9-ControlsOPS

Operational Class

Security Control Families

ID   Class         Family                                    # of controls   Class total
CA   Management    Security Assessment and Authorization     6
PL   Management    Planning                                  5
PM   Management    Program Management                        11
RA   Management    Risk Assessment                           4
SA   Management    System and Services Acquisition           14              40
AT   Operational   Awareness and Training                    5
CM   Operational   Configuration Management                  9
CP   Operational   Contingency Planning                      10
IR   Operational   Incident Response                         8
MA   Operational   Maintenance                               6
MP   Operational   Media Protection                          6
PE   Operational   Physical and Environmental Protection     19
PS   Operational   Personnel Security                        8
SI   Operational   System and Information Integrity          13              84
AC   Technical     Access Control                            19
AU   Technical     Audit and Accountability                  14
IA   Technical     Identification and Authentication         8
SC   Technical     System and Communications Protection      34              75

(AT) Awareness & Training

Control                                         References
AT-2 Security Awareness                         5 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); Executive Order 13587; SP 800-50
AT-3 Security Training                          5 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); SP 800-50, SP 800-16
AT-4 Security Training Records
CP-3 Contingency Training                       Federal Continuity Directive 1; SP 800-16, SP 800-50
IR-2 Incident Response Training                 SP 800-16, SP 800-50
CP-4 Contingency Plan Testing and Exercises     SP 800-84, SP 800-34
IR-3 Incident Response Testing and Exercises    SP 800-84, SP 800-115

(CM) Configuration Management

Control                                        References
CM-2 Baseline Configuration                    SP 800-128
CM-3 Configuration Change Control              SP 800-128
CM-4 Security Impact Analysis                  SP 800-128
CM-5 Access Restrictions for Change
CM-6 Configuration Settings                    OMB 07-11, 07-18, 08-22; SP 800-70, SP 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov
CM-7 Least Functionality
CM-8 Information System Component Inventory    SP 800-128
CM-9 Configuration Management Plan             SP 800-128
CM-10 Software Usage Restrictions
CM-11 User-Installed Software

(CP) Contingency Planning

Control                                                  References
CP-2 Contingency Plan                                    FCD-1; SP 800-34
CP-6 Alternate Storage Site                              SP 800-34
CP-7 Alternate Processing Site                           FCD-1; SP 800-34
CP-8 Telecommunications Services                         http://tsp.ncs.gov/; SP 800-34
CP-9 Information System Backup                           SP 800-34
CP-10 Information System Recovery and Reconstitution     SP 800-34

(IR) Incident Response

Control                                 References
IR-4 Incident Handling                  SP 800-61
IR-5 Incident Monitoring                SP 800-61
IR-6 Incident Reporting                 FISMA, US-CERT, M-06-19; SP 800-61
IR-7 Incident Response Assistance
IR-8 Incident Response Plan             SP 800-61

(MA) System Maintenance

Control                           References
MA-2 Controlled Maintenance
MA-3 Maintenance Tools            SP 800-88
MA-4 Non-Local Maintenance        FIPS 140-2, 197, 201; CNSS Policy 15; SP 800-63, SP 800-88
MA-5 Maintenance Personnel
MA-6 Timely Maintenance

(MP) Media Protection

Control                    References
MP-2 Media Access          FIPS 199; SP 800-111
MP-3 Media Marking         FIPS 199
MP-4 Media Storage         FIPS 199; SP 800-56, SP 800-57, SP 800-111
MP-5 Media Transport       FIPS 199; SP 800-60
MP-6 Media Sanitization    FIPS 199; SP 800-60, SP 800-88, Media Destruction Guidance (NSA)
MP-7 Media Use             FIPS 199; SP 800-111

(PS) Personnel Security

Control                                 References
PS-2 Position Categorization            5 CFR 731.106(a)
PS-3 Personnel Screening                5 CFR 731.106; FIPS 199, 201; ICD 704; SP 800-73, SP 800-76, SP 800-78
PS-4 Personnel Termination
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 Third-Party Personnel Security     SP 800-35
PS-8 Personnel Sanctions

(PE) Physical & Environmental Protection

Control                                                References
PE-2 Physical Access Authorizations                    FIPS 201; ICD 704, 705; DoD Instruction 5200.39; SP 800-73, SP 800-76, SP 800-78
PE-3 Physical Access Control                           FIPS 201; ICD 704, 705; DoD Instruction 5200.39; SP 800-73, SP 800-76, SP 800-78, SP 800-116; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: http://idmanagement.gov, http://fips201ep.cio.gov
PE-4 Access Control for Transmission Medium            NSTISSI No. 7003
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 Visitor Control (Withdrawn into PE-2 and PE-3)
PE-8 Access Records
PE-9 Power Equipment and Power Cabling
PE-10 Emergency Shutoff
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Temperature and Humidity Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site                              SP 800-46
PE-18 Location of Information System Components

(SI) Systems Integrity

Control                                              References
SI-2 Flaw Remediation                                SCAP; SP 800-40, SP 800-128
SI-3 Malicious Code Protection                       SP 800-83
SI-4 Information System Monitoring                   SP 800-61, SP 800-83, SP 800-92, SP 800-94, SP 800-137
SI-5 Security Alerts, Advisories, and Directives     FISMA, US-CERT; SP 800-40
SI-6 Security Functionality Verification
SI-7 Software and Information Integrity              SP 800-147, SP 800-155
SI-8 Spam Protection                                 SP 800-45
SI-9 (Withdrawn)
SI-10 Information Input Validation                   DHS EBK, CWE
SI-11 Error Handling                                 DHS EBK, CWE
SI-12 Information Output Handling and Retention      DHS EBK

Knowledge Check

 How well do you know your Awareness & Training (AT) controls and the TT&E-related controls? Take 2 minutes to fill in as many of the following controls as you can.

 Which US law requires all agencies to report security incidents to a Federal incident response center?

 Software assurance (EBK Domain: Application Security) is addressed by which family of security controls from SP 800-53?

(AT) AWARENESS & TRAINING

Awareness & Training Guidance

 5 C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) Information Systems Security Awareness Training Program

 800-16 Role-based Training

 800-50 Building an IT Security Awareness and Training Program

 SP 800-84 TT&E

 SP 800-34 Contingency Planning

 SP 800-61 Incident Handling

CP TT&E (Test, Training, and Exercises)

 Training

 Test

 Exercises

– Tabletop

– Functional

TT&E-related controls:

CP-3 Contingency Training

IR-2 Incident Response Training

CP-4 Contingency Plan Testing and Exercises

IR-3 Incident Response Testing and Exercises

Knowledge Check

 List the (CM) configuration management, and (CP) contingency planning controls:

(CM) CONFIGURATION MANAGEMENT

Configuration Management Guidance

 OMB M-07-11 Implementation of Commonly Accepted Security Configurations for Windows Operating Systems

 OMB M-07-18 Ensuring New Acquisitions Include Common Security Configurations

 OMB M-08-22 Guidance on the Federal Desktop Core Configuration (FDCC)

 SP 800-128 Configuration Management

 SP 800-70 National Checklist Program

 NVD/SCAP Configuration Monitoring
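Added example (not from the course deck or any NIST tool): a baseline-drift check in Python in the spirit of CM-2 (baseline configuration), CM-3 (approved changes), CM-6 (configuration settings) and CM-7 (least functionality). The key = value settings format, the baseline values, the host settings and the change record are all constructed for the example; a real monitor would consume checklist content in SCAP/XCCDF form rather than this format.

```python
"""Added example (not from the course slides): minimal baseline-drift check.
Everything below (baseline, change records, collected settings) is constructed."""

# Constructed approved baseline (CM-2 / CM-6) for a hypothetical host class.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "firewall.default_incoming": "deny",
    "ntp.server": "tick.example.gov",
}

# Constructed change records (CM-3): deviations that went through change control.
APPROVED_CHANGES = {"CHG-0042": {"sshd.PasswordAuthentication": "yes"}}

# Constructed settings as collected from one host.
CURRENT_SETTINGS_TEXT = """\
# collected settings (constructed sample)
sshd.PermitRootLogin = no
sshd.PasswordAuthentication = yes
auditd.enabled = no
firewall.default_incoming = deny
telnet.enabled = yes
"""


def parse_settings(text: str) -> dict:
    """Parse 'key = value' lines; comments and blank lines are ignored,
    a line without '=' is an error rather than silently skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def approved_value(key: str, approved: dict = APPROVED_CHANGES):
    """Return (change_id, allowed_value) if a change record covers the key."""
    for change_id, changed in approved.items():
        if key in changed:
            return change_id, changed[key]
    return None, None


def compare_to_baseline(current: dict, baseline: dict = BASELINE,
                        approved: dict = APPROVED_CHANGES) -> list:
    """One finding per setting that is missing, deviates, or is outside the baseline."""
    findings = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None:
            findings.append({"setting": key, "status": "missing",
                             "expected": expected, "actual": None, "change": None})
        elif actual != expected:
            change_id, allowed = approved_value(key, approved)
            approved_here = allowed == actual
            findings.append({"setting": key,
                             "status": "approved-deviation" if approved_here else "unapproved-deviation",
                             "expected": expected, "actual": actual,
                             "change": change_id if approved_here else None})
    # Settings present on the host but absent from the baseline (CM-7 angle:
    # functionality nobody authorised).
    for key, actual in current.items():
        if key not in baseline:
            findings.append({"setting": key, "status": "not-in-baseline",
                             "expected": None, "actual": actual, "change": None})
    return findings


def drift_report(text: str = CURRENT_SETTINGS_TEXT) -> dict:
    """Findings plus the subset that needs action (approved deviations do not)."""
    findings = compare_to_baseline(parse_settings(text))
    action = [f["setting"] for f in findings
              if f["status"] in ("missing", "unapproved-deviation", "not-in-baseline")]
    return {"findings": findings, "needs_action": action}


if __name__ == "__main__":
    for finding in drift_report()["findings"]:
        print(finding)
```

On the constructed sample the report flags auditd.enabled (unapproved deviation), ntp.server (missing) and telnet.enabled (not in the baseline), while the PasswordAuthentication change is matched to CHG-0042 and left off the action list.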

The Phases of Security-focused Configuration Management

SCAP v1.2 Components

Additional SCAP Terminology

Knowledge Check

 Which SCAP specifications provide a standard naming convention for operating systems, hardware, and applications for the purpose of providing consistent, easily parsed names?

 What is defined as an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes?

 Which special pub provides guidelines on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events?

(CP) CONTINGENCY PLANNING

Contingency Planning Guidance

 FCD-1 National Continuity Program

 SP 800-34r1 Contingency Planning

Types of Plans

Contingency Planning Process

Business Impact Analysis

System/Process Downtime

 Maximum Tolerable Downtime (MTD)

 Recovery Time Objective (RTO)

 Recovery Point Objective (RPO)

 Related: SI-13 Predictable Failure Prevention

Recovery Strategies

(IR) INCIDENT RESPONSE

Incident Response Guidance

 M-06-19 Reporting Security Incidents Involving PII

 FISMA Requires Agencies Report Incidents to US-CERT

 US-CERT Provides Specific Reporting Procedures

 SP 800-61 Incident Handling

Handling an Incident

 SP 800-61, Computer Security Incident Handling Guide

 Preparation

 Detection and Analysis

 Containment, Eradication, and Recovery

 Post-Incident Activity

Incident Reporting Organizations

 US-CERT [IR-6, IR-7]

Each agency must designate a primary and secondary POC with US-CERT, report all incidents, and internally document corrective actions and their impact. [IR-7]

 Information Analysis and Infrastructure Protection (IAIP)

 CERT® Coordination Center (CERT®/CC)

 Information Sharing and Analysis Centers (ISAC)

Federal Agency Incident Reporting Categories

 CAT 0 - Exercise/Network Defense Testing

 CAT 1 * Unauthorized Access

 CAT 2 * Denial of Service (DoS)

 CAT 3 * Malicious Code

 CAT 4 * Inappropriate Usage

 CAT 5 - Scans/Probes/ Attempted Access

 CAT 6 - Investigation

* Any incident that involves compromised PII must be reported to US-CERT within 1 hour of detection regardless of the incident category reporting timeframe.

Knowledge Check

 Name the contingency planning variable that defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business functions, and the MTD?

 What is created to correlate the information system with critical mission/business processes, which is further used to characterize the consequences of a disruption?

 Which Federal mandate requires agencies to report incidents to US-CERT?

 What is the US-CERT incident category name and reporting timeframe for a CAT-2 incident?

 To the best of your knowledge, what are the MA & MP controls?

(MA) SYSTEM MAINTENANCE

System Maintenance Guidance

 Non-local Maintenance = Remote Access/Maintenance

– FIPS 201-1 Common Identification (IA)

– SP 800-63 E-Authentication (IA)

– FIPS 197 Advanced Encryption Standard (SC)

– FIPS 140-2 Cryptography Standard

 SP 800-88 Media Sanitization (MP)

Encryption Standards

 FIPS 140-2

– Level 1 – Basic (at least one Approved algorithm or Approved security function shall be used)

– Level (EAL) 2 - Tamper-evidence, requires role-based authentication

– Level (EAL) 3 – Intrusion detection and prevention, requires identity-based authentication mechanisms

– Level (EAL) 4 – Zeroization, environmental protection

 Advanced Encryption Standard (FIPS 197)

(MP) MEDIA PROTECTION

Media Protection Guidance

 SP 800-111 Storage Encryption

 SP 800-88 Media Sanitization

Storage Encryption Technologies

Media Sanitization

 Disposal - discarding media with no other sanitization considerations

 Cleaning - must not allow information to be retrieved by data, disk, or file recovery utilities.

 Purging - protects the confidentiality of information against a laboratory attack.

 Destroying - ultimate form of sanitization: disintegration, incineration, pulverizing, shredding, and melting.

Sanitization and Disposition Decision Flow

Knowledge Check

 Which FIPS 140-2 encryption level requires identity-based authentication?

 Which FIPS publication specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits?

 What is the recommended disposal method, from the sanitization guidelines of NIST SP 800-88, for paper-based medical records containing sensitive PII?

 What is the supporting guideline for PE-17 Alternate Work Site?

(PE) PHYSICAL & ENVIRONMENTAL PROTECTION

(PE-3) Physical Access Control

 FIPS 201 - Personal Identity Verification (PIV) of Federal Employees and Contractors (IA)

 SP 800-73 - Interfaces for PIV (IA)

 SP 800-76 - Biometric Data Specification for PIV (IA)

 SP 800-78 - Cryptographic Algorithms & Key Sizes for PIV (IA)

(PE-17) Alternate Work Site

 SP 800-46 Guide to Enterprise Telework and Remote Access Security (AC)

– Tunneling

– Application Portals

– Remote Desktop Access

– Direct Application Access

(PS) PERSONNEL SECURITY

(PS-7) Third-party Personnel Security

 SP 800-35 Guide to Information Technology Security Services

 GSA’s Federal Risk and Authorization Management Program (FedRAMP)

– Standardized Security Requirements

– A Conformity Assessment Program

– Repository of Authorization Packages for Cloud Services

– Standardized Contract Language

(SI) SYSTEMS INTEGRITY

Systems Integrity Guidance

 SCAP – Security Content Automation Protocol

– CVE – Common Vulnerabilities and Exposures

– CWE – Common Weakness Enumeration

 SP 800-40 Patch & Vulnerability Management

 SP 800-83 Malware

 800-61 Incident Handling

 800-92 Log Management

 800-94 Intrusion Detection & Prevention

 SP 800-45 E-mail Security

 DHS EBK, Application Security

Malware Incident Prevention & Handling

 Employs malicious code protection mechanisms

 Updates malicious code protection mechanisms

 Configures malicious code protection mechanisms to:

– Periodically Scan

– Respond to Detection

 SP 800-83 Guide to Malware Incident Prevention and Handling

– Malware Categories

– Malware Incident Prevention

– Malware Incident Response

 Related: SI-8 Spam Protection

System Monitoring

 Monitors Events and Detects Attacks

 Identifies Unauthorized Use

 Deploys Monitoring Devices

 Heightens Monitoring Activity Whenever There is Indication of Increased Risk

 Obtains Legal Opinion with Regard to Information System Monitoring Activities

 SP 800-61

 Related: SI-7 Software and Information Integrity

– Parity checks

– Cyclic redundancy checks

– Cryptographic hashes
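Added example (not from the course deck): the three SI-7 integrity mechanisms listed above, implemented in Python and run over one constructed configuration record to show what each one detects and where each stops. The record, the bit-flip positions and the HMAC key are constructed; the keyed hash (HMAC) is an addition beyond the slide's three items, included to show why an unkeyed checksum alone does not answer deliberate modification.

```python
"""Added example (not from the course slides): parity, CRC-32, SHA-256 and a
keyed hash applied to a constructed record."""
import hashlib
import hmac
import zlib

# Constructed sample: a small configuration record worth protecting.
ORIGINAL = b"host=app01;sshd.PermitRootLogin=no;audit=enabled\n"
# Constructed key for the keyed hash; a real key lives with the integrity
# monitoring tool, not beside the data it protects.
HMAC_KEY = b"constructed-demo-key"


def parity_bit(data: bytes) -> int:
    """Even parity over the whole buffer: 1 when the number of set bits is odd."""
    return sum(bin(b).count("1") for b in data) % 2


def crc32(data: bytes) -> int:
    """CRC-32 (IEEE); built to catch accidental corruption, not tampering."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Unkeyed cryptographic hash: any change alters the digest."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(data: bytes, key: bytes = HMAC_KEY) -> str:
    """Keyed hash: recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def flip_bits(data: bytes, positions) -> bytes:
    """Flip (byte_index, bit_index) pairs; models corruption in storage or transit."""
    buf = bytearray(data)
    for byte_i, bit_i in positions:
        buf[byte_i] ^= 1 << bit_i
    return bytes(buf)


def checks_that_detect(original: bytes, candidate: bytes) -> dict:
    """Which of the three checks notice that candidate differs from original."""
    return {
        "parity": parity_bit(original) != parity_bit(candidate),
        "crc32": crc32(original) != crc32(candidate),
        "sha256": sha256_hex(original) != sha256_hex(candidate),
    }


def seal(data: bytes) -> dict:
    """Baseline record: content plus its CRC-32 and its HMAC."""
    return {"content": data, "crc32": crc32(data), "hmac": hmac_sha256_hex(data)}


def verify(record: dict, key: bytes = HMAC_KEY) -> dict:
    """Verdict of each stored check against the record's current content."""
    content = record["content"]
    return {
        "crc32_ok": crc32(content) == record["crc32"],
        "hmac_ok": hmac.compare_digest(hmac_sha256_hex(content, key), record["hmac"]),
    }


def demo() -> dict:
    results = {}
    # 1. One flipped bit: every mechanism notices.
    results["one_bit"] = checks_that_detect(ORIGINAL, flip_bits(ORIGINAL, [(5, 0)]))
    # 2. Two flipped bits: overall parity is unchanged, so the parity check is blind to it.
    results["two_bits"] = checks_that_detect(ORIGINAL, flip_bits(ORIGINAL, [(5, 0), (20, 3)]))
    # 3. Content edited and the stored CRC refreshed to match: an unkeyed check can
    #    always be recomputed by whoever edited the data, so only the keyed hash fails.
    record = seal(ORIGINAL)
    record["content"] = ORIGINAL.replace(b"PermitRootLogin=no", b"PermitRootLogin=yes")
    record["crc32"] = crc32(record["content"])
    results["edited_crc_refreshed"] = verify(record)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

The three cases give the ordering the control's references point at: parity catches single-bit faults, CRC catches the random errors parity misses, and a cryptographic mechanism with a key held away from the data is what turns "detect corruption" into "detect unauthorised change".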

Software Assurance

 SI-10 Information Input Validation

 SI-11 Error Handling

 SI-12 Information Output Handling and Retention
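Added example (not from the course deck): SI-10 and SI-11 side by side in one constructed Python request handler. The field names, the ticket-id format, the backend lookup and the in-memory log sink are all hypothetical; the point is the split between what the caller sees and what the internal log records.

```python
"""Added example (not from the course slides): input validation (SI-10) and
error handling (SI-11) for a constructed ticket-lookup request."""
import re
import uuid

# Allow-list for a constructed ticket identifier, e.g. INC-2024-000123.
TICKET_ID = re.compile(r"INC-\d{4}-\d{6}")
MAX_COMMENT_LEN = 500
ALLOWED_FIELDS = {"ticket_id", "comment"}

# Constructed stand-in for a log sink only administrators can read.
internal_log = []


class ValidationError(ValueError):
    """Raised when a request fails the allow-list checks."""


def validate_ticket_request(form: dict) -> dict:
    """SI-10: accept only known fields whose values match the expected syntax
    and length; anything else is rejected rather than cleaned up."""
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    ticket = form.get("ticket_id")
    if not isinstance(ticket, str) or not TICKET_ID.fullmatch(ticket):
        raise ValidationError("ticket_id does not match INC-YYYY-NNNNNN")
    comment = form.get("comment", "")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT_LEN:
        raise ValidationError("comment is not a string or exceeds the length limit")
    if any(ord(ch) < 32 and ch not in "\n\t" for ch in comment):
        raise ValidationError("comment contains control characters")
    return {"ticket_id": ticket, "comment": comment}


def lookup_ticket(ticket_id: str) -> str:
    """Constructed backend; its failure message carries a file path that must
    stay in the internal log (SI-11) and never reach the response."""
    store = {"INC-2024-000123": "Phishing e-mail reported by a user"}
    if ticket_id not in store:
        raise FileNotFoundError(f"/srv/tickets/db/{ticket_id}.json")
    return store[ticket_id]


def handle_request(form: dict) -> dict:
    """SI-11: full detail goes to the internal log under a reference id;
    the caller receives a generic message plus that reference id."""
    ref = uuid.uuid4().hex[:8]
    try:
        clean = validate_ticket_request(form)
        summary = lookup_ticket(clean["ticket_id"])
        return {"status": 200, "body": {"ticket_id": clean["ticket_id"], "summary": summary}}
    except ValidationError as exc:
        internal_log.append({"ref": ref, "level": "WARNING",
                             "detail": str(exc), "input": repr(form)})
        return {"status": 400, "body": {"error": f"Request rejected (reference {ref})"}}
    except Exception as exc:  # unexpected failure: no type, path or trace leaves the service
        internal_log.append({"ref": ref, "level": "ERROR",
                             "detail": f"{type(exc).__name__}: {exc}"})
        return {"status": 500, "body": {"error": f"Request could not be completed (reference {ref})"}}


if __name__ == "__main__":
    print(handle_request({"ticket_id": "INC-2024-000123", "comment": "follow-up"}))
    print(handle_request({"ticket_id": "INC-24-1", "comment": ""}))
    print(internal_log[-1])
```

The reference id is what ties a user's complaint back to the detailed log entry, which is how the handler satisfies both halves of SI-11: enough detail for the operator to act, none for an outsider to learn from.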

Software Assurance Technologies

Security Automation Domain #11

 Software Assurance Automation Protocol (SwAAP): measures and enumerates software weaknesses

– CWE (Common Weakness Enumeration): dictionary of weaknesses that can lead to exploitable vulnerabilities

– CWSS (Common Weakness Scoring System): assigns risk scores to weaknesses

– CAPEC (Common Attack Pattern Enumeration & Classification): catalog of attack patterns

– MAEC (Malware Attribute Enumeration & Characterization): standardized language about malware, based on attributes such as behaviors and attack patterns

Operational Security Controls

Key Concepts & Vocabulary

 Awareness and Training

 Configuration Management

 Contingency Planning

 Incident Response

 Maintenance

 Media Protection

 Physical and Environmental Protection

 Personnel Security

 System and Information Integrity

Questions?