Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 1 of x Company Name Division or Address Division or Address FIPS Specifications for Minimum Security Requirements Procedure Approved: __________________________________________________ title Name Approved: ___________________________________________________ title Name Approved: __________________________________________________ title Name Approved: __________________________________________________ title Name Approved: __________________________________________________ title Name 1. Change Record Rev Date Responsible Person Description of Change A date Name Initial Release 2. Distribution List Information Systems Security (ISS) Development Operations (DevOPs) (List the departments that receive controlled copies) 3. Acronyms FIPS Controlled Copy, Do Not Duplicate Federal Information Processing For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 2 of x 4. Definitions 5. Purpose 5.1. The purpose of this procedure is to establish the executive directive of the minimum standards for Federal Information Processing Systems (FIPS). Our company information systems and information is categorized as Low impact. This also applies to the security objectives of confidentiality, integrity, and availability. 6. Policy for the Standards for Security Categorization of Federal Information and Information Systems Our company will follow the standards for Federal Information Processing Systems (FIPS). Our company will be categorized as low impact Moderate Impact, or high impact. This will apply to the security objectives of confidentiality, integrity, and availability. The Minimum Security requirements shall cover the 17 security related areas with regard to protecting the confidentiality, integrity, and availability. This applies to federal information systems and information processes, stored and transmitted by those systems. 8. Scope This applies to Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address I. Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 3 of x Standards for categorizing information and information systems according to a range of risk levels 8.I.1. Information collected or maintained for on or on behalf of each federal agency 8.I.2. Providing appropriate levels of information security 8.I.3. Guidelines for categorizing the types of information and information systems II. Minimum information security requirements for information and information systems in each category 9. Responsibilities 9.1. Chief Information Officer (CIO) The person responsible for: 1. Providing advice to the executive committee or decision makers for acquiring technology 2. Information systems that is managed in accordance with Executive Orders, directives, policies, regulations and priorities established by our company. 3. Developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture for the company 4. Promoting the effective and efficient design and operation of all major information resources management processes for the company including improvements 9.2. Chief Information Security Officer 1. Responsible for carrying out the directives of the CIO. 10. Low Impact Security Control Selection Process – 10.1. The FIPS requires Organizations that perform information system security must comply with the requirements of FIPS 200 / FIPS 199. They must select the appropriate security controls and assurance requirements described in NIST Special Publications 800-53 Recommended Security Controls for Federal Information Systems 10.1.1. The following table lists Low Impact systems organizations minimum security controls from the low baseline controls of NIST 800-53. They Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 4 of x assure that the minimum assurance requirements associated with the low baseline are satisfied. 1 AC-01 ACCESS CONTROL AC-1 ACCESS CONTROL POLICY AND PROCEDURES 2 AC-02 ACCESS CONTROL AC-2 ACCOUNT MANAGEMENT 3 AC-03 ACCESS CONTROL AC-3 ACCESS ENFORCEMENT 4 AC-07 ACCESS CONTROL AC-7 UNSUCCESSFUL LOGON ATTEMPTS 5 AC-08 ACCESS CONTROL AC-8 SYSTEM USE NOTIFICATION 6 AC-14 ACCESS CONTROL AC14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION 7 AC-17 ACCESS CONTROL AC17 REMOTE ACCESS 8 AC-18 ACCESS CONTROL AC18 WIRELESS ACCESS 9 AC-19 ACCESS CONTROL AC19 ACCESS CONTROL FOR MOBILE DEVICES 10 AC-20 ACCESS CONTROL AC20 USE OF EXTERNAL INFORMATION SYSTEMS 11 AC-22 ACCESS CONTROL AC22 PUBLICLY ACCESSIBLE CONTENT 12 AT-01 AWARENESS AND TRAINING AT-1 SECURITY AWARENESS AND TRAINING POLICY ANDPROCEDURES 13 AT-02 AWARENESS AND TRAINING AT-2 SECURITY AWARENESS TRAINING 14 AT-03 AWARENESS AND TRAINING AT-3 ROLE-BASED SECURITY TRAINING 15 AT-04 AWARENESS AND TRAINING AT-4 SECURITY TRAINING RECORDS 16 AU-01 AUDIT AND ACCOUNTABILITY AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 17 AU-02 AUDIT AND ACCOUNTABILITY AU-2 AUDIT EVENTS 18 AU-03 AUDIT AND ACCOUNTABILITY AU-3 CONTENT OF AUDIT RECORDS Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 5 of x 19 AU-04 AUDIT AND ACCOUNTABILITY AU-4 AUDIT STORAGE CAPACITY 20 AU-05 AUDIT AND ACCOUNTABILITY AU-5 RESPONSE TO AUDIT PROCESSING FAILURES 21 AU-06 AUDIT AND ACCOUNTABILITY AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING 22 AU-08 AUDIT AND ACCOUNTABILITY AU-8 TIME STAMPS 23 AU-09 AUDIT AND ACCOUNTABILITY AU-9 PROTECTION OF AUDIT INFORMATION 24 AU-11 AUDIT AND ACCOUNTABILITY AU11 AUDIT RECORD RETENTION 25 AU-12 AUDIT AND ACCOUNTABILITY AU12 AUDIT GENERATION 26 CA-01 SECURITY ASSESSMENT AND AUTHORIZATION CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES 27 CA-02 SECURITY ASSESSMENT AND AUTHORIZATION CA-2 SECURITY ASSESSMENTS 28 CA-02 (01) SECURITY ASSESSMENT AND AUTHORIZATION CA-2 (1) SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS 29 CA-03 SECURITY ASSESSMENT AND AUTHORIZATION CA-3 SYSTEM INTERCONNECTIONS 30 CA-05 SECURITY ASSESSMENT AND AUTHORIZATION CA-5 PLAN OF ACTION AND MILESTONES 31 CA-06 SECURITY ASSESSMENT AND AUTHORIZATION CA-6 SECURITY AUTHORIZATION 32 CA-07 SECURITY ASSESSMENT AND AUTHORIZATION CA-7 CONTINUOUS MONITORING 33 CA-09 SECURITY ASSESSMENT AND AUTHORIZATION CA-9 INTERNAL SYSTEM CONNECTIONS 34 CM-01 CONFIGURATION MANAGEMENT CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 35 CM-02 CONFIGURATION MANAGEMENT CM-2 BASELINE CONFIGURATION 36 CM-04 CONFIGURATION MANAGEMENT CM-4 SECURITY IMPACT ANALYSIS Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 6 of x 37 CM-06 CONFIGURATION MANAGEMENT CM-6 CONFIGURATION SETTINGS 38 CM-07 CONFIGURATION MANAGEMENT CM-7 LEAST FUNCTIONALITY 39 CM-08 CONFIGURATION MANAGEMENT CM-8 INFORMATION SYSTEM COMPONENT INVENTORY 40 CM-10 CONFIGURATION MANAGEMENT CM10 SOFTWARE USAGE RESTRICTIONS 41 CM-11 CONFIGURATION MANAGEMENT CM11 USER-INSTALLED SOFTWARE 42 CP-01 CONTINGENCY PLANNING CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES 43 CP-02 CONTINGENCY PLANNING CP-2 CONTINGENCY PLAN 44 CP-03 CONTINGENCY PLANNING CP-3 CONTINGENCY TRAINING 45 CP-04 CONTINGENCY PLANNING CP-4 CONTINGENCY PLAN TESTING 46 CP-09 CONTINGENCY PLANNING CP-9 INFORMATION SYSTEM BACKUP 47 CP-10 CONTINGENCY PLANNING CP10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION 48 IA-01 IDENTIFICATION AND AUTHENTICATION IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 49 IA-02 IDENTIFICATION AND AUTHENTICATION IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) 50 IA-02 (01) IDENTIFICATION AND AUTHENTICATION IA-2 (1) IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS 51 IA-02 (12) IDENTIFICATION AND AUTHENTICATION IA-2 (12) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS 52 IA-04 IDENTIFICATION AND AUTHENTICATION IA-4 IDENTIFIER MANAGEMENT 53 IA-05 IDENTIFICATION AND AUTHENTICATION IA-5 AUTHENTICATOR MANAGEMENT Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 7 of x 54 IA-05 (01) IDENTIFICATION AND AUTHENTICATION IA-5 (1) AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION 55 IA-05 (11) IDENTIFICATION AND AUTHENTICATION IA-5 (11) AUTHENTICATOR MANAGEMENT | HARDWARE TOKENBASED AUTHENTICATION 56 IA-06 IDENTIFICATION AND AUTHENTICATION IA-6 AUTHENTICATOR FEEDBACK 57 IA-07 IDENTIFICATION AND AUTHENTICATION IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION 58 IA-08 IDENTIFICATION AND AUTHENTICATION IA-8 IDENTIFICATION AND AUTHENTICATION (NONORGANIZATIONAL USERS) 59 IA-08 (01) IDENTIFICATION AND AUTHENTICATION IA-8 (1) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES 60 IA-08 (02) IDENTIFICATION AND AUTHENTICATION IA-8 (2) IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRDPARTY CREDENTIALS 61 IA-08 (03) IDENTIFICATION AND AUTHENTICATION IA-8 (3) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PRODUCTS 62 IA-08 (04) IDENTIFICATION AND AUTHENTICATION IA-8 (4) IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILES 63 IR-01 INCIDENT RESPONSE IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES 64 IR-02 INCIDENT RESPONSE IR-2 INCIDENT RESPONSE TRAINING 65 IR-04 INCIDENT RESPONSE IR-4 INCIDENT HANDLING 66 IR-05 INCIDENT RESPONSE IR-5 INCIDENT MONITORING 67 IR-06 INCIDENT RESPONSE IR-6 INCIDENT REPORTING 68 IR-07 INCIDENT RESPONSE IR-7 INCIDENT RESPONSE ASSISTANCE Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 8 of x 69 IR-08 INCIDENT RESPONSE IR-8 INCIDENT RESPONSE PLAN 70 MA-01 MAINTENANCE MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES 71 MA-02 MAINTENANCE MA-2 CONTROLLED MAINTENANCE 72 MA-04 MAINTENANCE MA-4 NONLOCAL MAINTENANCE 73 MA-05 MAINTENANCE MA-5 MAINTENANCE PERSONNEL 74 MP-01 MEDIA PROTECTION MP-1 MEDIA PROTECTION POLICY AND PROCEDURES 75 MP-02 MEDIA PROTECTION MP-2 MEDIA ACCESS 76 MP-06 MEDIA PROTECTION MP-6 MEDIA SANITIZATION 77 MP-07 MEDIA PROTECTION MP-7 MEDIA USE 78 PE-01 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES 79 PE-02 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-2 PHYSICAL ACCESS AUTHORIZATIONS 80 PE-03 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-3 PHYSICAL ACCESS CONTROL 81 PE-06 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-6 MONITORING PHYSICAL ACCESS 82 PE-08 PHYSICAL AND ENVIRONMENTAL PROTECTION PE-8 VISITOR ACCESS RECORDS 83 PE-12 PHYSICAL AND ENVIRONMENTAL PROTECTION PE12 EMERGENCY LIGHTING 84 PE-13 PHYSICAL AND ENVIRONMENTAL PROTECTION PE13 FIRE PROTECTION 85 PE-14 PHYSICAL AND ENVIRONMENTAL PROTECTION PE14 TEMPERATURE AND HUMIDITY CONTROLS 86 PE-15 PHYSICAL AND ENVIRONMENTAL PROTECTION PE15 WATER DAMAGE PROTECTION 87 PE-16 PHYSICAL AND ENVIRONMENTAL PROTECTION PE16 DELIVERY AND REMOVAL Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 9 of x 88 PL-01 PLANNING PL-1 SECURITY PLANNING POLICY AND PROCEDURES 89 PL-02 PLANNING PL-2 SYSTEM SECURITY PLAN 90 PL-04 PLANNING PL-4 RULES OF BEHAVIOR 91 PS-01 PERSONNEL SECURITY PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES 92 PS-02 PERSONNEL SECURITY PS-2 POSITION RISK DESIGNATION 93 PS-03 PERSONNEL SECURITY PS-3 PERSONNEL SCREENING 94 PS-04 PERSONNEL SECURITY PS-4 PERSONNEL TERMINATION 95 PS-05 PERSONNEL SECURITY PS-5 PERSONNEL TRANSFER 96 PS-06 PERSONNEL SECURITY PS-6 ACCESS AGREEMENTS 97 PS-07 PERSONNEL SECURITY PS-7 THIRD-PARTY PERSONNEL SECURITY 98 PS-08 PERSONNEL SECURITY PS-8 PERSONNEL SANCTIONS 99 RA-01 RISK ASSESSMENT RA-1 RISK ASSESSMENT POLICY AND PROCEDURES 100 RA-02 RISK ASSESSMENT RA-2 SECURITY CATEGORIZATION 101 RA-03 RISK ASSESSMENT RA-3 RISK ASSESSMENT 102 RA-05 RISK ASSESSMENT RA-5 VULNERABILITY SCANNING 103 SA-01 SYSTEM AND SERVICES ACQUISITION SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES 104 SA-02 SYSTEM AND SERVICES ACQUISITION SA-2 ALLOCATION OF RESOURCES 105 SA-03 SYSTEM AND SERVICES ACQUISITION SA-3 SYSTEM DEVELOPMENT LIFE CYCLE 106 SA-04 SYSTEM AND SERVICES ACQUISITION SA-4 ACQUISITION PROCESS 107 SA-05 SYSTEM AND SERVICES ACQUISITION SA-5 INFORMATION SYSTEM DOCUMENTATION 108 SA-09 SYSTEM AND SERVICES ACQUISITION SA-9 EXTERNAL INFORMATION SYSTEM SERVICES Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 10 of x 109 SC-01 SYSTEM AND COMMUNICATIONS PROTECTION SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES 110 SC-05 SYSTEM AND COMMUNICATIONS PROTECTION SC-5 DENIAL OF SERVICE PROTECTION 111 SC-07 SYSTEM AND COMMUNICATIONS PROTECTION SC-7 BOUNDARY PROTECTION 112 SC-12 SYSTEM AND COMMUNICATIONS PROTECTION SC12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 113 SC-13 SYSTEM AND COMMUNICATIONS PROTECTION SC13 CRYPTOGRAPHIC PROTECTION 114 SC-15 SYSTEM AND COMMUNICATIONS PROTECTION SC15 COLLABORATIVE COMPUTING DEVICES 115 SC-20 SYSTEM AND COMMUNICATIONS PROTECTION SC20 SECURE NAME /ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) 116 SC-21 SYSTEM AND COMMUNICATIONS PROTECTION SC21 SECURE NAME /ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) 117 SC-22 SYSTEM AND COMMUNICATIONS PROTECTION SC22 ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE 118 SC-39 SYSTEM AND COMMUNICATIONS PROTECTION SC39 PROCESS ISOLATION 119 SI-01 SYSTEM AND INFORMATION INTEGRITY SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES 120 SI-02 SYSTEM AND INFORMATION INTEGRITY SI-2 FLAW REMEDIATION 121 SI-03 SYSTEM AND INFORMATION INTEGRITY SI-3 MALICIOUS CODE PROTECTION 122 SI-04 SYSTEM AND INFORMATION INTEGRITY SI-4 INFORMATION SYSTEM MONITORING 123 SI-05 SYSTEM AND INFORMATION INTEGRITY SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 11 of x 124 SI-12 SYSTEM AND INFORMATION INTEGRITY SI-12 INFORMATION HANDLING AND RETENTION 125 SI-16 SYSTEM AND INFORMATION INTEGRITY SI-16 MEMORY PROTECTION 11. Risk Management I. The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program for the management of risk—that is, the risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation of information systems. Risk-based approaches to security control selection and specification consider effectiveness, efficiency, and constraints due to applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines. Tier 1 provides a prioritization of organizational missions/business functions which in turn drives investment strategies and funding decisions—promoting cost-effective, efficient information technology solutions consistent with the strategic goals and objectives of the organization and measures of performance. Tier 2 includes: (i) defining the mission/business processes needed to support the organizational missions/business functions; (ii) determining the security categories of the information systems needed to execute the mission/business processes; (iii) incorporating information security requirements into the mission/business processes; and (iv) establishing an enterprise architecture (including an embedded information security architecture) to facilitate the Controlled Copy, Do Not Duplicate For Internal Use Only Company Name Division or Address Division or Address Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 12 of x allocation of security controls to organizational information systems and the environments in which those systems operate. The Risk Management Framework (RMF), depicted in Figure 2, is the primary means for addressing risk at Tier 3.1 This publication focuses on Step 2 of the RMF, the security control selection process, in the context of the three tiers in the organizational risk management hierarchy. Step 1: Categorize the information system based on a FIPS Publication 199 impact assessment;2 Step 2: Select the applicable security control baseline based on the results of the security categorization and apply tailoring guidance (including the potential use of overlays); Step 3: Implement the security controls and document the design, development, and implementation details for the controls; Step 4: Assess the security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;3 Step 5: Authorize information system operation based on a determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system and the decision that this risk is acceptable; and 1 NIST Special Publication 800-37 provides guidance on the implementation of the Risk Management Framework. A complete listing of all publications supporting the RMF and referenced in Figure 2 is provided in Appendix A. 2 CNSS Instruction 1253 provides security categorization guidance for national security systems. 3 NIST Special Publication 800-53A provides guidance on assessing the effectiveness of security controls. Controlled Copy, Do Not Duplicate For Internal Use Only Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 13 of x Company Name Division or Address Division or Address Step 6: Monitor the security controls in the information system and environment of operation on an ongoing basis to determine control effectiveness, changes to the system/environment, and compliance to legislation, Executive Orders, directives, policies, regulations, and standards. Architecture Description Organizational Inputs Mission/Business Processes FEA Reference Models Segment and Solution Architectures Information System Boundaries Starting Point Laws, Directives, Policy, Guidance Strategic Goals and Objectives Information Security Requirements Priorities and Resource Availability Repeat as necessary Step 1 CATEGORIZE Information Systems Step 6 Step 2 FIPS 199 / SP 800-60 MONITOR SELECT Security Controls Security Controls SP 800-137 FIPS 200 / SP 800-53 RISK MANAGEMENT FRAMEWORK Security Life Cycle Step 5 Step 3 AUTHORIZE IMPLEMENT Information Systems Security Controls SP 800-37 SP 800-160 Step 4 ASSESS Security Controls SP 800-53A Note: CNSS Instruction 1253 provides guidance for RMF Steps 1 and 2 for National Security Systems (NSS). Figure 1 Risk Management Framework 12. Security Control Structure TABLE 1: SECURITY CONTROL IDENTIFIERS AND FAMILY NAMES ID FAMILY ID FAMILY AC Access Control MP Media Protection AT Awareness and Training PE Physical and Environmental Protection AU Audit and Accountability PL Planning CA Security Assessment and Authorization PS Personnel Security CM Configuration Management RA Risk Assessment CP Contingency Planning SA System and Services Acquisition Controlled Copy, Do Not Duplicate For Internal Use Only Title; FIPS Low Impact Doc. No. Rev. No. Date: Page 14 of x Company Name Division or Address Division or Address ID FAMILY ID FAMILY IA Identification and Authentication SC System and Communications Protection IR Incident Response SI System and Information Integrity MA Maintenance PM Program Management Controlled Copy, Do Not Duplicate For Internal Use Only