compliance controls are associated with this Policy definition 'Document security strength requirements in acquisition contracts' (ebb0ba89-6d8c-84a7-252b-7393881e43de)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
IA-5(1) |
FedRAMP_High_R4_IA-5(1) |
FedRAMP High IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
FedRAMP_High_R4 |
IA-5(4) |
FedRAMP_High_R4_IA-5(4) |
FedRAMP High IA-5 (4) |
Identification And Authentication |
Automated Support For Password Strength Determination |
Shared |
n/a |
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. |
link |
3 |
FedRAMP_High_R4 |
SA-4 |
FedRAMP_High_R4_SA-4 |
FedRAMP High SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
FedRAMP_Moderate_R4 |
IA-5(1) |
FedRAMP_Moderate_R4_IA-5(1) |
FedRAMP Moderate IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
FedRAMP_Moderate_R4 |
IA-5(4) |
FedRAMP_Moderate_R4_IA-5(4) |
FedRAMP Moderate IA-5 (4) |
Identification And Authentication |
Automated Support For Password Strength Determination |
Shared |
n/a |
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. |
link |
3 |
FedRAMP_Moderate_R4 |
SA-4 |
FedRAMP_Moderate_R4_SA-4 |
FedRAMP Moderate SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
hipaa |
0640.10k2Organizational.1012-10.k |
hipaa-0640.10k2Organizational.1012-10.k |
0640.10k2Organizational.1012-10.k |
06 Configuration Management |
0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. |
|
22 |
hipaa |
0837.09.n2Organizational.2-09.n |
hipaa-0837.09.n2Organizational.2-09.n |
0837.09.n2Organizational.2-09.n |
08 Network Protection |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management |
Shared |
n/a |
Formal agreements with external information system providers include specific obligations for security and privacy. |
|
20 |
hipaa |
0888.09n2Organizational.6-09.n |
hipaa-0888.09n2Organizational.6-09.n |
0888.09n2Organizational.6-09.n |
08 Network Protection |
0888.09n2Organizational.6-09.n 09.06 Network Security Management |
Shared |
n/a |
The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. |
|
17 |
hipaa |
1004.01d1System.8913-01.d |
hipaa-1004.01d1System.8913-01.d |
1004.01d1System.8913-01.d |
10 Password Management |
1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly); allows users to select long passwords and passphrases, including spaces and all printable characters; employs automated tools to assist the user in selecting strong passwords and authenticators; and verifies, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords. |
|
8 |
hipaa |
1005.01d1System.1011-01.d |
hipaa-1005.01d1System.1011-01.d |
1005.01d1System.1011-01.d |
10 Password Management |
1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization transmits passwords only when cryptographically-protected and stores passwords using an approved hash algorithm. |
|
6 |
hipaa |
1009.01d2System.4-01.d |
hipaa-1009.01d2System.4-01.d |
1009.01d2System.4-01.d |
10 Password Management |
1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Temporary passwords are unique and not guessable. |
|
4 |
hipaa |
1014.01d1System.12-01.d |
hipaa-1014.01d1System.12-01.d |
1014.01d1System.12-01.d |
10 Password Management |
1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization avoids the use of third-parties or unprotected (clear text) electronic mail messages for the dissemination of passwords. |
|
11 |
hipaa |
1022.01d1System.15-01.d |
hipaa-1022.01d1System.15-01.d |
1022.01d1System.15-01.d |
10 Password Management |
1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. |
|
8 |
hipaa |
1031.01d1System.34510-01.d |
hipaa-1031.01d1System.34510-01.d |
1031.01d1System.34510-01.d |
10 Password Management |
1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
The organization changes passwords for default system accounts, whenever there is any indication of password compromise, at first logon following the issuance of a temporary password, and requires immediate selection of a new password upon account recovery. |
|
6 |
hipaa |
1116.01j1Organizational.145-01.j |
hipaa-1116.01j1Organizational.145-01.j |
1116.01j1Organizational.145-01.j |
11 Access Control |
1116.01j1Organizational.145-01.j 01.04 Network Access Control |
Shared |
n/a |
Strong authentication methods are implemented for all external connections to the organization’s network. |
|
6 |
hipaa |
1406.05k1Organizational.110-05.k |
hipaa-1406.05k1Organizational.110-05.k |
1406.05k1Organizational.110-05.k |
14 Third Party Assurance |
1406.05k1Organizational.110-05.k 05.02 External Parties |
Shared |
n/a |
A standard agreement with third-parties is defined and includes the required security controls in accordance with the organization's security policies. |
|
11 |
hipaa |
1409.09e2System.1-09.e |
hipaa-1409.09e2System.1-09.e |
1409.09e2System.1-09.e |
14 Third Party Assurance |
1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization develops, disseminates and annually reviews/updates a list of current service providers, which includes a description of services provided. |
|
15 |
hipaa |
1410.09e2System.23-09.e |
hipaa-1410.09e2System.23-09.e |
1410.09e2System.23-09.e |
14 Third Party Assurance |
1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The organization addresses information security and other business considerations when acquiring systems or services; including maintaining security during transitions and continuity following a failure or disaster. |
|
11 |
hipaa |
1416.10l1Organizational.1-10.l |
hipaa-1416.10l1Organizational.1-10.l |
1416.10l1Organizational.1-10.l |
14 Third Party Assurance |
1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where software development is outsourced, formal contracts are in place to address the ownership and security of the code and application. |
|
11 |
hipaa |
1417.10l2Organizational.1-10.l |
hipaa-1417.10l2Organizational.1-10.l |
1417.10l2Organizational.1-10.l |
14 Third Party Assurance |
1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes |
Shared |
n/a |
Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews. |
|
12 |
hipaa |
1419.05j1Organizational.12-05.j |
hipaa-1419.05j1Organizational.12-05.j |
1419.05j1Organizational.12-05.j |
14 Third Party Assurance |
1419.05j1Organizational.12-05.j 05.02 External Parties |
Shared |
n/a |
The organization ensures that customers are aware of their obligations and rights, and accept the responsibilities and liabilities prior to accessing, processing, communicating, or managing the organization's information and information assets. |
|
11 |
ISO27001-2013 |
A.10.1.2 |
ISO27001-2013_A.10.1.2 |
ISO 27001:2013 A.10.1.2 |
Cryptography |
Key Management |
Shared |
n/a |
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. |
link |
15 |
ISO27001-2013 |
A.14.1.1 |
ISO27001-2013_A.14.1.1 |
ISO 27001:2013 A.14.1.1 |
System Acquisition, Development And Maintenance |
Information security requirements analysis and specification |
Shared |
n/a |
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. |
link |
24 |
ISO27001-2013 |
A.14.2.7 |
ISO27001-2013_A.14.2.7 |
ISO 27001:2013 A.14.2.7 |
System Acquisition, Development And Maintenance |
Outsourced development |
Shared |
n/a |
The organization shall supervise and monitor the activity of outsourced system development. |
link |
28 |
ISO27001-2013 |
A.14.2.9 |
ISO27001-2013_A.14.2.9 |
ISO 27001:2013 A.14.2.9 |
System Acquisition, Development And Maintenance |
System acceptance testing |
Shared |
n/a |
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. |
link |
14 |
ISO27001-2013 |
A.15.1.2 |
ISO27001-2013_A.15.1.2 |
ISO 27001:2013 A.15.1.2 |
Supplier Relationships |
Addressing security within supplier agreement |
Shared |
n/a |
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. |
link |
24 |
ISO27001-2013 |
A.15.2.2 |
ISO27001-2013_A.15.2.2 |
ISO 27001:2013 A.15.2.2 |
Supplier Relationships |
Managing changes to supplier services |
Shared |
n/a |
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. |
link |
15 |
ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
ISO27001-2013 |
A.6.1.5 |
ISO27001-2013_A.6.1.5 |
ISO 27001:2013 A.6.1.5 |
Organization of Information Security |
Information security in project management |
Shared |
n/a |
Information security shall be addressed in project management, regardless of the type of the project. |
link |
25 |
ISO27001-2013 |
A.7.1.2 |
ISO27001-2013_A.7.1.2 |
ISO 27001:2013 A.7.1.2 |
Human Resources Security |
Terms and conditions of employment |
Shared |
n/a |
The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. |
link |
24 |
ISO27001-2013 |
A.7.2.1 |
ISO27001-2013_A.7.2.1 |
ISO 27001:2013 A.7.2.1 |
Human Resources Security |
Management responsibilities |
Shared |
n/a |
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. |
link |
26 |
ISO27001-2013 |
A.9.2.4 |
ISO27001-2013_A.9.2.4 |
ISO 27001:2013 A.9.2.4 |
Access Control |
Management of secret authentication information of users |
Shared |
n/a |
The allocation of secret authentication information shall be controlled through a formal management process. |
link |
21 |
ISO27001-2013 |
A.9.3.1 |
ISO27001-2013_A.9.3.1 |
ISO 27001:2013 A.9.3.1 |
Access Control |
Use of secret authentication information |
Shared |
n/a |
Users shall be required to follow the organization's practices in the use of secret authentication information. |
link |
15 |
ISO27001-2013 |
A.9.4.3 |
ISO27001-2013_A.9.4.3 |
ISO 27001:2013 A.9.4.3 |
Access Control |
Password management system |
Shared |
n/a |
Password management systems shall be interactive and shall ensure quality password. |
link |
22 |
ISO27001-2013 |
C.4.3.c |
ISO27001-2013_C.4.3.c |
ISO 27001:2013 C.4.3.c |
Context of the organization |
Determining the scope of the information security management system |
Shared |
n/a |
The organization shall determine the boundaries and applicability of the information security
management system to establish its scope.
When determining this scope, the organization shall consider:
c) interfaces and dependencies between activities performed by the organization, and those that are
performed by other organizations.
The scope shall be available as documented information. |
link |
18 |
|
mp.per.1 Job characterization |
mp.per.1 Job characterization |
404 not found |
|
|
|
n/a |
n/a |
|
41 |
|
mp.per.2 Duties and obligations |
mp.per.2 Duties and obligations |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
|
mp.sw.1 IT Aplications development |
mp.sw.1 IT Aplications development |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
60 |
NIST_SP_800-171_R2_3 |
.5.7 |
NIST_SP_800-171_R2_3.5.7 |
NIST SP 800-171 R2 3.5.7 |
Identification and Authentication |
Enforce a minimum password complexity and change of characters when new passwords are created. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. |
link |
8 |
NIST_SP_800-53_R4 |
IA-5(1) |
NIST_SP_800-53_R4_IA-5(1) |
NIST SP 800-53 Rev. 4 IA-5 (1) |
Identification And Authentication |
Password-Based Authentication |
Shared |
n/a |
The information system, for password-based authentication:
(a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];
(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];
(c) Stores and transmits only encrypted representations of passwords;
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum];
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
(f) Allows the use of a temporary password for system logons with an immediate change to a permanent password.
Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. |
link |
15 |
NIST_SP_800-53_R4 |
IA-5(4) |
NIST_SP_800-53_R4_IA-5(4) |
NIST SP 800-53 Rev. 4 IA-5 (4) |
Identification And Authentication |
Automated Support For Password Strength Determination |
Shared |
n/a |
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements].
Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. |
link |
3 |
NIST_SP_800-53_R4 |
SA-4 |
NIST_SP_800-53_R4_SA-4 |
NIST SP 800-53 Rev. 4 SA-4 |
System And Services Acquisition |
Acquisition Process |
Shared |
n/a |
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:
a. Security functional requirements;
b. Security strength requirements;
c. Security assurance requirements;
d. Security-related documentation requirements;
e. Requirements for protecting security-related documentation;
f. Description of the information system development environment and environment in which the system is intended to operate; and
g. Acceptance criteria.
Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle.
Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12.
References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. |
link |
11 |
NIST_SP_800-53_R5 |
IA-5(1) |
NIST_SP_800-53_R5_IA-5(1) |
NIST SP 800-53 Rev. 5 IA-5 (1) |
Identification and Authentication |
Password-based Authentication |
Shared |
n/a |
For password-based authentication:
(a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
(b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
(c) Transmit passwords only over cryptographically-protected channels;
(d) Store passwords using an approved salted key derivation function, preferably using a keyed hash;
(e) Require immediate selection of a new password upon account recovery;
(f) Allow user selection of long passwords and passphrases, including spaces and all printable characters;
(g) Employ automated tools to assist the user in selecting strong password authenticators; and
(h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. |
link |
15 |
NIST_SP_800-53_R5 |
SA-4 |
NIST_SP_800-53_R5_SA-4 |
NIST SP 800-53 Rev. 5 SA-4 |
System and Services Acquisition |
Acquisition Process |
Shared |
n/a |
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (OneOrMore): standardized contract language; [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service:
a. Security and privacy functional requirements;
b. Strength of mechanism requirements;
c. Security and privacy assurance requirements;
d. Controls needed to satisfy the security and privacy requirements.
e. Security and privacy documentation requirements;
f. Requirements for protecting security and privacy documentation;
g. Description of the system development environment and environment in which the system is intended to operate;
h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and
i. Acceptance criteria. |
link |
11 |
|
op.acc.1 Identification |
op.acc.1 Identification |
404 not found |
|
|
|
n/a |
n/a |
|
66 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
64 |
|
op.acc.5 Authentication mechanism (external users) |
op.acc.5 Authentication mechanism (external users) |
404 not found |
|
|
|
n/a |
n/a |
|
72 |
|
op.exp.10 Cryptographic key protection |
op.exp.10 Cryptographic key protection |
404 not found |
|
|
|
n/a |
n/a |
|
53 |
|
op.ext.1 Contracting and service level agreements |
op.ext.1 Contracting and service level agreements |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
op.ext.2 Daily management |
op.ext.2 Daily management |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
|
op.nub.1 Cloud service protection |
op.nub.1 Cloud service protection |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
op.pl.5 Certified components |
op.pl.5 Certified components |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
PCI_DSS_v4.0 |
12.8.2 |
PCI_DSS_v4.0_12.8.2 |
PCI DSS v4.0 12.8.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
Written agreements with TPSPs are maintained as follows:
• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. |
link |
15 |
PCI_DSS_v4.0 |
12.8.5 |
PCI_DSS_v4.0_12.8.5 |
PCI DSS v4.0 12.8.5 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. |
link |
13 |
PCI_DSS_v4.0 |
8.3.6 |
PCI_DSS_v4.0_8.3.6 |
PCI DSS v4.0 8.3.6 |
Requirement 08: Identify Users and Authenticate Access to System Components |
Strong authentication for users and administrators is established and managed |
Shared |
n/a |
If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity:
• A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters).
• Contain both numeric and alphabetic characters. |
link |
9 |
PCI_DSS_v4.0 |
8.6.3 |
PCI_DSS_v4.0_8.6.3 |
PCI DSS v4.0 8.6.3 |
Requirement 08: Identify Users and Authenticate Access to System Components |
Use of application and system accounts and associated authentication factors is strictly managed |
Shared |
n/a |
Passwords/passphrases for any application and system accounts are protected against misuse as follows:
• Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.
• Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. |
link |
6 |
SOC_2 |
CC5.2 |
SOC_2_CC5.2 |
SOC 2 Type 2 CC5.2 |
Control Activities |
COSO Principle 11 |
Shared |
The customer is responsible for implementing this recommendation. |
• Determines Dependency Between the Use of Technology in Business Processes and
Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and
technology general controls.
• Establishes Relevant Technology Infrastructure Control Activities — Management
selects and develops control activities over the technology infrastructure, which are
designed and implemented to help ensure the completeness, accuracy, and availability of technology processing.
• Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented
to restrict technology access rights to authorized users commensurate with their job
responsibilities and to protect the entity’s assets from external threats.
• Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. |
|
18 |
SOC_2 |
CC9.2 |
SOC_2_CC9.2 |
SOC 2 Type 2 CC9.2 |
Risk Mitigation |
Vendors and business partners risk management |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement
that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels.
• Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic
basis, the risks that vendors and business partners (and those entities’ vendors and
business partners) represent to the achievement of the entity's objectives.
• Assigns Responsibility and Accountability for Managing Vendors and Business
Partners — The entity assigns responsibility and accountability for the management
of risks associated with vendors and business partners.
• Establishes Communication Protocols for Vendors and Business Partners — The
entity establishes communication and resolution protocols for service or product issues related to vendors and business partners.
• Establishes Exception Handling Procedures From Vendors and Business Partners
— The entity establishes exception handling procedures for service or product issues related to vendors and business partners.
• Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners.
• Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships.
• Implements Procedures for Terminating Vendor and Business Partner Relationships
— The entity implements procedures for terminating vendor and business partner
relationships.
Additional points of focus that apply only to an engagement using the trust services criteria for
confidentiality:
• Obtains Confidentiality Commitments from Vendors and Business Partners — The
entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who
have access to confidential information.
• Assesses Compliance With Confidentiality Commitments of Vendors and Business
Partners — On a periodic and as-needed basis, the entity assesses compliance by
vendors and business partners with the entity’s confidentiality commitments and requirements.
Additional points of focus that apply only to an engagement using the trust services criteria for
privacy:
• Obtains Privacy Commitments from Vendors and Business Partners — The entity
obtains privacy commitments, consistent with the entity’s privacy commitments and
requirements, from vendors and business partners who have access to personal information.
• Assesses Compliance with Privacy Commitments of Vendors and Business Partners
— On a periodic and as-needed basis, the entity assesses compliance by vendors
and business partners with the entity’s privacy commitments and requirements and
takes corrective action as necessary |
|
20 |
SOC_2 |
P6.1 |
SOC_2_P6.1 |
SOC 2 Type 2 P6.1 |
Additional Criteria For Privacy |
Personal information third party disclosure |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates Privacy Policies to Third Parties — Privacy policies or other specific
instructions or requirements for handling personal information are communicated
to third parties to whom personal information is disclosed.
• Discloses Personal Information Only When Appropriate — Personal information is
disclosed to third parties only for the purposes for which it was collected or created
and only when implicit or explicit consent has been obtained from the data subject,
unless a law or regulation specifically requires otherwise.
• Discloses Personal Information Only to Appropriate Third Parties — Personal information
is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the
entity’s privacy notice or other specific instructions or requirements. The entity has
procedures in place to evaluate that the third parties have effective controls to meet
the terms of the agreement, instructions, or requirements.
• Discloses Information to Third Parties for New Purposes and Uses — Personal information
is disclosed to third parties for new purposes or uses only with the prior
implicit or explicit consent of data subjects. |
|
15 |
SOC_2 |
P6.5 |
SOC_2_P6.5 |
SOC 2 Type 2 P6.5 |
Additional Criteria For Privacy |
Third party unauthorized disclosure notification |
Shared |
The customer is responsible for implementing this recommendation. |
• Remediates Misuse of Personal Information by a Third Party — The entity takes
remedial action in response to misuse of personal information by a third party to
whom the entity has transferred such information.
• Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining
commitments from vendors and other third parties to report to the entity actual
or suspected unauthorized disclosures of personal information. |
|
12 |
SWIFT_CSCF_v2022 |
2.8A |
SWIFT_CSCF_v2022_2.8A |
SWIFT CSCF v2022 2.8A |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. |
Shared |
n/a |
Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation. |
link |
11 |
SWIFT_CSCF_v2022 |
4.1 |
SWIFT_CSCF_v2022_4.1 |
SWIFT CSCF v2022 4.1 |
4. Prevent Compromise of Credentials |
Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. |
Shared |
n/a |
All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. |
link |
17 |
SWIFT_CSCF_v2022 |
5.4 |
SWIFT_CSCF_v2022_5.4 |
SWIFT CSCF v2022 5.4 |
5. Manage Identities and Segregate Privileges |
Protect physically and logically the repository of recorded passwords. |
Shared |
n/a |
Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. |
link |
6 |