last sync: 2024-Oct-04 17:51:30 UTC

Document security strength requirements in acquisition contracts | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Document security strength requirements in acquisition contracts
Id ebb0ba89-6d8c-84a7-252b-7393881e43de
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0203 - Document security strength requirements in acquisition contracts
Additional metadata Name/Id: CMA_0203 / CMA_0203
Category: Documentation
Title: Document security strength requirements in acquisition contracts
Ownership: Customer
Description: Microsoft recommends that your organization include its security strength requirements in any acquisition contracts for information systems, system components, or information system services. Your organization should consider creating and maintaining System Acquisition policies and standard operating procedures that define your organization's security strength requirements and including those requirements in acquisition contracts for information systems, components, or services.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 70 compliance controls are associated with this Policy definition 'Document security strength requirements in acquisition contracts' (ebb0ba89-6d8c-84a7-252b-7393881e43de)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IA-5(1) FedRAMP_High_R4_IA-5(1) FedRAMP High IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_High_R4 IA-5(4) FedRAMP_High_R4_IA-5(4) FedRAMP High IA-5 (4) Identification And Authentication Automated Support For Password Strength Determination Shared n/a The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. link 3
FedRAMP_High_R4 SA-4 FedRAMP_High_R4_SA-4 FedRAMP High SA-4 System And Services Acquisition Acquisition Process Shared n/a The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: a. Security functional requirements; b. Security strength requirements; c. Security assurance requirements; d. Security-related documentation requirements; e. Requirements for protecting security-related documentation; f. Description of the information system development environment and environment in which the system is intended to operate; and g. Acceptance criteria. Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. link 11
FedRAMP_Moderate_R4 IA-5(1) FedRAMP_Moderate_R4_IA-5(1) FedRAMP Moderate IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
FedRAMP_Moderate_R4 IA-5(4) FedRAMP_Moderate_R4_IA-5(4) FedRAMP Moderate IA-5 (4) Identification And Authentication Automated Support For Password Strength Determination Shared n/a The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. link 3
FedRAMP_Moderate_R4 SA-4 FedRAMP_Moderate_R4_SA-4 FedRAMP Moderate SA-4 System And Services Acquisition Acquisition Process Shared n/a The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: a. Security functional requirements; b. Security strength requirements; c. Security assurance requirements; d. Security-related documentation requirements; e. Requirements for protecting security-related documentation; f. Description of the information system development environment and environment in which the system is intended to operate; and g. Acceptance criteria. Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. link 11
hipaa 0640.10k2Organizational.1012-10.k hipaa-0640.10k2Organizational.1012-10.k 0640.10k2Organizational.1012-10.k 06 Configuration Management 0640.10k2Organizational.1012-10.k 10.05 Security In Development and Support Processes Shared n/a Where development is outsourced, change control procedures to address security are included in the contract(s) and specifically require the developer to track security flaws and flaw resolution within the system, component, or service and report findings to organization-defined personnel or roles. 22
hipaa 0837.09.n2Organizational.2-09.n hipaa-0837.09.n2Organizational.2-09.n 0837.09.n2Organizational.2-09.n 08 Network Protection 0837.09.n2Organizational.2-09.n 09.06 Network Security Management Shared n/a Formal agreements with external information system providers include specific obligations for security and privacy. 20
hipaa 0888.09n2Organizational.6-09.n hipaa-0888.09n2Organizational.6-09.n 0888.09n2Organizational.6-09.n 08 Network Protection 0888.09n2Organizational.6-09.n 09.06 Network Security Management Shared n/a The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. 17
hipaa 1004.01d1System.8913-01.d hipaa-1004.01d1System.8913-01.d 1004.01d1System.8913-01.d 10 Password Management 1004.01d1System.8913-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization maintains a list of commonly-used, expected, or compromised passwords, and updates the list (i) at least every 180 days and (ii) when organizational passwords are suspected to have been compromised (either directly or indirectly); allows users to select long passwords and passphrases, including spaces and all printable characters; employs automated tools to assist the user in selecting strong passwords and authenticators; and verifies, when users create or update passwords, that the passwords are not found on the organization-defined list of commonly-used, expected, or compromised passwords. 8
hipaa 1005.01d1System.1011-01.d hipaa-1005.01d1System.1011-01.d 1005.01d1System.1011-01.d 10 Password Management 1005.01d1System.1011-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization transmits passwords only when cryptographically-protected and stores passwords using an approved hash algorithm. 6
hipaa 1009.01d2System.4-01.d hipaa-1009.01d2System.4-01.d 1009.01d2System.4-01.d 10 Password Management 1009.01d2System.4-01.d 01.02 Authorized Access to Information Systems Shared n/a Temporary passwords are unique and not guessable. 4
hipaa 1014.01d1System.12-01.d hipaa-1014.01d1System.12-01.d 1014.01d1System.12-01.d 10 Password Management 1014.01d1System.12-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization avoids the use of third-parties or unprotected (clear text) electronic mail messages for the dissemination of passwords. 11
hipaa 1022.01d1System.15-01.d hipaa-1022.01d1System.15-01.d 1022.01d1System.15-01.d 10 Password Management 1022.01d1System.15-01.d 01.02 Authorized Access to Information Systems Shared n/a Password policies, applicable to mobile devices, are documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and prohibit the changing of password/PIN lengths and authentication requirements. 8
hipaa 1031.01d1System.34510-01.d hipaa-1031.01d1System.34510-01.d 1031.01d1System.34510-01.d 10 Password Management 1031.01d1System.34510-01.d 01.02 Authorized Access to Information Systems Shared n/a The organization changes passwords for default system accounts, whenever there is any indication of password compromise, at first logon following the issuance of a temporary password, and requires immediate selection of a new password upon account recovery. 6
hipaa 1116.01j1Organizational.145-01.j hipaa-1116.01j1Organizational.145-01.j 1116.01j1Organizational.145-01.j 11 Access Control 1116.01j1Organizational.145-01.j 01.04 Network Access Control Shared n/a Strong authentication methods are implemented for all external connections to the organization’s network. 6
hipaa 1406.05k1Organizational.110-05.k hipaa-1406.05k1Organizational.110-05.k 1406.05k1Organizational.110-05.k 14 Third Party Assurance 1406.05k1Organizational.110-05.k 05.02 External Parties Shared n/a A standard agreement with third-parties is defined and includes the required security controls in accordance with the organization's security policies. 11
hipaa 1409.09e2System.1-09.e hipaa-1409.09e2System.1-09.e 1409.09e2System.1-09.e 14 Third Party Assurance 1409.09e2System.1-09.e 09.02 Control Third Party Service Delivery Shared n/a The organization develops, disseminates and annually reviews/updates a list of current service providers, which includes a description of services provided. 15
hipaa 1410.09e2System.23-09.e hipaa-1410.09e2System.23-09.e 1410.09e2System.23-09.e 14 Third Party Assurance 1410.09e2System.23-09.e 09.02 Control Third Party Service Delivery Shared n/a The organization addresses information security and other business considerations when acquiring systems or services; including maintaining security during transitions and continuity following a failure or disaster. 11
hipaa 1416.10l1Organizational.1-10.l hipaa-1416.10l1Organizational.1-10.l 1416.10l1Organizational.1-10.l 14 Third Party Assurance 1416.10l1Organizational.1-10.l 10.05 Security In Development and Support Processes Shared n/a Where software development is outsourced, formal contracts are in place to address the ownership and security of the code and application. 11
hipaa 1417.10l2Organizational.1-10.l hipaa-1417.10l2Organizational.1-10.l 1417.10l2Organizational.1-10.l 14 Third Party Assurance 1417.10l2Organizational.1-10.l 10.05 Security In Development and Support Processes Shared n/a Where software development is outsourced, the development process is monitored by the organization and includes independent security and code reviews. 12
hipaa 1419.05j1Organizational.12-05.j hipaa-1419.05j1Organizational.12-05.j 1419.05j1Organizational.12-05.j 14 Third Party Assurance 1419.05j1Organizational.12-05.j 05.02 External Parties Shared n/a The organization ensures that customers are aware of their obligations and rights, and accept the responsibilities and liabilities prior to accessing, processing, communicating, or managing the organization's information and information assets. 11
ISO27001-2013 A.10.1.2 ISO27001-2013_A.10.1.2 ISO 27001:2013 A.10.1.2 Cryptography Key Management Shared n/a A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. link 15
ISO27001-2013 A.14.1.1 ISO27001-2013_A.14.1.1 ISO 27001:2013 A.14.1.1 System Acquisition, Development And Maintenance Information security requirements analysis and specification Shared n/a The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. link 24
ISO27001-2013 A.14.2.7 ISO27001-2013_A.14.2.7 ISO 27001:2013 A.14.2.7 System Acquisition, Development And Maintenance Outsourced development Shared n/a The organization shall supervise and monitor the activity of outsourced system development. link 28
ISO27001-2013 A.14.2.9 ISO27001-2013_A.14.2.9 ISO 27001:2013 A.14.2.9 System Acquisition, Development And Maintenance System acceptance testing Shared n/a Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. link 14
ISO27001-2013 A.15.1.2 ISO27001-2013_A.15.1.2 ISO 27001:2013 A.15.1.2 Supplier Relationships Addressing security within supplier agreement Shared n/a All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. link 24
ISO27001-2013 A.15.2.2 ISO27001-2013_A.15.2.2 ISO 27001:2013 A.15.2.2 Supplier Relationships Managing changes to supplier services Shared n/a Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. link 15
ISO27001-2013 A.5.1.1 ISO27001-2013_A.5.1.1 ISO 27001:2013 A.5.1.1 Information Security Policies Policies for information security Shared n/a A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. link 42
ISO27001-2013 A.6.1.1 ISO27001-2013_A.6.1.1 ISO 27001:2013 A.6.1.1 Organization of Information Security Information security roles and responsibilities Shared n/a All information security responsibilities shall be clearly defined and allocated. link 73
ISO27001-2013 A.6.1.5 ISO27001-2013_A.6.1.5 ISO 27001:2013 A.6.1.5 Organization of Information Security Information security in project management Shared n/a Information security shall be addressed in project management, regardless of the type of the project. link 25
ISO27001-2013 A.7.1.2 ISO27001-2013_A.7.1.2 ISO 27001:2013 A.7.1.2 Human Resources Security Terms and conditions of employment Shared n/a The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. link 24
ISO27001-2013 A.7.2.1 ISO27001-2013_A.7.2.1 ISO 27001:2013 A.7.2.1 Human Resources Security Management responsibilities Shared n/a Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. link 26
ISO27001-2013 A.9.2.4 ISO27001-2013_A.9.2.4 ISO 27001:2013 A.9.2.4 Access Control Management of secret authentication information of users Shared n/a The allocation of secret authentication information shall be controlled through a formal management process. link 21
ISO27001-2013 A.9.3.1 ISO27001-2013_A.9.3.1 ISO 27001:2013 A.9.3.1 Access Control Use of secret authentication information Shared n/a Users shall be required to follow the organization's practices in the use of secret authentication information. link 15
ISO27001-2013 A.9.4.3 ISO27001-2013_A.9.4.3 ISO 27001:2013 A.9.4.3 Access Control Password management system Shared n/a Password management systems shall be interactive and shall ensure quality password. link 22
ISO27001-2013 C.4.3.c ISO27001-2013_C.4.3.c ISO 27001:2013 C.4.3.c Context of the organization Determining the scope of the information security management system Shared n/a The organization shall determine the boundaries and applicability of the information security management system to establish its scope. When determining this scope, the organization shall consider: c) interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. The scope shall be available as documented information. link 18
mp.per.1 Job characterization mp.per.1 Job characterization 404 not found n/a n/a 41
mp.per.2 Duties and obligations mp.per.2 Duties and obligations 404 not found n/a n/a 40
mp.s.1 E-mail protection mp.s.1 E-mail protection 404 not found n/a n/a 48
mp.s.2 Protection of web services and applications mp.s.2 Protection of web services and applications 404 not found n/a n/a 102
mp.sw.1 IT Aplications development mp.sw.1 IT Aplications development 404 not found n/a n/a 51
mp.sw.2 Acceptance and commissioning mp.sw.2 Acceptance and commissioning 404 not found n/a n/a 60
NIST_SP_800-171_R2_3 .5.7 NIST_SP_800-171_R2_3.5.7 NIST SP 800-171 R2 3.5.7 Identification and Authentication Enforce a minimum password complexity and change of characters when new passwords are created. Shared Microsoft and the customer share responsibilities for implementing this requirement. This requirement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are used as part of multifactor authenticators. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. To mitigate certain brute force attacks against passwords, organizations may also consider salting passwords. link 8
NIST_SP_800-53_R4 IA-5(1) NIST_SP_800-53_R4_IA-5(1) NIST SP 800-53 Rev. 4 IA-5 (1) Identification And Authentication Password-Based Authentication Shared n/a The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number]; (c) Stores and transmits only encrypted representations of passwords; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization- defined numbers for lifetime minimum, lifetime maximum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password. Supplemental Guidance: This control enhancement applies to single-factor authentication of individuals using passwords as individual or group authenticators, and in a similar manner, when passwords are part of multifactor authenticators. This control enhancement does not apply when passwords are used to unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of such password mechanisms may not meet all of the requirements in the enhancement. Encrypted representations of passwords include, for example, encrypted versions of passwords and one-way cryptographic hashes of passwords. The number of changed characters refers to the number of changes required with respect to the total number of positions in the current password. Password lifetime restrictions do not apply to temporary passwords. Related control: IA-6. link 15
NIST_SP_800-53_R4 IA-5(4) NIST_SP_800-53_R4_IA-5(4) NIST SP 800-53 Rev. 4 IA-5 (4) Identification And Authentication Automated Support For Password Strength Determination Shared n/a The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy [Assignment: organization-defined requirements]. Supplemental Guidance: This control enhancement focuses on the creation of strong passwords and the characteristics of such passwords (e.g., complexity) prior to use, the enforcement of which is carried out by organizational information systems in IA-5 (1). Related controls: CA-2, CA-7, RA-5. link 3
NIST_SP_800-53_R4 SA-4 NIST_SP_800-53_R4_SA-4 NIST SP 800-53 Rev. 4 SA-4 System And Services Acquisition Acquisition Process Shared n/a The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs: a. Security functional requirements; b. Security strength requirements; c. Security assurance requirements; d. Security-related documentation requirements; e. Requirements for protecting security-related documentation; f. Description of the information system development environment and environment in which the system is intended to operate; and g. Acceptance criteria. Supplemental Guidance: Information system components are discrete, identifiable information technology assets (e.g., hardware, software, or firmware) that represent the building blocks of an information system. Information system components include commercial information technology products. Security functional requirements include security capabilities, security functions, and security mechanisms. Security strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to direct attack, and resistance to tampering or bypass. Security assurance requirements include: (i) development processes, procedures, practices, and methodologies; and (ii) evidence from development and assessment activities providing grounds for confidence that the required security functionality has been implemented and the required security strength has been achieved. Security documentation requirements address all phases of the system development life cycle. Security functionality, assurance, and documentation requirements are expressed in terms of security controls and control enhancements that have been selected through the tailoring process. The security control tailoring process includes, for example, the specification of parameter values through the use of assignment and selection statements and the specification of platform dependencies and implementation information. Security documentation provides user and administrator guidance regarding the implementation and operation of security controls. The level of detail required in security documentation is based on the security category or classification level of the information system and the degree to which organizations depend on the stated security capability, functions, or mechanisms to meet overall risk response expectations (as defined in the organizational risk management strategy). Security requirements can also include organizationally mandated configuration settings specifying allowed functions, ports, protocols, and services. Acceptance criteria for information systems, information system components, and information system services are defined in the same manner as such criteria for any organizational acquisition or procurement. The Federal Acquisition Regulation (FAR) Section 7.103 contains information security requirements from FISMA. Related controls: CM-6, PL-2, PS-7, SA-3, SA-5, SA-8, SA-11, SA-12. References: HSPD-12; ISO/IEC 15408; FIPS Publications 140-2, 201; NIST Special Publications 800-23, 800-35, 800-36, 800-37, 800-64, 800-70, 800-137; Federal Acquisition Regulation; Web: http://www.niap-ccevs.org, http://fips201ep.cio.gov, http://www.acquisition.gov/far. link 11
NIST_SP_800-53_R5 IA-5(1) NIST_SP_800-53_R5_IA-5(1) NIST SP 800-53 Rev. 5 IA-5 (1) Identification and Authentication Password-based Authentication Shared n/a For password-based authentication: (a) Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly; (b) Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c) Transmit passwords only over cryptographically-protected channels; (d) Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e) Require immediate selection of a new password upon account recovery; (f) Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g) Employ automated tools to assist the user in selecting strong password authenticators; and (h) Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules]. link 15
NIST_SP_800-53_R5 SA-4 NIST_SP_800-53_R5_SA-4 NIST SP 800-53 Rev. 5 SA-4 System and Services Acquisition Acquisition Process Shared n/a Include the following requirements, descriptions, and criteria, explicitly or by reference, using [Selection (OneOrMore): standardized contract language; [Assignment: organization-defined contract language] ] in the acquisition contract for the system, system component, or system service: a. Security and privacy functional requirements; b. Strength of mechanism requirements; c. Security and privacy assurance requirements; d. Controls needed to satisfy the security and privacy requirements. e. Security and privacy documentation requirements; f. Requirements for protecting security and privacy documentation; g. Description of the system development environment and environment in which the system is intended to operate; h. Allocation of responsibility or identification of parties responsible for information security, privacy, and supply chain risk management; and i. Acceptance criteria. link 11
op.acc.1 Identification op.acc.1 Identification 404 not found n/a n/a 66
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.acc.5 Authentication mechanism (external users) op.acc.5 Authentication mechanism (external users) 404 not found n/a n/a 72
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 53
op.ext.1 Contracting and service level agreements op.ext.1 Contracting and service level agreements 404 not found n/a n/a 35
op.ext.2 Daily management op.ext.2 Daily management 404 not found n/a n/a 15
op.nub.1 Cloud service protection op.nub.1 Cloud service protection 404 not found n/a n/a 33
op.pl.3 Acquisition of new components op.pl.3 Acquisition of new components 404 not found n/a n/a 61
op.pl.5 Certified components op.pl.5 Certified components 404 not found n/a n/a 26
org.1 Security policy org.1 Security policy 404 not found n/a n/a 94
PCI_DSS_v4.0 12.8.2 PCI_DSS_v4.0_12.8.2 PCI DSS v4.0 12.8.2 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a Written agreements with TPSPs are maintained as follows: • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE. • Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE. link 15
PCI_DSS_v4.0 12.8.5 PCI_DSS_v4.0_12.8.5 PCI DSS v4.0 12.8.5 Requirement 12: Support Information Security with Organizational Policies and Programs Risk to information assets associated with third-party service provider (TPSP) relationships is managed Shared n/a Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity. link 13
PCI_DSS_v4.0 8.3.6 PCI_DSS_v4.0_8.3.6 PCI DSS v4.0 8.3.6 Requirement 08: Identify Users and Authenticate Access to System Components Strong authentication for users and administrators is established and managed Shared n/a If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: • A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). • Contain both numeric and alphabetic characters. link 9
PCI_DSS_v4.0 8.6.3 PCI_DSS_v4.0_8.6.3 PCI DSS v4.0 8.6.3 Requirement 08: Identify Users and Authenticate Access to System Components Use of application and system accounts and associated authentication factors is strictly managed Shared n/a Passwords/passphrases for any application and system accounts are protected against misuse as follows: • Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise. • Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases. link 6
SOC_2 CC5.2 SOC_2_CC5.2 SOC 2 Type 2 CC5.2 Control Activities COSO Principle 11 Shared The customer is responsible for implementing this recommendation. • Determines Dependency Between the Use of Technology in Business Processes and Technology General Controls — Management understands and determines the dependency and linkage between business processes, automated control activities, and technology general controls. • Establishes Relevant Technology Infrastructure Control Activities — Management selects and develops control activities over the technology infrastructure, which are designed and implemented to help ensure the completeness, accuracy, and availability of technology processing. • Establishes Relevant Security Management Process Controls Activities — Management selects and develops control activities that are designed and implemented to restrict technology access rights to authorized users commensurate with their job responsibilities and to protect the entity’s assets from external threats. • Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities — Management selects and develops control activities over the acquisition, development and maintenance of technology and its infrastructure to achieve management's objectives. 18
SOC_2 CC9.2 SOC_2_CC9.2 SOC 2 Type 2 CC9.2 Risk Mitigation Vendors and business partners risk management Shared The customer is responsible for implementing this recommendation. Establishes Requirements for Vendor and Business Partner Engagements — The entity establishes specific requirements for a vendor and business partner engagement that includes (1) scope of services and product specifications, (2) roles and responsibilities, (3) compliance requirements, and (4) service levels. • Assesses Vendor and Business Partner Risks — The entity assesses, on a periodic basis, the risks that vendors and business partners (and those entities’ vendors and business partners) represent to the achievement of the entity's objectives. • Assigns Responsibility and Accountability for Managing Vendors and Business Partners — The entity assigns responsibility and accountability for the management of risks associated with vendors and business partners. • Establishes Communication Protocols for Vendors and Business Partners — The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. • Establishes Exception Handling Procedures From Vendors and Business Partners — The entity establishes exception handling procedures for service or product issues related to vendors and business partners. • Assesses Vendor and Business Partner Performance — The entity periodically assesses the performance of vendors and business partners. • Implements Procedures for Addressing Issues Identified During Vendor and Business Partner Assessments — The entity implements procedures for addressing issues identified with vendor and business partner relationships. • Implements Procedures for Terminating Vendor and Business Partner Relationships — The entity implements procedures for terminating vendor and business partner relationships. Additional points of focus that apply only to an engagement using the trust services criteria for confidentiality: • Obtains Confidentiality Commitments from Vendors and Business Partners — The entity obtains confidentiality commitments that are consistent with the entity’s confidentiality commitments and requirements from vendors and business partners who have access to confidential information. • Assesses Compliance With Confidentiality Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s confidentiality commitments and requirements. Additional points of focus that apply only to an engagement using the trust services criteria for privacy: • Obtains Privacy Commitments from Vendors and Business Partners — The entity obtains privacy commitments, consistent with the entity’s privacy commitments and requirements, from vendors and business partners who have access to personal information. • Assesses Compliance with Privacy Commitments of Vendors and Business Partners — On a periodic and as-needed basis, the entity assesses compliance by vendors and business partners with the entity’s privacy commitments and requirements and takes corrective action as necessary 20
SOC_2 P6.1 SOC_2_P6.1 SOC 2 Type 2 P6.1 Additional Criteria For Privacy Personal information third party disclosure Shared The customer is responsible for implementing this recommendation. • Communicates Privacy Policies to Third Parties — Privacy policies or other specific instructions or requirements for handling personal information are communicated to third parties to whom personal information is disclosed. • Discloses Personal Information Only When Appropriate — Personal information is disclosed to third parties only for the purposes for which it was collected or created and only when implicit or explicit consent has been obtained from the data subject, unless a law or regulation specifically requires otherwise. • Discloses Personal Information Only to Appropriate Third Parties — Personal information is disclosed only to third parties who have agreements with the entity to protect personal information in a manner consistent with the relevant aspects of the entity’s privacy notice or other specific instructions or requirements. The entity has procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements. • Discloses Information to Third Parties for New Purposes and Uses — Personal information is disclosed to third parties for new purposes or uses only with the prior implicit or explicit consent of data subjects. 15
SOC_2 P6.5 SOC_2_P6.5 SOC 2 Type 2 P6.5 Additional Criteria For Privacy Third party unauthorized disclosure notification Shared The customer is responsible for implementing this recommendation. • Remediates Misuse of Personal Information by a Third Party — The entity takes remedial action in response to misuse of personal information by a third party to whom the entity has transferred such information. • Reports Actual or Suspected Unauthorized Disclosures — A process exists for obtaining commitments from vendors and other third parties to report to the entity actual or suspected unauthorized disclosures of personal information. 12
SWIFT_CSCF_v2022 2.8A SWIFT_CSCF_v2022_2.8A SWIFT CSCF v2022 2.8A 2. Reduce Attack Surface and Vulnerabilities Ensure the protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical activities. Shared n/a Critical outsourced activities are protected, at a minimum, to the same standard of care as if operated within the originating organisation. link 11
SWIFT_CSCF_v2022 4.1 SWIFT_CSCF_v2022_4.1 SWIFT CSCF v2022 4.1 4. Prevent Compromise of Credentials Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing an effective password policy. Shared n/a All application and operating system accounts enforce passwords with appropriate parameters such as length, complexity, validity, and the number of failed login attempts. Similarly, personal tokens and mobile devices enforce passwords or a Personal Identification Number (PIN) with appropriate parameters. link 17
SWIFT_CSCF_v2022 5.4 SWIFT_CSCF_v2022_5.4 SWIFT CSCF v2022 5.4 5. Manage Identities and Segregate Privileges Protect physically and logically the repository of recorded passwords. Shared n/a Recorded passwords are stored in a protected physical or logical location, with access restricted on a need-to-know basis. link 6
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
SOC 2 Type 2 4054785f-702b-4a98-9215-009cbd58b141 Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add ebb0ba89-6d8c-84a7-252b-7393881e43de
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC