critical system components inventory documentation.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems or services.</li><li>Risk register documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for identifying and addressing supply chain element and process deficiencies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3f0944c1-a729-48e1-a58b-2d1bc232f44a",
                        "testId": "SR-03-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management strategy.</li><li>Supply chain risk management plan.</li><li>Systems and critical system components inventory documentation.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems or services.</li><li>Risk register documentation.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dc88b795-933c-4511-9836-43ce213550da",
                        "testId": "SR-03-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "3a7a99e7-56e9-4056-aaff-ca825de31c77",
                        "testId": "SR-03-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for identifying and addressing supply chain element and process deficiencies.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "60b10cbc-91ae-4cff-b051-d6ee1912afcd",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-03 - Supply Chain Controls and Processes",
                "description": "<ul><li>a. Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of  {{ insert: param, SR-3(a)-1 }}  in coordination with  {{ insert: param, SR-3(a)-2 }};</li><li>b. Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events:  {{ insert: param, SR-3(b) }} ; and</li><li>c. Document the selected and implemented supply chain processes and controls in  {{ insert: param, SR-3(c) }}.</li></ul><br/><strong>Discussion</strong><br/><p>Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.</p>",
                "controlId": "SR-3",
                "family": "Supply Chain Risk Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>SR-3(1) - Diverse Supply Base</li><li>SR-3(2) - Limitation of Harm</li><li>SR-3(3) - Sub-tier Flow Down</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "bf834ec1-5e0a-478a-8a78-3468bfc7264b",
                        "parameterId": "SR-5",
                        "text": "strategies, tools, and methods",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined strategies, tools, and methods] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-05_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "3e21ee39-31e8-4d63-8230-63761f16a9ae",
                        "name": "SR-5",
                        "objectiveType": "",
                        "otherId": "sr-5_smt",
                        "description": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: {{ insert: param, SR-5 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "6a52bf84-310f-4de3-90e3-5bfccaa69630",
                        "testId": "SR-05-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems, system components, or services.</li><li>Documentation of training, education, and awareness programs for personnel regarding supply chain risk.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "dd3cb43d-b32b-4e49-80c1-8d34d21d77c2",
                        "testId": "SR-05-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "63d7bf43-22eb-475c-b7ea-6f74f9e9a90c",
                        "testId": "SR-05-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods.</li><li>Mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "f65ba78c-c502-43bf-abcb-a7a32a64769a",
                        "testId": "SR-05[01]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): strategies, tools, and methods ]  are employed to protect against supply chain risks;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems, system components, or services.</li><li>Documentation of training, education, and awareness programs for personnel regarding supply chain risk.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods.</li><li>Mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "917575d5-c4aa-4b27-92f6-025379eef3cc",
                        "testId": "SR-05[02]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): strategies, tools, and methods ]  are employed to identify supply chain risks;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems, system components, or services.</li><li>Documentation of training, education, and awareness programs for personnel regarding supply chain risk.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods.</li><li>Mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8fcb752a-c061-4701-9bbe-cd22bfeeb8bb",
                        "testId": "SR-05[03]",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): strategies, tools, and methods ]  are employed to mitigate supply chain risks.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy.</li><li>Supply chain risk management procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>System and services acquisition procedures.</li><li>Procedures addressing supply chain protection.</li><li>Procedures addressing the integration of information security and privacy requirements into the acquisition process.</li><li>Solicitation documentation.</li><li>Acquisition documentation (including purchase orders).</li><li>Service level agreements.</li><li>Acquisition contracts for systems, system components, or services.</li><li>Documentation of training, education, and awareness programs for personnel regarding supply chain risk.</li><li>System security plan.</li><li>Privacy plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with acquisition responsibilities.</li><li>Organizational personnel with information security and privacy responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods.</li><li>Mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "be8976a6-e0aa-4d25-9154-9b20b092deb4",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-05 - Acquisition Strategies, Tools, and Methods",
                "description": "Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks:  {{ insert: param, SR-5 }}.<br/><strong>Discussion</strong><br/><p>The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.</p>",
                "controlId": "SR-5",
                "family": "Supply Chain Risk Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>SR-5(1) - Adequate Supply</li><li>SR-5(2) - Assessments Prior to Selection, Acceptance, Modification, or Update</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "f89f75a7-543e-45e3-bf1a-63830e6a2dbd",
                        "parameterId": "SR-8",
                        "text": "[Selection (one or more): notification of supply chain compromises; [(NESTED PARAMETER) Assignment for sr-08_odp.02: results of assessments or audits]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): notification of supply chain compromises; [(NESTED PARAMETER) Assignment for sr-08_odp.02: results of assessments or audits]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-08_odp.01"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "dd5c7846-06c7-4555-b254-45619c3981a7",
                        "name": "SR-8",
                        "objectiveType": "",
                        "otherId": "sr-8_smt",
                        "description": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, SR-8 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "a0575ff7-c425-4923-b575-dc5f238dffb3",
                        "testId": "SR-08-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Procedures addressing supply chain protection.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e26b9b4a-a801-4359-a53a-db603709abcf",
                        "testId": "SR-08-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system and service acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "461e0dc2-3e3d-41f3-91a7-5718cc252c63",
                        "testId": "SR-08-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "8ef0b277-7353-492a-98f1-d43a66916e8e",
                        "testId": "SR-08",
                        "test": "Determine if agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for  [SELECTED PARAMETER VALUE(S): [Selection (one or more): notification of supply chain compromises; [(NESTED PARAMETER) Assignment for sr-08_odp.02: results of assessments or audits]] ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Procedures addressing supply chain protection.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and service acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "fabb47f2-2d26-4c24-a7d1-436e3808810b",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-08 - Notification Agreements",
                "description": "Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the  {{ insert: param, SR-8 }}.<br/><strong>Discussion</strong><br/><p>The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.</p>",
                "controlId": "SR-8",
                "family": "Supply Chain Risk Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "8601cb38-e79d-4eac-b5cf-a59ed57e2e7b",
                        "parameterId": "SR-10-2",
                        "text": "systems or system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined systems or system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-10_odp.01"
                    },
                    {
                        "uuid": "2f550b53-bf01-4803-b219-bde11b430770",
                        "parameterId": "SR-10-1",
                        "text": "[Selection (one or more): at random; at [(NESTED PARAMETER) Assignment for sr-10_odp.03: frequency]; upon [(NESTED PARAMETER) Assignment for sr-10_odp.04: indications of need for inspection]]",
                        "constraints": "",
                        "guidance": "",
                        "default": "[Selection (one or more): at random; at [(NESTED PARAMETER) Assignment for sr-10_odp.03: frequency]; upon [(NESTED PARAMETER) Assignment for sr-10_odp.04: indications of need for inspection]]",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-10_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "fc62f892-79f0-4e98-9ac6-2375a65d41f9",
                        "name": "SR-10",
                        "objectiveType": "",
                        "otherId": "sr-10_smt",
                        "description": "Inspect the following systems or system components {{ insert: param, SR-10-1 }} to detect tampering: {{ insert: param, SR-10-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "505c9a91-1da3-413f-acd6-d646f5400391",
                        "testId": "SR-10",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): systems or system components ]  are inspected  [SELECTED PARAMETER VALUE(S): [Selection (one or more): at random; at [(NESTED PARAMETER) Assignment for sr-10_odp.03: frequency]; upon [(NESTED PARAMETER) Assignment for sr-10_odp.04: indications of need for inspection]] ]  to detect tampering.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Records of random inspections.</li><li>Inspection reports/results.</li><li>Assessment reports/results.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities.</li><li>Organizational processes to inspect for tampering.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0f43c988-a2b2-445e-a13d-15fafef21972",
                        "testId": "SR-10-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Records of random inspections.</li><li>Inspection reports/results.</li><li>Assessment reports/results.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system, system component, or system service.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0b744978-df74-45ff-b5b7-588237b4b6c3",
                        "testId": "SR-10-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "29d3aba8-5d73-4cb4-91b5-e212ad30be13",
                        "testId": "SR-10-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities.</li><li>Organizational processes to inspect for tampering.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "c0639fe5-613f-4076-aad7-c832c9a699af",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-10 - Inspection of Systems or Components",
                "description": "Inspect the following systems or system components  {{ insert: param, SR-10-1 }}  to detect tampering:  {{ insert: param, SR-10-2 }}.<br/><strong>Discussion</strong><br/><p>The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.</p>",
                "controlId": "SR-10",
                "family": "Supply Chain Risk Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [],
                "ccis": [],
                "objectives": [],
                "tests": [],
                "externalMappings": [],
                "uuid": "a8a0c696-6025-4439-a5d3-c47271afe21d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-11 - Component Authenticity",
                "description": "<ul><li>a. Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and</li><li>b. Report counterfeit system components to  {{ insert: param, sr-11_odp.01 }}.</li></ul><br/><strong>Discussion</strong><br/><p>Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.</p>",
                "controlId": "SR-11",
                "family": "Supply Chain Risk Management",
                "enhancements": "<strong>Enhancements</strong><ul><li>SR-11(1) - Anti-counterfeit Training</li><li>SR-11(2) - Configuration Control for Component Service and Repair</li><li>SR-11(3) - Anti-counterfeit Scanning</li></ul>",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "d5d43311-1a3a-4bba-a095-df639ae4afed",
                        "parameterId": "SR-11(1)",
                        "text": "personnel or roles",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined personnel or roles] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-11.01_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "c54c6b98-f03e-4e04-a0f6-ce38bc152980",
                        "name": "SR-11(1)",
                        "objectiveType": "",
                        "otherId": "sr-11.1_smt",
                        "description": "Train {{ insert: param, SR-11(1) }} to detect counterfeit system components (including hardware, software, and firmware)."
                    }
                ],
                "tests": [
                    {
                        "uuid": "026b1897-2add-4e33-8a7c-97735f408e34",
                        "testId": "SR-11(01)",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): personnel or roles ]  are trained to detect counterfeit system components (including hardware, software, and firmware).<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Anti-counterfeit plan.</li><li>Anti-counterfeit policy and procedures.</li><li>Media disposal policy.</li><li>Media protection policy.</li><li>Incident response policy.</li><li>Training materials addressing counterfeit system components.</li><li>Training records on the detection and prevention of counterfeit components entering the system.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for anti-counterfeit training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "6e21631b-a0d6-4ab4-950f-58c7a09656b5",
                        "testId": "SR-11(01)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>System and services acquisition policy.</li><li>Anti-counterfeit plan.</li><li>Anti-counterfeit policy and procedures.</li><li>Media disposal policy.</li><li>Media protection policy.</li><li>Incident response policy.</li><li>Training materials addressing counterfeit system components.</li><li>Training records on the detection and prevention of counterfeit components entering the system.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1bf972bb-5c2c-42e8-9a7d-573b8b6844c7",
                        "testId": "SR-11(01)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li><li>Organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "05a14580-bcee-43ff-89da-618e8cc660ee",
                        "testId": "SR-11(01)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for anti-counterfeit training.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "226b9b7e-1979-45c6-b1a1-2df5444df5bc",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-11(01) - Anti-counterfeit Training",
                "description": "Train  {{ insert: param, SR-11(1) }}  to detect counterfeit system components (including hardware, software, and firmware).<br/><strong>Discussion</strong><br/><p>None.</p>",
                "controlId": "SR-11(1)",
                "family": "Supply Chain Risk Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "425b9e4d-eadb-415b-9854-972ed1a196d0",
                        "parameterId": "SR-11(2)",
                        "text": "system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-11.02_odp"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "0163bcb6-296f-4136-875f-0e212e1d31f1",
                        "name": "SR-11(2)",
                        "objectiveType": "",
                        "otherId": "sr-11.2_smt",
                        "description": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: {{ insert: param, SR-11(2) }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "7e78e00f-285f-4615-a595-d48ed83187fc",
                        "testId": "SR-11(02)-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>Configuration control procedures.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system component.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "0addf8d3-6db7-47b8-a0ce-da4048a6541a",
                        "testId": "SR-11(02)-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "62e9353c-bb11-4716-97a3-634cedcdbfbc",
                        "testId": "SR-11(02)-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities.</li><li>Organizational configuration control processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "1ca17464-d4ed-48e4-bc85-001570b61fc8",
                        "testId": "SR-11(02)[01]",
                        "test": "Determine if configuration control over  [SELECTED PARAMETER VALUE(S): system components ]  awaiting service or repair is maintained;<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>Configuration control procedures.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system component.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities.</li><li>Organizational configuration control processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "64825957-3843-42e9-a311-a5e2c6c41e86",
                        "testId": "SR-11(02)[02]",
                        "test": "Determine if configuration control over serviced or repaired  [SELECTED PARAMETER VALUE(S): system components ]  awaiting return to service is maintained.<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>Configuration control procedures.</li><li>Acquisition documentation.</li><li>Service level agreements.</li><li>Acquisition contracts for the system component.</li><li>Inter-organizational agreements and procedures.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system and services acquisition responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain risk management responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities.</li><li>Organizational configuration control processes.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "ba61e2e8-716b-4e81-9be9-7200727b5aa5",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-11(02) - Configuration Control for Component Service and Repair",
                "description": "Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service:  {{ insert: param, SR-11(2) }}.<br/><strong>Discussion</strong><br/><p>None.</p>",
                "controlId": "SR-11(2)",
                "family": "Supply Chain Risk Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            },
            {
                "parameters": [
                    {
                        "uuid": "14bd5f1c-c174-46e3-bb99-6b37f666cdc0",
                        "parameterId": "SR-12-1",
                        "text": "data, documentation, tools, or system components",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined data, documentation, tools, or system components] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-12_odp.01"
                    },
                    {
                        "uuid": "bce79e3b-d65d-4aaa-bd34-2cae16c52a24",
                        "parameterId": "SR-12-2",
                        "text": "techniques and methods",
                        "constraints": "",
                        "guidance": "",
                        "default": " [Assignment: organization defined techniques and methods] ",
                        "displayName": "",
                        "dataType": "",
                        "otherId": "sr-12_odp.02"
                    }
                ],
                "ccis": [],
                "objectives": [
                    {
                        "uuid": "26e16101-0d0e-4793-9f1a-25ef0cc73317",
                        "name": "SR-12",
                        "objectiveType": "",
                        "otherId": "sr-12_smt",
                        "description": "Dispose of {{ insert: param, SR-12-1 }} using the following techniques and methods: {{ insert: param, SR-12-2 }}."
                    }
                ],
                "tests": [
                    {
                        "uuid": "752c5aaf-a1fb-4cf6-8c4d-21a2fd5d964f",
                        "testId": "SR-12-Examine",
                        "test": "<br><h5>EXAMINE</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>Disposal procedures addressing supply chain protection.</li><li>Media disposal policy.</li><li>Media protection policy.</li><li>Disposal records for system components.</li><li>Documentation of the system components identified for disposal.</li><li>Documentation of the disposal techniques and methods employed for system components.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "e1656066-8cd0-4b8a-b54f-77d13d214f28",
                        "testId": "SR-12-Interview",
                        "test": "<br><h5>INTERVIEW</h5><ul><li>Organizational personnel with system component disposal responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain protection responsibilities.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "a4c3ddd4-307d-4b89-ba90-0b7c93d4ac7e",
                        "testId": "SR-12-Test",
                        "test": "<br><h5>TEST</h5><ul><li>Organizational techniques and methods for system component disposal.</li><li>Mechanisms supporting and/or implementing system component disposal.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    },
                    {
                        "uuid": "d6c1da2a-4e9c-4bba-9bb2-2ec4dac5116c",
                        "testId": "SR-12",
                        "test": "Determine if [SELECTED PARAMETER VALUE(S): data, documentation, tools, or system components ]  are disposed of using  [SELECTED PARAMETER VALUE(S): techniques and methods ].<br><br>POTENTIAL ASSESSMENT METHODS AND OBJECTS:<br><h5>Examine</h5><ul><li>Supply chain risk management policy and procedures.</li><li>Supply chain risk management plan.</li><li>Disposal procedures addressing supply chain protection.</li><li>Media disposal policy.</li><li>Media protection policy.</li><li>Disposal records for system components.</li><li>Documentation of the system components identified for disposal.</li><li>Documentation of the disposal techniques and methods employed for system components.</li><li>System security plan.</li><li>Other relevant documents or records.</li></ul><br><h5>Interview</h5><ul><li>Organizational personnel with system component disposal responsibilities.</li><li>Organizational personnel with information security responsibilities.</li><li>Organizational personnel with supply chain protection responsibilities.</li></ul><br><h5>Test</h5><ul><li>Organizational techniques and methods for system component disposal.</li><li>Mechanisms supporting and/or implementing system component disposal.</li></ul>",
                        "otherId": null,
                        "defaultText": null
                    }
                ],
                "externalMappings": [],
                "uuid": "34c9e836-3ec1-4c44-96c8-9ea97e153e7d",
                "subControls": "",
                "mappings": "",
                "assessmentPlan": "",
                "practiceLevel": "",
                "weight": 0.0,
                "title": "SR-12 - Component Disposal",
                "description": "Dispose of  {{ insert: param, SR-12-1 }}  using the following techniques and methods:  {{ insert: param, SR-12-2 }}.<br/><strong>Discussion</strong><br/><p>Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.</p>",
                "controlId": "SR-12",
                "family": "Supply Chain Risk Management",
                "enhancements": "",
                "sortId": "",
                "references": "",
                "relatedControls": "",
                "otherId": ""
            }
        ],
        "uuid": "4d68be60-0652-11ef-8523-f049f357030d",
        "title": "NIST 800-82-R3 - Low Impact - Guide to Operational Technology (OT) Security",
        "datePublished": "2024-12-18T08:00:00",
        "lastRevisionDate": "2024-12-18T08:00:00",
        "url": "https://doi.org/10.6028/NIST.SP.800-82r3",
        "keywords": "computer security; distributed control systems (DCS); industrial control systems (ICS); information security; network security; operational technology (OT); programmable logic controllers (PLC); risk management; security controls; supervisory control and data acquisition (SCADA) systems",
        "abstract": "This document provides guidance on how to secure operational technology (OT) while addressing their unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems and devices that interact with the physical  environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. The document provides an overview of OT and typical system topologies, identifies common threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.",
        "description": "RegScale catalog for NIST SP 800-82 Rev. 3 Guide to Operational Technology (OT) Security. For additional information, see the corresponding NIST webpage at https://csrc.nist.gov/pubs/sp/800/82/r3/final.",
        "defaultName": "nist-800-82-r3-low",
        "downloadURL": "https://regscaleblob.blob.core.windows.net/catalogs/nist-800-82-r3-low.json",
        "regulationDatePublished": "2023-09-01T00:00:00",
        "regulationDateModified": null,
        "requireUniqueControlId": false,
        "sourceOscalURL": "",
        "externalId": "",
        "originator": 0,
        "category": "Cyber Security"
    }
}