
High Level Cyber Security

February 01, 2012

Assessor: J. Doe

Advisory
CSET is only one component of the overall cybersecurity picture and should be complemented with a robust cybersecurity program within the organization. A self-assessment with CSET cannot reveal all types of security weaknesses, and should not be the sole means of determining an organization's security posture. The tool will not provide an architectural analysis of the network or a detailed network hardware/software configuration review. It is not a risk analysis tool, so it will not generate a complex risk assessment. CSET is not intended as a substitute for in-depth analysis of control system vulnerabilities as performed by trained professionals. Periodic onsite reviews and inspections must still be conducted using a holistic approach including facility walkdowns, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety. CSET assessments cannot be completed effectively by any one individual. A cross-functional team consisting of representatives from operational, maintenance, information technology, business, and security areas is essential. The representatives must be subject matter experts with significant expertise in their respective areas. No one individual has the span of responsibility or knowledge to effectively answer all the questions. Data and reports generated by the tool should be managed securely and marked, stored, and distributed in a manner appropriate to their sensitivity.

Table of Contents
Assessment Information ........................................ 1
Executive Summary ............................................. 2
Introduction .................................................. 3
Evaluation Against Selected Standards and Question Sets ....... 6
Standards Compliance - Key Reqs ............................... 7
Calculated General Security Assurance Levels .................. 8
Ranked Subject Areas .......................................... 9
Key Reqs Gap Analysis Report ................................. 10
Key Reqs Questions and Answers ............................... 31

Assessment Information
Assessment Name: High Level Cyber Security Assessment
Assessment Date (MM/DD/YYYY): 02/01/2012
Facility Name: ABC Manufacturing - Complex A
City or Site Name: Industry City
State, Province or Region: CA
Principal Assessor Name: J. Doe
Assessor E-mail: j.doe@abcm.com
Assessor Telephone: (555) 555-1212
Description of Assessment: This report presents the results of a cyber security assessment performed using the Cyber Security Evaluation Tool (CSET), a stand-alone, desktop software application developed for the U.S. Department of Homeland Security (DHS). Before generating this report, the assessor was presented with a list of recognized industrial and governmental standards, guidelines, and best practices. A series of requirements-based questions were generated for each selected standard. If a network topology diagram was created, component-specific questions were also generated. The tool then combined the answered questions with encoded weights and ranking values to determine the facility's cyber security posture.

Additional Notes and Comments:

Other Contacts used in Assessment:
(1) Name, Title and Role of Contact: J.T. Langill, ICS Cyber Security Specialist, SCADAhacker, Outside Consultant
(2) Name, Title and Role of Contact:
(3) Name, Title and Role of Contact:
(4) Name, Title and Role of Contact:

Assessment Information - 03/01/2012

Page 1 of 54


Executive Summary
Cyber terrorism is a real and growing threat. Standards and guides have been developed, vetted, and widely accepted to assist with protection from cyber attacks. The Cyber Security Evaluation Tool (CSET) includes a selectable array of these standards for a tailored assessment of cyber vulnerabilities. Once the standards were selected and the resulting question sets answered, the CSET created a compliance summary, compiled variance statistics, ranked top areas of concern, and generated security recommendations. The compliance summary charts below provide a high level overview of assessment results. The Summary Percent Compliance chart shows overall security status as well as a breakdown between compliance to selected standards (known as administrative) and compliance of those components depicted on the network diagram. The next two sets of graphs provide greater detail on compliance to selected standards and component compliance. The Areas of Concern - Top Subject and Question section lists the five areas of greatest vulnerability. Addressing these areas quickly will provide the greatest return on investment.


Introduction
The Cyber Security Evaluation Tool (CSET) provides (1) a framework for analyzing control system component security vulnerabilities and (2) a consistent and technically sound methodology to identify, analyze, and communicate to security professionals the overall security posture of the control or information system under evaluation.

Background
Before generating this report, the user selects the standards against which the subject control system should be evaluated. Based on that selection, the tool displays a questionnaire for each standard. If the user elects to evaluate the components in the subject control system and has, therefore, created a component diagram to represent the control system, the tool auto-generates a questionnaire containing questions for each of the components in the diagram. The user's answers to the questions determine the system's compliance to the selected standards. The tool accomplishes this by assigning a compliance level to each selected answer and comparing it against a user-selected security level. The method of specifying the security level varies, depending on the standards selected by the user. For NIST and DoD standards, it is assumed that the required security levels are known and fixed, so the user has to specify these levels before answering any questions. For the NERC and CAG standards, the results are pass or fail, so the user does not need to specify a security level. For the ISO standard and component questionnaire, the user has to specify a numeric security level prior to generating this report. To assist in determining the numeric security level, a General Security Assurance Level (SAL) questionnaire asks the user to evaluate various consequences of a compromised control system.

Scope
This report presents the results of the completed assessment. The sections included may vary, depending on the standards selected by the user at the start of the assessment and the subreports selected prior to report generation. The sections that may be included in this report are described below.

Assessment Information: This section contains the assessment information supplied by the user.

Document Library: This section contains a list of documents and other files that are saved with the assessment.

Description of Assessment: This section contains a brief description of the assessment process.

Executive Summary: This section contains the executive summary text as modified by the user.

Summary Reports: These sections provide the self-assessment team and senior management with a snapshot of the overall security status. Each selected standard is shown on a separate bar chart that shows the percentage of questions that passed in specific subject areas.


Component Diagram: The user-created network diagram is displayed on a single page.

Network Summary Reports: These sections provide the self-assessment team and senior management with a snapshot of the overall security status of the network as depicted on the user-created network diagram. Any warnings or recommendations found during the network analysis are also listed in this section.

Security Assurance Levels: This section contains the results of the General, NIST, and DoD SAL questionnaire(s).

Ranked Subject Areas: This chart groups all of the selected standard questions into common subject areas and ranks the selected answers. Subject areas at the top of the chart should be addressed first.

Gap Analysis: This section lists those standards-based and component questions whose answers did not meet the minimum level of rigor needed to comply with the associated requirement at the selected security levels. Any unanswered question is included as a gap. Each section is specific to the standard selected. Color codes are included to present the full compliance picture for each question. Both the subject question and the requirement are shown to help the user put the provided information into context. The questions, except for NERC and CAG questions, are assigned a target percentage that constitutes a rough measure of how well the question satisfies the associated requirement. For some standards, the target percentage is also adjusted to reflect the criticality of the requirement. The tool sorts the questions within a component using this percentage, where the least compliant questions are displayed first. This section may also include a top-20 gap analysis for components, which lists the 20 questions that have the smallest target percentage (are least compliant) across all the components. The target value is adjusted to some extent by both the criticality of the requirement and the importance of the component. The component's importance is the priority value assigned to it when it was inserted into the diagram.

Requirements and Questions: This section contains information related to compliance to each requirement of the NERC/CIP 002-009 standard. It lists the requirement text, along with all questions associated with the requirement and the selected answers, in the same order as the parent standard. Color indicators denote compliance.

Questions and Answers: These sections summarize and group the answered questions (including component questions) and the supplied answers. A color code is provided as an indication of compliance. Any comments or documents saved with the questions are presented here.

Question Comments: This section simply shows any user comments that were associated with a standard's questions.


Compensating Control Comments: This section displays the questions and comments associated with answers that specify compensating security controls that are being used in lieu of the NIST SP800-53 Appendix I recommended controls.

Questions Marked for Review: If a user would like to return to a question shortly after assessment completion, the tool allows the user to specifically mark it for easy identification. A list of marked questions is included in this section along with any added comments discussing why the question was marked.

Summary
CSET is meant to broadly cover areas of potential risk across your control or information system rather than provide an in-depth analysis of a particular technology or process. To that end, this report should be used as a preliminary guide to help you focus on specific areas that require more rigorous attention. It cannot replace a focused assessment performed by trained assessment professionals.


Evaluation Against Selected Standards and Question Sets
Key Reqs

Standards Compliance - Key Reqs


Calculated General Security Assurance Levels


Calculated Level:

Question Name / Answer Level:
On-Site Injury Potential:
On-Site Injury (Hospital):
On-Site Death Potential:
Site Capital Assets:
Site Economic Impact:
Site Env Cleanup:
Off-Site Injury Potential:
Off-Site Injury Hospital:
Off-Site Death Potential:
Off-Site Capital Assets:
Off-Site Economic Impact:
Off-Site Env Cleanup:

NIST SP800-60 (FIPS 199) Based Security Assurance Levels

Name / Level:
Confidentiality: Moderate
Integrity: High
Availability: High

DoD 8500.1 Based Security Assurance Levels

Name / Level:
Confidentiality Selection:
MAC Level Selection:

Ranked Subject Areas


This graph shows areas needing the most attention. It represents the total (100%) of the security variances identified ranked by area. Each of the area bars represents the percentage of the total security variances that were identified in that particular area. The security variance is a combination of both the importance of the requirement missed and the area of concern.


Key Reqs Gap Analysis Report

Rank:

Requirement: Administrative-2.1.1

Subject: Security Policy & Procedures

Requirement:

The organization develops, implements, and periodically reviews and updates:
1. A formal, documented, control system security policy that addresses:
   a. The purpose of the security program as it relates to protecting the organization's personnel and assets.
   b. The scope of the security program as it applies to all organizational staff and third-party contractors.
   c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments.
2. Formal, documented procedures to implement the security policy and associated requirements.
A control system security policy considers controls from each family contained in this document.
How does the organization implement security policies and procedures?

Question: 1.

Level / Answer(s):

Not Met: The organization does not implement security policy and procedures as defined.

Low: The organization develops, implements, and periodically reviews and updates a formal, documented, system security policy that addresses: a. The purpose of the security program as it relates to protecting the organization's personnel and assets, b. The scope of the security program as it applies to all organizational staff and third-party contractors, and c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments. The organization develops, implements, and periodically reviews and updates formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each family contained in this document.

Moderate: The organization develops, implements, and periodically reviews and updates a formal, documented, system security policy that addresses: a. The purpose of the security program as it relates to protecting the organization's personnel and assets, b. The scope of the security program as it applies to all organizational staff and third-party contractors, and c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments. The organization develops, implements, and periodically reviews and updates formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each family contained in this document.

High: The organization develops, implements, and periodically reviews and updates a formal, documented, system security policy that addresses: a. The purpose of the security program as it relates to protecting the organization's personnel and assets, b. The scope of the security program as it applies to all organizational staff and third-party contractors, and c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments. The organization develops, implements, and periodically reviews and updates formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each family contained in this document.


Very High: The organization develops, implements, and periodically reviews and updates a formal, documented, system security policy that addresses: a. The purpose of the security program as it relates to protecting the organization's personnel and assets, b. The scope of the security program as it applies to all organizational staff and third-party contractors, and c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments. The organization develops, implements, and periodically reviews and updates formal, documented procedures to implement the security policy and associated requirements. A control system security policy considers controls from each family contained in this document.

Level Specific Requirement: The organization develops, implements, and periodically reviews and updates:
1. A formal, documented, control system security policy that addresses:
   a. The purpose of the security program as it relates to protecting the organization's personnel and assets.
   b. The scope of the security program as it applies to all organizational staff and third-party contractors.
   c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments.
2. Formal, documented procedures to implement the security policy and associated requirements.
A control system security policy considers controls from each family contained in this document.

Rank: 15

Requirement: Administrative-2.5.4

Subject: System & Services Acquisition

Requirement:

The organization includes the following requirements and specifications, explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards:
- Security functional requirements/specifications
- Security-related documentation requirements
- Developmental and evaluation-related assurance requirements.
Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.
Requirements Enhancement 2 - The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components).
Requirements Enhancement 3 - The organization limits the acquisition of commercial technology products with security capabilities to products that have been evaluated and validated through a government-approved process.
How does the organization include requirements/specifications in acquisition contracts?

Question: 12.

Level / Answer(s):

Not Met: Acquisition contracts do not include the defined requirements.

Low: The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards.

Moderate: The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.


High: The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system. Requirements Enhancement 2 - The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components).

Very High: The organization includes security functional requirements and specifications explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes security-related documentation requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes developmental and evaluation-related assurance requirements explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system. Requirements Enhancement 2 - The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components). Requirements Enhancement 3 - The organization limits the acquisition of commercial technology products with security capabilities to products that have been evaluated and validated through a government-approved process.

Level Specific Requirement: The organization includes the following requirements and specifications, explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards:
- Security functional requirements/specifications
- Security-related documentation requirements
- Developmental and evaluation-related assurance requirements.
Requirements Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system.

Rank: 11

Requirement: Administrative-2.6.2

Subject: Configuration Management

Requirement:

The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components.
Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations.
Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the control system.
Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.
How does the organization implement a system baseline?

Question: 18.

Level / Answer(s):

Not Met: The configuration baseline is not implemented as defined.

Low: The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components.


Moderate: The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components. Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations.

High: The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components. Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations. Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the control system. Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration. Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.

Very High: The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components. Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations. Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the control system. Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration. Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.

Level Specific Requirement: The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components.
Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations.
Requirement Enhancement 2 - The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the control system.
Requirement Enhancement 3 - The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.
Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.

Rank: 13

Requirement: Administrative-2.6.3

Subject: Configuration Management

Requirement:

The organization:
1. Authorizes and documents changes to the control system.
2. Retains and reviews records of configuration-managed changes to the system.
3. Audits activities associated with configuration-managed changes to the system.
Requirement Enhancement 1 - The organization employs automated mechanisms to:
   a. Document proposed changes to the control system.
   b. Notify appropriate approval authorities.
   c. Highlight approvals that have not been received in a timely manner.
   d. Inhibit change until necessary approvals are received.
   e. Document completed changes to the control system.
Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.
How does the organization implement configuration change control?

Question: 19.

Level / Answer(s):

Not Met: Configuration change control is not implemented as defined.

Low: Configuration change control is not implemented as defined.

Key Reqs Gap Analysis Report - 03/01/2012

Page 13 of 54

Moderate

The organization authorizes and documents changes to the control system. The organization retains and reviews records of configuration-managed changes to the system. The organization audits activities associated with configuration-managed changes to the system.

High

The organization authorizes and documents changes to the control system. The organization retains and reviews records of configuration-managed changes to the system. The organization audits activities associated with configuration-managed changes to the system. Requirement Enhancement 1 - The organization employs automated mechanisms to: a. document proposed changes to the control system, b. notify appropriate approval authorities, c. highlight approvals that have not been received in a timely manner, d. inhibit change until necessary approvals are received, and e. document completed changes to the control system. Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.

Very High

The organization authorizes and documents changes to the control system. The organization retains and reviews records of configuration-managed changes to the system. The organization audits activities associated with configuration-managed changes to the system. Requirement Enhancement 1 - The organization employs automated mechanisms to: a. document proposed changes to the control system, b. notify appropriate approval authorities, c. highlight approvals that have not been received in a timely manner, d. inhibit change until necessary approvals are received, and e. document completed changes to the control system. Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.

Level Specific Requirement: The organization:
1. Authorizes and documents changes to the control system.
2. Retains and reviews records of configuration-managed changes to the system.
3. Audits activities associated with configuration-managed changes to the system.
Requirement Enhancement 1 - The organization employs automated mechanisms to:
a. Document proposed changes to the control system.
b. Notify appropriate approval authorities.
c. Highlight approvals that have not been received in a timely manner.
d. Inhibit change until necessary approvals are received.
e. Document completed changes to the control system.
Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.
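The automated mechanisms (a) to (e) of Requirement Enhancement 1 as a fail-closed gate, added here as an example and not drawn from CSET or from the assessed organization. The approver roles, the three-day approval window and the deploy callback are assumptions.

```python
"""Fail-closed configuration change control gate.

Added example; not CSET's or the assessed organization's code. It models the
automated mechanisms of Requirement Enhancement 1: record the proposed change
(a), notify approvers (b), flag overdue approvals (c), block application until
every approval is in (d), and record the completed change (e). The approver
roles, the approval window and the deploy callback are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set

REQUIRED_APPROVERS: Set[str] = {"control_engineer", "security_officer"}  # assumption
APPROVAL_WINDOW = timedelta(days=3)                                       # assumption


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    submitted_at: datetime
    approvals: Dict[str, datetime] = field(default_factory=dict)
    applied_at: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)

    def record(self, when: datetime, event: str) -> None:
        self.audit.append(f"{when.isoformat()} {self.change_id} {event}")


def propose_change(change_id: str, description: str, now: datetime) -> ChangeRequest:
    """(a) document the proposal and (b) notify the approval authorities."""
    cr = ChangeRequest(change_id, description, now)
    cr.record(now, f"proposed: {description}")
    for role in sorted(REQUIRED_APPROVERS):
        cr.record(now, f"notified {role}")  # a real system would ticket or e-mail here
    return cr


def approve(cr: ChangeRequest, role: str, now: datetime) -> None:
    if role not in REQUIRED_APPROVERS:
        raise PermissionError(f"{role} is not an approval authority for {cr.change_id}")
    cr.approvals[role] = now
    cr.record(now, f"approved by {role}")


def missing_approvals(cr: ChangeRequest) -> Set[str]:
    return REQUIRED_APPROVERS - set(cr.approvals)


def is_overdue(cr: ChangeRequest, now: datetime) -> bool:
    """(c) highlight a request still waiting on approvals past the window."""
    return bool(missing_approvals(cr)) and now - cr.submitted_at > APPROVAL_WINDOW


def apply_change(cr: ChangeRequest, now: datetime, deploy: Callable[[], None]) -> None:
    """(d) refuse to touch the control system until approvals are complete, then (e) record it."""
    missing = missing_approvals(cr)
    if missing:
        cr.record(now, "blocked: missing approval from " + ", ".join(sorted(missing)))
        raise PermissionError(f"{cr.change_id} not approved by {sorted(missing)}")
    deploy()
    cr.applied_at = now
    cr.record(now, "applied")
```

The essential property is (d): apply_change raises before the deploy callback runs, so a missing approval cannot be bypassed by retrying, and the blocked attempt is itself in the audit trail. Requirement Enhancement 2 (testing before installation) is a process step in front of this gate, not something the gate can prove.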

Rank:

Requirement: Administrative-2.11.1

Subject: Security Awareness & Training

Requirement:

The organization develops, disseminates, and periodically reviews and updates:
1. A formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
2. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

How does the organization implement security awareness and training policies and procedures?

Question: 41.

Level / Answer(s)

Not Met

Security awareness and training policy and procedures are not implemented as defined.


Low

The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

Moderate

The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

High

The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

Very High

The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

Level Specific Requirement: The organization develops, disseminates, and periodically reviews and updates:
1. A formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
2. Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.

Rank: 12

Requirement: Administrative-2.12.15

Subject: Incident Response

Requirement:

The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable.
Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards.
Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions.
Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability.
Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

How does the organization implement an alternate control center?

Question: 46.

Level / Answer(s)

Not Met

An alternate control center is not implemented as defined.

Low

An alternate control center is not implemented as defined.


Moderate

The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable. Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards. Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions. Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements. Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

High

The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable. Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards. Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions. Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements. Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability. Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

Very High

The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable. Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards. Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions. Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements. Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability. Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

Level Specific Requirement: The organization identifies an alternate control center, necessary telecommunications, and initiates necessary agreements to permit the resumption of control system operations for critical functions within an organization-prescribed time period when the primary control center is unavailable.
Requirement Enhancement 1 - The organization identifies an alternate control center that is geographically separated from the primary control center so it is not susceptible to the same hazards.
Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions.
Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements.
Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability.
Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.


Rank: 10

Requirement: Administrative-2.12.16

Subject: Incident Response

Requirement:

The organization:
1. Conducts backups of user-level information contained in the system on an organization-defined frequency.
2. Conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.
3. Protects the confidentiality and integrity of backup information at the storage location.
Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.
Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing.
Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

How does the organization implement system and user backups?

Question: 47.

Level / Answer(s)

Not Met

System backups are not implemented as defined.

Low

The organization conducts backups of user-level information contained in the system on an organization-defined frequency. The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency. The organization protects the confidentiality and integrity of backup information at the storage location.

Moderate

The organization conducts backups of user-level information contained in the system on an organization-defined frequency. The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency. The organization protects the confidentiality and integrity of backup information at the storage location. Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.

High

The organization conducts backups of user-level information contained in the system on an organization-defined frequency. The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency. The organization protects the confidentiality and integrity of backup information at the storage location. Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity. Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing. Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

Very High

The organization conducts backups of user-level information contained in the system on an organization-defined frequency. The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency. The organization protects the confidentiality and integrity of backup information at the storage location. Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity. Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing. Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

Level Specific Requirement: The organization:
1. Conducts backups of user-level information contained in the system on an organization-defined frequency.
2. Conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency.
3. Protects the confidentiality and integrity of backup information at the storage location.
Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity.
Requirement Enhancement 2 - The organization selectively uses backup information in the restoration of control system functions as part of contingency plan testing.
Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

Rank:

Requirement: Administrative-2.12.17

Subject: Incident Response

Requirement:

The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.
Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems).
Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.
Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

How does the organization implement system recovery and reconstitution?

Question: 48.

Level / Answer(s)

Not Met

Recovery and reconstitution controls are not implemented as defined.

Low

The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.

Moderate

The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure. Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems). Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.

High

The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure. Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems). Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state. Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

Very High

The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure. Requirement Enhancement 1 - The organization implements transaction recovery for systems that are transaction-based (e.g., database management systems). Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state. Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

Level Specific Requirement: The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure.
Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state.
Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.
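One way to meet the integrity half of both the backup requirement (Administrative-2.12.16, item 3 and Enhancement 1: protecting backup information at the storage location and testing it periodically) and the re-imaging enhancement of Administrative-2.12.17 (configuration-controlled, integrity-protected disk images), given here as an added example rather than the report's or the organization's tooling: every artifact's SHA-256 and size go into a manifest, and the manifest is authenticated with HMAC-SHA256 under a key kept away from the backup media, so a restore or re-image job rejects an altered copy before using it. The artifacts and the key are constructed for the example.

```python
"""Integrity-protected manifest for backup sets and golden disk images.

Added example; not CSET's or the assessed organization's tooling. Every
artifact's SHA-256 and size are recorded in a manifest, and the manifest is
authenticated with HMAC-SHA256 under a key kept off the backup media, so a
restore or re-image job can reject an altered image before using it. The
artifacts and the key below are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List

MANIFEST_KEY = b"example-only-key-stored-away-from-the-media"  # assumption


def artifact_digest(data: bytes) -> Dict[str, object]:
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}


def _canonical(entries: Dict[str, Dict[str, object]]) -> bytes:
    # Deterministic encoding so the same entries always yield the same MAC input.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: Dict[str, bytes], key: bytes) -> bytes:
    """Create the manifest at backup or image-build time."""
    entries = {name: artifact_digest(data) for name, data in artifacts.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()


def verify_manifest(manifest: bytes, key: bytes) -> Dict[str, Dict[str, object]]:
    """Authenticate the manifest itself. An attacker who can rewrite the backup can
    also rewrite an unkeyed hash list; the MAC is what makes the list trustworthy."""
    doc = json.loads(manifest)
    expected = hmac.new(key, _canonical(doc["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest rejected: HMAC mismatch (altered manifest or wrong key)")
    return doc["entries"]


def failed_artifacts(manifest: bytes, artifacts: Dict[str, bytes], key: bytes) -> List[str]:
    """Periodic backup test or pre-restore check: names of missing or altered artifacts."""
    entries = verify_manifest(manifest, key)
    return sorted(name for name, meta in entries.items()
                  if name not in artifacts or artifact_digest(artifacts[name]) != meta)


if __name__ == "__main__":
    # Constructed backup set: a golden HMI image and a historian dump.
    artifacts = {
        "hmi_golden.img": b"\x7fELF golden hmi image v4",
        "historian.db.bak": b"SQLite format 3\x00 constructed sample",
    }
    manifest = build_manifest(artifacts, MANIFEST_KEY)
    print(failed_artifacts(manifest, artifacts, MANIFEST_KEY))          # []
    artifacts["hmi_golden.img"] += b" + implant"
    print(failed_artifacts(manifest, artifacts, MANIFEST_KEY))          # ['hmi_golden.img']
```

An unkeyed hash list stored next to the backup gives no protection against an attacker who can write to the storage location, because the list can simply be regenerated to match the tampered copy; the HMAC key held elsewhere is what makes the manifest trustworthy. Confidentiality at the storage location (the other half of item 3) is a separate control, normally encryption of the backup set, and is not shown here.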


Rank:

Requirement: Administrative-2.15.3

Subject: Access Control

Requirement:

The organization manages system accounts, including:
1. Identifying account types (i.e., individual, group, and system).
2. Establishing conditions for group membership.
3. Identifying authorized users of the system and specifying access rights and privileges.
4. Requiring appropriate approvals for requests to establish accounts.
5. Authorizing, establishing, activating, modifying, disabling, and removing accounts.
6. Reviewing accounts on a defined frequency.
7. Specifically authorizing and monitoring the use of guest/anonymous accounts.
8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.
9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.
Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.
Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after a defined time period for each type of account.
Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.
Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.
Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

How does the organization manage information system accounts?

Question: 59.

Level / Answer(s)

Not Met

Account management is not implemented as defined.

Low

The organization manages system accounts, including:
1. Identifying account types (i.e., individual, group, and system).
2. Establishing conditions for group membership.
3. Identifying authorized users of the system and specifying access rights and privileges.
4. Requiring appropriate approvals for requests to establish accounts.
5. Authorizing, establishing, activating, modifying, disabling, and removing accounts.
6. Reviewing accounts on an organization-defined frequency.
7. Specifically authorizing and monitoring the use of guest/anonymous accounts.
8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.
9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.


Moderate

The organization manages system accounts, including:
1. Identifying account types (i.e., individual, group, and system).
2. Establishing conditions for group membership.
3. Identifying authorized users of the system and specifying access rights and privileges.
4. Requiring appropriate approvals for requests to establish accounts.
5. Authorizing, establishing, activating, modifying, disabling, and removing accounts.
6. Reviewing accounts on an organization-defined frequency.
7. Specifically authorizing and monitoring the use of guest/anonymous accounts.
8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.
9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.
Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.
Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after an organization-defined time period for each type of account.
Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.
Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.
Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

High

The organization manages system accounts, including:
1. Identifying account types (i.e., individual, group, and system).
2. Establishing conditions for group membership.
3. Identifying authorized users of the system and specifying access rights and privileges.
4. Requiring appropriate approvals for requests to establish accounts.
5. Authorizing, establishing, activating, modifying, disabling, and removing accounts.
6. Reviewing accounts on an organization-defined frequency.
7. Specifically authorizing and monitoring the use of guest/anonymous accounts.
8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.
9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.
Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.
Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after an organization-defined time period for each type of account.
Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.
Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.
Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.


Very High

The organization manages system accounts, including:
1. Identifying account types (i.e., individual, group, and system).
2. Establishing conditions for group membership.
3. Identifying authorized users of the system and specifying access rights and privileges.
4. Requiring appropriate approvals for requests to establish accounts.
5. Authorizing, establishing, activating, modifying, disabling, and removing accounts.
6. Reviewing accounts on an organization-defined frequency.
7. Specifically authorizing and monitoring the use of guest/anonymous accounts.
8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes.
9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage.
Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts.
Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after an organization-defined time period for each type of account.
Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period.
Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy.
Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

Level Specific Requirement: The organization manages system accounts, including: 1. Identifying account types (i.e., individual, group, and system). 2. Establishing conditions for group membership. 3. Identifying authorized users of the system and specifying access rights and privileges. 4. Requiring appropriate approvals for requests to establish accounts. 5. Authorizing, establishing, activating, modifying, disabling, and removing accounts. 6. Reviewing accounts on a defined frequency. 7. Specifically authorizing and monitoring the use of guest/anonymous accounts. 8. Notifying account managers when system users are terminated, transferred, or system usage or need-to-know/need-to-share changes. 9. Granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage. Requirement Enhancement 1 - The organization employs automated mechanisms to support the management of system accounts. Requirement Enhancement 2 - The system automatically terminates temporary and emergency accounts after a defined time period for each type of account. Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period. Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals. Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy. Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

Rank:

Requirement: Administrative-2.15.4

Subject: Access Control

Requirement:

The organization manages system identifiers for users and devices by: 1. Receiving authorization from a designated organizational official to assign a user or device identifier. 2. Selecting an identifier that uniquely identifies an individual or device. 3. Assigning the user identifier to the intended party or the device identifier to the intended device. 4. Archiving previous user or device identifiers. How does the organization manage system identifiers for users and devices?

Question: 60.

Level Not Met Low

Answer(s) Identifier management controls are not implemented as defined. The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier. The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device. The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device. The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

Moderate

The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier. The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device. The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device. The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

High

The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier. The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device. The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device. The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

Very High

The organization manages system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user or device identifier. The organization manages system identifiers for users and devices by selecting an identifier that uniquely identifies an individual or device. The organization manages system identifiers for users and devices by assigning the user identifier to the intended party or the device identifier to the intended device. The organization manages system identifiers for users and devices by archiving previous user or device identifiers.

Level Specific Requirement: The organization manages system identifiers for users and devices by: 1. Receiving authorization from a designated organizational official to assign a user or device identifier. 2. Selecting an identifier that uniquely identifies an individual or device. 3. Assigning the user identifier to the intended party or the device identifier to the intended device. 4. Archiving previous user or device identifiers.
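The account-management requirement above (Enhancements 2, 3 and 5: expire temporary and emergency accounts, disable inactive accounts, and verify that accounts of terminated or transferred users are deactivated) and Administrative-2.15.4 (authorized, unique identifiers with previous identifiers archived) are the two places in this report where an automated mechanism can do most of the work. The Python below is an added illustration, not part of the CSET tool or of this assessment: it runs a periodic account review against a constructed account list and a constructed HR termination feed, and shows an identifier registry that refuses to reissue an archived identifier. The 90-day inactivity threshold, the 14-day temporary-account lifetime, and every identifier and date are assumptions chosen for the example.

```python
"""Automated account review and identifier issuance (added example, not from the CSET report).

Checks sketched here:
  * temporary/emergency accounts past their organization-defined lifetime (Enhancement 2)
  * individual accounts inactive past an organization-defined period (Enhancement 3)
  * still-enabled accounts whose owner HR lists as terminated/transferred (Enhancement 5)
  * identifier issuance that requires an approver, is unique, and never reissues an
    archived identifier (Administrative-2.15.4 steps 1, 2 and 4)
All identifiers, dates and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Set

INACTIVE_DAYS = 90        # assumed organization-defined inactivity threshold
TEMP_LIFETIME_DAYS = 14   # assumed organization-defined lifetime for temporary/emergency accounts


@dataclass
class Account:
    identifier: str
    kind: str                    # individual | group | system | temporary | emergency
    owner: Optional[str]         # HR/person id of the user or custodian; None if unowned
    created: date
    last_login: Optional[date]   # None if the account has never authenticated interactively
    enabled: bool = True


def review_accounts(accounts: Iterable[Account], terminated_owners: Set[str], today: date) -> Dict[str, str]:
    """Return {identifier: reason} for every enabled account that should be disabled."""
    findings: Dict[str, str] = {}
    for a in accounts:
        if not a.enabled:
            continue                          # already deactivated; nothing to verify
        if a.owner in terminated_owners:
            findings[a.identifier] = "owner terminated or transferred"
        elif a.kind in ("temporary", "emergency") and today - a.created > timedelta(days=TEMP_LIFETIME_DAYS):
            findings[a.identifier] = "temporary/emergency account past lifetime"
        elif a.kind in ("individual", "temporary", "emergency"):
            # Inactivity applies to interactive accounts only; system/service accounts are
            # judged by their named custodian (checked above), not by interactive logins.
            last_seen = a.last_login or a.created
            if today - last_seen > timedelta(days=INACTIVE_DAYS):
                findings[a.identifier] = f"inactive for more than {INACTIVE_DAYS} days"
    return findings


class IdentifierRegistry:
    """Issue identifiers that stay unique for the life of the organization.

    A retired identifier is archived, not deleted, so it can never be handed to a
    second person and audit records always resolve to exactly one individual or device.
    """

    def __init__(self) -> None:
        self.active: Dict[str, str] = {}     # identifier -> current owner
        self.archived: Dict[str, str] = {}   # identifier -> former owner

    def assign(self, identifier: str, owner: str, approved_by: Optional[str]) -> None:
        if not approved_by:
            raise PermissionError("assignment requires authorization from a designated official")
        if identifier in self.active or identifier in self.archived:
            raise ValueError(f"{identifier!r} has already been used; pick a fresh identifier")
        self.active[identifier] = owner

    def retire(self, identifier: str) -> None:
        self.archived[identifier] = self.active.pop(identifier)


# ---- constructed sample data (not from the assessed organization) ----
TODAY = date(2012, 3, 1)
TERMINATED = {"E1003"}   # assumed HR feed of terminated/transferred person ids
SAMPLE_ACCOUNTS = [
    Account("jdoe", "individual", "E1001", date(2010, 5, 1), date(2012, 2, 28)),
    Account("asmith", "individual", "E1002", date(2011, 1, 10), date(2011, 10, 1)),
    Account("tmp-vendor7", "temporary", "V0042", date(2012, 2, 1), date(2012, 2, 27)),
    Account("bjones", "individual", "E1003", date(2009, 3, 3), date(2012, 2, 29)),
    Account("svc-historian", "system", "E1001", date(2008, 1, 1), None),
    Account("old-contractor", "individual", "C0077", date(2010, 1, 1), date(2011, 1, 1), enabled=False),
]


def run_review() -> Dict[str, str]:
    return review_accounts(SAMPLE_ACCOUNTS, TERMINATED, TODAY)


if __name__ == "__main__":
    for ident, reason in sorted(run_review().items()):
        print(f"DISABLE {ident}: {reason}")
    reg = IdentifierRegistry()
    reg.assign("bjones", "E1003", approved_by="isso")
    reg.retire("bjones")          # owner terminated: archive, do not delete
    try:
        reg.assign("bjones", "E2001", approved_by="isso")
    except ValueError as e:
        print("REJECTED:", e)
```

Two design points matter for the assessor's checklist. First, the inactivity rule is applied only to interactive account types; a historian or service account that never logs in interactively would otherwise be disabled by the automation and break the process it supports, so system accounts are instead checked against their named custodian in the termination feed. Second, the archive in `IdentifierRegistry` is what satisfies step 4 of Administrative-2.15.4: deleting a retired identifier would let it be reissued, after which old audit records could no longer be tied to one person.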

Rank:

Requirement: Administrative-2.15.16

Subject: Access Control

Requirement:

The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. These policies stipulate rules of complexity, based on the criticality level of the systems to be accessed. Requirement Enhancement - ICS deployment will require two-factor authentication or comparable compensating measures to ensure only approved authorized access is allowed. How does the organization implement passwords?

Question: 67.

Level Not Met Low

Answer(s) Password policy and procedures are not implemented as defined. The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

Moderate

The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

High

The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

Very High

The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. The password policies stipulate rules of complexity, based on the criticality level of the systems to be accessed. Requirement Enhancement - ICS deployment will require two-factor authentication or comparable compensating measures to ensure only approved authorized access is allowed.

Level Specific Requirement: The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. These policies stipulate rules of complexity, based on the criticality level of the systems to be accessed.

Rank:

Requirement: Administrative-2.15.24

Subject: Access Control

Requirement:

The organization authorizes, monitors, and manages all methods of remote access to the control system. Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods. Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information. Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points. Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system. Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary. Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system. Requirement Enhancement 7 - The organization disables, when not intended for use, wireless networking capabilities internally embedded within system components prior to issue. 
Requirement Enhancement 8 - The organization does not allow users to independently configure wireless networking capabilities. Requirement Enhancement 9 - The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited. Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements. Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements. How does the organization manage remote access?

Question: 72.

Level Not Met Low

Answer(s) Remote access controls are not implemented as defined. The organization authorizes, monitors, and manages all methods of remote access to the control system.

Moderate

The organization authorizes, monitors, and manages all methods of remote access to the control system. Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods. Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information. Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points. Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system. Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary. Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system. Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited.
Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements. Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

High

The organization authorizes, monitors, and manages all methods of remote access to the control system. Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods. Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information. Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points. Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system. Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary. Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system. Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited.
Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements. Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

Very High

The organization authorizes, monitors, and manages all methods of remote access to the control system. Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods. Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information. Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points. Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system. Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary. Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system. Requirement Enhancement 7 - The organization disables, when not intended for use, wireless networking capabilities internally embedded within system components prior to issue.
Requirement Enhancement 8 - The organization does not allow users to independently configure wireless networking capabilities. Requirement Enhancement 9 - The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organizationdefined list of security functions and security-relevant information employ additional security measures (organization defined security measures) and are audited. Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements. Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

Level Specific Requirement: The organization authorizes, monitors, and manages all methods of remote access to the control system. Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods. Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information. Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points. Requirement Enhancement 4 - The organization authorizes remote access for privileged commands and security-relevant information only for compelling operational needs and documents the rationale for such access in the security plan for the system. Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary. Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system.

Rank:

Requirement: Administrative-2.15.25

Subject: Access Control

Requirement:

The organization: 1. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices. 2. Authorizes connection of mobile devices to organizational systems. 3. Monitors for unauthorized connections of mobile devices to organizational systems. 4. Enforces requirements for the connection of mobile devices to organizational systems. 5. Disables system functionality that provides the capability for automatic execution of code on removable media without user direction. 6. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. 7. Applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Requirement Enhancement 1 - The organization restricts the use of writable, removable media in organizational systems. Requirement Enhancement 2 - The organization prohibits the use of personally owned, removable media in organizational systems. Requirement Enhancement 3 - The organization prohibits the use of removable media in organizational systems when the media have no identifiable owner. Note: An identifiable owner for removable media helps reduce the risk of employing such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion). How does the organization manage mobile devices?

Question: 73.

Level Not Met Low

Answer(s) Mobile and portable device controls are not implemented as defined. The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices. The organization authorizes connection of mobile devices to organizational systems. The organization monitors for unauthorized connections of mobile devices to organizational systems. The organization enforces requirements for the connection of mobile devices to organizational systems. The organization disables system functionality that provides the capability for automatic execution of code on removable media without user direction. The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. The organization applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.

Moderate

The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices. The organization authorizes connection of mobile devices to organizational systems. The organization monitors for unauthorized connections of mobile devices to organizational systems. The organization enforces requirements for the connection of mobile devices to organizational systems. The organization disables system functionality that provides the capability for automatic execution of code on removable media without user direction. The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. The organization applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Requirement Enhancement 1 - The organization restricts the use of writable, removable media in organizational systems. Requirement Enhancement 2 - The organization prohibits the use of personally owned, removable media in organizational systems. Requirement Enhancement 3 - The organization prohibits the use of removable media in organizational systems when the media have no identifiable owner. Note: An identifiable owner for removable media helps reduce the risk of employing such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion).

High

The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices. The organization authorizes connection of mobile devices to organizational systems. The organization monitors for unauthorized connections of mobile devices to organizational systems. The organization enforces requirements for the connection of mobile devices to organizational systems. The organization disables system functionality that provides the capability for automatic execution of code on removable media without user direction. The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. The organization applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Requirement Enhancement 1 - The organization restricts the use of writable, removable media in organizational systems. Requirement Enhancement 2 - The organization prohibits the use of personally owned, removable media in organizational systems. Requirement Enhancement 3 - The organization prohibits the use of removable media in organizational systems when the media have no identifiable owner. Note: An identifiable owner for removable media helps reduce the risk of employing such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion).

Very High

The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices. The organization authorizes connection of mobile devices to organizational systems. The organization monitors for unauthorized connections of mobile devices to organizational systems. The organization enforces requirements for the connection of mobile devices to organizational systems. The organization disables system functionality that provides the capability for automatic execution of code on removable media without user direction. The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. The organization applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Requirement Enhancement 1 - The organization restricts the use of writable, removable media in organizational systems. Requirement Enhancement 2 - The organization prohibits the use of personally owned, removable media in organizational systems. Requirement Enhancement 3 - The organization prohibits the use of removable media in organizational systems when the media have no identifiable owner. Note: An identifiable owner for removable media helps reduce the risk of employing such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion).

Level Specific Requirement: The organization: 1. Establishes usage restrictions and implementation guidance for organization-controlled mobile devices. 2. Authorizes connection of mobile devices to organizational systems. 3. Monitors for unauthorized connections of mobile devices to organizational systems. 4. Enforces requirements for the connection of mobile devices to organizational systems. 5. Disables system functionality that provides the capability for automatic execution of code on removable media without user direction. 6. Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. 7. Applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Requirement Enhancement 1 - The organization restricts the use of writable, removable media in organizational systems. Requirement Enhancement 2 - The organization prohibits the use of personally owned, removable media in organizational systems. Requirement Enhancement 3 - The organization prohibits the use of removable media in organizational systems when the media have no identifiable owner. Note: An identifiable owner for removable media helps reduce the risk of employing such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion).

Rank:

Requirement: Administrative-2.18.5

Subject: Risk Management & Assessment

Requirement:

The organization: 1. Authorizes all connections from the system to other systems outside the authorization boundary through the use of system connection agreements. 2. Documents the system connections and associated security requirements for each connection. 3. Monitors the system connections on an ongoing basis verifying enforcement of documented security requirements. How does the organization implement system connections?

Question: 79.

Level Not Met Low

Answer(s) System connections are not identified as defined. The organization authorizes all connections from the system to other systems outside the authorization boundary through the use of system connection agreements. The organization documents the system connections and associated security requirements for each connection. The organization monitors the system connections on an ongoing basis verifying enforcement of documented security requirements.

Moderate

The organization authorizes all connections from the system to other systems outside the authorization boundary through the use of system connection agreements. The organization documents the system connections and associated security requirements for each connection. The organization monitors the system connections on an ongoing basis verifying enforcement of documented security requirements.

High

The organization authorizes all connections from the system to other systems outside the authorization boundary through the use of system connection agreements. The organization documents the system connections and associated security requirements for each connection. The organization monitors the system connections on an ongoing basis verifying enforcement of documented security requirements.

Very High

The organization authorizes all connections from the system to other systems outside the authorization boundary through the use of system connection agreements. The organization documents the system connections and associated security requirements for each connection. The organization monitors the system connections on an ongoing basis verifying enforcement of documented security requirements.

Level Specific Requirement: The organization: 1. Authorizes all connections from the system to other systems outside the authorization boundary through the use of system connection agreements. 2. Documents the system connections and associated security requirements for each connection. 3. Monitors the system connections on an ongoing basis verifying enforcement of documented security requirements.

Rank:

14

Requirement: Administrative-2.18.11

Subject: Risk Management & Assessment

Requirement:

The organization: 1. Scans for vulnerabilities in the system on an organization-defined frequency and randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. 2. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for (a) enumerating platforms, software flaws, and improper configurations; (b) formatting and making transparent checklists and test procedures; and (c) measuring vulnerability impact. 3. Analyzes vulnerability scan reports and remediates legitimate vulnerabilities within a defined timeframe based on an assessment of risk. 4. Shares information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other systems. Requirement Enhancement 1 - The organization employs vulnerability scanning tools that include the capability to readily update the list of system vulnerabilities scanned. Requirement Enhancement 2 - The organization updates the list of system vulnerabilities scanned on an organization-defined frequency or when new vulnerabilities are identified and reported. Requirement Enhancement 3 - The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., system components scanned and vulnerabilities checked). Requirement Enhancement 4 - The organization attempts to discern what information about the system is discoverable by adversaries. Requirement Enhancement 5 - The organization performs security testing to determine the level of difficulty in circumventing the security controls of the system. Requirement Enhancement 6 - The organization includes privileged access authorization to organization-defined system components for selected vulnerability scanning activities to facilitate more thorough scanning. Requirement Enhancement 7 - The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in system vulnerabilities. Requirement Enhancement 8 - The organization employs automated mechanisms on an organization-defined frequency to detect the presence of unauthorized software on organizational systems and notify designated organizational officials.

Key Reqs Gap Analysis Report - 03/01/2012

Page 28 of 54

Question: 80. How does the organization implement vulnerability scanning?

Level / Answer(s)

Not Met

Vulnerability assessments are not implemented as defined.

Low

The organization scans for vulnerabilities in the system on an organization-defined frequency and randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. The organization employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: (a) enumerating platforms, software flaws, and improper configurations; (b) formatting and making transparent checklists and test procedures; and (c) measuring vulnerability impact. The organization analyzes vulnerability scan reports and remediates legitimate vulnerabilities within an organization-defined response time, based on an organizational assessment of risk. The organization shares information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other systems.

Moderate

The organization scans for vulnerabilities in the system on an organization-defined frequency and randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. The organization employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: (a) enumerating platforms, software flaws, and improper configurations; (b) formatting and making transparent checklists and test procedures; and (c) measuring vulnerability impact. The organization analyzes vulnerability scan reports and remediates legitimate vulnerabilities within an organization-defined response time, based on an organizational assessment of risk. The organization shares information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other systems. Requirement Enhancement 1 - The organization employs vulnerability scanning tools that include the capability to readily update the list of system vulnerabilities scanned.

High

The organization scans for vulnerabilities in the system on an organization-defined frequency and randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. The organization employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: (a) enumerating platforms, software flaws, and improper configurations; (b) formatting and making transparent checklists and test procedures; and (c) measuring vulnerability impact. The organization analyzes vulnerability scan reports and remediates legitimate vulnerabilities within an organization-defined response time, based on an organizational assessment of risk. The organization shares information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other systems. Requirement Enhancement 1 - The organization employs vulnerability scanning tools that include the capability to readily update the list of system vulnerabilities scanned. Requirement Enhancement 2 - The organization updates the list of system vulnerabilities scanned on an organization-defined frequency or when new vulnerabilities are identified and reported. Requirement Enhancement 3 - The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., system components scanned and vulnerabilities checked). Requirement Enhancement 4 - The organization attempts to discern what information about the system is discoverable by adversaries. Requirement Enhancement 5 - The organization performs security testing to determine the level of difficulty in circumventing the security controls of the system. Requirement Enhancement 8 - The organization employs automated mechanisms on an organization-defined frequency to detect the presence of unauthorized software on organizational systems and notify designated organizational officials.


Very High

The organization scans for vulnerabilities in the system on an organization-defined frequency and randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. The organization employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: (a) enumerating platforms, software flaws, and improper configurations; (b) formatting and making transparent checklists and test procedures; and (c) measuring vulnerability impact. The organization analyzes vulnerability scan reports and remediates legitimate vulnerabilities within an organization-defined response time, based on an organizational assessment of risk. The organization shares information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other systems. Requirement Enhancement 1 - The organization employs vulnerability scanning tools that include the capability to readily update the list of system vulnerabilities scanned. Requirement Enhancement 2 - The organization updates the list of system vulnerabilities scanned on an organization-defined frequency or when new vulnerabilities are identified and reported. Requirement Enhancement 3 - The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., system components scanned and vulnerabilities checked). Requirement Enhancement 4 - The organization attempts to discern what information about the system is discoverable by adversaries. Requirement Enhancement 5 - The organization performs security testing to determine the level of difficulty in circumventing the security controls of the system. Requirement Enhancement 6 - The organization includes privileged access authorization to organization-defined system components for selected vulnerability scanning activities to facilitate more thorough scanning. Requirement Enhancement 7 - The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in system vulnerabilities. Requirement Enhancement 8 - The organization employs automated mechanisms on an organization-defined frequency to detect the presence of unauthorized software on organizational systems and notify designated organizational officials.

Level Specific Requirement: The organization: 1. Scans for vulnerabilities in the system on an organization-defined frequency and randomly in accordance with organization-defined process and when new vulnerabilities potentially affecting the system are identified and reported. 2. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for (a) enumerating platforms, software flaws, and improper configurations; (b) formatting and making transparent checklists and test procedures; and (c) measuring vulnerability impact. 3. Analyzes vulnerability scan reports and remediates legitimate vulnerabilities within a defined timeframe based on an assessment of risk. 4. Shares information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other systems. Requirement Enhancement 1 - The organization employs vulnerability scanning tools that include the capability to readily update the list of system vulnerabilities scanned. Requirement Enhancement 2 - The organization updates the list of system vulnerabilities scanned on an organization-defined frequency or when new vulnerabilities are identified and reported. Requirement Enhancement 3 - The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., system components scanned and vulnerabilities checked). Requirement Enhancement 4 - The organization attempts to discern what information about the system is discoverable by adversaries. Requirement Enhancement 5 - The organization performs security testing to determine the level of difficulty in circumventing the security controls of the system. Requirement Enhancement 8 - The organization employs automated mechanisms on an organization-defined frequency to detect the presence of unauthorized software on organizational systems and notify designated organizational officials.


Key Reqs Questions and Answers


The individual bullets each represent the degree of compliance to the desired SAL level, as indicated:
Off by 0 - this requirement passes
Off by 1
Off by 2
Off by 3
Off by 4
Not Applicable

1. How does the organization implement security policies and procedures?

The organization develops, implements, and periodically reviews and updates a formal, documented, system security policy that addresses: a. The purpose of the security program as it relates to protecting the organization's personnel and assets, b. The scope of the security program as it applies to all organizational staff and third-party contractors, and c. The roles, responsibilities, management commitment, and coordination among organizational entities of the security program to ensure compliance with the organization's security policy and other regulatory commitments.

2. How does the organization implement risk designations to all positions?

The organization assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions. The organization reviews and revises position risk designations periodically based on the organization's requirements or regulatory commitments.

3. How does the organization screen individuals?

The organization screens individuals requiring access to the control system before access is authorized.

4. How does the organization implement signed access agreements?

The organization completes appropriate agreements for control system access before access is granted, including third parties and contractors who require access to the system. Access agreements are periodically reviewed and updated.

Key Reqs Questions and Answers - 03/01/2012

Page 31 of 54

5. How does the organization implement security requirements for third-party providers?

The organization enforces security controls for third-party personnel and monitors service provider behavior and compliance.

6. How does the organization implement physical access authorizations?

The organization develops and maintains lists of personnel with authorized access to facilities containing control systems (except for areas within facilities officially designated as publicly accessible) and issues appropriate authorization credentials (e.g., badges, identification cards, smart cards). Designated officials within the organization review and approve the access list and authorization credentials at least annually, removing from the access list personnel no longer requiring access.

7. How does the organization implement physical access controls?

The organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the control system resides (excluding those areas within the facility officially designated as publicly accessible). The organization verifies individual access authorizations before granting access to the facility. The organization controls entry to facilities containing control systems using physical access devices and guards. The organization controls access to areas officially designated as publicly accessible in accordance with the organization's assessment of risk. The organization secures keys, combinations, and other physical access devices. The organization inventories physical access devices on a periodic basis. The organization changes combinations and keys on an organization-defined frequency and when keys are lost, combinations are compromised, or individuals are transferred or terminated. The organization controls and verifies physical access to information system distribution and transmission lines of communications within the organizational facilities. The organization controls physical access to information system output devices (e.g., monitors, speakers, printers) to prevent unauthorized individuals from observing and obtaining information access. Requirement Enhancement 1 - The organization limits physical access to control system assets independent of the physical access security mechanisms for the facility.


8. How does the organization monitor physical access?

The organization monitors physical access to the control system to detect and respond to physical security incidents. The organization reviews physical access logs on an organization-defined frequency. The organization coordinates results of reviews and investigations with the organization's incident response capability. Requirement Enhancement 1 - The organization monitors real-time physical intrusion alarms and surveillance equipment. Requirement Enhancement 2 - The organization implements automated mechanisms to recognize potential intrusions and initiates designated response actions.

9. How does the organization implement alternate worksite controls?

The organization establishes an alternate control center with proper equipment and communication infrastructure to compensate for the loss of the primary control system worksite. The organization implements appropriate management, operational, and technical security measures at alternate control centers. Requirement Enhancement - The organization provides methods for employees to communicate with control system security staff in case of security problems.

10. How does the organization implement controls for portable media?

The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices. The organization authorizes connection of mobile devices to organizational control systems. The organization monitors for unauthorized connections of mobile devices to organizational control systems. The organization enforces requirements for the connection of mobile devices to organizational control systems. The organization disables control system functionality that provides the capability for automatic execution of code on removable media without user direction. The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. The organization applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Requirement Enhancement 1 - The organization restricts the use of writable, removable media in organizational control systems. Requirement Enhancement 2 - The organization prohibits the use of personally owned, removable media in organizational control systems. Requirement Enhancement 3 - The organization prohibits the use of removable media in organizational control systems when the media have no identifiable owner.

11. How does the organization implement device access control?

The organization employs hardware (cages, locks, cases, etc.) to detect and deter unauthorized physical access to control system devices. Requirement Enhancement - The organization ensures that the ability to respond appropriately in the event of an emergency is not hindered by using tamper-evident hardware.

12. How does the organization include requirements/specifications in acquisition contracts?

The organization includes security functional requirements and specifications, explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. The organization includes security-related documentation requirements, explicitly or by reference, in control system acquisition contracts based on an assessment of risk and in accordance with applicable laws, directives, policies, regulations, and standards. Requirement Enhancement 1 - The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls employed within the control system. Requirement Enhancement 2 - The organization requires in acquisition documents that vendors/contractors provide information describing the design and implementation details of the security controls employed within the control system (including functional interfaces among control components).

13. How does the organization control user-installed software?

The organization implements policies and procedures to enforce explicit rules and management expectations governing user installation of software.

14. How does the organization implement security controls for outsourced system services?

The organization requires that providers of external control system services employ security controls in accordance with applicable laws, directives, policies, regulations, standards, guidance, and established service level agreements. The organization defines government oversight and user roles and responsibilities with regard to external control system services. The organization monitors security control compliance by external service providers.


15. How does the organization require that developers create/implement a security test and evaluation plan?

The control system developer/integrator develops a security test and evaluation plan. The control system developer/integrator implements a verifiable error remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process. The control system developer/integrator documents the result of the security testing/evaluation and error remediation processes.

16. How does the organization control Critical Information and System Components?

The organization defines and documents all critical hardware and software system components that are in service. The organization upgrades existing limited legacy equipment with current or custom developed information system components.

17. How does the organization implement configuration management policies and procedures?

The organization develops, disseminates, and periodically reviews and updates a formal, documented configuration management policy that addresses: a. The purpose of the configuration management policy as it relates to protecting the organization's personnel and assets, b. The scope of the configuration management policy as it applies to all organizational staff and third-party contractors, c. The roles, responsibilities, management accountability structure, and coordination among organizational entities contained in the configuration management policy to ensure compliance with the organization's security policy and other regulatory commitments. The organization develops, disseminates, and periodically reviews and updates formal documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization develops, disseminates, and periodically reviews and updates the personnel qualification levels required to make changes, the conditions under which changes are allowed, and what approvals are required for those changes.

18. How does the organization implement a system baseline?

The organization develops, documents, and maintains a current baseline configuration of the control system and an inventory of the system's constituent components. Requirement Enhancement 1 - The organization reviews and updates the baseline configuration as an integral part of control system component installations. Requirement Enhancement 4 - The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed on organizational control systems.


19. How does the organization implement configuration change control?

The organization authorizes and documents changes to the control system. The organization retains and reviews records of configuration-managed changes to the system. Requirement Enhancement 1 - The organization employs automated mechanisms to: a. document proposed changes to the control system, b. notify appropriate approval authorities, c. highlight approvals that have not been received in a timely manner, d. inhibit change until necessary approvals are received, and e. document completed changes to the control system. Requirement Enhancement 2 - The organization tests, validates, and documents configuration changes (e.g., patches and updates) before installing them on the operational control system. The organization ensures that testing does not interfere with control system operations. The tester fully understands the corporate cyber and control system security policies and procedures and the specific health, safety, and environmental risks associated with a particular facility and/or process.

20. How does the organization analyze changes for security impact to the system?

The organization implements a process to monitor changes to the control system and conducts security impact analyses to determine the effects of the changes.

21. How does the organization implement a system component inventory?

The organization develops, documents, and maintains an inventory of the components of the system that accurately reflects the current control system. The organization develops, documents, and maintains an inventory of the components of the system that is consistent with the authorization boundary of the control system. The organization develops, documents, and maintains an inventory of the components of the system that is at the level of granularity deemed necessary for tracking and reporting. The organization develops, documents, and maintains an inventory of the components of the system that includes defined information deemed necessary to achieve effective property accountability. Requirement Enhancement 1 - The organization updates the inventory of control system components and programming as an integral part of component installation, replacement, and system updates. Requirement Enhancement 2 - The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of control system components, configuration files and setpoints, alarm settings, and other required operational settings. Requirement Enhancement 3 - The organization employs automated mechanisms to detect the addition of unauthorized components/devices/component settings into the control system. Requirement Enhancement 4 - The organization disables network access by such components/devices or notifies designated organizational officials.

22. How does the organization manage factory default authentication credentials?

The organization changes all factory default authentication credentials on control system components and applications upon installation. Requirement Enhancement - Known legacy operational equipment needs compensatory access restrictions to protect against loss of authentication. In addition, these components need to be identified, tested, and documented to verify that proposed compensatory measures are effective.

23. How does the organization implement a system security plan?

The organization develops a security plan for the system that aligns with the organization's enterprise architecture. The organization develops a security plan for the system that explicitly defines the authorization boundary for the system. The organization develops a security plan for the system that describes relationships with or connections to other systems. The organization develops a security plan for the system that provides an overview of the security requirements for the system. The organization develops a security plan for the system that describes the security controls in place or planned for meeting those requirements. The organization specifies the authorizing official or authorizing official designated representative who reviews and approves the control system security plan prior to implementation. The organization reviews the security plan for the system on an organization-defined frequency, at least annually. The organization revises the plan to address changes to the system/environment or problems identified during plan implementation or security control assessments.

24. How does the organization implement roles and responsibilities?

The organization's control system security plan defines and communicates the specific roles and responsibilities in relation to various types of incidents.


25. How does the organization implement system rules of behavior?

The organization establishes and makes readily available to all control system users a set of rules that describes their responsibilities and expected behavior with regard to control system usage. The organization obtains signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to the control system.

26. How does the system prevent unauthorized and unintended transfer via shared system resources?

The control system prevents unauthorized or unintended information transfer via shared system resources.

27. How does the system protect against denial-of-service attacks?

The control system protects against or limits the effects of denial-of-service attacks based on an organization's defined list of types of denial-of-service attacks.

28. How does the system implement boundary protection?

The organization defines the external boundaries of the control system. Procedural and policy security functions define the operational system boundary, the strength required of the boundary, and the respective barriers to unauthorized access and control of system assets and components. The control system monitors and manages communications at the operational system boundary and at key internal boundaries within the system. Requirement Enhancement 1 - The organization physically allocates publicly accessible control system components to separate subnetworks with separate, physical network interfaces. Publicly accessible control system components include public web servers. Generally, no control system information should be publicly accessible. Requirement Enhancement 2 - The organization prevents public access into the organization's internal control system networks except as appropriately mediated. Requirement Enhancement 3 - The organization limits the number of access points to the control system to allow for better monitoring of inbound and outbound network traffic. Requirement Enhancement 4 - The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing security measures appropriate to the required protection of the integrity and confidentiality of the information being transmitted. Requirement Enhancement 5 - The control system denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception). Requirement Enhancement 6 - The organization prevents the unauthorized release of information outside the control system boundary or any unauthorized communication through the control system boundary when an operational failure of the boundary protection mechanisms occurs. Requirement Enhancement 7 - The organization prevents the unauthorized release of information across managed interfaces. Requirement Enhancement 8 - The control system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination. Requirement Enhancement 9 - The control system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external systems. Requirement Enhancement 10 - The control system prevents remote devices that have established connections with the system from communicating outside that communications path with resources on uncontrolled/unauthorized networks. Requirement Enhancement 11 - The control system routes all internal communications traffic to the Internet through authenticated proxy servers within the managed interfaces of boundary protection devices.

29. How does the system protect the integrity of transmitted information?

The control system design and implementation protects the integrity of electronically communicated information. Requirement Enhancement 1 - The organization employs cryptographic mechanisms to ensure recognition of changes to information during transmission unless otherwise protected by alternative physical measures (e.g., protective distribution systems).

30. How does the system establish a trusted communications path?

The control system establishes a trusted communications path between the user and the system.

31. How does the organization establish and manage cryptographic keys for required cryptography employed within the system?

When cryptography is required and employed within the control system, the organization establishes and manages cryptographic keys using automated mechanisms with supporting procedures or manual procedures. Requirement Enhancement - The organization maintains availability of information in the event of the loss of cryptographic keys by users.

32. How does the system implement cryptographic protection?

The organization develops and implements a policy governing the use of cryptographic mechanisms for the protection of control system information. The organization ensures all cryptographic mechanisms comply with applicable laws, regulatory requirements, directives, policies, standards, and guidance.

33. Are all external system and communication connections identified and protected from tampering or damage?

All external control system and communication connections are identified and protected from tampering or damage.

34. Does the system design and implementation specify security roles and responsibilities for users of the system?

The control system design and implementation specifies the security roles and responsibilities for the users of the system.

35. How does the system implement session authenticity?

The control system provides mechanisms to protect the authenticity of device-to-device communications sessions.

36. How does the organization implement document management policies and procedures?

The organization develops, disseminates, and periodically reviews and updates a formal, documented, system information and document management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the system information and document management policy and associated system maintenance controls.

37. How does the organization implement information and document classification?

The organization develops policies and procedures to classify data, including establishing retention policies and procedures for both electronic and paper media. The organization develops policies and procedures to classify data, including establishing classification policies and methods (e.g., restricted, classified, general). The organization develops policies and procedures to classify data, including establishing access and control policies, to include sharing, copying, transmittal, and distribution appropriate for the level of protection required. The organization develops policies and procedures to classify data, including establishing access to the data based on formally assigned roles and responsibilities for the control system.

38. How does the organization implement media marking?

The organization marks, in accordance with organizational policies and procedures, removable system media and system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information. The organization exempts an organization-defined list of media types or hardware components from marking as long as the exempted items remain within the organization-defined protected environment.

39. How does the organization implement system monitoring and evaluation?

The organization conducts periodic security vulnerability assessments according to the risk management plan. The control system is then updated to address any identified vulnerabilities in accordance with organization's control system maintenance policy.

40. How does the organization implement system backup and recovery?

The organization makes and secures backups of critical system software, applications, and data for use if the control system operating system software becomes corrupted or destroyed.

41. How does the organization implement security awareness and training policies and procedures?

The organization develops, disseminates, and periodically reviews and updates a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.

42. How does the organization provide security awareness training?

The organization provides basic security awareness training to all control system users (including managers, senior executives, and contractors) before authorizing access to the system, when required by system changes, and at least annually thereafter. The effectiveness of security awareness training, at the organization level, needs to be reviewed once a year at a minimum.

43. How does the organization provide role-based security-related training?

The organization defines and documents system security roles and responsibilities throughout the system development life cycle. The organization identifies individuals having system security roles and responsibilities. The organization provides security-related technical training before authorizing access to the system or performing assigned duties; when required by system changes and on an organization-defined frequency thereafter.

44. How does the organization implement continuity of operations?

The organization develops and implements a continuity of operations plan dealing with the overall issue of maintaining or re-establishing production in case of an undesirable interruption for a control system. The plan addresses roles, responsibilities, assigned individuals with contact information, and activities associated with restoring system operations after a disruption or failure. Designated officials within the organization review and approve the continuity of operations plan. Requirement Enhancement 1 - The continuity of operations plan delineates that at the time of the disruption to normal system operations, the organization executes its incident response policies and procedures to place the system in a safe configuration and initiates the necessary notifications to regulatory authorities. Requirement Enhancement 2 - The organization initiates a root cause analysis for the event and submits any findings from the analysis to the organization's corrective action program. Requirement Enhancement 3 - The organization then resumes normal operation of the system in accordance with its policies and procedures.

45. How does the organization implement incident handling capability?

The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. The organization coordinates incident handling activities with contingency planning activities. The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures and implements the procedures accordingly. Requirement Enhancement - The organization employs automated mechanisms to administer and support the incident handling process.

46. How does the organization implement an alternate control center?

Requirement Enhancement 2 - The organization identifies potential accessibility problems to the alternate control center in the event of an areawide disruption or disaster and outlines explicit mitigation actions. Requirement Enhancement 3 - The organization develops alternate control center agreements that contain priority-of-service provisions in accordance with the organization's availability requirements. Requirement Enhancement 4 - The organization fully configures the alternate control center and telecommunications so that they are ready to be used as the operational site supporting a minimum required operational capability. Requirement Enhancement 5 - The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

47. How does the organization implement system and user backups?

The organization conducts backups of user-level information contained in the system on an organization-defined frequency. The organization conducts backups of system-level information (including system state information) contained in the system on an organization-defined frequency. The organization protects the confidentiality and integrity of backup information at the storage location. Requirement Enhancement 1 - The organization tests backup information periodically to verify media reliability and information integrity. Requirement Enhancement 3 - The organization stores backup copies of the operating system and other critical control system software in a separate facility or in a fire-rated container that is not collocated with the operational software.

48. How does the organization implement system recovery and reconstitution?

The organization provides the capability to recover and reconstitute the system to a known secure state after a disruption, compromise, or failure. Requirement Enhancement 2 - The organization provides compensating security controls (including procedures or mechanisms) for the organization-defined circumstances that inhibit recovery to a known, secure state. Requirement Enhancement 3 - The organization provides the capability to re-image system components in accordance with organization-defined restoration time periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.

49. How does the organization implement a fail-safe response?

The system has the ability to execute an appropriate fail-safe procedure upon the loss of communications with the system or the loss of the control system itself.

50. How does the organization restrict access to system media?

The organization ensures that only authorized users have access to information in printed form or on digital media, whether integral to or removed from the control system. Requirement Enhancement - The organization employs automated mechanisms to ensure only authorized access to such storage areas and to audit access attempts and access granted. Note: This control enhancement is primarily applicable to designated media storage areas within an organization where a significant volume of media is stored and is not intended to apply to every location where some media are stored.

51. How does the organization physically protect and securely store system media?

The organization physically manages and securely stores control system media within protected areas. The sensitivity of the material delineates how the media are stored.

52. How does the organization implement malicious code protection?

The organization employs malicious code protection mechanisms at system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means, or inserted through the exploitation of system vulnerabilities. The organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures. The organization configures malicious code protection mechanisms to perform periodic scans of the system on an organization-defined frequency and real-time scans of files from external sources as the files are downloaded, opened, or executed, and to disinfect and quarantine infected files. The organization considers using malicious code protection software products from multiple vendors as part of defense-in-depth. The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system. Requirement Enhancement 1 - The organization centrally manages malicious code protection mechanisms. Requirement Enhancement 2 - The system automatically updates malicious code protection mechanisms (including signature definitions). Requirement Enhancement 3 - The system prevents users from circumventing host-based malicious code protection capabilities. Requirement Enhancement 4 - The system updates malicious code protection mechanisms only when directed by a privileged user. Requirement Enhancement 5 - The organization does not allow users to introduce removable media into the system. Requirement Enhancement 6 - The system implements malicious code protection mechanisms to identify data containing malicious code and responds accordingly (i.e., block, quarantine, send alert to administrator) when the system encounters data not explicitly allowed by the security policy. Requirement Enhancement 7 - The use of mechanisms to centrally manage malicious code protection must not degrade the operational performance of the system.

53. How does the organization implement system monitoring?

The organization monitors events on the system. The organization detects system attacks. The organization identifies unauthorized use of the system. The organization deploys monitoring devices strategically within the system to collect organization-determined essential information and, at ad hoc locations, within the system to track specific types of transactions of interest to the organization. The organization heightens the level of system monitoring activity whenever an indication of increased risk exists to organizational operations and assets, individuals, other organizations, or the nation based on law enforcement information, intelligence information, or other credible sources of information. The organization consults legal counsel with regard to system monitoring activities. Requirement Enhancement 1 - The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols. Requirement Enhancement 2 - In situations where the ICS cannot support the use of automated tools to support near real-time analysis of events, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance. Requirement Enhancement 3 - The organization employs automated tools to support near real-time analysis of events. Requirement Enhancement 4 - The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. Requirement Enhancement 5 - The control system monitors inbound and outbound communications for unusual or unauthorized activities or conditions. Unusual/unauthorized activities or conditions include the presence of malicious code, the unauthorized export of information, or signaling to an external control system. Requirement Enhancement 6 - The control system provides a real-time alert when indications of compromise or potential compromise occur. Requirement Enhancement 7 - The system prevents users from circumventing host-based intrusion detection and prevention capabilities. Requirement Enhancement 8 - In situations where the ICS cannot prevent nonprivileged users from circumventing intrusion detection and prevention capabilities, the organization employs appropriate compensating controls (e.g., enhanced auditing) in accordance with the general tailoring guidance.

54. How does the organization implement security intelligence?

The organization receives system security alerts, advisories, and directives from designated external organizations on an ongoing basis. The organization generates internal security alerts, advisories, and directives as deemed necessary. The organization disseminates security alerts, advisories, and directives to an organization-defined list of personnel. The organization implements security directives in accordance with timeframes established by the directives, or notifies the issuing organization of the degree of noncompliance. Shutting down and restarting the ICS on the identification of an anomaly are not recommended because the event logs can be erased. Requirement Enhancement - The organization employs automated mechanisms to make security alert and advisory information available throughout the organization as needed.

55. How does the system implement security functionality verification?

The organization verifies the correct operation of security functions within the control system upon system startup and restart, upon command by a user with appropriate privilege, periodically, and at defined time periods. The control system notifies the system administrator when anomalies are discovered.

56. How does the system detect unauthorized changes to software and information?

The system monitors and detects unauthorized changes to software and information. Requirement Enhancement 1 - The organization reassesses the integrity of software and information by performing integrity scans of the system on an organization-defined frequency, and uses the scans with extreme caution on designated high-availability systems. Requirement Enhancement 2 - The organization employs automated tools that provide notification to designated individuals on discovering discrepancies during integrity verification, and uses automated tools with extreme caution on designated high-availability systems.

57. How does the organization implement spam protection?

The organization employs spam protection mechanisms at system entry points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means. The organization updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures. The organization considers using spam protection software products from multiple vendors as part of defense-in-depth. Requirement Enhancement 1 - The organization centrally manages spam protection mechanisms. Organizations consider the risk of employing mechanisms to centrally manage spam protection on a system. The use of mechanisms to centrally manage spam protection must not degrade the operational performance of the system.

58. How does the organization implement access control policies and procedures?

The organization develops, disseminates, and periodically reviews and updates a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. The organization develops, disseminates, and periodically reviews and updates formal, documented procedures to facilitate the implementation of the access control policy and associated access controls. Requirement Enhancement 1 - Public access to ICS is not permitted.

59. How does the organization manage information system accounts?

The organization manages system accounts, including identifying account types (i.e., individual, group, and system). The organization manages system accounts, including establishing conditions for group membership. The organization manages system accounts, including identifying authorized users of the system and specifying access rights and privileges. The organization manages system accounts, including requiring appropriate approvals for requests to establish accounts. The organization manages system accounts, including authorizing, establishing, activating, modifying, disabling, and removing accounts. The organization manages system accounts, including reviewing accounts on an organization-defined frequency. The organization manages system accounts, including specifically authorizing and monitoring the use of guest/anonymous accounts. The organization manages system accounts, including notifying account managers when system users are terminated or transferred, or when system usage or need-to-know/need-to-share changes. The organization manages system accounts, including granting access to the system based on a valid need-to-know or need-to-share that is determined by assigned official duties and satisfying all personnel security criteria and intended system usage. Requirement Enhancement 3 - The system automatically disables inactive accounts after a defined time period. Requirement Enhancement 4 - The system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals. Requirement Enhancement 5 - The organization reviews currently active system accounts on a defined frequency to verify that temporary accounts and accounts of terminated or transferred users have been deactivated in accordance with organizational policy. Requirement Enhancement 6 - The organization prohibits the use of system account identifiers as the identifiers for user electronic mail accounts.

60. How does the organization manage system identifiers for users and devices?

Identifier management controls are not implemented as defined.

61. How does the organization manage system authenticators for users and devices?

The organization manages system authenticators for users and devices by verifying, as part of the initial authenticator distribution for a user authenticator, the identity of the individual receiving the authenticator. The organization manages system authenticators for users and devices by establishing initial authenticator content for organization-defined authenticators. The organization manages system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use. The organization manages system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators. The organization manages system authenticators for users and devices by changing default content of authenticators on system installation. The organization manages system authenticators for users and devices by establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate). The organization manages system authenticators for users and devices by changing or refreshing authenticators periodically, as appropriate for authenticator type. The organization manages system authenticators for users and devices by protecting authenticator content from unauthorized disclosure and modification. The organization manages system authenticators for users and devices by requiring users to take, and having devices implement, specific measures to safeguard authenticators. Requirement Enhancement 1 - The system, for PKI-based authentication: a. Validates certificates by constructing a certification path with status information to an accepted trust anchor. b. Enforces authorized access to the corresponding private key. c. Maps the authenticated identity to the user account. Note: Status information for certification paths includes certificate revocation lists or online certificate status protocol responses. Requirement Enhancement 2 - The organization requires that the registration process to receive a user authenticator be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).
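Requirement Enhancement 1 above names three steps for PKI-based authentication. The Go program below, added here as an illustration and not part of this report or of CSET, walks through steps a and c against a constructed PKI (a root CA, operator certificates "op-alice" and "op-bob", a CRL that revokes op-bob, and a self-signed certificate that reuses alice's name); step b concerns protecting the private key store and is not shown. All names, serial numbers and account mappings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKIAuthenticator: trust anchors, status information and identity-to-account mapping.
type PKIAuthenticator struct {
	Roots    *x509.CertPool
	Revoked  map[string]bool   // serials listed in the CA's CRL (status information)
	Accounts map[string]string // subject CN -> local account (constructed mapping)
}

// Authenticate returns the local account for a client certificate, or an error naming the failed check.
func (a *PKIAuthenticator) Authenticate(leaf *x509.Certificate) (string, error) {
	// a. Build a certification path to a trust anchor (Verify also enforces dates and the client-auth EKU).
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: a.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("path validation: %w", err)
	}
	// Consult status information for every certificate on the path, not only the leaf.
	for _, c := range chains[0] {
		if a.Revoked[c.SerialNumber.String()] {
			return "", fmt.Errorf("status check: %q is revoked", c.Subject.CommonName)
		}
	}
	// c. Map the authenticated identity to an account; a valid but unmapped certificate is rejected.
	if acct, ok := a.Accounts[leaf.Subject.CommonName]; ok {
		return acct, nil
	}
	return "", fmt.Errorf("mapping: no account for %q", leaf.Subject.CommonName)
}

func must(err error) { // setup of constructed data only; not a runtime path
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the cert plus its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Demo builds the constructed PKI and returns the verifier plus the certificate each login case presents.
func Demo() (*PKIAuthenticator, map[string]*x509.Certificate) {
	now := time.Now()
	tmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}
	}
	caTmpl := tmpl("Example ICS Root CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.ExtKeyUsage = true, true, nil
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	ca, caKey := issue(caTmpl, nil, nil)
	alice, _ := issue(tmpl("op-alice", 1001), ca, caKey)
	bob, _ := issue(tmpl("op-bob", 1002), ca, caKey)
	rogue, _ := issue(tmpl("op-alice", 1003), nil, nil) // self-signed, same CN as alice
	// The CA publishes a CRL naming bob's serial; its signature is checked before it is trusted.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	must(crl.CheckSignatureFrom(ca))
	auth := &PKIAuthenticator{Roots: x509.NewCertPool(), Revoked: map[string]bool{},
		Accounts: map[string]string{"op-alice": "alice", "op-bob": "bob"}}
	auth.Roots.AddCert(ca)
	for _, rc := range crl.RevokedCertificates {
		auth.Revoked[rc.SerialNumber.String()] = true
	}
	return auth, map[string]*x509.Certificate{"valid": alice, "revoked": bob, "untrusted": rogue}
}

func main() {
	auth, certs := Demo()
	fmt.Println(auth.Authenticate(certs["valid"]))     // alice <nil>
	fmt.Println(auth.Authenticate(certs["revoked"]))   // "" status check: "op-bob" is revoked
	fmt.Println(auth.Authenticate(certs["untrusted"])) // "" path validation: ... unknown authority
}
```

The "untrusted" case shows why step c alone is not enough: the rogue certificate carries alice's name but is rejected in step a because no path to the accepted trust anchor exists.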

62. How does the organization enforce authorization for access control?

The system enforces assigned authorizations for controlling logical access to the system in accordance with applicable policy.

63. How does the organization implement separation of duties?

The organization establishes division of responsibilities and separates duties of individuals as necessary to eliminate conflicts of interest. The organization implements separation of duties through assigned system access authorizations.

64. How does the organization employ the concept of least privilege?

The organization employs the concept of least privilege, limiting authorized access for users (and processes acting on behalf of users), as necessary, to accomplish assigned tasks. Requirement Enhancement 1 - The organization explicitly authorizes access to an organization-defined list of security functions (deployed in hardware, software, and firmware) and security-relevant information. Note: Explicitly authorized personnel include security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. Requirement Enhancement 2 - The organization requires that users of system accounts with access to an organization-defined list of security functions or security-relevant information use nonprivileged accounts when accessing other system functions, and, if feasible, audits any use of privileged accounts for such functions.

65. How does the system uniquely identify and authenticate organizational users?

The system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). Requirement Enhancement 1 - The system employs multifactor authentication for remote access and for access to privileged accounts. Requirement Enhancement 2 - The system employs multifactor authentication for network access and for access to privileged accounts. Requirement Enhancement 3 - The system employs multifactor authentication for local and network access.

66. How does the system use cryptographic module authentication?

The control system employs authentication methods that meet the requirements of applicable laws, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. Requirement Enhancement - Failure of cryptographic module authentication must not create a denial of service or adversely impact the operational performance of the control system.

67. How does the organization implement passwords?

The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords.

68. How does the system limit the number of concurrent sessions?

The organization limits the number of concurrent sessions for any user on the control system.

69. How does the system initiate a session lock?

The system prevents further access to the system by initiating a session lock after an organization-defined time period of inactivity or upon receiving a request from a user. The system retains the session lock until the user re-establishes access using appropriate identification and authentication procedures.

70. How does the system implement remote session termination?

The system terminates a network connection at the end of a session or after an organization-defined time period of inactivity.

71. How does the system implement remote access policy and procedures?

The organization documents allowed methods of remote access to the system. The organization establishes usage restrictions and implementation guidance for each allowed remote access method. The organization authorizes remote access to the system prior to connection. The organization enforces requirements for remote connections to the system.

72. How does the organization manage remote access?

The organization authorizes, monitors, and manages all methods of remote access to the control system. Requirement Enhancement 1 - The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods. Requirement Enhancement 2 - The organization uses cryptography to protect the confidentiality and integrity of remote access sessions. Note: The encryption strength of mechanism is selected based on the FIPS 199 impact level of the information. Requirement Enhancement 3 - The system routes all remote accesses through a limited number of managed access control points. Requirement Enhancement 5 - The system protects wireless access to the system using authentication and encryption. Note: Authentication applies to user, device, or both as necessary. Requirement Enhancement 6 - The organization monitors for unauthorized remote connections to the system, including scanning for unauthorized wireless access points on an organization-defined frequency, and takes appropriate action if an unauthorized connection is discovered. Note: Organizations proactively search for unauthorized remote connections, including the conduct of thorough scans for unauthorized wireless access points. The scan is not necessarily limited to those areas within the facility containing the systems. Yet, the scan is conducted outside those areas only as needed to verify that unauthorized wireless access points are not connected to the system. Requirement Enhancement 9 - The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure. Requirement Enhancement 10 - The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ additional security measures (organization-defined security measures) and are audited. Requirement Enhancement 11 - The organization disables peer-to-peer wireless networking capability within the system except for explicitly identified components in support of specific operational requirements. Requirement Enhancement 12 - The organization disables Bluetooth wireless networking capability within the system except for explicitly identified components in support of specific operational requirements.

73. How does the organization manage mobile devices?

The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices. The organization authorizes connection of mobile devices to organizational systems. The organization monitors for unauthorized connections of mobile devices to organizational systems. The organization enforces requirements for the connection of mobile devices to organizational systems. The organization applies specified measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. Requirement Enhancement 1 - The organization restricts the use of writable, removable media in organizational systems. Requirement Enhancement 2 - The organization prohibits the use of personally owned, removable media in organizational systems. Requirement Enhancement 3 - The organization prohibits the use of removable media in organizational systems when the media have no identifiable owner. Note: An identifiable owner for removable media helps reduce the risk of employing such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion).

Key Reqs Questions and Answers - 03/01/2012

Page 51 of 54

74. How does the organization manage wireless access?

The organization establishes use restrictions and implementation guidance for wireless technologies. The organization authorizes, monitors, and manages wireless access to the control system.
Requirement Enhancement 1 - The organization uses authentication and encryption to protect wireless access to the control system. Any latency induced by the use of encryption must not degrade the operational performance of the control system.
Requirement Enhancement 2 - The organization scans for unauthorized wireless access points at a specified frequency and takes appropriate action if such access points are discovered. Organizations conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact control systems. The scan is not limited to those areas within the facility containing the high-impact control systems.
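The "scan for unauthorized wireless access points" called for by Requirement Enhancement 6 of the remote access question and Enhancement 2 here is a comparison of what a wireless survey actually sees against the inventory of access points the organization has authorized. The following is an added example written for this page, not code from CSET or from the report; the authorized inventory, the survey rows, the SSID names and the -75 dBm signal floor are all constructed assumptions, and in practice the survey rows would come from a wireless survey tool or a WLAN controller export.

```python
"""Rogue wireless access point check against an authorized inventory (added example)."""
from collections import namedtuple

# One row of survey output: BSSID (radio MAC), advertised SSID, channel, signal in dBm.
Observation = namedtuple("Observation", "bssid ssid channel rssi")

# Constructed authorized inventory: BSSID -> the SSID that radio is allowed to advertise.
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "PLANT-OPS",
    "00:11:22:33:44:02": "PLANT-OPS",
    "00:11:22:33:44:10": "PLANT-CORP",
}

# Constructed survey results: two authorized radios, an "evil twin" spoofing our SSID
# from an unknown radio, a strong unknown network, and a weak off-site neighbour.
SAMPLE_SCAN = [
    Observation("00:11:22:33:44:01", "PLANT-OPS", 1, -48),
    Observation("00:11:22:33:44:02", "PLANT-OPS", 6, -55),
    Observation("AA:BB:CC:DD:EE:01", "PLANT-OPS", 6, -42),
    Observation("aa:bb:cc:dd:ee:02", "Free WiFi", 11, -60),
    Observation("aa:bb:cc:dd:ee:03", "CoffeeShop", 11, -88),
]


def normalize_bssid(bssid):
    """Survey tools disagree on MAC letter case; compare in one canonical form."""
    return bssid.strip().lower()


def classify(observations, authorized, rssi_floor=-75):
    """Return (bssid, ssid, verdict) for every observed radio.

    authorized - known BSSID advertising its assigned SSID
    mismatch   - known BSSID advertising a different SSID (misconfiguration or spoofed BSSID)
    evil_twin  - unknown BSSID advertising one of our SSIDs
    rogue      - unknown BSSID heard at or above rssi_floor, i.e. inside the survey area
    distant    - unknown BSSID below rssi_floor; recorded, but treated as external
    """
    auth = {normalize_bssid(k): v for k, v in authorized.items()}
    our_ssids = set(auth.values())
    findings = []
    for obs in observations:
        bssid = normalize_bssid(obs.bssid)
        if bssid in auth:
            verdict = "authorized" if auth[bssid] == obs.ssid else "mismatch"
        elif obs.ssid in our_ssids:
            verdict = "evil_twin"
        elif obs.rssi >= rssi_floor:
            verdict = "rogue"
        else:
            verdict = "distant"
        findings.append((bssid, obs.ssid, verdict))
    return findings


def actionable(findings):
    """The subset that needs the 'appropriate action' the requirement speaks of."""
    return [f for f in findings if f[2] in ("mismatch", "evil_twin", "rogue")]


def missing_from_survey(observations, authorized):
    """Authorized radios the survey did not hear: a stale inventory or a dead/moved AP."""
    heard = {normalize_bssid(o.bssid) for o in observations}
    return sorted(normalize_bssid(b) for b in authorized if normalize_bssid(b) not in heard)


if __name__ == "__main__":
    for bssid, ssid, verdict in classify(SAMPLE_SCAN, AUTHORIZED_APS):
        print(f"{bssid}  {ssid:<12} {verdict}")
    print("not heard:", missing_from_survey(SAMPLE_SCAN, AUTHORIZED_APS))
```

The evil-twin check matters more than the plain unknown-BSSID check in a control system environment: an attacker who clones the operations SSID does not need to plug anything into the network to harvest credentials from clients that auto-join, which is why the requirement asks for scanning beyond the rooms that physically hold the systems.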

75. How does the organization implement external access protection?

The organization employs mechanisms in the design and implementation of a control system to restrict public access to the control system from the organization's enterprise network.

76. How does the organization implement auditing?

The organization determines, based on a risk assessment in conjunction with mission/business needs, which system-related events require auditing, producing an organization-defined list of auditable events and the frequency of (or situation requiring) auditing for each identified event. The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events. The organization ensures that auditable events are adequate to support after-the-fact investigations of security incidents. The organization adjusts, as necessary, the events to be audited within the system based on current threat information and ongoing assessments of risk.
Requirement Enhancement 1 - The organization reviews and updates the list of organization-defined auditable events on an organization-defined frequency.
Requirement Enhancement 2 - The organization includes execution of privileged functions in the list of events to be audited by the system.

77. How does the organization perform audit review, analysis, and reporting?

The organization reviews and analyzes system audit records on an organization-defined frequency for indications of inappropriate or unusual activity and reports findings to designated organizational officials. The organization adjusts the level of audit review, analysis, and reporting within the system when a change in risk exists to organizational operations, organizational assets, individuals, other organizations, or the nation, based on law enforcement information, intelligence information, or other credible sources of information.
Requirement Enhancement 1 - The system employs automated mechanisms to integrate audit review, analysis, and reporting into organizational processes for investigation and response to suspicious activities.
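Question 76 asks that execution of privileged functions be audited, and question 77 that the records be reviewed for inappropriate or unusual activity and fed into an automated process. The following is an added example, not part of the CSET report and not code from the tool: it reviews sudo records in standard syslog format for the three things a reviewer looks for first, denied privilege escalation, privileged commands outside the business window, and commands that change accounts, remote access or service state. The log lines, host names, account names, administrator list and business window are all constructed assumptions; the sensitive-command watchlist is a starting point an organization would extend from its own list of auditable events.

```python
"""Review of privileged-function audit records in sudo syslog format (added example)."""
import re

# Constructed sample records in the format sudo writes to syslog.
SAMPLE_LOG = [
    "Mar  1 02:14:07 hmi01 sudo:  operator : TTY=pts/0 ; PWD=/home/operator ; USER=root ; COMMAND=/bin/systemctl stop historian",
    "Mar  1 09:30:12 hmi01 sudo:  engineer : TTY=pts/1 ; PWD=/home/engineer ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Mar  1 09:31:40 hmi01 sudo:  engineer : TTY=pts/1 ; PWD=/home/engineer ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config",
    "Mar  1 11:02:55 hmi01 sudo:   vendor : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/vendor ; USER=root ; COMMAND=/bin/bash",
    "Mar  1 23:58:01 hmi01 sudo:  engineer : TTY=pts/3 ; PWD=/home/engineer ; USER=root ; COMMAND=/usr/sbin/useradd svc_tmp",
]

# Accounts expected to run privileged functions on these hosts (assumed).
ADMINS = {"engineer", "operator"}

SUDO_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo:\s+(?P<user>\S+) : (?P<fields>.*)$"
)

# Commands a reviewer wants to see regardless of who ran them (assumed watchlist).
SENSITIVE = (
    re.compile(r"/(useradd|usermod|userdel|visudo|passwd)\b"),   # account changes
    re.compile(r"/etc/(sudoers|ssh/|shadow|pam\.d/)"),            # auth and remote access config
    re.compile(r"/systemctl (stop|disable|mask)\b"),              # taking services down
)


def parse_sudo_line(line):
    """Return a dict for a sudo record, or None for lines that are not sudo records."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(" ; "):
        if "=" in part:                      # "user NOT in sudoers" has no '=' and is skipped here
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return {
        "host": m.group("host"),
        "user": m.group("user"),
        "hour": int(m.group("time").split(":")[0]),
        "denied": "NOT in sudoers" in m.group("fields"),
        "target": fields.get("USER"),
        "command": fields.get("COMMAND", ""),
    }


def review(lines, admins, business_hours=(6, 22)):
    """Return the records that warrant follow-up, each with the reasons it was selected."""
    start, end = business_hours
    findings = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["denied"]:
            reasons.append("denied")
        if ev["user"] not in admins:
            reasons.append("unexpected_user")
        if not start <= ev["hour"] < end:
            reasons.append("off_hours")
        if any(p.search(ev["command"]) for p in SENSITIVE):
            reasons.append("sensitive_command")
        if reasons:
            findings.append({"user": ev["user"], "host": ev["host"], "hour": ev["hour"],
                             "command": ev["command"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, ADMINS):
        print(f"{f['host']} {f['hour']:02d}h {f['user']:<9} {', '.join(f['reasons']):<30} {f['command']}")
```

The routine apt-get run by an administrator during the day produces nothing, which is the point: review that reports every privileged command is review nobody reads. The denied escalation by an account outside the administrator list is the record to escalate first, since it shows an account that already has a shell on the HMI probing for more.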

78. How does the organization implement a risk management plan?

The organization develops a risk management plan. A senior organization official reviews and approves the risk management plan.

79. How does the organization implement system connections?

The organization authorizes all connections from the system to other systems outside the authorization boundary through the use of system connection agreements. The organization documents the system connections and associated security requirements for each connection.

80. How does the organization implement vulnerability scanning?

The organization scans for vulnerabilities in the system on an organization-defined frequency, randomly in accordance with an organization-defined process, and when new vulnerabilities potentially affecting the system are identified and reported. The organization employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: (a) enumerating platforms, software flaws, and improper configurations; (b) formatting checklists and test procedures and making them transparent; and (c) measuring vulnerability impact. The organization analyzes vulnerability scan reports and remediates legitimate vulnerabilities within an organization-defined response time, in accordance with an organizational assessment of risk. The organization shares information obtained from the vulnerability scanning process with designated personnel throughout the organization to help eliminate similar vulnerabilities in other systems.
Requirement Enhancement 1 - The organization employs vulnerability scanning tools that include the capability to readily update the list of system vulnerabilities scanned.
Requirement Enhancement 2 - The organization updates the list of system vulnerabilities scanned on an organization-defined frequency or when new vulnerabilities are identified and reported.
Requirement Enhancement 3 - The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., system components scanned and vulnerabilities checked).
Requirement Enhancement 6 - The organization includes privileged access authorization to organization-defined system components for selected vulnerability scanning activities to facilitate more thorough scanning.
Requirement Enhancement 7 - The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in system vulnerabilities.
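The standards this answer alludes to are the SCAP component specifications (CPE for platforms, CVE and CCE for flaws and misconfigurations, XCCDF and OVAL for checklists and test procedures, CVSS for impact), and the two obligations that actually need automation are the organization-defined response time and Enhancement 7's comparison of scan results over time. The following is an added example, not part of the CSET report and not code from any scanner: given a series of scan snapshots it reports what is new, fixed and persistent between two scans, which findings have been open longer than the response time for their severity, and the open-finding trend by severity. The snapshots, host names, finding identifiers, scores and response times are constructed assumptions; in a real run the identifiers would be CVE or CCE IDs exported by the scanner, and the severity bands follow the CVSS v2 scale current at the time of this report.

```python
"""Scan-over-scan comparison and response-time tracking for vulnerability findings (added example)."""
from datetime import date

# Organization-defined response times in days by severity (assumed values).
RESPONSE_DAYS = {"high": 15, "medium": 30, "low": 90}

# Constructed scan snapshots: scan date -> {(host, finding id): CVSS base score}.
SCANS = {
    date(2012, 1, 15): {("hmi01", "VULN-1"): 9.3, ("hmi01", "VULN-2"): 5.0, ("eng01", "VULN-3"): 2.1},
    date(2012, 2, 1):  {("hmi01", "VULN-1"): 9.3, ("eng01", "VULN-3"): 2.1, ("eng01", "VULN-4"): 7.5},
    date(2012, 3, 1):  {("hmi01", "VULN-1"): 9.3, ("eng01", "VULN-4"): 7.5, ("hist01", "VULN-5"): 4.3},
}


def severity(cvss):
    """CVSS v2 qualitative bands: Low below 4.0, Medium below 7.0, High otherwise."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def diff_scans(previous, current):
    """Findings that appeared, disappeared, or persisted between two snapshots."""
    prev, curr = set(previous), set(current)
    return {
        "new": sorted(curr - prev),
        "fixed": sorted(prev - curr),
        "persistent": sorted(prev & curr),
    }


def open_since(scans):
    """Date each finding in the latest snapshot has been continuously present.

    A finding that was fixed and later reappeared restarts its clock at the reappearance,
    so a regression is not counted as overdue from its original discovery date.
    """
    open_ = {}
    for day in sorted(scans):
        present = set(scans[day])
        for key in list(open_):
            if key not in present:
                del open_[key]
        for key in present:
            open_.setdefault(key, day)
    return open_


def overdue(scans, as_of, response_days=RESPONSE_DAYS):
    """(host, finding, severity, age in days) for open findings past their response time."""
    latest = scans[max(scans)]
    since = open_since(scans)
    result = []
    for key, cvss in latest.items():
        sev = severity(cvss)
        age = (as_of - since[key]).days
        if age > response_days[sev]:
            result.append((key[0], key[1], sev, age))
    return sorted(result)


def trend(scans):
    """(scan date, open high, open medium, open low) per snapshot, oldest first."""
    rows = []
    for day in sorted(scans):
        counts = {"high": 0, "medium": 0, "low": 0}
        for cvss in scans[day].values():
            counts[severity(cvss)] += 1
        rows.append((day.isoformat(), counts["high"], counts["medium"], counts["low"]))
    return rows


if __name__ == "__main__":
    days = sorted(SCANS)
    print("last diff:", diff_scans(SCANS[days[-2]], SCANS[days[-1]]))
    print("overdue:", overdue(SCANS, days[-1]))
    for row in trend(SCANS):
        print("trend:", row)
```

Trend rows are what the Enhancement 7 comparison is for: the high count rising from one to two across the series while the same finding on hmi01 stays open for the whole period tells the reviewer the backlog is growing rather than turning over, which the per-scan report alone does not show.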

81. How does the organization identify security risks?

The organization identifies, classifies, prioritizes, and analyzes potential security threats, vulnerabilities, and consequences to its control systems assets using accepted methodologies.

82. How does the organization implement a security officer?

The organization appoints a senior security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide security program.

83. How does the organization manage a system inventory?

The organization develops and maintains an inventory of its systems and critical components.

84. How does the organization implement the enterprise architecture?

The organization develops an enterprise architecture with consideration for security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the nation.
