identified
no way to compare when less than two revisions
Differences
This shows you the differences between two versions of the page.
| — | identified [2021/10/08 16:06] (current) – created jgmac1106 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | Verbs require action and the verb identify (used in past tense) bounces off the pages of the Cyberscecurity Maturity Model Certification assessment objectives more than70 times. The word gets into the once we include the discussion sections. | ||
| + | |||
| + | So how does an Organization Seeking Ceritification go about identifying? | ||
| + | |||
| + | Identify refers to the " | ||
| + | |||
| + | So identify in terms of CMMC means lists. Lists you can provide to an assessor to show the " | ||
| + | |||
| + | This can sometimes mean inventory. By the nature of identify you can throw that which you regard as the same and can't it and throw everything in another bucket and count those. But it really comes down to the practice and the assessment objective. What " | ||
| + | |||
| + | Sop I recommend companies spend time examining the CMMC practices that | ||
| + | |||
| + | AC.1.001 | ||
| + | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] authorized users are identified; | ||
| + | [b] processes acting on behalf of authorized users are identified; | ||
| + | [c] devices (and other systems) authorized to connect to the system are identified; [d] system access is limited to authorized users; | ||
| + | [e] system access is limited to processes acting on behalf of authorized users; and | ||
| + | [f] system acces is limited to authorizeddevices(including other systems). | ||
| + | |||
| + | A doozy of a level one practice. Espeically F. Do you track MAC addresses, Media Access Control, a unique ID for all internet conencted devices and cross reference that to MAC addrsses allowed on the system? Regardless of the complexity of this practice it comes down to having a good access control policy. | ||
| + | |||
| + | Check this out to learn more: http:// | ||
| + | |||
| + | |||
| + | AC.1.003 | ||
| + | Verify and control/ | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] connections to external systems are identified; | ||
| + | [b] the use of external systems is identified; | ||
| + | [c] connections to external systems are verified; | ||
| + | [d] the use of external systems is verified; | ||
| + | [e] connections to external systems are controlled/ | ||
| + | |||
| + | In AC.1.003 First remember you do not have to " | ||
| + | | ||
| + | A system or component of a system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. Basically if you can't control the sytem AC.1.003 kicks in | ||
| + | |||
| + | So you need to limit and control connecting to the Internet, often with routers and firewalls. Commonly just with acceptable use policies. You need to think about cell phones if people can acccess their netowrked files through Sharepont. If you bring a computer home do you need to log in to your system or get denied? | ||
| + | |||
| + | You can use MAC filtering or VLANS. This allows you to monitor | ||
| + | |||
| + | Put the external systems your employeess access must get identified in your policy and your procedures need to explain how you limit these external systems. | ||
| + | |||
| + | AC.1.004 | ||
| + | Control information posted or processed on publicly accessible information systems. | ||
| + | |||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] individuals authorized to post or process information on publicly accessible systems are identified; | ||
| + | [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified; | ||
| + | |||
| + | AC.1004 sounds tricky due to having to approve the posing of information in an era when employees may have blogs or join live industry webinars. Do you need to approve every word they say? No. You may even just hand this control off to marketing if you have that department. Basoically it once again comes down to policy. Specifically your acceptable use policy and a social media policy. If you have that and a list of people identified that can change your public facing website you have two pieces of observable evidence for an assessor | ||
| + | |||
| + | |||
| + | AC.2.011 | ||
| + | Authorize wireless access prior to allowing such connections. | ||
| + | |||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] wireless access points are identified; and | ||
| + | [b] wireless access is authorized prior to allowing such connections. | ||
| + | |||
| + | You handle this through network segmentation. If you want people to connect their phones to Spotify or check their steps on a smart watch you will need to segment your networks and then allow these devices on a network segmented from your netowrks that handle CUI and FCI. For devices that need to connect to your secure networks you will use MAC address filtering/ | ||
| + | |||
| + | In each scenario you chould have banner instructions and procedures in your acceptable use policy detialing what devices employess can connect. | ||
| + | |||
| + | Probably just best to ban BYOD and say no CUI on personal devices but you can do it with containers and FIPS Validated Modules to control MDM. Easier to just say no personal devices. | ||
| + | |||
| + | |||
| + | |||
| + | AC.2.015 | ||
| + | Route remote access via managed access control points. | ||
| + | |||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] managed access control points are identified and implemented; | ||
| + | [b] remote access is routed through managed network access control points. | ||
| + | |||
| + | For this control you have to remember remote can have two different defintions per NIST. You can think of a remote employee connecting from home. This falls inside your system boundary. NIST also defines remote as a connection from outside your system boundary. So assessment item b really refers more to systems outside your boundary. | ||
| + | |||
| + | NIST SP-800-171 does reference NIST SP-800-46 which states that for remote or " | ||
| + | | ||
| + | < | ||
| + | or VMI technologies, | ||
| + | into a secure remote access and telework environment, | ||
| + | and mobile application management (MAM) solutions for enhancing and enforcing mobile device | ||
| + | security.</ | ||
| + | |||
| + | The VDI keeps or the application keeps your system boundary in scope. | ||
| + | |||
| + | Remember probably just best to ban BYOD and personal removable storage devices for any work stuff on any work network, inside or outside your boundary. | ||
| + | |||
| + | | ||
| + | AC.2.005 | ||
| + | Provide privacy and security notices consistent with applicable CUI rules. | ||
| + | |||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category; and | ||
| + | [b] privacy and security notices are displayed. | ||
| + | |||
| + | This will get spelled out in your CUI Policy and procedures. Invest a good amount of time in writint a CUI policy as this will provide Observable Evidence for multiple assessment objectives across the practices and processes of CMMC. | ||
| + | |||
| + | You need the rules spelled out in DoD Instruction 5200.48, “Controlled Unclassified Information, | ||
| + | | ||
| + | AC.2.006 | ||
| + | Limit use of portable storage devices on external systems. | ||
| + | |||
| + | This too falls in your CUI policy. You may take the safe route and say no CUI on portable devices. The Department of Defense has disabled them since 2007. You may say no using portable media on an external system, such as giving a presentation at a conference and saving a slidedeck to a USB drive. You might use an external system such as a Cloud CUI enclave. You must document the choices. | ||
| + | |||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] the use of portable storage devices containing CUI on external systems is identified and documented; | ||
| + | [b] limits on the use of portable storage devices containing CUI on external systems are defined; and | ||
| + | [c] the use of portable storage devices containing CUI on external systems is limited as defined. | ||
| + | |||
| + | AC.2.007 | ||
| + | Employ the principle of least privilege, including for specific security functions and privileged accounts. | ||
| + | |||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] privileged accounts are identified; | ||
| + | [b] access to privileged accounts is authorized in accordance with the principle of least privilege; | ||
| + | [c] security functions are identified; and | ||
| + | d] access to security functions is authorized in accordance with the principle of least privilege. | ||
| + | AC.2.013 | ||
| + | Monitor and control remote access sessions. | ||
| + | |||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] remote access sessions are permitted; | ||
| + | [b] the types of permitted remote access are identified; [c] remote access sessions are controlled; and | ||
| + | [d] remote access sessions are monitored. | ||
| + | | ||
| + | AC.2.015 | ||
| + | Route remote access via managed access control points. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] managed access control points are identified and implemented; | ||
| + | [b] remote access is routed through managed network access control points. | ||
| + | | ||
| + | AC.2.016 | ||
| + | Control the flow of CUI in accordance with approved authorizations. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] information flow control policies are defined; | ||
| + | [b] methods and enforcement mechanisms for controlling the flow of CUI are defined; | ||
| + | [c] designated sources and destinations (e.g., networks, individuals, | ||
| + | [d] authorizations for controlling the flow of CUI are defined; and | ||
| + | [e] approved authorizations for controlling the flow of CUI are enforced. | ||
| + | | ||
| + | AC.3.014 | ||
| + | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and | ||
| + | [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. | ||
| + | |||
| + | |||
| + | AC.3.020 | ||
| + | Control connection of mobile devices. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] mobile devices that process, store, or transmit CUI are identified; [b] mobile device connections are authorized; and | ||
| + | [c] mobile device connections are monitored and logged. | ||
| + | |||
| + | | ||
| + | AC.3.021 | ||
| + | Authorize remote execution of privileged commands and remote access to security-relevant information. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] privileged commands authorized for remote execution are identified; | ||
| + | [b] security-relevant information authorized to be accessed remotely is identified; | ||
| + | [c] the execution of the identified privileged commands via remote access is authorized; and | ||
| + | [d] access to the identified security-relevant information via remote access is authorized. | ||
| + | |||
| + | AC.3.022 | ||
| + | Encrypt CUI on mobile devices and mobile computing platforms. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and | ||
| + | [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. | ||
| + | |||
| + | | ||
| + | Alert in the event of an audit logging process failure. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | | ||
| + | Determine if: | ||
| + | [a] personnel or roles to be alerted in the event of an audit logging process failure are identified; | ||
| + | [b] types of audit logging process failures for which alert will be generated are defined; and [c] identified personnel or roles are alerted in the event of an audit logging process failure | ||
| + | |||
| + | IR.3.098 | ||
| + | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] incidents are tracked; | ||
| + | [b] incidents are documented; | ||
| + | [c] authorities to whom incidents are to be reported are identified; | ||
| + | [d] organizational officials to whom incidents are to be reported are identified; [e] identified authorities are notified of incidents; and | ||
| + | [f] identifiedorganizationalofficialsarenotifiedofincidents. | ||
| + | |||
| + | |||
| + | AT.2.056 | ||
| + | | ||
| + | Ensure that managers, systems administrators, | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] security risks associated with organizational activities involving CUI are identified; | ||
| + | [b] policies, standards, and procedures related to the security of the system are identified; | ||
| + | [c] managers, systems administrators, | ||
| + | [d] managers, systems administrators, | ||
| + | |||
| + | |||
| + | AT.3.058 | ||
| + | | ||
| + | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] potential indicators associated with insider threats are identified; and | ||
| + | [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. | ||
| + | | ||
| + | SC.3.180 | ||
| + | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | | ||
| + | Determine if: | ||
| + | [a] architectural designs that promote effective information security are identified; | ||
| + | [b] software development techniques that promote effective information security are identified; | ||
| + | [c] systems engineering principles that promote effective information security are identified; | ||
| + | [d] identified architectural designs that promote effective information security are employed; | ||
| + | [e] identified software development techniques that promote effective information security are employed; and | ||
| + | [f] | ||
| + | | ||
| + | SI.1.211 | ||
| + | Provide protection from malicious code at appropriate locations within organizational information systems. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] designated locations for malicious code protection are identified; and [ | ||
| + | b] protection from malicious code at designated locations is provided. | ||
| + | |||
| + | |||
| + | RM.3.146 | ||
| + | Develop and implement risk mitigation plans. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [CMMC] | ||
| + | | ||
| + | Determine if: | ||
| + | [a] the organization develops an approach for mitigating each identified risk; and | ||
| + | [b] the organization implements risk mitigation plans for each identified risk. | ||
| + | |||
| + | | ||
| + | AT.3.058 | ||
| + | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] potential indicators associated with insider threats are identified; and | ||
| + | [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. | ||
| + | |||
| + | IA.1.076 | ||
| + | Identify information system users, processes acting on behalf of users, or devices. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | | ||
| + | Determine if: | ||
| + | [a] system users are identified; | ||
| + | [b] processes acting on behalf of users are identified; and [c] devices accessing the system are identified. | ||
| + | |||
| + | | ||
| + | IA.3.083 | ||
| + | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | | ||
| + | Determine if: | ||
| + | [a] privileged accounts are identified; | ||
| + | [b] multifactor authentication is implemented for local access to privileged accounts; | ||
| + | [c] multifactor authentication is implemented for network access to privileged accounts; and | ||
| + | [d] multifactor authentication is implemented for network access to non-privileged accounts. | ||
| + | | ||
| + | Level 1 PE Practices | ||
| + | | ||
| + | PE.1.131 | ||
| + | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] authorized individuals allowed physical access are identified; | ||
| + | [b] physical access to organizational systems is limited to authorized individuals; | ||
| + | [d] physical access to operating environments is limited to authorized individuals. | ||
| + | | ||
| + | RM.2.142 | ||
| + | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] the frequency to scan for vulnerabilities in organizational systems and applications is defined; | ||
| + | [b] vulnerability scans are performed on organizational systems with the defined frequency; | ||
| + | [c] vulnerability scans are performed on applications with the defined frequency; | ||
| + | d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified; and | ||
| + | [e] vulnerability scans are performed on applications when new vulnerabilities are identified. | ||
| + | | ||
| + | RM.2.143 | ||
| + | Remediate vulnerabilities in accordance with risk assessments. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] vulnerabilities are identified; and | ||
| + | [b] vulnerabilities are remediated in accordance with risk assessments. | ||
| + | |||
| + | |||
| + | RM.3.144 | ||
| + | | ||
| + | Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [CMMC] | ||
| + | Determine if: | ||
| + | [a] the organization maintains a process for performing risk assessments; | ||
| + | b] the organization documents and maintains defined risk categories, risk sources, and risk measurement criteria; | ||
| + | [c] the organization prioritizes risk; and | ||
| + | [d] the organization performs risk assessment at a frequency defined by the organization. | ||
| + | |||
| + | |||
| + | CA.2.157 | ||
| + | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] a system security plan is developed; | ||
| + | [b] the system boundary is described and documented in the system security plan; | ||
| + | [c] the system environment of operation is described and documented in the system security plan; | ||
| + | [d] the security requirements identified and approved by the designated authority as non-applicable are identified; | ||
| + | [e] the method of security requirement implementation is described and documented in the system security plan; | ||
| + | [f] the relationship with or connection too the systems is described and documented in the system security plan; | ||
| + | [g] the frequency to update the system security plan is defined; and | ||
| + | [h] system security plan is updated with the defined frequency. | ||
| + | | ||
| + | CA.2.159 | ||
| + | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | a] deficiencies and vulnerabilities to be addressed by the plan of action are identified; | ||
| + | [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; | ||
| + | [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. | ||
| + | |||
| + | | ||
| + | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] collaborative computing devices are identified; | ||
| + | [b] collaborative computing devices provide indication to users of devices in use; and [c] remote activation of collaborative computing devices is prohibited. | ||
| + | |||
| + | CA.3.162 | ||
| + | Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally defined as an area of risk. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [CMMC] | ||
| + | Determine if: | ||
| + | [a] the organization reviews internally developed software for risks; | ||
| + | | ||
| + | [c] the organization has the ability to demonstrate their security assessment process; and | ||
| + | [d] the security assessment process is integrated with the change management process. | ||
| + | |||
| + | |||
| + | SC.1.176 | ||
| + | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] publicly accessible system components are identified; and | ||
| + | [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks. | ||
| + | |||
| + | | ||
| + | SC.2.178 | ||
| + | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] collaborative computing devices are identified; | ||
| + | [b] collaborative computing devices provide indication to users of devices in use; and [c] remote activation of collaborative computing devices is prohibited. | ||
| + | |||
| + | | ||
| + | SC.3.180 | ||
| + | | ||
| + | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | | ||
| + | Determine if: | ||
| + | | ||
| + | [a] architectural designs that promote effective information security are identified; | ||
| + | [b] software development techniques that promote effective information security are identified; | ||
| + | [c] systems engineering principles that promote effective information security are identified; | ||
| + | [d] identified architectural designs that promote effective information security are employed; | ||
| + | [e] identified software development techniques that promote effective information security are employed; and | ||
| + | [f] | ||
| + | | ||
| + | SC.3.181 | ||
| + | | ||
| + | Separate user functionality from system management functionality. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] user functionality is identified; | ||
| + | [b] system management functionality is identified; and | ||
| + | [c] user functionality is separated from system management functionality. | ||
| + | |||
| + | SC.3.185 | ||
| + | | ||
| + | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified; | ||
| + | [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and | ||
| + | [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission | ||
| + | |||
| + | | ||
| + | SI.1.210 | ||
| + | | ||
| + | Identify, report, and correct information and information system flaws in a timely manner. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] the time within which to identify system flaws is specified; | ||
| + | [b] system flaws are identified within the specified time frame; | ||
| + | [c] the time within which to report system flaws is specified; | ||
| + | [d] system flaws are reported within the specified time frame; | ||
| + | [e] the time within which to correct system flaws is specified; and [f] systemflawsarecorrectedwithinthespecifiedtimeframe. | ||
| + | | ||
| + | SI.1.211 | ||
| + | | ||
| + | Provide protection from malicious code at appropriate locations within organizational information systems. | ||
| + | | ||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] designated locations for malicious code protection are identified; and | ||
| + | [b] protection from malicious code at designated locations is provided. | ||
| + | |||
| + | |||
| + | SI.2.217 | ||
| + | |||
| + | Identify unauthorized use of organizational systems. | ||
| + | |||
| + | ASSESSMENT OBJECTIVES [NIST SP 800-171A] | ||
| + | Determine if: | ||
| + | [a] authorized use of the system is defined; and [b] unauthorized use of the system is identified. | ||
identified.txt · Last modified: 2021/10/08 16:06 by jgmac1106