diff --git a/README.md b/README.md index d0e286c3b..e9f445c04 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,7 @@ Check out the online documentation on https://intuitem.gitbook.io/ciso-assistant 29. CSA CCM (Cloud Controls Matrix)\* 30. FADP (Federal Act on Data Protection) πŸ‡¨πŸ‡­ 31. NIST SP 800-171 rev2 πŸ‡ΊπŸ‡Έ +32. CJIS Security Policy 5.9.4 πŸ•΅
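Review bot: the new entry `+32. CJIS Security Policy 5.9.4` in the README hunk breaks the list's convention of tagging each framework with the flag of the issuing country (entries 30 and 31 carry the Swiss and US flags) by using a detective emoji instead; since the description in the new library attributes the policy to the FBI, the US flag used on entry 31 is the consistent choice, and it is worth checking whether the entry needs the `\*` marker that entry 29 (CSA CCM) carries, as the hunk does not say what that marker denotes.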
@@ -120,10 +121,9 @@ Checkout the [library](/backend/library/libraries/) and [tools](/tools/) for the - SOX - MASVS - FedRAMP -- FBI CJIS - NCSC Cyber Assessment Framework (CAF) - UK Cyber Essentials -- and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open standard, we'll do it for you, _free of charge_ πŸ˜‰ +- and much more: just ask on [Discord](https://discord.gg/qvkaMdQ8da). If it's an open and license-free standard, we'll do it for you, _free of charge_ πŸ˜‰ ### Add your own framework diff --git a/backend/library/libraries/cjis-policy-5.9.4.yaml b/backend/library/libraries/cjis-policy-5.9.4.yaml new file mode 100644 index 000000000..ee48910d1 --- /dev/null +++ b/backend/library/libraries/cjis-policy-5.9.4.yaml 
@@ -0,0 +1,10098 @@ +urn: urn:intuitem:risk:library:cjis-policy-5.9.4 +locale: en +ref_id: CJIS-POLICY-5.9.4 +name: Criminal Justice Information Services (CJIS) Security Policy +description: The Criminal Justice Information Services (CJIS) Security Policy is a + set of standards and guidelines developed by the FBI to help secure criminal justice + information (CJI), such as fingerprints, criminal histories, and other data. The + policy aims to provide appropriate controls to protect the full lifecycle of CJI, + ensuring that it is securely handled, stored, and transmitted. +copyright: US CJIS +version: 1 +provider: US CJIS +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:cjis-policy-5.9.4 + ref_id: CJIS-POLICY-5.9.4 + name: Criminal Justice Information Services (CJIS) Security Policy + description: The Criminal Justice Information Services (CJIS) Security Policy + is a set of standards and guidelines developed by the FBI to help secure criminal + justice information (CJI), such as fingerprints, criminal histories, and other + data. The policy aims to provide appropriate controls to protect the full lifecycle + of CJI, ensuring that it is securely handled, stored, and transmitted. 
+ requirement_nodes: + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + assessable: false + depth: 1 + name: CJIS Security Policy Sections 1 - 4 (Introduction, Approach, Roles & Responsibilities, + and CJI/PII) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Relationship to Local Security Policy and Other Policies + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node4 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: "The local agency may complement the CJIS Security Policy with\ + \ a local policy, or the agency may develop their own stand-alone security\ + \ policy; however, the CJIS Security Policy shall always be the minimum standard\ + \ and local policy may augment, or increase the standards,\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node5 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: '...and local policy may augment, or increase the standards, but + shall not detract from the CJIS Security Policy standards.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node6 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: The agency shall develop, disseminate, and maintain formal, documented + procedures to facilitate the implementation of the CJIS Security Policy and, + where applicable, the local security policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node7 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node3 + description: The policies and procedures shall be consistent with applicable + laws, Executive Orders, directives, policies, regulations, standards, and + guidance. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node8 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: CJIS Systems Agencies (CSA) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node9 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node8 + description: The head of each CSA shall appoint a CJIS Systems Officer (CSO). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node10 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node8 + description: Such decisions shall be documented and kept current. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: CJIS Systems Officer (CSO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node12 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: Pursuant to The Bylaws for the CJIS Advisory Policy Board and Working + Groups, the role of CSO shall not be outsourced. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node13 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 'The CSO shall set, maintain, and enforce the following:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node14 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 1. Standards for the selection, supervision, and separation of + personnel who have access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node15 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 2. 
Policy governing the operation of computers, access devices, + circuits, hubs, routers, firewalls, and other components that comprise and + support a telecommunications network and related CJIS systems used to process, + store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, + and availability of service needed by the criminal justice community. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node16 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: a. Ensure appropriate use, enforce system discipline, and ensure + CJIS Division operating procedures are followed by all users of the respective + services and information. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node17 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: b. Ensure state/federal agency compliance with policies approved + by the APB and adopted by the FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node18 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: c. Ensure the appointment of the CSA ISO and determine the extent + of authority to the CSA ISO. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node19 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: d. Ensure the designation of a Terminal Agency Coordinator (TAC) + within each agency with device access to CJIS systems. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node20 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: e. Ensure each agency having access to CJI has someone designated + as the Local Agency Security Officer (LASO). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node21 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: f. Ensure the LASO receives enhanced security awareness training + (ref. Section 5.2). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node22 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: g. Approve access to FBI CJIS systems. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node23 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: h. Assume ultimate responsibility for managing the security of + CJIS systems within their state and/or agency. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node24 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: i. Perform other related duties outlined by the user agreements + with the FBI CJIS Division. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node25 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: 3. Outsourcing of Criminal Justice Functions + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node26 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: a. Responsibility for the management of the approved security + requirements shall remain with the CJA. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node27 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node11 + description: b. Responsibility for the management control of network security + shall remain with the CJA. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node28 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Contracting Government Agency (CGA) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node29 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node28 + description: A CGA is a government agency, whether a CJA or a NCJA, that enters + into an agreement with a private contractor subject to the CJIS Security Addendum. + The CGA entering into an agreement with a contractor shall appoint an Agency + Coordinator. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Agency Coordinator (AC) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node31 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: The AC shall be responsible for the supervision and integrity of + the system, training and continuing education of employees and operators, + scheduling of initial training and testing, and certification testing and + all required reports by NCIC. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node32 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 'The AC shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node33 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 1. Understand the communications, records capabilities, and needs + of the Contractor which is accessing federal and state records through or + because of its relationship with the CGA. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node34 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 2. 
Participate in related meetings and provide input and comments + for system improvement. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node35 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 3. Receive information from the CGA (e.g., system updates) and + disseminate it to appropriate Contractor employees. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node36 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 4. Maintain and update manuals applicable to the effectuation + of the agreement, and provide them to the Contractor. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node37 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: "5. Maintain up-to-date records of Contractor\u2019s employees\ + \ who access the system, including name, date of birth, social security number,\ + \ date fingerprint card(s) submitted, date security clearance issued, and\ + \ date initially trained, tested, certified or recertified (if applicable)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node38 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 6. Train or ensure the training of Contractor personnel. If Contractor + personnel access NCIC, schedule the operators for testing or a certification + exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule + new operators for the certification exam within six (6) months of assignment. Schedule + certified operators for biennial re-certification testing within thirty (30) + days prior to the expiration of certification. Schedule operators for other + mandated class. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node39 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 7. 
The AC will not permit an untrained/untested or non-certified + Contractor employee to access CJI or systems supporting CJI where access to + CJI can be gained. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node40 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 8. Where appropriate, ensure compliance by the Contractor with + NCIC validation requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node41 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 9. Provide completed applicant fingerprint cards on each Contractor + employee who accesses the system to the CJA (or, where appropriate, CSA) for + criminal background investigation prior to such employee accessing the system. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node42 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node30 + description: 10. Any other responsibility for the AC promulgated by the FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: CJIS System Agency Information Secrurity Officer (CSA ISO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node44 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 'The CSA ISO shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node45 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 1. Serve as the security point of contact (POC) to the FBI CJIS + Division ISO. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node46 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: "2. 
Document technical compliance with the CJIS Security Policy\ + \ with the goal to assure the confidentiality, integrity, and availability\ + \ of criminal justice information to the user community throughout the CSA\u2019\ + s user community, to include the local level." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node47 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 3. Document and provide assistance for implementing the security-related + controls for the Interface Agency and its users. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node48 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node43 + description: 4. Establish a security incident response and reporting procedure + to discover, investigate, document, and report to the CSA, the affected criminal + justice agency, and the FBI CJIS Division ISO major incidents that significantly + endanger the security or integrity of CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Local Agency Security Officer (LASO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node50 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 'Each LASO shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node51 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 1. Identify who is using the CSA approved hardware, software, + and firmware and ensure no unauthorized individuals or processes have access + to the same. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node52 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 2. Identify and document how the equipment is connected to the + state system. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node53 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 3. Ensure that personnel security screening procedures are being + followed as stated in this policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node54 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 4. Ensure the approved and appropriate security measures are in + place and working as expected. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node55 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node49 + description: 5. Support policy compliance and ensure CSA ISO is promptly informed + of security incidents. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: FBI CJIS Division Information Security Officer (FBI CJIS ISO) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node57 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 'The FBI CJIS ISO shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node58 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 1. Maintain the CJIS Security Policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node59 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 2. Disseminate the FBI Director approved CJIS Security Policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node60 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: "3. 
Serve as a liaison with the CSA\u2019s ISO and with other\ + \ personnel across the CJIS community and in this regard provide technical\ + \ guidance as to the intent and implementation of operational and technical\ + \ policy issues." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node61 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 4. Serve as a point-of-contact (POC) for computer incident notification + and distribution of security alerts to the CSOs and ISOs. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node62 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 5. Assist with developing audit compliance guidelines as well + as identifying and reconciling security-related issues. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node63 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 6. Develop and participate in information security training programs + for the CSOs and ISOs, and provide a means by which to acquire feedback to + measure the effectiveness and success of such training. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node64 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node56 + description: 7. Maintain a security policy resource center (SPRC) on FBI.gov + and keep the CSOs and ISOs updated on pertinent information. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node65 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Compact Officer + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node66 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node65 + description: "Pursuant to the National Crime Prevention and Privacy Compact,\ + \ each party state shall appoint a Compact Officer\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node67 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node65 + description: '...Compact Officer who shall ensure that Compact provisions and + rules, procedures, and standards established by the Compact Council are complied + with in their respective state.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node68 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Proper Access, Use, and Dissemination of CHRI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node69 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node68 + description: The III shall be accessed only for an authorized purpose. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node70 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node68 + description: Further, CHRI shall only be used for an authorized purpose consistent + with the purpose for which III was accessed. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Proper Access, Use, and Dissemination of NCIC Restricted Files Information + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node72 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: Proper access to, use, and dissemination of data from restricted + files shall be consistent with the access, use, and dissemination policies + concerning the III described in Title 28, Part 20, CFR, and the NCIC Operating + Manual. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node73 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 'The restricted files, which shall be protected as CHRI, are as + follows:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node74 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 1. Gang File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node75 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 2. Threat Screening Center File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node76 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 3. Supervised Release File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node77 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 4. National Sex Offender Registry File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node78 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 5. 
Historical Protection Order File of the NCIC + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node79 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 6. Identity Theft File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node80 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 7. Protective Interest File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node81 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 8. Person With Information [PWI] data in the Missing Person Files + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node82 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 9. Violent Person File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node83 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node71 + description: 10. NICS Denied Transaction File + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node84 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: For Other Authorized Purposes + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node85 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node84 + description: 'Non-restricted files information shall not be disseminated commercially. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node86 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node84 + description: 'Agencies shall not disseminate restricted files information for + purposes other than law enforcement. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node87 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Storage + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node88 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node87 + description: 'When CHRI is stored, agencies shall establish appropriate administrative, + technical and physical safeguards to ensure the security and confidentiality + of the information. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node89 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node87 + description: These records shall be stored for extended periods only when they + are key elements for the integrity and/or utility of case files and/or criminal + record files. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node90 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Justification + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node91 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node90 + description: In addition to the use of purpose codes and logging information, + all users shall provide a reason for all III inquiries whenever requested + by NCIC System Managers, CSAs, local agency administrators, or their representatives. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node92 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node2 + name: Personally Identifiable Information (PII) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node93 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node92 + description: 'PII shall be extracted from CJI for the purpose of official business + only. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node94 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node92 + description: Agencies shall develop policies, based on state and local privacy + rules, to ensure appropriate controls are applied when handling PII extracted + from CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-1: Information Exchange Agreements' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node96 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: 'Policy Area 1: Information Exchange Agreements' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node97 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node96 + description: The information shared through communication mediums shall be protected + with appropriate security safeguards. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Information Exchange + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node99 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: Before exchanging CJI, agencies shall put formal agreements in + place that specify security controls. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node100 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: Information exchange agreements for agencies sharing CJI data that + is sent to and/or received from the FBI CJIS shall specify the security controls + and conditions described in this document. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node101 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: 'Information exchange agreements shall be supported by documentation + committing both parties to the terms of information exchange. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node102 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node98 + description: Law Enforcement and civil agencies shall have a local policy to + validate a requestor of CJI as an authorized recipient before disseminating + CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node103 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Information Handling + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node104 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node103 + description: Procedures for handling and storage of information shall be established + to protect that information from unauthorized disclosure, alteration or misuse. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node105 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node103 + description: Using the requirements in this policy as a starting point, the + procedures shall apply to the handling, processing, storing, and communication + of CJI. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: State and Federal Agency User Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node107 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: Each CSA head or SIB Chief shall execute a signed written user + agreement with the FBI CJIS Division stating their willingness to demonstrate + conformity with this policy before accessing and participating in CJIS records + information programs. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node108 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: 'This agreement shall include the standards and sanctions governing + utilization of CJIS systems. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node109 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: "As coordinated through the particular CSA or SIB Chief, each Interface\ + \ Agency shall also allow the FBI to periodically test the ability to penetrate\ + \ the FBI\u2019s network through the external network connection or system\ + \ per authorization of Department of Justice (DOJ) Order 2640.2F." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node110 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node106 + description: All user agreements with the FBI CJIS Division shall be coordinated + with the CSA head. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Criminal Justice Agency User Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node112 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: Any CJA receiving access to FBI CJI shall enter into a signed written + agreement with the appropriate signatory authority of the CSA providing the + access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node113 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: The written agreement shall specify the FBI CJIS systems and services + to which the agency will have access, and the FBI CJIS Division policies to + which the agency must adhere. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node114 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: 'These agreements shall include:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node115 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "1.\_Audit." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node116 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "2.\_Dissemination." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node117 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "3.\_Hit confirmation." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node118 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "4.\_Logging." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node119 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "5.\_Quality Assurance (QA)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node120 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "6.\_Screening (Pre-Employment)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node121 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "7.\_Security." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node122 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "8.\_Timeliness." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node123 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: "9.\_Training." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node124 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: 10. Use of the system. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node125 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node111 + description: 11. Validation. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Inter-Agency and Management Control Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node127 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + description: 'A NCJA (government) designated to perform criminal justice functions + for a CJA shall be eligible for access to the CJI. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node128 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + description: 'Access shall be permitted when such designation is authorized + pursuant to Executive Order, statute, regulation, or inter-agency agreement. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node129 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node126 + description: The NCJA shall sign and execute a management control agreement + (MCA) with the CJA, which stipulates management control of the criminal justice + function remains solely with the CJA. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Private Contractor User Agreements and CJIS Security Addendum + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node131 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: "Private contractors who perform criminal justice functions shall\ + \ meet the same training and certification criteria required by governmental\ + \ agencies performing a similar function, and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node132 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: '...and shall be subject to the same extent of audit review as + are local user agencies.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node133 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: All private contractors who perform criminal justice functions + shall acknowledge, via signing of the Security Addendum Certification page, + and abide by all aspects of the CJIS Security Addendum. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node134 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: Modifications to the CJIS Security Addendum shall be enacted only + by the FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node135 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: '1. Private contractors designated to perform criminal justice + functions for a CJA shall be eligible for access to CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node136 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: "Access shall be permitted pursuant to an agreement which specifically\ + \ identifies the agency\u2019s purpose and scope of providing services for\ + \ the administration of criminal justice." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node137 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: The agreement between the CJA and the private contractor shall + incorporate the CJIS Security Addendum approved by the Director of the FBI, + acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 + (a)(7). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node138 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: '2. Private contractors designated to perform criminal justice + functions on behalf of a NCJA (government) shall be eligible for access to + CJI. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node139 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: "Access shall be permitted pursuant to an agreement which specifically\ + \ identifies the agency\u2019s purpose and scope of providing services for\ + \ the administration of criminal justice. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node140 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node130 + description: The agreement between the NCJA and the private contractor shall + incorporate the CJIS Security Addendum approved by the Director of the FBI, + acting for the U.S. Attorney General, as referenced in Title 28 CFR 20.33 + (a)(7). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Agency User Agreements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node142 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: A NCJA (public) designated to request civil fingerprint-based background + checks, with the full consent of the individual to whom a background check + is taking place, for noncriminal justice functions, shall be eligible for + access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node143 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: 'Access shall be permitted when such designation is authorized + pursuant to federal law or state statute approved by the U.S. Attorney General. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node144 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: 'A NCJA (public) receiving access to FBI CJI shall enter into a + signed written agreement with the appropriate signatory authority of the CSA/SIB + providing the access. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node145 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: A NCJA (private) designated to request civil fingerprint-based + background checks, with the full consent of the individual to whom a background + check is taking place, for noncriminal justice functions, shall be eligible + for access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node146 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: 'Access shall be permitted when such designation is authorized + pursuant to federal law or state statute approved by the U.S. Attorney General. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node147 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: A NCJA (private) receiving access to FBI CJI shall enter into a + signed written agreement with the appropriate signatory authority of the CSA, + SIB, or authorized agency providing the access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node148 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: All NCJAs accessing CJI shall be subject to all pertinent areas + of the CJIS Security Policy (see appendix J for supplemental guidance). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node149 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node141 + description: "Each NCJA that directly accesses FBI CJI shall also allow the\ + \ FBI to periodically test the ability to penetrate the FBI\u2019s network\ + \ through the external network connection or system per authorization of Department\ + \ of Justice (DOJ) Order 2640.2F." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Outsourcing Standards for Channelers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node151 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: Channelers designated to request civil fingerprint-based background + checks or noncriminal justice ancillary functions on behalf of a NCJA (public) + or NCJA (private) for noncriminal justice functions shall be eligible for + access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node152 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: Access shall be permitted when such designation is authorized pursuant + to federal law or state statute approved by the U.S. Attorney General. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node153 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: All Channelers accessing CJI shall be subject to the terms and + conditions described in the Compact Council Security and Management Control + Outsourcing Standard. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node154 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: Each Channeler that directly accesses CJI shall also allow the + FBI to conduct periodic penetration testing. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node155 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: "Channelers leveraging CJI to perform civil functions on behalf\ + \ of an Authorized Recipient shall meet the same training and certification\ + \ criteria required by governmental agencies performing a similar function\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node156 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node150 + description: '...and shall be subject to the same extent of audit review as + are local user agencies.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Outsourcing Standards for Non-Channelers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node158 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: Contractors designated to perform noncriminal justice ancillary + functions on behalf of a NCJA (public) or NCJA (private) for noncriminal justice + functions shall be eligible for access to CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node159 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: Access shall be permitted when such designation is authorized pursuant + to federal law or state statute approved by the U.S. Attorney General. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node160 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: All contractors accessing CJI shall be subject to the terms and + conditions described in the Compact Council Outsourcing Standard for Non-Channelers. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node161 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: "Contractors leveraging CJI to perform civil functions on behalf\ + \ of an Authorized Recipient shall meet the same training and certification\ + \ criteria required by governmental agencies performing a similar function,\ + \ and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node162 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node157 + description: '...and shall be subject to the same extent of audit review as + are local user agencies.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Monitoring, Review, and Delivery of Services + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node164 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + description: 'As specified in the inter-agency agreements, MCAs, and contractual + agreements with private contractors, the services, reports and records provided + by the service provider shall be regularly monitored and reviewed. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node165 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + description: 'The CJA, authorized agency, or FBI shall maintain sufficient overall + control and visibility into all security aspects to include, but not limited + to, identification of vulnerabilities and information security incident reporting/response. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node166 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node163 + description: The incident reporting/response process used by the service provider + shall conform to the incident reporting/response specifications provided in + this policy. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node167 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Managing Changes to Service Providers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node168 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node167 + description: Any changes to services provided by a service provider shall be + managed by the CJA, authorized agency, or FBI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node169 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node167 + description: Evaluation of the risks to the agency shall be undertaken based + on the criticality of the data, system, and the impact of the change. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node170 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Secondary Dissemination + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node171 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node170 + description: "If CHRI is released to another authorized agency, and that agency\ + \ was not part of the releasing agency\u2019s primary information exchange\ + \ agreement(s), the releasing agency shall log such dissemination." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node172 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node95 + name: Secondary Dissemination of Non-CHRI CJI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node173 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node172 + description: Dissemination shall conform to the local policy validating the + requestor of the CJI as an employee or contractor of a law enforcement agency + or civil agency requiring the CJI to perform their mission or a member of + the public receiving CJI via authorized dissemination. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-2: Awareness and Training (AT)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: Policy and Procedures + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node176 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to all personnel\ + \ when their unescorted logical or physical access to any information system\ + \ results in the ability, right, or privilege to view, modify, or make use\ + \ of unencrypted CJI:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node177 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "1.\_\_\_\_\_ Organization-level awareness and training policy\ + \ that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node178 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node179 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node180 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ awareness and training policy and the associated awareness and training\ + \ 
controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node181 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security awareness and training responsibilities to manage the development,\ + \ documentation, and dissemination of the awareness and training policy nd\ + \ procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node182 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "c.\_\_\_\_\_\_ Review and update the current awareness and training:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node183 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "1.\_\_\_\_\_ Policy annually and following changes in the information\ + \ system operating environment, when security incidents occur, or when changes\ + \ to the CJIS Security Policy are made; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node184 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node175 + description: "2.\_\_\_\_\_ Procedures annually and following changes in the\ + \ information system operating environment, when security incidents occur,\ + \ or when changes to the CJIS Security Policy are made." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: Literacy Training and Awareness + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node186 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "a.\_\_\_\_\_ Provide security and privacy literacy training to\ + \ system users (including managers, senior executives, and contractors):" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node187 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "1.\_\_\_\_\_ As part of initial training for new users prior to\ + \ accessing CJI and annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node188 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "2.\_\_\_\_\_ When required by system changes or within 30 days\ + \ of any security event for individuals involved in the event;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node189 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "b.\_\_\_\_\_ Employ one or more of the following techniques to\ + \ increase the security and privacy awareness of system users:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node190 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "1.\_\_\_\_\_ Displaying posters " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node191 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "2.\_\_\_\_\_ Offering supplies inscribed with security and privacy\ + \ reminders" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node192 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "3.\_\_\_\_\_ Displaying logon screen messages " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node193 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "4.\_\_\_\_\_ Generating email advisories or notices from organizational\ + \ officials" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node194 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "5.\_\_\_\_\_ Conducting awareness events " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node195 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "c.\_\_\_\_\_\_ Update literacy training and awareness content\ + \ annually and following changes in the information system operating environment,\ + \ when security incidents occur, or when changes are made in the CJIS Security\ + \ Policy; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node196 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node185 + description: "d.\_\_\_\_\_ Incorporate lessons learned from internal or external\ + \ security incidents or breaches into literacy training and awareness techniques." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node197 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: LITERACY TRAINING AND AWARENESS | INSIDER THREAT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node198 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node197 + description: Provide literacy training on recognizing and reporting potential + indicators of insider threat. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node199 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: LITERACY TRAINING AND AWARENESS | SOCIAL ENGINEERING AND MINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node200 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node199 + description: Provide literacy training on recognizing and reporting potential + and actual instances of social engineering and social mining. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: ROLE-BASED TRAINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node202 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_\_ Provide role-based security and privacy training\ + \ to personnel with the following roles and responsibilities: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node203 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "\xB7\_\_\_\_\_\_\_ All individuals with unescorted access to a\ + \ physically secure location; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node204 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "\xB7\_\_\_\_\_\_\_ General User: A user, but not a process, who\ + \ is authorized to use an information system; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node205 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "\xB7\_\_\_\_\_\_\_ Privileged User: A user that is authorized\ + \ (and, therefore, trusted) to perform security-relevant functions that general\ + \ users are not authorized to perform:" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node206 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "1.\_\_\_\_\_ Before authorizing access to the system, information,\ + \ or performing assigned duties, and annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node207 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "2.\_\_\_\_\_ When required by system changes;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node208 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_\_ Update role-based training content annually and following\ + \ audits of the CSA and local agencies\_; changes in the information system\ + \ operating environment; security incidents; or when changes are made to the\ + \ CJIS Security Policy;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node209 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "c.\_\_\_\_\_\_ Incorporate lessons learned from internal or external\ + \ security incidents or breaches into role-based training;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node210 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d.\_\_\_\_\_ Incorporate the minimum following topics into the\ + \ appropriate role-based training content:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node211 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "1.\_\_\_\_ All individuals with unescorted access to a physically\ + \ secure location:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node212 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ 
Access, Use and Dissemination of Criminal History Record\ + \ Information (CHRI), NCIC Restricted Files Information, and NCIC Non-Restricted\ + \ Files Information Penalties" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node213 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ Reporting Security Events" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node214 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: c. Training + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node215 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d.\_\_\_\_ System Use Notification" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node216 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "e.\_\_\_\_\_ Physical Access Authorizations " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node217 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "f.\_\_\_\_\_ Physical Access Control " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node218 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "g.\_\_\_\_ Monitoring Physical Access " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node219 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "h.\_\_\_\_ Visitor Control" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node220 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "i.\_\_\_\_\_\_ Personnel Sanctions" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node221 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "2.\_\_\_\_ General User: A user, but not a process, who is authorized\ + \ to use an information system. In addition to AT-3 (d) (1) above, include\ + \ the following topics:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node222 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ Criminal Justice Information" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node223 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ Proper Access, Use, and Dissemination of NCIC Non-Restricted\ + \ Files Information" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node224 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "c.\_\_\_\_\_ Personally Identifiable Information" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node225 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d.\_\_\_\_ Information Handling" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node226 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: e. Media Storage + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node227 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: f. 
Media Access + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node228 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "g.\_\_\_\_ Audit Monitoring, Analysis, and Reporting" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node229 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "h.\_\_\_\_ Access Enforcement" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node230 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "i.\_\_\_\_\_\_ Least Privilege" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node231 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "j.\_\_\_\_\_\_ System Access Control" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node232 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "k.\_\_\_\_ Access Control Criteria" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node233 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "l.\_\_\_\_\_\_ System Use Notification" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node234 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "m.\_\_ Session Lock" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node235 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "n.\_\_\_\_ Personally Owned Information Systems" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node236 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "o.\_\_\_\_ Password" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node237 + assessable: true + depth: 
3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "p.\_\_\_\_ Access Control for Display Medium" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node238 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "q.\_\_\_\_ Encryption" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node239 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "r.\_\_\_\_\_ Malicious Code Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node240 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "s.\_\_\_\_\_ Spam and Spyware Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node241 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "t.\_\_\_\_\_\_ Cellular Devices" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node242 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "u.\_\_\_\_ Mobile Device Management" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node243 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "v.\_\_\_\_\_ Wireless Device Risk Mitigations" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node244 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "w.\_\_\_ Wireless Device Malicious Code Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node245 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "x.\_\_\_\_ Literacy Training and Awareness/Social Engineering\ + \ and Mining" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node246 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "y.\_\_\_\_\_ Identification and Authentication (Organizational\ + \ Users)" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node247 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "z.\_\_\_\_\_ Media Protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node248 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "3.\_\_\_\_ Privileged User: A user that is authorized (and, therefore,\ + \ trusted) to perform security-relevant functions that general users are not\ + \ authorized to perform. In addition to AT-3 (d) (1) and (2) above, include\ + \ the following topics:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node249 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ Access Control" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node250 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ System and Communications Protection and Information\ + \ Integrity" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node251 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: c. Patch Management + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node252 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "d. 
Data backup and storage\u2014centralized or decentralized approach" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node253 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "e.\_\_\_\_\_ Most recent changes to the CJIS Security Policy" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node254 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "4.\_\_\_\_ Organizational Personnel with Security Responsibilities:\ + \ Personnel with the responsibility to ensure the confidentiality, integrity,\ + \ and availability of CJI and the implementation of technology in a manner\ + \ compliant with the CJISSECPOL. In addition to AT-3 (d) (1), (2), and (3)\ + \ above, include the following topics:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node255 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "a.\_\_\_\_ Local Agency Security Officer Role" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node256 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: "b.\_\_\_\_ Authorized Recipient Security Officer Role" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node257 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: c. Additional state/local/tribal/federal agency LASO roles + and responsibilities + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node258 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: d. Summary of audit findings from previous state audits of + local agencies + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node259 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node201 + description: e. 
Findings from the last FBI CJIS Division audit + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node260 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: ROLE-BASED TRAINING | PROCESSING PERSONALLY IDENTIFIABLE INFORMATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node261 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node260 + description: Provide all personnel when their unescorted logical or physical + access to any information system results in the ability, right, or privilege + to view, modify, or make use of unencrypted CJI with initial and annual training + in the employment and operation of personally identifiable information processing + and transparency controls. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node262 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node174 + name: TRAINING RECORDS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node263 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node262 + description: "a.\_\_\_\_\_ Document and monitor information security and privacy\ + \ training activities, including security and privacy awareness training and\ + \ specific role-based security and privacy training; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node264 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node262 + description: "b.\_\_\_\_\_ Retain individual training records for a minimum\ + \ of three years." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-3: Incident Response (IR)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node267 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "a.\_\_\_\_\_\_\_\_ Develop, document, and disseminate to all personnel\ + \ when their unescorted logical or physical access to any information system\ + \ results in the ability, right, or privilege to view, modify, or make use\ + \ of unencrypted CJI:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node268 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "1.\_\_\_\_\_ Agency-level incident response policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node269 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node270 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node271 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ incident response policy and the associated incident response controls;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node272 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "b.\_\_\_\_\_ Designate an individual with security responsibilities\ + \ to manage the development, documentation, and dissemination of the incident\ + \ response policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node273 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "c.\_\_\_\_\_\_ Review and update the current incident response:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node274 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node275 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node266 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE TRAINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node277 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "a.\_\_\_\_\_ Provide incident response training to system users\ + \ consistent with assigned roles and responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node278 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "1.\_\_\_\_\_ Prior to assuming an incident response role or responsibility\ + \ or acquiring system access;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node279 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "2.\_\_\_\_\_ When required by system changes; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node280 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "3.\_\_\_\_\_ Annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node281 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node276 + description: "b.\_\_\_\_\_ Review and update incident response training content\ + \ annually and following any security incidents involving unauthorized access\ + \ to CJI or systems used to process, store, or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node282 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (3) INCIDENT RESPONSE TRAINING | BREACH + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node283 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node282 + description: "Provide incident response training on how to identify and respond\ + \ to a breach, including the organization\u2019s process for reporting a breach." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node284 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE TESTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node285 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node284 + description: 'Test the effectiveness of the incident response capability for + the system annually using the following tests: tabletop or walk-through exercises; + simulations; or other agency-appropriate tests.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node286 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node287 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node286 + description: Coordinate incident response testing with organizational elements + responsible for related plans. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT HANDLING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node289 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "a.\_\_\_\_\_ Implement an incident handling capability for incidents\ + \ that is consistent with the incident response plan and includes preparation,\ + \ detection and analysis, containment, eradication, and recovery;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node290 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "b.\_\_\_\_\_ Coordinate incident handling activities with contingency\ + \ planning activities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node291 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "c.\_\_\_\_\_\_ Incorporate lessons learned from ongoing incident\ + \ handling activities into incident response procedures, training, and testing,\ + \ and implement the resulting changes accordingly; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node292 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node288 + description: "d.\_\_\_\_\_ Ensure the rigor, intensity, scope, and results of\ + \ incident handling activities are comparable and predictable across the organization." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node293 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node294 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node293 + description: Support the incident handling process using automated mechanisms + (e.g., online incident management systems and tools that support the collection + of live response data, full network packet capture, and forensic analysis. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node295 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT MONITORING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node296 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node295 + description: Track and document incidents. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node297 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT REPORTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node298 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node297 + description: "a.\_\_\_\_\_ Require personnel to report suspected incidents to\ + \ the organizational incident response capability immediately but not to exceed\ + \ one (1) hour after discovery; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node299 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node297 + description: "b.\_\_\_\_ Report incident information to organizational personnel\ + \ with incident handling responsibilities, and if confirmed, notify the CSO,\ + \ SIB Chief, or Interface Agency Official." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node300 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT REPORTING | AUTOMATED REPORTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node301 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node300 + description: Report incidents using automated mechanisms. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node302 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (3) INCIDENT REPORTING | SUPPLY CHAIN COORDINATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node303 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node302 + description: Provide incident information to the provider of the product or + service and other organizations involved in the supply chain or supply chain + governance for systems or system components related to the incident. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node304 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE ASSISTANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node305 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node304 + description: Provide an incident response support resource, integral to the + organizational incident response capability, that offers advice and assistance + to users of the system for the handling and reporting of incidents. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node306 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY + OF INFORMATION AND SUPPORT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node307 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node306 + description: Increase the availability of incident response information and + support using automated mechanisms described in the discussion. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: INCIDENT RESPONSE PLAN + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node309 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "a.\_\_\_\_\_ Develop an incident response plan that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node310 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "1.\_\_\_\_\_ Provides the organization with a roadmap for implementing\ + \ its incident response capability;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node311 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "2.\_\_\_\_\_ Describes the structure and organization of the incident\ + \ response capability;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node312 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "3.\_\_\_\_\_ Provides a high-level approach for how the incident\ + \ response capability fits into the overall organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node313 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "4.\_\_\_\_\_ Meets the unique requirements of the organization,\ + \ which relate to mission, size, structure, and functions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node314 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "5.\_\_\_\_\_ Defines reportable incidents;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node315 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "6.\_\_\_\_\_ Provides metrics for measuring the incident response\ + \ capability within the organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node316 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "7.\_\_\_\_\_ Defines the resources and management support needed\ + \ to effectively maintain and mature an incident response capability;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node317 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "8.\_\_\_\_\_ Addresses the sharing of incident information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node318 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "9.\_\_\_\_\_ Is reviewed and approved by the organization\u2019\ + s/agency\u2019s executive leadership annually; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node319 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "10.\_\_ Explicitly designates responsibility for incident response\ + \ to organizational personnel with incident reporting responsibilities and\ + \ CSO or CJIS WAN Official." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node320 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "b.\_\_\_\_\_ Distribute copies of the incident response plan to\ + \ organizational personnel with incident handling responsibilities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node321 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "c.\_\_\_\_\_\_ Update the incident response plan to address system\ + \ and organizational changes or problems encountered during plan implementation,\ + \ execution, or testing;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node322 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "d.\_\_\_\_\_ Communicate incident response plan changes to organizational\ + \ personnel with incident handling responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node323 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node308 + description: "e.\_\_\_\_\_ Protect the incident response plan from unauthorized\ + \ disclosure and modification." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node265 + name: (1) INCIDENT RESPONSE PLAN | BREACHES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node325 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: 'Include the following in the Incident Response Plan for breaches + involving personally identifiable information:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node326 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: "(a)\_\_\_ A process to determine if notice to individuals or other\ + \ organizations, including oversight organizations, is needed;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node327 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: "(b)\_\_\_ An assessment process to determine the extent of the\ + \ harm, embarrassment, inconvenience, or unfairness to affected individuals\ + \ and any mechanisms to mitigate such harms; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node328 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node324 + description: "(c)\_\_\_\_ Identification of applicable privacy requirements." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-4: Audit and Accountability' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node331 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with audit and accountability responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node332 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "1.\_\_\_\_\_ Agency and system-level audit and accountability\ + \ policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node333 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node334 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node335 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ audit and accountability policy and the associated audit and accountability\ + \ controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node336 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security responsibilities to manage the development, documentation, and\ + \ dissemination of the audit and accountability policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node337 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "c.\_\_\_\_\_\_ Review and update the current audit and accountability:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node338 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node339 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node330 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: EVENT LOGGING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node341 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "a.\_\_\_\_\_ Identify the types of events that the system is capable\ + \ of logging in support of the audit function: authentication, file use, user/group\ + \ management, events sufficient to establish what occurred, the sources of\ + \ events, outcomes of events, and operational transactions (e.g., NCIC, III);" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node342 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "b.\_\_\_\_\_ Coordinate the event logging function with other\ + \ organizational entities requiring audit- related information to guide and\ + \ inform the selection criteria for events to be logged;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node343 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "c.\_\_\_\_\_\_ Specify the following event types for logging within\ + \ the system: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node344 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: 'All successful and unsuccessful:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node345 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "1.\_\_\_\_ System log-on attempts" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node346 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "2.\_\_\_\_ Attempts to use:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node347 + 
assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "a.\_\_\_\_ Access permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node348 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "b.\_\_\_\_ Create permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node349 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "c.\_\_\_\_\_ Write permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node350 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "d.\_\_\_\_ Delete permission on a user account, file, directory,\ + \ or other system resource;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node351 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "e.\_\_\_\_\_ Change permission on a user account, file, directory,\ + \ or other system resource." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node352 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "3.\_\_\_\_ Attempts to change account passwords" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node353 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "4.\_\_\_\_ Actions by privileged accounts (i.e., root, Oracle,\ + \ DBA, admin, etc.)" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node354 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "5.\_\_\_\_ Attempts for users to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node355 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "a.\_\_\_\_ Access the audit log file;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node356 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "b.\_\_\_\_ Modify the audit log file;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node357 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "c.\_\_\_\_\_ Destroy the audit log file;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node358 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "d.\_\_\_\_\_ Provide a rationale for why the event types selected\ + \ for logging are deemed to be adequate to support after-the-fact investigations\ + \ of incidents; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node359 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node340 + description: "e.\_\_\_\_\_ Review and update the event types selected for logging\ + \ annually." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: CONTENT OF AUDIT RECORDS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node361 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: 'Ensure that audit records contain information that establishes + the following:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node362 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "a.\_\_\_\_\_ What type of event occurred;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node363 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "b.\_\_\_\_\_ When the event occurred;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node364 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "c.\_\_\_\_\_\_ Where the event occurred;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node365 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "d.\_\_\_\_\_ Source of the event;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node366 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "e.\_\_\_\_\_ Outcome of the event; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node367 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node360 + description: "f.\_\_\_\_\_\_ Identity of any individuals, subjects, or objects/entities\ + \ associated with the event." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(1)\_\_\_ CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node369 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: 'Generate audit records containing the following additional information: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node370 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "a.\_\_\_\_ Session, connection, transaction, and activity duration;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node371 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "b.\_\_\_\_ Source and destination addresses;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node372 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "c.\_\_\_\_\_ Object or filename involved; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node373 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "d.\_\_\_\_ Number of bytes received and bytes sent (for client-server\ + \ transactions) in the audit records for audit events identified by type,\ + \ location, or subject." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node374 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "e.\_\_\_\_\_ The III portion of the log shall clearly identify:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node375 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "1.\_\_\_\_ The operator" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node376 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "2.\_\_\_\_ The authorized receiving agency" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node377 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "3.\_\_\_\_ The requestor" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node378 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node368 + description: "4.\_\_\_\_ The secondary recipient" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node379 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(3)\_\_\_ CONTENT OF AUDIT RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION\ + \ ELEMENTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node380 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node379 + description: 'Limit personally identifiable information contained in audit records + to the following elements identified in the privacy risk assessment: minimum + PII necessary to achieve the purpose for which it is collected (see Section + 4.3).' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node381 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT LOG STORAGE CAPACITY + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node382 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node381 + description: Allocate audit log storage capacity to accommodate the collection + of audit logs to meet retention requirements (AU-11). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node383 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: RESPONSE TO AUDIT LOGGING PROCESS FAILURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node384 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node383 + description: "a.\_\_\_\_\_ Alert organizational personnel with audit and accountability\ + \ responsibilities and system/network administrators within one (1) hour in\ + \ the event of an audit logging process failure; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node385 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node383 + description: "b.\_\_\_\_\_ Take the following additional actions: restart all\ + \ audit logging processes and verify system(s) are logging properly." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node387 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + description: "a.\_\_\_\_\_ Review and analyze system audit records weekly for\ + \ indications of inappropriate or unusual activity and the potential impact\ + \ of the inappropriate or unusual activity;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node388 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + description: "b.\_\_\_\_\_ Report findings to organizational personnel with\ + \ audit review, analysis, and reporting responsibilities and organizational\ + \ personnel with information security and privacy responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node389 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node386 + description: "c.\_\_\_\_\_\_ Adjust the level of audit record review, analysis,\ + \ and reporting within the system when there is a change in risk based on\ + \ law enforcement information, intelligence information, or other credible\ + \ sources of information." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node390 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(1)\_\_\_ AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | AUTOMATED PROCESS\ + \ INTEGRATION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node391 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node390 + description: Integrate audit record review, analysis, and reporting processes + using automated mechanisms. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node392 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(3)\_\_\_ AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT\ + \ RECORD REPOSITORIES" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node393 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node392 + description: Analyze and correlate audit records across different repositories + to gain organization-wide situational awareness. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node394 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD REDUCTION AND REPORT GENERATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node395 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node394 + description: "a.\_\_\_\_\_ Supports on-demand audit record review, analysis,\ + \ and reporting requirements and after- the-fact investigations of incidents;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node396 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node394 + description: "b.\_\_\_\_\_ Does not alter the original content or time ordering\ + \ of audit records." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node397 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(1)\_\_\_ AUDIT RECORD REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node398 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node397 + description: 'Provide and implement the capability to process, sort, and search + audit records for events of interest based on the following content: information + included in AU-3.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node399 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: TIME STAMPS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node400 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node399 + description: "a.\_\_\_\_\_ Use internal system clocks to generate time stamps\ + \ for audit records;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node401 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node399 + description: "b.\_\_\_\_\_ Record time stamps for audit records that meet hundredths\ + \ of a second (i.e., hh:mm:ss:00) interval and that use Coordinated Universal\ + \ Time, have a fixed local time offset from Coordinated Universal Time, or\ + \ that include the local time offset as part of the time stamp." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node402 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: PROTECTION OF AUDIT INFORMATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node403 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node402 + description: "a.\_\_\_\_\_ Protect audit information and audit logging tools\ + \ from unauthorized access, modification, and deletion; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node404 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node402 + description: "b.\_\_\_\_\_ Alert organizational personnel with audit and accountability\ + \ responsibilities, organizational personnel with information security and\ + \ privacy responsibilities, and system/network administrators upon detection\ + \ of unauthorized access, modification, or deletion of audit information." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node405 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: "(4)\_\_\_ PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED\ + \ USERS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node406 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node405 + description: Authorize access to management of audit logging functionality to + only organizational personnel with audit and accountability responsibilities, + organizational personnel with information security and privacy responsibilities, + and system/network administrators. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node407 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD RETENTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node408 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node407 + description: Retain audit records for a minimum of one (1) year or until it + is determined they are no longer needed for administrative, legal, audit, + or other operational purposes to provide support for after-the-fact investigations + of incidents and to meet regulatory and organizational information retention + requirements. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node329 + name: AUDIT RECORD GENERATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node410 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + description: "a.\_\_\_\_\_ Provide audit record generation capability for the\ + \ event types the system is capable of auditing as defined in AU-2a on all\ + \ systems generating required audit logs;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node411 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + description: "b.\_\_\_\_\_ Allow organizational personnel with audit record\ + \ generation responsibilities, organizational personnel with information security\ + \ and privacy responsibilities, and system/network administrators to select\ + \ the event types that are to be logged by specific components of the system;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node412 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node409 + description: "c.\_\_\_\_\_\_ Generate audit records for the event types defined\ + \ in AU-2c that include the audit record content defined in AU-3." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-5: Access Control (AC)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node415 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to: organizational\ + \ personnel with access control responsibilities" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node416 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "1.\_\_\_\_\_ Agency-level access control policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node417 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node418 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node419 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ access control policy and the associated access controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node420 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: 
"b.\_\_\_\_\_ Designate an individual with security responsibilities\ + \ to manage the development, documentation, and dissemination of the access\ + \ control policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node421 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "c.\_\_\_\_\_\_ Review and update the current access control:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node422 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node423 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node414 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: ACCOUNT MANAGEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node425 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "a.\_\_\_\_\_ Define and document the types of accounts allowed\ + \ and specifically prohibited for use within the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node426 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "b.\_\_\_\_\_ Assign account managers;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node427 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "c.\_\_\_\_\_\_ Require conditions for group and role membership;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node428 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "d.\_\_\_\_\_ Specify:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node429 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "1.\_\_\_\_\_ Authorized users of the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node430 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "2.\_\_\_\_\_ Group and role membership; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node431 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "3.\_\_\_\_\_ Access authorizations (i.e., privileges) and attributes\ + \ listed for each account;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node432 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Attribute Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node433 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Email Address Text + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node434 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node435 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Federation Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node436 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Given Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node437 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Identity Provider Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node438 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Sur Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node439 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Telephone Number + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node440 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Identity Provider Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node441 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Unique Subject Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node442 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Counter Terrorism Data Self 
Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node443 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Criminal History Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node444 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Criminal Intelligence Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node445 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Criminal Investigative Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node446 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Display Name + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node447 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Government Data Self Search Home Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node448 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Local Id + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node449 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: NCIC Certification Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node450 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: NDEx Privilege Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node451 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: PCII Certification Indicator + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node452 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: 28 CFR Certification Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node453 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer ORI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node454 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer Organization General Category Code + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node455 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Employer State Code + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node456 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Public Safety Officer Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node457 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Sworn Law Enforcement Officer Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node458 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Authenticator Assurance Level + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node459 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Federation Assurance Level + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node460 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: Identity Assurance Level + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node461 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: 
Intelligence Analyst Indicator + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node462 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "e.\_\_\_\_\_ Require approvals by organizational personnel with\ + \ account management responsibilities for requests to create accounts;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node463 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "f.\_\_\_\_\_\_ Create, enable, modify, disable, and remove accounts\ + \ in accordance with agency policy;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node464 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "g.\_\_\_\_\_ Monitor the use of accounts;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node465 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "h.\_\_\_\_\_ Notify account managers and system/network administrators\ + \ within:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node466 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "1.\_\_\_\_\_ One day when accounts are no longer required;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node467 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "2.\_\_\_\_\_ One day when users are terminated or transferred;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node468 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "3.\_\_\_\_\_ One day when system usage or need-to-know changes\ + \ for an individual;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node469 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "i.\_\_\_\_\_\_\_ Authorize access to the system based on:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node470 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "1.\_\_\_\_\_ A valid access authorization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node471 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "2.\_\_\_\_\_ Intended system usage; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node472 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "3.\_\_\_\_\_ Attributes as listed in AC-2(d)(3);" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node473 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "j.\_\_\_\_\_\_\_ Review accounts for compliance with account management\ + \ requirements at least annually;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node474 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "k.\_\_\_\_\_ Establish and implement a process for changing shared\ + \ or group account authenticators (if deployed) when individuals are removed\ + \ from the group; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node475 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node424 + description: "l.\_\_\_\_\_\_\_ Align account management processes with personnel\ + \ termination and transfer processes." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node476 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node477 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node476 + description: Support the management of system accounts using automated mechanisms + including email, phone, and text notifications. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node478 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ ACCOUNT MANAGEMENT | AUTOMATED TEMPORARY AND EMERGENCY ACCOUNT\ + \ MANAGEMENT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node479 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node478 + description: Automatically remove temporary and emergency accounts within 72 + hours. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(3)\_\_\_ ACCOUNT MANAGEMENT | DISABLE ACCOUNTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node481 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: 'Disable accounts within one (1) week when the accounts:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node482 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(a)\_\_\_ Have expired;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node483 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(b)\_\_\_ Are no longer associated with a user or individual;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node484 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(c)\_\_\_\_ Are in violation of organizational policy; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node485 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node480 + description: "(d)\_\_\_ Have been inactive for 90 calendar days. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node486 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(4)\_\_\_ ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node487 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node486 + description: Automatically audit account creation, modification, enabling, disabling, + and removal actions. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node488 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(5)\_\_\_ ACCOUNT MANAGEMENT | INACTIVITY LOGOUT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node489 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node488 + description: 'Require that users log out when a work period has been completed. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node490 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (13) ACCOUNT MANAGEMENT | DISABLE ACCOUNTS FOR HIGH-RISK INDIVIDUALS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node491 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node490 + description: Disable accounts of individuals within 30 minutes of discovery + of direct threats to the confidentiality, integrity, or availability of CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node492 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: ACCESS ENFORCEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node493 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node492 + description: Enforce approved authorizations for logical access to information + and system resources in accordance with applicable access control policies. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node494 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (14) ACCESS ENFORCEMENT | INDIVIDUAL ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node495 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node494 + description: Provide automated or manual processes to enable individuals to + have access to elements of their personally identifiable information. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node496 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: INFORMATION FLOW ENFORCEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node497 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node496 + description: Enforce approved authorizations for controlling the flow of information + within the system and between connected systems by preventing CJI from being + transmitted unencrypted across the public network, blocking outside traffic + that claims to be from within the agency, and not passing any web requests + to the public network that are not from agency controlled or internal boundary + protection devices (e.g., proxies, gateways, firewalls, or routers). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node498 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: SEPARATION OF DUTIES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node499 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node498 + description: "a.\_\_\_\_\_ Identify and document separation of duties based\ + \ on specific duties, operations, or information systems, as necessary, to\ + \ mitigate risk to CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node500 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node498 + description: "b.\_\_\_\_\_ Define system access authorizations to support separation\ + \ of duties." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node501 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: LEAST PRIVILEGE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node502 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node501 + description: Employ the principle of least privilege, allowing only authorized + accesses for users (or processes acting on behalf of users) that are necessary + to accomplish assigned organizational tasks. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node504 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + description: 'Authorize access for personnel including, security administrators, + system and network administrators, and other privileged users with access + to system control, monitoring, or administration functions (e.g., system administrators, + information security personnel, maintainers, system programmers, etc.) to:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node505 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + description: "(a)\_\_\_ Established system accounts, configured access authorizations\ + \ (i.e., permissions, privileges), set events to be audited, set intrusion\ + \ detection parameters, and other security functions; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node506 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node503 + description: "(b)\_\_\_ Security-relevant information in hardware, software,\ + \ and firmware." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node507 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node508 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node507 + description: Require that users of system accounts (or roles) with access to + privileged security functions or security-relevant information (e.g., audit + logs), use non-privileged accounts or roles, when accessing nonsecurity functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node509 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(5)\_\_\_ LEAST PRIVILEGE | PRIVILEGED ACCOUNTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node510 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node509 + description: Restrict privileged accounts on the system to privileged users. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node511 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(7)\_\_\_ LEAST PRIVILEGE | REVIEW OF USER PRIVILEGES" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node512 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node511 + description: "a.\_\_\_\_\_ Reviews annually the privileges assigned to non-privileged\ + \ and privileged users to validate the need for such privileges; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node513 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node511 + description: "b.\_\_\_\_ Reassign or remove privileges, if necessary, to correctly\ + \ reflect organizational mission and business needs." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node514 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(9)\_\_\_ LEAST PRIVILEGE | LOG USE OF PRIVILEGED FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node515 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node514 + description: Log the execution of privileged functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node516 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (10) LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED + FUNCTIONS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node517 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node516 + description: Prevent non-privileged users from executing privileged functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node518 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: UNSUCCESSFUL LOGON ATTEMPTS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node519 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node518 + description: "a.\_\_\_\_\_ Enforce a limit of five (5) consecutive invalid logon\ + \ attempts by a user during a 15-minute time period; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node520 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node518 + description: "b.\_\_\_\_\_ Automatically lock the account or node until released\ + \ by an administrator when the maximum number of unsuccessful attempts is\ + \ exceeded." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: SYSTEM USE NOTIFICATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node522 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "a.\_\_\_\_\_ Display a system use notification message to users\ + \ before granting access to the system that provides privacy and security\ + \ notices consistent with applicable laws, executive orders, directives, regulations,\ + \ policies, standards, and guidelines and state that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node523 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "1.\_\_\_\_\_ Users are accessing a restricted information system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node524 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "2.\_\_\_\_\_ System usage may be monitored, recorded, and subject\ + \ to audit;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node525 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "3.\_\_\_\_\_ Unauthorized use of the system is prohibited and\ + \ subject to criminal and civil penalties; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node526 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "4.\_\_\_\_\_ Use of the system indicates consent to monitoring\ + \ and recording;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node527 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "b.\_\_\_\_\_ Retain the notification message or banner on the\ + \ screen until users acknowledge the usage conditions and 
take explicit actions\ + \ to log on to or further access the system; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node528 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "c.\_\_\_\_\_\_ For publicly accessible systems:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node529 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "1.\_\_\_\_\_ Display system use information consistent with applicable\ + \ laws, executive orders, directives, regulations, policies, standards, and\ + \ guidelines, before granting further access to the publicly accessible system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node530 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "2.\_\_\_\_\_ Display references, if any, to monitoring, recording,\ + \ or auditing that are consistent with privacy accommodations for such systems\ + \ that generally prohibit those activities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node531 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node521 + description: "3.\_\_\_\_\_ Include a description of the authorized uses of the\ + \ system." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: DEVICE LOCK + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node533 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + description: "a.\_\_\_\_\_ Prevent further access to the system by initiating\ + \ a device lock after a maximum of 30 minutes of inactivity and requiring\ + \ the user to initiate a device lock before leaving the system unattended." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node534 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + description: 'NOTE: In the interest of safety, devices that are: (1) part of + a criminal justice conveyance; or (2) used to perform dispatch functions and + located within a physically secure location; or (3) terminals designated solely + for the purpose of receiving alert notifications (i.e., receive only terminals + or ROT) used within physically secure location facilities that remain staffed + when in operation, are exempt from this requirement.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node535 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node532 + description: "b.\_\_\_\_\_ Retain the device lock until the user reestablishes\ + \ access using established identification and authentication procedures." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node536 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: (1) DEVICE LOCK | PATTERN-HIDING DISPLAYS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node537 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node536 + description: Conceal, via the device lock, information previously visible on + the display with a publicly viewable image. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node538 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: SESSION TERMINATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node539 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node538 + description: Automatically terminate a user session after a user has been logged + out. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node540 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node541 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node540 + description: "a.\_\_\_\_\_\_ Identify any specific user actions that can be\ + \ performed on the system without identification or authentication consistent\ + \ with organizational mission and business functions; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node542 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node540 + description: "b.\_\_\_\_\_ Document and provide supporting rationale in the\ + \ security plan for the system, user actions not requiring identification\ + \ or authentication." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node543 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: REMOTE ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node544 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node543 + description: "a.\_\_\_\_\_ Establish and document usage restrictions, configuration/connection\ + \ requirements, and implementation guidance for each type of remote access\ + \ allowed; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node545 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node543 + description: "b.\_\_\_\_\_ Authorize each type of remote access to the system\ + \ prior to allowing such connections." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node546 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ REMOTE ACCESS | MONITORING AND CONTROL" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node547 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node546 + description: Employ automated mechanisms to monitor and control remote access + methods. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node548 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY AND INTEGRITY\ + \ USING ENCRYPTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node549 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node548 + description: Implement cryptographic mechanisms to protect the confidentiality + and integrity of remote access sessions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node550 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(3)\_\_\_ REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node551 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node550 + description: Route remote accesses through authorized and managed network access + control points. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node552 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(4)\_\_\_ REMOTE ACCESS | PRIVILEGED COMMANDS AND ACCESS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node553 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node552 + description: "(a)\_\_\_ Authorize the execution of privileged commands and access\ + \ to security-relevant information via remote access only in a format that\ + \ provides assessable evidence and for the following needs: compelling operational\ + \ needs; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node554 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node552 + description: "(b)\_\_\_ Document the rationale for remote access in the security\ + \ plan for the system." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node555 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: WIRELESS ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node556 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node555 + description: "a.\_\_\_\_\_ Establish configuration requirements, connection\ + \ requirements, and implementation guidance for each type of wireless access;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node557 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node555 + description: "b.\_\_\_\_\_ Authorize each type of wireless access to the system\ + \ prior to allowing such connections." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node558 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node559 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node558 + description: Protect wireless access to the system using authentication of authorized + users and agency-controlled devices, and encryption. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node560 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(3)\_\_\_ WIRELESS ACCESS | DISABLE WIRELESS NETWORKING" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node561 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node560 + description: Disable, when not intended for use, wireless networking capabilities + embedded within system components prior to issuance and deployment. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node562 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: ACCESS CONTROL FOR MOBILE DEVICES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node563 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node562 + description: "a.\_\_\_\_\_ Establish configuration requirements, connection\ + \ requirements, and implementation guidance for organization-controlled mobile\ + \ devices, to include when such devices are outside of controlled areas; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node564 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node562 + description: "b.\_\_\_\_\_ Authorize the connection of mobile devices to organizational\ + \ systems." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node565 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(5)\_\_\_ ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE OR CONTAINER-BASED\ + \ ENCRYPTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node566 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node565 + description: Employ full-device encryption to protect the confidentiality and + integrity of information on full- and limited-feature operating system mobile + devices authorized to process, store, or transmit CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: USE OF EXTERNAL SYSTEMS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node568 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "a.\_\_\_\_\_ Establish agency-level policies governing the use\ + \ of external systems consistent with the trust relationships established\ + \ with other organizations owning, operating, and/or maintaining external\ + \ systems, allowing authorized individuals to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node569 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "1.\_\_\_\_\_ Access the system from external systems; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node570 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "2.\_\_\_\_\_ Process, store, or transmit organization-controlled\ + \ information using external systems; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node571 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node567 + description: "b.\_\_\_\_\_ Prohibit the use 
of personally-owned information\ + \ systems including mobile devices (i.e., bring your own device [BYOD]) and\ + \ publicly accessible systems for accessing, processing, storing, or transmitting\ + \ CJI." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(1)\_\_\_ USE OF EXTERNAL SYSTEMS | LIMITS ON AUTHORIZED USE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node573 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + description: 'Permit authorized individuals to use an external system to access + the system or to process, store, or transmit organization-controlled information + only after:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node574 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + description: "(a)\_\_\_ Verification of the implementation of controls on the\ + \ external system as specified in the organization\u2019s security and privacy\ + \ policies and security and privacy plans; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node575 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node572 + description: "(b)\_\_\_ Retention of approved system connection or processing\ + \ agreements with the organizational entity hosting the external system." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node576 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: "(2)\_\_\_ USE OF EXTERNAL SYSTEMS | PORTABLE STORAGE DEVICES \u2014 RESTRICTED\ + \ USE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node577 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node576 + description: Restrict the use of organization-controlled portable storage devices + by authorized individuals on external systems. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node578 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: INFORMATION SHARING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node579 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node578 + description: "a.\_\_\_\_\_ Enable authorized users to determine whether access\ + \ authorizations assigned to a sharing partner match the information\u2019\ + s access and use restrictions as defined in an executed information exchange\ + \ agreement; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node580 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node578 + description: "b.\_\_\_\_\_ Employ attribute-based access control (see AC-2(d)(3))\ + \ or manual processes as defined in information exchange agreements to assist\ + \ users in making information sharing and collaboration decisions." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node413 + name: PUBLICLY ACCESSIBLE CONTENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node582 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "a.\_\_\_\_\_ Designate individuals authorized to make information\ + \ publicly accessible;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node583 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "b.\_\_\_\_\_ Train authorized individuals to ensure that publicly\ + \ accessible information does not contain nonpublic information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node584 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "c.\_\_\_\_\_\_ Review the proposed content of information prior\ + \ to posting onto the publicly accessible system to ensure that nonpublic\ + \ information is not included; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node585 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node581 + description: "d.\_\_\_\_\_ Review the content on the publicly accessible system\ + \ for nonpublic information quarterly and remove such information, if discovered." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-6: Identification and Authentication (IA)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Use of Originating Agency Identifiers in Transactions and Information + Exchanges + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node588 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: 'An FBI authorized originating agency identifier (ORI) shall be + used in each transaction on CJIS systems in order to identify the sending + agency and to ensure the proper level of access for each transaction. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node589 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: The original identifier between the requesting agency and the CSA/SIB/Channeler + shall be the ORI, and other agency identifiers, such as user identification + or personal identifier, an access device mnemonic, or the Internet Protocol + (IP) address. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node590 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: Because the agency performing the transaction may not necessarily + be the same as the agency requesting the transaction, the CSA/SIB/Channeler + shall ensure that the ORI for each transaction can be traced, via audit trail, + to the specific agency which is requesting the transaction. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node591 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node587 + description: Agencies assigned a limited access ORI shall not use the full access + ORI of another agency to conduct an inquiry transaction. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Policy and Procedures + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node593 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: 'a. Develop, document, and disseminate to authorized personnel: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node594 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '1. Agency/Entity identification and authentication policy that: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node595 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '(a) Addresses purpose, scope, roles, responsibilities, management + commitment, coordination among organizational entities, and compliance; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node596 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '(b) Is consistent with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node597 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '2. 
Procedures to facilitate the implementation of the identification + and authentication policy and the associated identification and authentication + controls; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node598 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: 'b. Designate an individual with security responsibilities to manage + the development, documentation, and dissemination of the identification and + authentication policy and procedures; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node599 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: 'c. Review and update the current identification and authentication: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node600 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '1. Policy annually and following any security incidents involving + unauthorized access to CJI or systems used to process, store, or transmit + CJI; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node601 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node592 + description: '2. Procedures annually and following any security incidents involving + unauthorized access to CJI or systems used to process, store, or transmit + CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node602 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node603 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node602 + description: Uniquely identify and authenticate organizational users and associate + that unique identification with processes acting on behalf of those users. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node604 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) | Multi-Factor + Authentication to Privileged Accounts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node605 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node604 + description: 'Implement multi-factor authentication for access to privileged + accounts. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node606 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) | Multi-Factor + Authentication to Non-Privileged Accounts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node607 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node606 + description: 'Implement multi-factor authentication for access to non-privileged + accounts. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node608 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) |Access to Accounts + - Replay Resistant + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node609 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node608 + description: 'Implement replay-resistant authentication mechanisms for access + to privileged and non-privileged accounts. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node610 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Organizational Users) | Acceptance + of PIV Credentials + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node611 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node610 + description: 'Accept and electronically verify Personal Identity Verification-compliant + credentials. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node612 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Device Identification and Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node613 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node612 + description: Uniquely identify and authenticate agency devices before establishing + all remote and network connections. In the instance of local connection, the + device must be approved by the agency and the device must be identified and + authenticated prior to connection to an agency asset. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identifier Management + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node615 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'Manage system identifiers by: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node616 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'a. 
Receiving authorization from organizational personnel with + identifier management responsibilities to assign an individual, group, role, + service, or device identifier; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node617 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'b. Selecting an identifier that identifies an individual, group, + role, service, or device; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node618 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'c. Assigning the identifier to the intended individual, group, + role, service, or device; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node619 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node614 + description: 'd. Preventing reuse of identifiers for one (1) year. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node620 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identifier Management | Identify User Status + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node621 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node620 + description: 'Manage individual identifiers by uniquely identifying each individual + as agency or non-agency. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node623 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'Manage system authenticators by:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node624 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: a. Verifying, as part of the initial authenticator distribution, + the identity of the individual, group, role, service, or device receiving + the authenticator; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node625 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: b. Establishing initial authenticator content for any authenticators + issued by the organization; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node626 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: c. Ensuring that authenticators have sufficient strength of mechanism + for their intended use; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node627 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: d. Establishing and implementing administrative procedures for + initial authenticator distribution, for lost or compromised or damaged authenticators, + and for revoking authenticators; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node628 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: e. 
Changing default authenticators prior to first use; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node629 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: f. Changing or refreshing authenticators annually or when there + is evidence of authenticator compromise; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node630 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: g. Protecting authenticator content from unauthorized disclosure + and modification; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node631 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'h. Requiring individuals to take, and having devices implement, + specific controls to protect authenticators; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node632 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'i. Changing authenticators for group or role accounts when membership + to those accounts changes. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node633 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'j. All credential service providers (CSPs) authenticating claimants + at Authenticator Assurance Level 2 (AAL2) SHALL be assessed on the following + criteria:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node634 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Authentication SHALL occur by the\ + \ use of either a multi-factor authenticator or a combination of two single-factor\ + \ authenticators. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node635 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the multi-factor authentication\ + \ process uses a combination of two single-factor authenticators, then it\ + \ SHALL include a Memorized Secret authenticator and a possession-based authenticator.\ + \ (NIST 800-63B, Section 4.2.1)" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node636 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ Cryptographic authenticators used\ + \ at AAL2 SHALL use approved cryptography. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node637 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ At least one authenticator used at\ + \ AAL2 SHALL be replay resistant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node638 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ Communication between the claimant\ + \ and verifier SHALL be via an authenticated protected channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node639 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ Verifiers operated by government agencies\ + \ at AAL2 SHALL be validated to meet the requirements of FIPS 140 Level 1. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node640 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ Authenticators procured by government\ + \ agencies SHALL be validated to meet the requirements of FIPS 140 Level 1. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node641 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If a device such as a smartphone is\ + \ used in the authentication process, then the unlocking of that device (typically\ + \ done using a PIN or biometric) SHALL NOT be considered one of the authentication\ + \ factors. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node642 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If a biometric factor is used in authentication\ + \ at AAL2, then the performance requirements stated in IA-5 m Biometric Requirements\ + \ SHALL be met. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node643 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ Reauthentication of the subscriber SHALL\ + \ be repeated at least once per 12 hours during an extended usage session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node644 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ Reauthentication of the subscriber SHALL\ + \ be repeated following any period of inactivity lasting 30 minutes or longer. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node645 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ The CSP SHALL employ appropriately tailored\ + \ security controls from the moderate baseline of security controls defined\ + \ in the CJIS Security Policy." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node646 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'The CSP SHALL ensure that the minimum assurance-related controls + for moderate-impact systems are satisfied. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node647 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(13)\_\_\_\_\_\_\_\_ The CSP SHALL comply with records retention\ + \ policies in accordance with applicable laws and regulations. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node648 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(14)\_\_\_\_\_\_\_\_ If the CSP opts to retain records in the\ + \ absence of any mandatory requirements, then the CSP SHALL conduct a risk\ + \ management process, including assessments of privacy and security risks\ + \ to determine how long records should be retained and SHALL inform subscribers\ + \ of that retention policy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node649 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: k. Privacy requirements that apply to all CSPs, verifiers, and + RPs. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node650 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL employ appropriately\ + \ tailored privacy controls from the CJIS Security Policy. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node651 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP processes attributes for\ + \ purposes other than identity proofing, authentication, or attribute assertions\ + \ (collectively \u201Cidentity service\u201D), related fraud mitigation, or\ + \ to comply with law or legal process, then the CSP SHALL implement measures\ + \ to maintain predictability and manageability commensurate with the associated\ + \ privacy risk. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node652 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: l. General requirements applicable to AAL2 authentication process. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node653 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ CSPs SHALL provide subscriber instructions\ + \ on how to appropriately protect a physical authenticator against theft or\ + \ loss. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node654 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL provide a mechanism\ + \ to revoke or suspend the authenticator immediately upon notification from\ + \ subscriber that loss or theft of the authenticator is suspected. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node655 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If required by the authenticator type\ + \ descriptions in IA-5(1), then the verifier SHALL implement controls to protect\ + \ against online guessing attacks. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node656 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ If required by the authenticator type\ + \ descriptions in IA-5(1) and the description of a given authenticator does\ + \ not specify otherwise, then the verifier SHALL limit consecutive failed\ + \ authentication attempts on a single account to no more than 100. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node657 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If signed attestations are used, then\ + \ they SHALL be signed using a digital signature that provides at least the\ + \ minimum security strength specified in the latest revision of 112 bits as\ + \ of the date of this publication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node658 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If the verifier and CSP are separate\ + \ entities (as shown by the dotted line in Figure 8 Digital Identity Model),\ + \ then communications between the verifier and CSP SHALL occur through a mutually-authenticated\ + \ secure channel (such as a client-authenticated TLS connection). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node659 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP provides the subscriber\ + \ with a means to report loss, theft, or damage to an authenticator using\ + \ a backup or alternate authenticator, then that authenticator SHALL be either\ + \ a memorized secret or a physical authenticator. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node660 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP chooses to verify an address\ + \ of record (i.e., email, telephone, postal) and suspend authenticator(s)\ + \ reported to have been compromised, then...The suspension SHALL be reversible\ + \ if the subscriber successfully authenticates to the CSP using a valid (i.e.,\ + \ not suspended) authenticator and requests reactivation of an authenticator\ + \ suspended in this manner. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node661 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If and when an authenticator expires,\ + \ it SHALL NOT be usable for authentication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node662 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ The CSP SHALL have a documented process to\ + \ require subscribers to surrender or report the loss of any physical authenticator\ + \ containing attribute certificates signed by the CSP as soon as practical\ + \ after expiration or receipt of a renewed authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node663 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ CSPs SHALL revoke the binding of authenticators\ + \ immediately upon notification when an online identity ceases to exist (e.g.,\ + \ subscriber\u2019s death, discovery of a fraudulent subscriber), when requested\ + \ by the subscriber, or when the CSP determines that the subscriber no longer\ + \ meets its eligibility requirements. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node664 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ The CSP SHALL have a documented process to\ + \ require subscribers to surrender or report the loss of any physical authenticator\ + \ containing certified attributes signed by the CSP within five (5) days after\ + \ revocation or termination takes place. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node665 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'm. Biometric Requirements ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node666 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Biometrics SHALL be used only as part\ + \ of multi-factor authentication with a physical authenticator (something\ + \ you have). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node667 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ An authenticated protected channel\ + \ between sensor (or an endpoint containing a sensor that resists sensor replacement)\ + \ and verifier SHALL be established. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node668 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ The sensor or endpoint SHALL be authenticated\ + \ prior to capturing the biometric sample from the claimant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node669 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The biometric system SHALL operate\ + \ with an FMR [ISO/IEC 2382-37] of 1 in 1000 or better. 
This FMR SHALL be\ + \ achieved under conditions of a conformant attack (i.e., zero-effort impostor\ + \ attempt) as defined in [ISO/IEC 30107-1]. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node670 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ The biometric system SHALL allow no\ + \ more than 5 consecutive failed authentication attempts or 10 consecutive\ + \ failed attempts if PAD demonstrating at least 90% resistance to presentation\ + \ attacks is implemented. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node671 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ Once the limit on authentication failures\ + \ has been reached, the biometric authenticator SHALL either: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node672 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "\_\_\_\_\_\_ i.\_\_\_\_\_\_\_\_\_ Impose a delay of at least 30\ + \ seconds before the next attempt, increasing exponentially with each successive\ + \ attempt, or " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node673 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "\_\_\_\_ ii.\_\_\_\_\_\_\_\_\_ disable the biometric user authentication\ + \ and offer another factor (e.g., a different biometric modality or a PIN/Passcode\ + \ if it is not already a required factor) if such an alternative method is\ + \ already available. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node674 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ The verifier SHALL make a determination\ + \ of sensor and endpoint performance, integrity, and authenticity. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node675 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If biometric comparison is performed\ + \ centrally, then use of the biometric as an authentication factor SHALL be\ + \ limited to one or more specific devices that are identified using approved\ + \ cryptography. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node676 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If biometric comparison is performed\ + \ centrally, then a separate key SHALL be used for identifying the device. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node677 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ If biometric comparison is performed centrally,\ + \ then biometric revocation, referred to as biometric template protection\ + \ in ISO/IEC 24745, SHALL be implemented. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node678 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ If biometric comparison is performed centrally,\ + \ all transmission of biometrics SHALL be over the authenticated protected\ + \ channel. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node679 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ Biometric samples and any biometric data\ + \ derived from the biometric sample such as a probe produced through signal\ + \ processing SHALL be zeroized immediately after any training or research\ + \ data has been derived " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node680 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "n. Authenticator binding refers to the establishment of an association\ + \ between a specific authenticator and a subscriber\u2019s account, enabling\ + \ the authenticator to be used \u2014 possibly in conjunction with other authenticators\ + \ \u2014 to authenticate for that account." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node681 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Authenticators SHALL be bound to subscriber\ + \ accounts by either issuance by the CSP as part of enrollment or associating\ + \ a subscriber-provided authenticator that is acceptable to the CSP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node682 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Throughout the digital identity lifecycle,\ + \ CSPs SHALL maintain a record of all authenticators that are or have been\ + \ associated with each identity. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node683 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP or verifier SHALL maintain\ + \ the information required for throttling authentication attempts. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node684 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL also verify the type\ + \ of user-provided authenticator so verifiers can determine compliance with\ + \ requirements at each AAL. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node685 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ The record created by the CSP SHALL\ + \ contain the date and time the authenticator was bound to the account. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node686 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ When any new authenticator is bound\ + \ to a subscriber account, the CSP SHALL ensure that the binding protocol\ + \ and the protocol for provisioning the associated key(s) are done at AAL2. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node687 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ Protocols for key provisioning SHALL\ + \ use authenticated protected channels or be performed in person to protect\ + \ against man-in-the- middle attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node688 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ Binding of multi-factor authenticators\ + \ SHALL require multi-factor authentication (or equivalent) at identity proofing. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node689 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ At enrollment, the CSP SHALL bind\ + \ at least one, and SHOULD \_\_\_\_bind at least two, physical (something\ + \ you have) authenticators to the subscriber\u2019s online identity, in addition\ + \ to a memorized secret or one or more biometrics. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node690 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(10)\_\_\_\_\_\_\_\_ At enrollment, authenticators at AAL2 and\ + \ IAL2 SHALL be bound to the account. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node691 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(11)\_\_\_\_\_\_\_\_ If the subscriber is authenticated at AAL1,\ + \ then the CSP SHALL NOT expose personal information, even if self-asserted,\ + \ to the subscriber. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node692 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(12)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ remotely and cannot be completed in a single electronic transaction, then\ + \ the applicant SHALL identify themselves in each new binding transaction\ + \ by presenting a temporary secret which was either established during a prior\ + \ transaction, or sent to the applicant\u2019s phone number, email address,\ + \ or postal address of record. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node693 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(13)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ remotely and cannot be completed in a single electronic transaction, then\ + \ long-term authenticator secrets are delivered to the applicant within a\ + \ protected session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node694 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(14)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ in person and cannot be completed in a single physical encounter, the applicant\ + \ SHALL identify themselves in person by either using a secret as described\ + \ in IA-5 n (12) above, or through use of a biometric that was recorded during\ + \ a prior encounter. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node695 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(15)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ in person and cannot be completed in a single physical encounter, temporary\ + \ secrets SHALL NOT be reused. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node696 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(16)\_\_\_\_\_\_\_\_ If enrollment and binding are being done\ + \ in person and cannot be completed in a single physical encounter and the\ + \ CSP issues long-term authenticator secrets during a physical transaction,\ + \ they SHALL be loaded locally onto a physical device that is issued in person\ + \ to the applicant or delivered in a manner that confirms the address of record. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node697 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(17)\_\_\_\_\_\_\_\_ Before adding a new authenticator to a subscriber\u2019\ + s account, the CSP SHALL first require the subscriber to authenticate at AAL2\ + \ (or a higher AAL) at which the new authenticator will be used. \_\_\_\_" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node698 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(18)\_\_\_\_\_\_\_\_ If the subscriber\u2019s account has only\ + \ one authentication factor bound to it, the CSP SHALL require the subscriber\ + \ to authenticate at AAL1 in order to bind an additional authenticator of\ + \ a different authentication factor. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node699 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(19)\_\_\_\_\_\_\_\_ If a subscriber loses all authenticators\ + \ of a factor necessary to complete multi-factor authentication and has been\ + \ identity proofed at IAL2, that subscriber SHALL repeat the identity proofing\ + \ process described in IA-12. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node700 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(20)\_\_\_\_\_\_\_\_ If a subscriber loses all authenticators\ + \ of a factor necessary to complete multi-factor authentication and has been\ + \ identity proofed at IAL2 or IAL3, the CSP SHALL require the claimant to\ + \ authenticate using an authenticator of the remaining factor, if any, to\ + \ confirm binding to the existing identity. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node701 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(21)\_\_\_\_\_\_\_\_ If the CSP opts to allow binding of a new\ + \ memorized secret with the use of two physical authenticators, then it requires\ + \ entry of a confirmation code sent to an address of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node702 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(22)\_\_\_\_\_\_\_\_ If the CSP opts to allow binding of a new\ + \ memorized secret with the use of two physical authenticators, then the confirmation\ + \ code SHALL consist of at least 6 random alphanumeric characters generated\ + \ by an approved random bit generator [SP 800-90Ar1]. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node703 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(23)\_\_\_\_\_\_\_\_ If the CSP opts to allow binding of a new\ + \ memorized secret with the use of two physical authenticators, then the confirmation\ + \ code SHALL be valid for a maximum of 7 days but MAY be made valid up to\ + \ 21 days via an exception process to accommodate addresses outside the direct\ + \ reach of the U.S. Postal Service. Confirmation codes sent by means other\ + \ than physical mail SHALL be valid for a maximum of 5 minutes. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node704 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'o. Session Management: The following requirements apply to applications + where a session is maintained between the subscriber and relying party to + allow multiple interactions without repeating the authentication event each + time.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node705 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "(1) Session Binding Requirements: A session occurs between\ + \ the software that a subscriber is running \u2014 such as a browser, application,\ + \ or operating system (i.e., the session subject) \u2014 and the RP or CSP\ + \ that the subscriber is accessing (i.e., the session host)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node706 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "a. A session is maintained by a session secret which SHALL\ + \ be shared between the subscriber\u2019s software and the service being accessed. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node707 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "b. The secret SHALL be presented directly by the subscriber\u2019\ + s software or possession of the secret SHALL be proven using a cryptographic\ + \ mechanism. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node708 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'c. The secret used for session binding SHALL be generated by + the session host in direct response to an authentication event. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node709 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'd. A session SHALL NOT be considered at a higher AAL than the + authentication event. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node710 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: e. 
Secrets used for session binding SHALL be generated by the + session host during an interaction, typically immediately following authentication. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node711 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'f. Secrets used for session binding SHALL be generated by an + approved random bit generator [SP 800-90Ar1]. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node712 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'g. Secrets used for session binding SHALL contain at least + 64 bits of entropy. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node713 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'h. Secrets used for session binding SHALL be erased or invalidated + by the session subject when the subscriber logs out. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node714 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'i. Secrets used for session binding SHALL be sent to and received + from the device using an authenticated protected channel. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node715 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'j. Secrets used for session binding SHALL time out and not + be accepted after the times specified in IA-5 j (13) as appropriate for the + AAL. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node716 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "k. Secrets used for session binding SHALL NOT be available\ + \ to insecure communications between the host and subscriber\u2019s endpoint. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node717 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'l. Authenticated sessions SHALL NOT fall back to an insecure + transport, such as from https to http, following authentication. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node718 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'm. URLs or POST content SHALL contain a session identifier + that SHALL be verified by the RP to ensure that actions taken outside the + session do not affect the protected session. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node719 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'n. Browser cookies SHALL be tagged to be accessible only on + secure (HTTPS) sessions. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node720 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'o. Browser cookies SHALL be accessible to the minimum practical + set of hostnames and paths. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node721 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'p. Expiration of browser cookies SHALL NOT be depended upon + to enforce session timeouts. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node722 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'q. The presence of an OAuth access token SHALL NOT be interpreted + by the RP as presence of the subscriber, in the absence of other signals. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node723 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: (2) Reauthentication Requirements + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node724 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'a. Continuity of authenticated sessions SHALL be based upon + the possession of a session secret issued by the verifier at the time of authentication + and optionally refreshed during the session. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node725 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'b. Session secrets SHALL be non-persistent, i.e., they SHALL + NOT be retained across a restart of the associated application or a reboot + of the host device. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node726 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'c. Periodic reauthentication of sessions (at least every 12 + hours per session) SHALL be performed to confirm the continued presence of + the subscriber at an authenticated session. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node727 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "d. A session SHALL NOT be extended past the guidelines in IA-5\ + \ o (2) a \u2013 j based on presentation of the session secret alone. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node728 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'e. Prior to session expiration, the reauthentication time limit + SHALL be extended by prompting the subscriber for the authentication factor(s) + of a memorized secret or biometric. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node729 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'f. If federated authentication is being used, then since the + CSP and RP often employ separate session management technologies, there SHALL + NOT be any assumption of correlation between these sessions. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node730 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: "g. An RP requiring reauthentication through a federation protocol\ + \ SHALL \u2014 if possible within the protocol \u2014 specify the maximum\ + \ (see IA-5 j (10)) acceptable authentication age to the CSP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node731 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'h. If federated authentication if being used and an RP has + specific authentication age (see IA-5 j (10)) requirements that it has communicated + to the CSP, then the CSP SHALL reauthenticate the subscriber if they have + not been authenticated within that time period. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node732 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node622 + description: 'i. If federated authentication is being used, the CSP SHALL + communicate the authentication event time to the RP to allow the RP to decide + if the assertion is sufficient for reauthentication and to determine the time + for the next reauthentication event. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management | Authenticator Types + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node734 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(a) Memorized Secret Authenticators and Verifiers:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node735 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Maintain a list of commonly-used,\ + \ expected, or compromised passwords and update the list quarterly and when\ + \ organizational passwords are suspected to have been compromised directly\ + \ or indirectly; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node736 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Require immediate selection of a new\ + \ password upon account recovery; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node737 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ Allow user selection of long passwords\ + \ and passphrases, including spaces and all printable characters; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node738 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ Employ automated tools to assist the\ + \ user in selecting strong password authenticators; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node739 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ Enforce the following composition\ + \ and 
complexity rules: when agencies elect to follow basic password standards. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node740 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(a) Not be a proper name. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node741 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(b) Not be the same as the Userid. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node742 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(c) Expire within a maximum of 90 calendar days. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node743 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(d) Not be identical to the previous ten (10) passwords. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node744 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: '(e) Not be displayed when entered. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node745 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If chosen by the subscriber, memorized\ + \ secrets SHALL be at least 8 characters in length. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node746 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If chosen by the CSP or verifier using\ + \ an approved random number generator, memorized secrets SHALL be at least\ + \ 6 characters in length. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node747 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ Truncation of the secret SHALL NOT\ + \ be performed. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node748 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ Memorized secret verifiers SHALL NOT\ + \ permit the subscriber to store a \u201Chint\u201D that is accessible to\ + \ an unauthenticated claimant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node749 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ Verifiers SHALL NOT prompt subscribers to\ + \ use specific types of information (e.g., \u201CWhat was the name of your\ + \ first pet?\u201D) when choosing memorized secrets. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node750 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ When processing requests to establish and\ + \ change memorized secrets, verifiers SHALL compare the prospective secrets\ + \ against a list that contains values known to be commonly used, expected,\ + \ or compromised. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node751 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ If a chosen secret is found in the list,\ + \ the CSP or verifier SHALL advise the subscriber that they need to select\ + \ a different secret." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node752 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If a chosen secret is found in the list,\ + \ the CSP or verifier SHALL provide the reason for rejection. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node753 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ If a chosen secret is found in the list,\ + \ the CSP or verifier SHALL require the subscriber to choose a different value. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node754 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ Verifiers SHALL implement a rate-limiting\ + \ mechanism that effectively limits failed authentication attempts that can\ + \ be made on the subscriber\u2019s account to no more than five." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node755 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ Verifiers SHALL force a change of memorized\ + \ secret if there is evidence of compromise of the authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node756 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ The verifier SHALL use approved encryption\ + \ when requesting memorized secrets in order to provide resistance to eavesdropping\ + \ and MitM attacks. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node757 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(18)\_\_\_\_\_\_\_\_ The verifier SHALL use an authenticated protected\ + \ channel when requesting memorized secrets in order to provide resistance\ + \ to eavesdropping and MitM attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node758 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(19)\_\_\_\_\_\_\_\_ Verifiers SHALL store memorized secrets in\ + \ a form that is resistant to offline attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node759 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(20)\_\_\_\_\_\_\_\_ Memorized secrets SHALL be salted and hashed\ + \ using a suitable one-way key derivation function. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node760 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(21)\_\_\_\_\_\_\_\_ The salt SHALL be at least 32 bits in length\ + \ and be chosen arbitrarily to minimize salt value collisions among stored\ + \ hashes. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node761 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(22)\_\_\_\_\_\_\_\_ Both the salt value and the resulting hash\ + \ SHALL be stored for each subscriber using a memorized secret authenticator " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node762 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(23)\_\_\_\_\_\_\_\_ If an additional iteration of a key derivation\ + \ function using a salt value known only to the verifier is performed, then\ + \ this secret salt value SHALL be generated with an approved random bit generator\ + \ and of sufficient length. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node763 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(24)\_\_\_\_\_\_\_\_ If an additional iteration of a key derivation\ + \ function using a salt value known only to the verifier is performed, then\ + \ this secret salt value SHALL provide at least the minimum-security strength. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node764 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(25)\_\_\_\_\_\_\_\_ If an additional iteration of a key derivation\ + \ function using a salt value known only to the verifier is performed, then\ + \ this secret salt value SHALL be stored separately from the memorized secrets. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node765 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (b) Look-Up Secret Authenticators and Verifiers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node766 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ CSPs creating look-up secret authenticators\ + \ SHALL use an approved random bit generator to generate the list of secrets. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node767 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Look-up secrets SHALL have at least\ + \ 20 bits of entropy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node768 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If look-up secrets are distributed\ + \ online, then they SHALL be distributed over a secure channel in accordance\ + \ with the post-enrollment binding requirements in IA-5 n 17 through 25. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node769 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ Verifiers of look-up secrets SHALL\ + \ prompt the claimant for the next secret from their authenticator or for\ + \ a specific (e.g., numbered) secret. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node770 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ A given secret from an authenticator\ + \ SHALL be used successfully only once. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node771 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If a look-up secret is derived from\ + \ a grid (bingo) card, then each cell of the grid SHALL be used only once. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node772 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ Verifiers SHALL store look-up secrets\ + \ in a form that is resistant to offline attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node773 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If look-up secrets have at least 112\ + \ bits of entropy, then they SHALL be hashed with an approved one-way function " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node774 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If look-up secrets have less than\ + \ 112 bits of entropy, then they SHALL be salted and hashed using a suitable\ + \ one-way key derivation function. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node775 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ If look-up secrets have less than 112 bits\ + \ of entropy, then the salt SHALL be at least 32 bits in length and be chosen\ + \ arbitrarily to minimize salt value collisions among stored hashes. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node776 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ If look-up secrets have less than 112 bits\ + \ of entropy, then both the salt value and the resulting hash SHALL be stored\ + \ for each look-up secret " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node777 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ If look-up secrets that have less than 64\ + \ bits of entropy, then the verifier SHALL implement a rate-limiting mechanism\ + \ that effectively limits the number of failed authentication attempts that\ + \ can be made on the subscriber\u2019s account. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node778 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ The verifier SHALL use approved encryption\ + \ when requesting look-up secrets in order to provide resistance to eavesdropping\ + \ and MitM attacks. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node779 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ The verifier SHALL use an authenticated protected\ + \ channel when requesting look-up secrets in order to provide resistance to\ + \ eavesdropping and MitM attacks. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node780 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (c) Out-of-Band Authenticators and Verifiers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node781 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ The out-of-band authenticator SHALL\ + \ establish a separate channel with the verifier in order to retrieve the\ + \ out-of-band secret or authentication request. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node782 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ Communication over the secondary channel\ + \ SHALL be encrypted unless sent via the public switched telephone network\ + \ (PSTN). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node783 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ Methods that do not prove possession\ + \ of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be\ + \ used for out-of-band authentication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node784 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ If PSTN is not being used for out-of-band\ + \ communication, then the out-of-band authenticator SHALL uniquely authenticate\ + \ itself by establishing an authenticated protected channel with the verifier. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node785 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If PSTN is not being used for out-of-band\ + \ communication, then the out-of-band authenticator SHALL communicate with\ + \ the verifier using approved cryptography. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node786 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If PSTN is not being used for out-of-band\ + \ communication, then the key used to authenticate the out-of-band device\ + \ SHALL be stored in suitably secure storage available to the authenticator\ + \ application (e.g., keychain storage, TPM, TEE, secure element). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node787 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If the PSTN is used for out-of-band\ + \ authentication and a secret is sent to the out-of-band device via the PSTN,\ + \ then the out-of-band authenticator SHALL uniquely authenticate itself to\ + \ a mobile telephone network using a SIM card or equivalent that uniquely\ + \ identifies the device. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node788 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If the out-of-band authenticator sends\ + \ an approval message over the secondary communication channel, it SHALL either\ + \ accept transfer of a secret from the primary channel to be sent to the verifier\ + \ via the secondary communications channel, or present a secret received via\ + \ the secondary channel from the verifier and prompt the claimant to verify\ + \ the consistency of that secret with the primary channel, prior to accepting\ + \ a yes/no response from the claimant which it sends to the verifier. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node789 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ The verifier SHALL NOT store the identifying\ + \ key itself, but SHALL use a verification method (e.g., an approved hash\ + \ function or proof of possession of the identifying key) to uniquely identify\ + \ the authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node790 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ Depending on the type of out-of-band authenticator,\ + \ one of the following SHALL take place: transfer of a secret to the primary\ + \ channel, transfer of a secret to the secondary channel, or verification\ + \ of secrets by the claimant. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node791 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ If the out-of-band authenticator operates\ + \ by transferring the secret to the primary channel, then the verifier SHALL\ + \ transmit a random secret to the out-of-band authenticator and then wait\ + \ for the secret to be returned on the primary communication channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node792 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ If the out-of-band authenticator operates\ + \ by transferring the secret to the secondary channel, then the verifier SHALL\ + \ display a random authentication secret to the claimant via the primary channel\ + \ and then wait for the secret to be returned on the secondary channel from\ + \ the claimant\u2019s out-of- band authenticator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node793 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If the out-of-band authenticator operates\ + \ by verification of secrets by the claimant, then the verifier SHALL display\ + \ a random authentication secret to the claimant via the primary channel,\ + \ send the same secret to the out-of-band authenticator via the secondary\ + \ channel for presentation to the claimant, and then wait for an approval\ + \ (or disapproval) message via the secondary channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node794 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ The authentication SHALL be considered invalid\ + \ if not completed within 10 minutes. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node795 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ Verifiers SHALL accept a given authentication\ + \ secret only once during the validity period. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node796 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ The verifier SHALL generate random authentication\ + \ secrets with at least 20 bits of entropy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node797 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ The verifier SHALL generate random authentication\ + \ secrets using an approved random bit generator. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node798 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(18)\_\_\_\_\_\_\_\_ If the authentication secret has less than\ + \ 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism\ + \ that effectively limits the number of failed authentication attempts that\ + \ can be made on the subscriber\u2019s account as described in IA-5 l (3)\ + \ through (4). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node799 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(19)\_\_\_\_\_\_\_\_ If out-of-band verification is to be made\ + \ using the PSTN, then the verifier SHALL verify that the pre-registered telephone\ + \ number being used is associated with a specific physical device. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node800 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(20)\_\_\_\_\_\_\_\_ If out-of-band verification is to be made\ + \ using the PSTN, then changing the pre-registered telephone number is considered\ + \ to be the binding of a new authenticator and SHALL only occur as described\ + \ in IA-5 n (17) through (25). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node801 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(21)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL offer subscribers at least one alternate authenticator\ + \ that is not RESTRICTED and can be used to authenticate at the required AAL. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node802 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(22)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL Provide meaningful notice to subscribers regarding the\ + \ security risks of the RESTRICTED authenticator and availability of alternative(s)\ + \ that are not RESTRICTED. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node803 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(23)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL address any additional risk to subscribers in its risk\ + \ assessment. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node804 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(24)\_\_\_\_\_\_\_\_ If PSTN is used for out-of-band authentication,\ + \ then the CSP SHALL develop a migration plan for the possibility that the\ + \ RESTRICTED authenticator is no longer acceptable at some point in the future\ + \ and include this migration plan in its digital identity acceptance statement. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node805 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (d) OTP Authenticators and Verifiers + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node806 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ The secret key and its algorithm SHALL\ + \ provide at least the minimum security strength of 112 bits as of the date\ + \ of this publication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node807 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ The nonce SHALL be of sufficient length\ + \ to ensure that it is unique for each operation of the device over its lifetime. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node808 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ OTP authenticators \u2014 particularly\ + \ software-based OTP generators \u2014SHALL NOT facilitate the cloning of\ + \ the secret key onto multiple devices. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node809 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The authenticator output SHALL have\ + \ at least 6 decimal digits (approximately 20 bits) of entropy. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node810 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If the nonce used to generate the\ + \ authenticator output is based on a real-time clock, then the nonce SHALL\ + \ be changed at least once every 2 minutes. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node811 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ The OTP value associated with a given\ + \ nonce SHALL be accepted only once. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node812 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ The symmetric keys used by authenticators\ + \ are also present in the verifier and SHALL be strongly protected against\ + \ compromise. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node813 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ If a single-factor OTP authenticator\ + \ is being associated with a subscriber account, then the verifier or associated\ + \ CSP SHALL use approved cryptography to either generate and exchange or to\ + \ obtain the secrets required to duplicate the authenticator output. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node814 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ The verifier SHALL use approved encryption\ + \ when collecting the OTP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node815 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ The verifier SHALL use an authenticated protected\ + \ channel when collecting the OTP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node816 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ If a time-based OTP is used, it SHALL have\ + \ a defined lifetime (recommended 30 seconds) that is determined by the expected\ + \ clock drift \u2014 in either direction \u2014 of the authenticator over\ + \ its lifetime, plus allowance for network delay and user entry of the OTP. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node817 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ Verifiers SHALL accept a given time-based\ + \ OTP only once during the validity period. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node818 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If the authenticator output has less than\ + \ 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism\ + \ that effectively limits the number of failed authentication attempts that\ + \ can be made on the subscriber\u2019s account as described in IA-5 l (3)\ + \ through (4). 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node819 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ each use of the authenticator SHALL require the input of the additional\ + \ factor. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node820 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor and\ + \ a memorized secret is used by the authenticator for activation, then that\ + \ memorized secret SHALL be a randomly chosen numeric secret at least 6 decimal\ + \ digits in length or other memorized secret meeting the requirements of IA-5\ + \ (1)(a). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node821 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ use of a memorized secret for activation SHALL be rate limited as specified\ + \ in IA-5 l (3) through (4). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node822 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor and\ + \ is activated by a biometric factor, then that factor SHALL meet the requirements\ + \ of IA-5 m, including limits on the number of consecutive authentication\ + \ failures. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node823 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(18)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ the unencrypted key and activation secret or biometric sample \u2014 and\ + \ any biometric data derived from the biometric sample such as a probe produced\ + \ through signal processing \u2014 SHALL be zeroized immediately after an\ + \ OTP has been generated. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node824 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(19)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, the\ + \ verifier or CSP SHALL establish, via the authenticator source, that the\ + \ authenticator is a multi-factor device. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node825 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(20)\_\_\_\_\_\_\_\_ In the absence of a trusted statement \_\ + that it is a multi-factor device, the verifier SHALL treat the authenticator\ + \ as single-factor, in accordance with IA-5 (1) (d) (1) through (13). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node826 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: (e) Cryptographic Authenticators and Verifiers (including single- + and multi-factor cryptographic authenticators, both hardware- and software-based) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node827 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ If the cryptographic authenticator\ + \ is software based, the key SHALL be stored in suitably secure storage available\ + \ to the authenticator application. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node828 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the cryptographic authenticator\ + \ is software based, the key SHALL be strongly protected against unauthorized\ + \ disclosure by the use of access controls that limit access to the key to\ + \ only those software components on the device requiring access. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node829 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If the cryptographic authenticator\ + \ is software based, it SHALL NOT facilitate the cloning of the secret key\ + \ onto multiple devices. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node830 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is single-factor\ + \ and hardware-based, secret keys unique to the device SHALL NOT be exportable\ + \ (i.e., cannot be removed from the device). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node831 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is hardware-based,\ + \ the secret key and its algorithm SHALL provide at least the minimum-security\ + \ length of 112 bits as of the date of this publication. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node832 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is hardware-based,\ + \ the challenge nonce SHALL be at least 64 bits in length. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node833 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ If the authenticator is hardware-based,\ + \ approved cryptography SHALL be used. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node834 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ Cryptographic keys stored by the verifier\ + \ SHALL be protected against modification. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node835 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(9)\_\_\_\_\_\_\_\_\_\_\_\_ If symmetric keys are used, cryptographic\ + \ keys stored by the verifier SHALL be protected against disclosure. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node836 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(10)\_\_\_\_\_\_\_\_ The challenge nonce SHALL be at least 64\ + \ bits in length. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node837 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(11)\_\_\_\_\_\_\_\_ The challenge nonce SHALL either be unique\ + \ over the authenticator\u2019s lifetime or statistically unique (i.e., generated\ + \ using an approved random bit generator). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node838 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(12)\_\_\_\_\_\_\_\_ The verification operation SHALL use approved\ + \ cryptography. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node839 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(13)\_\_\_\_\_\_\_\_ If a multi-factor cryptographic software\ + \ authenticator is being used, then each authentication requires the presentation\ + \ of the activation factor. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node840 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(14)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ any memorized secret used by the authenticator for activation SHALL be a\ + \ randomly chosen numeric secret at least 6 decimal digits in length or other\ + \ memorized secret meeting the requirements of IA-5 (1) (a). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node841 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(15)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ use of a memorized secret for activation SHALL be rate limited as specified\ + \ in IA-5 l (3) through (4). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node842 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(16)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor and\ + \ is activated by a biometric factor, then that factor SHALL meet the requirements\ + \ of IA-5 m, including limits on the number of consecutive authentication\ + \ failures. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node843 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node733 + description: "(17)\_\_\_\_\_\_\_\_ If the authenticator is multi-factor, then\ + \ the unencrypted key and activation secret or biometric sample \u2014 and\ + \ any biometric data derived from the biometric sample such as a probe produced\ + \ through signal processing \u2014 SHALL be zeroized immediately after an\ + \ authentication transaction has taken place. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management | Public Key Based Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node845 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: '(a) For public key-based authentication:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node846 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (1) Enforce authorized access to the corresponding private key; + and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node847 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (2) Map the authenticated identity to the account of the individual + or group; and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node848 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: '(b) When public key infrastructure (PKI) is used:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node849 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (1) Validate certificates by constructing and verifying a certification + path to an accepted trust anchor, including 
checking certificate status information; + and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node850 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node844 + description: (2) Implement a local cache of revocation data to support path + discovery and validation. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node851 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authenticator Management | Protection of Authenticators + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node852 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node851 + description: Protect authenticators commensurate with the security category + of the information to which use of the authenticator permits access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node853 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Authentication Feedback + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node854 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node853 + description: 'Obscure feedback of authentication information during the authentication + process to protect the information from possible exploitation and use by unauthorized + individuals. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node855 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Cryptographic Module Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node856 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node855 + description: 'Implement mechanisms for authentication to a cryptographic module + that meet the requirements of applicable laws, executive orders, directives, + policies, regulations, standards, and guidelines for such authentication. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node857 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node858 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node857 + description: 'Control: Uniquely identify and authenticate non-organizational + users or processes acting on behalf of non-organizational users.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node859 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) | Acceptance + of PIV Credentials From Other Agencies + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node860 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node859 + description: 'Accept and electronically verify Personal Identity Verification-compliant + credentials from other federal, state, local, tribal, or territorial (SLTT) + agencies. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node861 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) | Acceptance + of External Authenticators + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node862 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node861 + description: '(a) Accept only external authenticators that are NIST-compliant; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node863 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node861 + description: '(b) Document and maintain a list of accepted external authenticators. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node864 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identification and Authentication (Non-Organizational Users) | Use of + Defined Profiles + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node865 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node864 + description: 'Conform to the following profiles for identity management: Security + Assertion Markup Language (SAML) or OpenID Connect. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node866 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Re-Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node867 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node866 + description: 'Require users to re-authenticate when: roles, authenticators, + or credentials change, security categories of systems change, the execution + of privileged functions occur, or every 12 hours.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identity Proofing + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node869 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + description: 'a. Identity proof users that require accounts for logical access + to systems based on appropriate identity assurance level requirements as specified + in applicable standards and guidelines; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node870 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + description: 'b. 
Resolve user identities to a unique individual; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node871 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node868 + description: 'c. Collect, validate, and verify identity evidence. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node872 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identity Proofing | Identity Evidence + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node873 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node872 + description: 'Require evidence of individual identification be presented to + the registration authority. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: Identity Proofing | Identity Evidence Validation and Verification + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node875 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "a.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Require that the presented identity\ + \ evidence be validated and verified through agency defined resolution, validation,\ + \ and verification methods. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node876 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "b.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Identity proofing SHALL NOT be\ + \ performed to determine suitability or entitlement to gain access to services\ + \ or benefits. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node877 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 'c. 1. Collection of PII SHALL be limited to the minimum necessary + to resolve to a unique identity in a given context. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node878 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '2. Collection of PII SHALL be limited to the minimum necessary + to validate the existence of the claimed identity and associate the claimed + identity with the applicant providing identity evidence for appropriate identity + resolution, validation, and verification. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node879 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "d.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL provide explicit\ + \ notice to the applicant at the time of collection regarding the purpose\ + \ for collecting and maintaining a record of the attributes necessary for\ + \ identity proofing, including whether such attributes are voluntary or mandatory\ + \ to complete the identity proofing process, and the consequences for not\ + \ providing the attributes. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node880 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "e.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ If CSPs process attributes for\ + \ purposes other than identity proofing, authentication, or attribute assertions\ + \ (collectively \u201Cidentity service\u201D), related fraud mitigation, or\ + \ to comply with law or legal process, then CSPs SHALL implement measures\ + \ to maintain predictability and manageability commensurate with the privacy\ + \ risk arising from the additional processing. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node881 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "f.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP employs consent as\ + \ part of its measures to maintain predictability and manageability, \u2026\ + then it SHALL NOT make consent for the additional processing a condition of\ + \ the identity service. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node882 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "g.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL provide mechanisms\ + \ for redress of applicant complaints or problems arising from the identity\ + \ proofing. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node883 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 'These [redress] mechanisms SHALL be easy for applicants to find + and use. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node884 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "h.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL assess the [redress]\ + \ mechanisms for their efficacy in achieving resolution of complaints or problems. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node885 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "i.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The identity proofing and enrollment\ + \ processes SHALL be performed according to an applicable written policy or\ + \ *practice statement* that specifies the particular steps taken to verify\ + \ identities. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node886 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "j.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The *practice statement* SHALL\ + \ include control information detailing how the CSP handles proofing errors\ + \ that result in an applicant not being successfully enrolled. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node887 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "k.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL maintain a record,\ + \ including audit logs, of all steps taken to verify the identity of the applicant\ + \ as long as the identity exists in the information system." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node888 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "l.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL record the types\ + \ of identity evidence presented in the proofing process. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node889 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "m.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL conduct a risk management\ + \ process, including assessments of privacy and security risks to determine:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node890 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 1. Any steps that it will take to verify the identity of the + applicant beyond any mandatory requirements specified herein; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node891 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '2. 
The PII, including any biometrics, images, scans, or other + copies of the identity evidence that the CSP will maintain as a record of + identity proofing (Note: Specific federal requirements may apply); and' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node892 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '3. The schedule of retention for these records (Note: CSPs may + be subject to specific retention policies in accordance with applicable laws, + regulations, or policies, including any National Archives and Records Administration + (NARA) records retention schedules that may apply). ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node893 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "n.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ All PII collected as part of the\ + \ enrollment process SHALL be protected to ensure confidentiality, integrity,\ + \ and attribution of the information source. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node894 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "o.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ \"The entire proofing transaction,\ + \ including transactions that involve a third party, SHALL occur over authenticated\ + \ protected channels. \"" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node895 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "p.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ \"If the CSP uses fraud mitigation\ + \ measures, then the CSP SHALL conduct a privacy risk assessment for these\ + \ mitigation measures. 
\"" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node896 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "Such assessments SHALL include any privacy risk mitigations (e.g.,\ + \ risk acceptance or transfer, limited retention, use limitations, notice)\ + \ or other technological mitigations (e.g., cryptography), and be documented\ + \ per requirement IA-12(3) k \u2013 m above. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node897 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "q.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ In the event a CSP ceases to conduct\ + \ identity proofing and enrollment processes, then the CSP SHALL be responsible\ + \ for fully disposing of or destroying any sensitive data including PII, or\ + \ its protection from unauthorized access for the duration of retention. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node898 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "r.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Regardless of whether the CSP\ + \ is a federal agency or non- federal entity, the following requirements apply\ + \ to the federal agency offering or using the proofing service:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node899 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 1. The agency SHALL consult with their Senior Agency Official + for Privacy (SAOP) to conduct an analysis determining whether the collection + of PII to conduct identity proofing triggers Privacy Act requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node900 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 2. The agency SHALL publish a System of Records Notice (SORN) + to cover such collection, as applicable. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node901 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 3. The agency SHALL consult with their SAOP to conduct an analysis + determining whether the collection of PII to conduct identity proofing triggers + E-Government Act of 2002 requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node902 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '4. The agency SHALL publish a Privacy Impact Assessment (PIA) + to cover such collection, as applicable. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node903 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "s.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ An enrollment code SHALL be comprised\ + \ of one of the following:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node904 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 1. Minimally, a random six character alphanumeric or equivalent + entropy. For example, a code generated using an approved random number generator + or a serial number for a physical hardware authenticator; OR + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node905 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '2. A machine-readable optical label, such as a QR Code, that + contains data of similar or higher entropy as a random six character alphanumeric. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node906 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "t.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ Training requirements for personnel\ + \ validating evidence SHALL be based on the policies, guidelines, or requirements\ + \ of the CSP or RP. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node907 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "u.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ This criterion applies to CSPs\ + \ that provide identity proofing and enrollment services to minors (under\ + \ the age of 18):" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node908 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "If the CSP provides identity proofing and enrollment services\ + \ to minors (under the age of 18), then\u2026the CSP SHALL give special consideration\ + \ to the legal restrictions of interacting with minors unable to meet the\ + \ evidence requirements of identity proofing [to ensure compliance with the\ + \ Children\u2019s Online Privacy Protection Act of 1998 (COPPA), and other\ + \ laws, as applicable]. \"" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node909 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: Requirements v and w apply to the collection of biometric characteristics + for in-person (physical or supervised remote) identity proofing and are mandatory + at IAL3. These criteria also apply to CSPs that optionally choose to collect + biometric characteristics through in-person identity-proofing identity proofing + and enrollment at IAL2. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node910 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "v.\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL have the operator view\ + \ the biometric source (e.g., fingers, face) for presence of non-natural materials\ + \ and perform such inspections as part of the proofing process. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node911 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "w.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL collect biometrics in\ + \ such a way that ensures that the biometric is collected from the applicant,\ + \ and not another subject. All biometric performance requirements in IA-5\ + \ m (1) through (12) apply. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node912 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "x.\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL support in-person\ + \ or remote identity proofing, or both. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node913 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "y.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL collect the following\ + \ from the applicant:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node914 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "1. One piece of SUPERIOR or STRONG evidence if the evidence\u2019\ + s issuing source, during its identity proofing event, confirmed the claimed\ + \ identity by collecting two or more forms of SUPERIOR or STRONG evidence\ + \ and the CSP validates the evidence directly with the issuing source; OR" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node915 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 2. Two pieces of STRONG evidence; OR + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node916 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: '3. 
One piece of STRONG evidence plus two pieces of FAIR evidence ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node917 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "z.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL validate each piece of\ + \ evidence with a process that can achieve the same strength as the evidence\ + \ presented (see \u2019z\u2019 above). For example, if two forms of STRONG\ + \ identity evidence are presented, each piece of evidence will be validated\ + \ at a strength of STRONG. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node918 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "aa.\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL verify identity evidence\ + \ as follows:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node919 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "At a minimum, the applicant\u2019s binding to identity evidence\ + \ must be verified by a process that is able to achieve a strength of STRONG. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node920 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "bb.\_\_\_\_\_\_\_\_\_\_\_\_ For IAL2 remote proofing: The collection\ + \ of biometric characteristics for physical or biometric comparison of the\ + \ applicant to the strongest piece of identity evidence provided to support\ + \ the claimed identity performed remotely SHALL adhere to all requirements\ + \ as specified in IA-5 m. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node921 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "cc.\_\_\_\_\_\_\_\_\_\_\_ Knowledge-based verification (KBV) SHALL\ + \ NOT be used for in-person (physical or supervised remote) identity verification. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node922 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "dd.\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL employ appropriately\ + \ tailored security controls, to include control enhancements, from the moderate\ + \ or high baseline of security controls defined in the CJIS Security Policy." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node923 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: 'The CSP SHALL ensure that the minimum assurance-related controls + for moderate-impact systems are satisfied. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node924 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "ee.\_\_\_\_\_\_\_\_\_\_\_\_\_ Supervised Remote Identity Proofing:\ + \ Supervised remote identity proofing is intended to provide controls for\ + \ comparable levels of confidence and security to in-person IAL3 identity\ + \ proofing for identity proofing processes that are performed remotely. Supervised\ + \ remote identity proofing is optional for CSPs; that is, if a CSP chooses\ + \ to use supervised remote identity proofing, then the following requirements,\ + \ (1) through (8), would apply. It should be noted that the term \u201Csupervised\ + \ remote identity proofing\u201D has specialized meaning and is used only\ + \ to refer to the specialized equipment and the following control requirements,\ + \ (1) through (8). In addition to those requirements presented in this document,\ + \ as well as the applicable identity validation and verification requirements,\ + \ CSPs that provide supervised remote identity proofing services must demonstrate\ + \ conformance with the requirements contained in this section. 
The following\ + \ requirements for supervised remote proofing apply specifically to IAL3.\ + \ If the equipment/facilities used for supervised remote proofing are used\ + \ for IAL2 identity proofing, the following requirements, (1) through (8),\ + \ for supervised remote proofing do not apply. In this case, the requirements\ + \ for conventional remote identity proofing are applicable." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node925 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ Supervised remote identity proofing\ + \ and enrollment transactions SHALL meet the following requirements, in addition\ + \ to the IAL3 validation and verification requirements specified in Section\ + \ 4.6\_. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node926 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL monitor the entire identity\ + \ proofing session, from which the applicant SHALL NOT depart \u2014 for example,\ + \ by a continuous high-resolution video transmission of the applicant. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node927 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL have a live operator\ + \ participate remotely with the applicant for the entirety of the identity\ + \ proofing session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node928 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(4)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL require all actions\ + \ taken by the applicant during the identity proofing session to be clearly\ + \ visible to the remote operator. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node929 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(5)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL require that all digital\ + \ validation of evidence (e.g., via chip or wireless technologies) be performed\ + \ by integrated scanners and sensors. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node930 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(6)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL require operators to\ + \ have undergone a training program to detect potential fraud and to properly\ + \ perform a supervised remote proofing session. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node931 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(7)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL employ physical tamper\ + \ detection and resistance features appropriate for the environment in which\ + \ it is located. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node932 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(8)\_\_\_\_\_\_\_\_\_\_\_\_ The CSP SHALL ensure that all communications\ + \ occur over a mutually authenticated protected channel. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node933 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "ff.\_\_\_\_\_\_\_\_\_\_\_ Trusted Referee: The use of trusted\ + \ referees is optional for CSPs; that is, if a CSP chooses to use trusted\ + \ referees for identity proofing and enrollment, then the following requirements,\ + \ (1) through (3) would apply. 
The use of trusted referees is intended to\ + \ assist in the identity proofing and enrollment for populations that are\ + \ unable to meet IAL2 identity proofing requirements, or otherwise would be\ + \ challenged to perform identity proofing and enrollment process requirements.\ + \ Such populations may include, but are not limited to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node934 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ disabled individuals;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node935 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ elderly individuals;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node936 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ homeless individuals," + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node937 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ individuals with little or no access to online\ + \ services or computing devices;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node938 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ unbanked and individuals with little or no credit\ + \ history;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node939 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ victims of identity theft;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node940 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ children under 18; and" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node941 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "\xB7\_\_\_\_\_\_ immigrants." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node942 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: In addition to those requirements presented in the General section + of this document, as well as the applicable IAL requirements, CSPs that use + trusted referees in their identity proofing services must demonstrate conformance + with the requirements contained in this section. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node943 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(1)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP uses trusted referees,\ + \ then\u2026The CSP SHALL establish written policy and procedures as to how\ + \ a trusted referee is determined and the lifecycle by which the trusted referee\ + \ retains their status as a valid referee, to include any restrictions, as\ + \ well as any revocation and suspension requirements. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node944 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(2)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP uses trusted referees,\ + \ then\u2026The CSP SHALL proof the trusted referee at the same IAL as the\ + \ applicant proofing. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node945 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node874 + description: "(3)\_\_\_\_\_\_\_\_\_\_\_\_ If the CSP uses trusted referees,\ + \ then\u2026The CSP SHALL determine the minimum evidence required to bind\ + \ the relationship between the trusted referee and the applicant. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node586 + name: (5) Identity Proofing | Address Confirmation + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node947 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "a.\_\_ Require that a registration code or notice of proofing\ + \ be delivered through an out-of-band channel to verify the users address\ + \ (physical or digital) of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node948 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "b.\_\_\_The CSP SHALL confirm address of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node949 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "c.\_\_\_Valid records to confirm address SHALL be issuing source(s)\ + \ or authoritative source(s). " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node950 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'Self-asserted address data that has not been confirmed in records + SHALL NOT be used for confirmation. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node951 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "d.\_\_\_Note that IAL2-7 applies only to in-person proofing at\ + \ IAL2." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node952 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "If the CSP performs in-person proofing for IAL2 and provides an\ + \ enrollment code directly to the subscriber for binding to an authenticator\ + \ at a later time, then the enrollment code\u2026SHALL be valid for a maximum\ + \ of seven (7) days. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node953 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "e.\_\_ For remote identity proofing at IAL2: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node954 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'The CSP SHALL send an enrollment code to a confirmed address of + record for the applicant. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node955 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "f.\_\_\_\_For remote identity proofing at IAL2: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node956 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'The applicant SHALL present a valid enrollment code to complete + the identity proofing process. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node957 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "g.\_\_\_Note that the following enrollment code validity periods\ + \ apply to enrollment codes sent to confirmed addresses of record for IAL2\ + \ remote in-person proofing only." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node958 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'Enrollment codes shall have the following maximum validities: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node959 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: i. 10 days, when sent to a postal address of record within the + contiguous United States; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node960 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: ii. 30 days, when sent to a postal address of record outside + the contiguous United States; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node961 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: iii. 10 minutes, when sent to a telephone of record (SMS or voice); + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node962 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: 'iv. 24 hours, when sent to an email address of record. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node963 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "h.\_\_\_If the enrollment code sent to the confirmed address of\ + \ record as part of the remote identity proofing process at IAL2 is also intended\ + \ to be an authentication factor, then\u2026it SHALL be reset upon first use. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node964 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node946 + description: "i.\_\_\_ If the CSP performs remote proofing at IAL2 and optionally\ + \ sends notification of proofing in addition to sending the required enrollment\ + \ code, then\u2026The CSP SHALL ensure the enrollment code and notification\ + \ of proofing are sent to different addresses of record. " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-7: Configuration Management' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node966 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + name: Least Functionality + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node967 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node966 + description: "The agency shall configure the application, service, or information\ + \ system to provide only essential capabilities and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node968 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node966 + description: '...and shall specifically prohibit and/or restrict the use of + specified functions, ports, protocols, and/or services.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + name: Network Diagram + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node970 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: The agency shall ensure that a complete topological drawing depicting + the interconnectivity of the agency network, to criminal justice information, + systems and services is maintained in a current status. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node971 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: 'The network topological drawing shall include the following:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node972 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "1.\_All communications paths, circuits, and other components used\ + \ for the interconnection, beginning with the agency-owned system(s) and traversing\ + \ through all interconnected systems to the agency end-point." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node973 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "2.\_The logical location of all components (e.g., firewalls, routers,\ + \ switches, hubs, servers, encryption devices, and computer workstations).\ + \ Individual workstations (clients) do not have to be shown; the number of\ + \ clients is sufficient." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node974 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "3.\_\u201CFor Official Use Only\u201D (FOUO) markings." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node975 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node969 + description: "4.\_The agency name and date (day, month, and year) drawing was\ + \ created or updated." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node976 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node965 + name: Security of Configuration Documentation + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node977 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node976 + description: Agencies shall protect the system documentation from unauthorized + access consistent with the provisions described in section 5.5 Access Control. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-8: Media Protection (MP)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Policy and Procedures + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node980 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 'a. 
Develop, document, and disseminate to authorized individuals: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node981 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: "1.\_Agency-level media protection policy that: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node982 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: "(a)\_Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among agency entities, and compliance; and " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node983 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: "(b)\_Is consistent with applicable laws, executive orders, directives,\ + \ regulations, policies, standards, and guidelines; and " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node984 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: '2. Procedures to facilitate the implementation of the media protection + policy and the associated media protection controls; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node985 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 'b. Designate an individual with security responsibilities to manage + the development, documentation, and dissemination of the media protection + policy and procedures; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node986 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 'c. Review and update the current media protection: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node987 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: '1. 
Policy at least annually and following any security incidents + involving digital and/or non-digital media; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node988 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node979 + description: 2. Procedures at least annually and following any security incidents + involving digital and/or non-digital media. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node989 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Access + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node990 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node989 + description: Restrict access to digital and non-digital media to authorized + individuals. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node991 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Marking + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node992 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node991 + description: 'a. Mark system media indicating the distribution limitations, + handling caveats, and applicable security markings (if any) of the information; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node993 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node991 + description: 'b. Exempt digital and non-digital media containing CJI from marking + if the media remain within physically secure locations and controlled areas. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node994 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Storage + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node995 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node994 + description: 'a. Physically control and securely store digital and non-digital + media within physically secure locations or controlled areas and encrypt CJI + on digital media when physical and personnel restrictions are not feasible; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node996 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node994 + description: 'b. Protect system media types defined in MP-4a until the media + are destroyed or sanitized using approved equipment, techniques, and procedures. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Transport + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node998 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'a. Protect and control digital and non-digital media to help prevent + compromise of the data during transport outside of the physically secure locations + or controlled areas using encryption, as defined in Section 5.10.1.2 of this + Policy. Physical media will be protected at the same level as the information + would be protected in electronic form. Restrict the activities associated + with transport of electronic and physical media to authorized personnel; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node999 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'b. 
Maintain accountability for system media during transport outside + of the physically secure location or controlled areas; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1000 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'c. Document activities associated with the transport of system + media; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1001 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node997 + description: 'd. Restrict the activities associated with the transport of system + media to authorized personnel. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1002 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Sanitization + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1003 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1002 + description: 'a. Sanitize or destroy digital and non-digital media prior to + disposal, release out of agency control, or release for reuse using overwrite + technology at least three times or degauss digital media prior to disposal + or release for reuse by unauthorized individuals. Inoperable digital media + will be destroyed (cut up, shredded, etc.). Physical media will be securely + disposed of when no longer needed for investigative or security purposes, + whichever is later. Physical media will be destroyed by crosscut shredding + or incineration; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1004 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1002 + description: 'b. Employ sanitization mechanisms with the strength and integrity + commensurate with the security category or classification of the information. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node978 + name: Media Use + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1006 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + description: 'a. Restrict the use of digital and non-digital media on agency-owned + systems that have been approved for use in the storage, processing, or transmission + of criminal justice information by using technical, physical, or administrative + controls (examples below); and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1007 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + description: b. Prohibit the use of personally-owned digital media devices on + all agency-owned or controlled systems that store, process, or transmit criminal + justice information; and + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1008 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1005 + description: "c.\_Prohibit the use of digital media devices on all agency-owned\ + \ or controlled systems that store, process, or transmit criminal justice\ + \ information when such devices have no identifiable owner." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-9: Physical Protection' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1011 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with physical and environmental protection responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1012 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "1.\_\_\_\_\_ Agency-level physical and environmental protection\ + \ policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1013 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1014 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1015 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ physical and environmental protection policy and the associated physical\ + \ and environmental protection controls;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1016 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security responsibilities to manage the development, documentation, and\ + \ dissemination of the physical and environmental protection policy and procedures;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1017 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "c.\_\_\_\_\_\_ Review and update the current physical and environmental\ + \ protection:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1018 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "1.\_\_\_\_\_ Policy annually and following any physical, environmental,\ + \ or security related incidents involving CJI or systems used to process,\ + \ store, or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1019 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1010 + description: "2.\_\_\_\_\_ Procedures annually and following any physical, environmental,\ + \ or security related incidents involving CJI or systems used to process,\ + \ store, or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: PHYSICAL ACCESS AUTHORIZATIONS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1021 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "a.\_\_\_\_\_ Develop, approve, and maintain a list of individuals\ + \ with authorized access to the facility where the system resides;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1022 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "b.\_\_\_\_\_ Issue authorization credentials for facility access;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1023 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "c.\_\_\_\_\_\_ Review the access list detailing authorized facility\ + \ access by individuals annually and when personnel changes occur; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1024 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1020 + description: "d.\_\_\_\_\_ Remove individuals from the facility access list\ + \ when access is no longer required." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: PHYSICAL ACCESS CONTROL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1026 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "a.\_\_\_\_\_ Enforce physical access authorizations by:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1027 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "1.\_\_\_\_\_ Verifying individual access authorizations before\ + \ granting access to the facility; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1028 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "2.\_\_\_\_\_ Controlling ingress and egress to the facility using\ + \ agency-implemented procedures and controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1029 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "b.\_\_\_\_\_ Maintain physical access audit logs for the physically\ + \ secure location and agency-defined sensitive areas;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1030 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "c.\_\_\_\_\_\_ Control access to areas within the facility designated\ + \ as non-publicly accessible by implementing physical access devices including,\ + \ but not limited to keys, locks, combinations, biometric readers, placards,\ + \ and/or card readers; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1031 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "d.\_\_\_\_\_ Escort visitors and control visitor activity in all\ + \ 
physically secure locations;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1032 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "e.\_\_\_\_\_ Secure keys, combinations, and other physical access\ + \ devices;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1033 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "f.\_\_\_\_\_\_ Inventory all agency-issued physical access devices\ + \ annually; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1034 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "g.\_\_\_\_\_ Change combinations and keys and/or when keys are\ + \ lost, combinations are compromised, or when individuals possessing the keys\ + \ or combinations are transferred or terminated." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1035 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1025 + description: "h.\_\_\_\_\_ If the above conditions cannot be met refer to the\ + \ requirements listed in PE-17." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1036 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ACCESS CONTROL FOR TRANSMISSION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1037 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1036 + description: Control physical access to information system distribution and + transmission lines and devices within organizational facilities using agency-implemented + procedures and controls. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1038 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ACCESS CONTROL FOR OUTPUT DEVICES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1039 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1038 + description: Control physical access to output from monitors, printers, scanners, + audio devices, facsimile machines, and copiers to prevent unauthorized individuals + from obtaining the output. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: MONITORING PHYSICAL ACCESS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1041 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + description: "a.\_\_\_\_\_ Monitor physical access to the facility where the\ + \ system resides to detect and respond to physical security incidents;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1042 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + description: "b.\_\_\_\_\_ Review physical access logs quarterly and upon occurrence\ + \ of any physical, environmental, or security-related incidents involving\ + \ CJI or systems used to process, store, or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1043 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1040 + description: "c.\_\_\_\_\_\_ Coordinate results of reviews and investigations\ + \ with the organizational incident response capability." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1044 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: "(1)\_\_\_ MONITORING PHYSICAL ACCESS | INTRUSION ALARMS AND SURVEILLANCE\ + \ EQUIPMENT" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1045 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1044 + description: Monitor physical access to the facility where the system resides + using physical intrusion alarms and surveillance equipment. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: VISITOR ACCESS RECORDS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1047 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + description: "a.\_\_\_\_\_ Maintain visitor access records to the facility where\ + \ the system resides for one (1) year;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1048 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + description: "b.\_\_\_\_\_ Review visitor access records quarterly; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1049 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1046 + description: "c.\_\_\_\_\_\_ Report anomalies in visitor access records to organizational\ + \ personnel with physical and environmental protection responsibilities and\ + \ organizational personnel with information security responsibilities." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1050 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: "(3)\_\_\_ VISITOR ACCESS RECORDS | LIMIT PERSONALLY IDENTIFIABLE INFORMATION\ + \ ELEMENTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1051 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1050 + description: Limit personally identifiable information contained in visitor + access records to the minimum PII necessary to achieve the purpose for which + it is collected (see Section 4.3). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1052 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1050 + description: 'Note: Access to visitor access records is restricted to authorized + agency personnel.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1053 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: POWER EQUIPMENT AND CABLING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1054 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1053 + description: Protect power equipment and power cabling for the system from damage + and destruction. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: EMERGENCY SHUTOFF + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1056 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + description: "a.\_\_\_\_\_ Provide the capability of shutting off power to all\ + \ information systems in emergency situations;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1057 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + description: "b.\_\_\_\_\_ Place emergency shutoff switches or devices in easily\ + \ accessible locations to facilitate access for authorized personnel; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1058 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1055 + description: "c.\_\_\_\_\_\_ Protect emergency power shutoff capability from\ + \ unauthorized activation." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1059 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: EMERGENCY POWER + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1060 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1059 + description: Provide an uninterruptible power supply to facilitate an orderly + shutdown of the information system or transition of the information system + to an alternate power source in the event of a primary power source loss. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1061 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: EMERGENCY LIGHTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1062 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1061 + description: Employ and maintain automatic emergency lighting for the system + that activates in the event of a power outage or disruption and that covers + emergency exits and evacuation routes within the facility. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1063 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: FIRE PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1064 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1063 + description: Employ and maintain fire detection and suppression systems that + are supported by an independent energy source. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1065 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: "(1)\_\_\_ FIRE PROTECTION | DETECTION SYSTEMS \u2014 AUTOMATIC ACTIVATION\ + \ AND NOTIFICATION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1066 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1065 + description: Employ fire detection systems that activate automatically and notify + organizational personnel with physical and environmental protection responsibilities + and police, fire, or emergency medical personnel in the event of a fire. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1067 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ENVIRONMENTAL CONTROLS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1068 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1067 + description: "a.\_\_\_\_\_ Maintain adequate HVAC levels within the facility\ + \ where the system resides at recommended system manufacturer levels; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1069 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1067 + description: "b.\_\_\_\_\_ Monitor environmental control levels continuously." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1070 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: WATER DAMAGE PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1071 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1070 + description: Protect the system from damage resulting from water leakage by + providing master shutoff or isolation valves that are accessible, working + properly, and known to key personnel. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1072 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: DELIVERY AND REMOVAL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1073 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1072 + description: "a.\_\_\_\_\_ Authorize and control information system-related\ + \ components entering and exiting the facility; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1074 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1072 + description: "b.\_\_\_\_\_ Maintain records of the system components." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1009 + name: ALTERNATE WORK SITE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1076 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "a.\_\_\_\_\_ Determine and document all alternate facilities or\ + \ locations allowed for use by employees;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1077 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "b.\_\_\_\_\_ Employ the following controls at alternate work sites:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1078 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "1.\_\_\_\_\_ Limit access to the area during CJI processing times\ + \ to only those personnel authorized by the agency to access or view CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1079 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "2.\_\_\_\_\_ Lock the area, room, or storage container when unattended." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1080 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "3.\_\_\_\_\_ Position information system devices and documents\ + \ containing CJI in such a way as to prevent unauthorized individuals from\ + \ access and view." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1081 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "4.\_\_\_\_\_ Follow the encryption requirements found in SC-13\ + \ and SC-28 for electronic storage (i.e., data at-rest) of CJI." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1082 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "c.\_\_\_\_\_\_ Assess the effectiveness of controls at alternate\ + \ work sites; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1083 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1075 + description: "d.\_\_\_\_\_ Provide a means for employees to communicate with\ + \ information security and privacy personnel in case of incidents." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-10: Systems and Communications Protection' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'POLICY AND PROCEDURES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1086 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: 'a. Develop, document, and disseminate to organizational personnel + with system and communications protection responsibilities: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1087 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '1. Agency-level system and communications protection policy that: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1088 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '(a) Addresses purpose, scope, roles, responsibilities, management + commitment, coordination among organizational entities, and compliance; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1089 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '(b) Is consistent with applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1090 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '2. 
Procedures to facilitate the implementation of the system and + communications protection policy and the associated system and communications + protection controls; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1091 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: 'b. Designate organizational personnel with information security + responsibilities to manage the development, documentation, and dissemination + of the system and communications protection policy and procedures; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1092 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: 'c. Review and update the current system and communications protection: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1093 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '1. Policy annually and following any changes and security incidents + involving unauthorized access to CJI or systems used to process, store, or + transmit CJI; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1094 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1085 + description: '2. Procedures annually and following any changes and security + incidents involving unauthorized access to CJI or systems used to process, + store, or transmit CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1095 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SEPARATION OF SYSTEM AND USER FUNCTIONALITY ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1096 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1095 + description: 'Separate user functionality, including user interface services, + from system management functionality. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1097 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'INFORMATION IN SHARED SYSTEM RESOURCES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1098 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1097 + description: 'Prevent unauthorized and unintended information transfer via shared + system resources. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1099 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'DENIAL-OF-SERVICE PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1100 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1099 + description: 'a. Protect against or limit the effects of the following types + of denial-of-service events: distributed denial of service, DNS Denial of + Service, etc.; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1101 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1099 + description: 'b. Employ the following controls to achieve the denial-of-service + objective: boundary protection devices and intrusion detection or prevention + devices. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1103 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + description: 'a. 
Monitor and control communications at the external managed + interfaces to the system and at key internal managed interfaces within the + system; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1104 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + description: 'b. Implement subnetworks for publicly accessible system components + that are physically or logically separated from internal organizational networks; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1105 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1102 + description: 'c. Connect to external networks or systems only through managed + interfaces consisting of boundary protection devices arranged in accordance + with an organizational security and privacy architecture. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1106 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | ACCESS POINTS ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1107 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1106 + description: 'Limit the number of external network connections to the system. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | EXTERNAL TELECOMMUNICATIONS SERVICES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1109 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(a) Implement a managed interface for each external telecommunication + service; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1110 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(b) Establish a traffic flow policy for each managed interface; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1111 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(c) Protect the confidentiality and integrity of the information + being transmitted across each interface; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1112 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(d) Document each exception to the traffic flow policy with a + supporting mission or business need and duration of that need; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1113 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(e) Review exceptions to the traffic flow policy annually, after + any incident, and after any major changes impacting the information system, + while remove exceptions that are no longer supported by an explicit mission + or business need; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1114 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(f) Prevent unauthorized exchange of control plane traffic with + 
external networks; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1115 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(g) Publish information to enable remote networks to detect unauthorized + control plane traffic from internal networks; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1116 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1108 + description: '(h) Filter unauthorized control plane traffic from external networks. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1117 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: "BOUNDARY PROTECTION | DENY BY DEFAULT \u2014 ALLOW BY EXCEPTION " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1118 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1117 + description: 'Deny network communications traffic by default and allow network + communications traffic by exception at boundary devices for information systems + used to process, store, or transmit CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1119 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | SPLIT TUNNELING FOR REMOTE DEVICES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1120 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1119 + description: 'Prevent split tunneling for remote devices connecting to organizational + systems. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1121 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1122 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1121 + description: 'Route all internal communications traffic that may be proxied, + except traffic specifically exempted by organizational personnel with information + security responsibilities, to all untrusted networks through authenticated + proxy servers at managed interfaces. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'BOUNDARY PROTECTION | PERSONALLY IDENTIFIABLE INFORMATION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1124 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: 'For systems that process personally identifiable information: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1125 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(a) Apply the following processing rules to data elements of personally + identifiable information: all applicable laws, executive orders, directives, + regulations, policies, standards, and guidelines; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1126 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(b) Monitor for permitted processing at the external interfaces + to the system and at key internal boundaries within the system; ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1127 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(c) Document each processing exception; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1128 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1123 + description: '(d) Review and remove exceptions that are no longer supported. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1129 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'TRANSMISSION CONFIDENTIALITY AND INTEGRITY ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1130 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1129 + description: 'Protect the confidentiality and integrity of transmitted information. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1131 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1129 + description: Metadata derived from unencrypted CJI shall be protected in the + same manner as CJI and shall not be used for any advertising or other commercial + purposes by any cloud service provider or other associated entity. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1132 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1133 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1132 + description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure + and detect unauthorized changes or access to CJI during transmission. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1134 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'NETWORK DISCONNECT ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1135 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1134 + description: 'Terminate the network connection associated with a communications + session at the end of the session or after one (1) hour of inactivity. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1136 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1134 + description: 'NOTE: In the interest of safety, devices that are: (1) part of + a criminal justice conveyance; or (2) used to perform dispatch functions and + located within a physically secure location; or (3) terminals designated solely + for the purpose of receiving alert notifications (i.e., receive only terminals + or ROT) and used within physically secure location facilities that remain + staffed when in operation, are exempt from this requirement.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1137 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1138 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1137 + description: 'Establish and manage cryptographic keys when cryptography is employed + within the system in accordance with the following key management requirements: + encryption key generation, distribution, storage, access, and destruction + is controlled by the agency. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'CRYPTOGRAPHIC PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1140 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + description: 'a. Determine the use of encryption for CJI in-transit when outside + a physically secure location; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1141 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + description: 'b. Implement the following types of cryptography required for + each specified cryptographic use: cryptographic modules which are Federal + Information Processing Standard (FIPS) 140-3 certified, or FIPS validated + algorithm for symmetric key encryption and decryption (FIPS 197 [AES]), with + a symmetric cipher key of at least 128-bit strength for CJI in-transit.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1142 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1139 + description: 'NOTE: Subsequent versions of approved cryptographic modules that + are under current review for FIPS 140-3 compliancy can be used in the interim + until certification is complete. FIPS 140-2 certificates will not be acceptable + after September 21, 2026.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1143 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'COLLABORATIVE COMPUTING DEVICES AND APPLICATIONS ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1144 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1143 + description: 'a. 
Prohibit remote activation of collaborative computing devices + and applications; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1145 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1143 + description: 'b. Provide an explicit indication of use to users physically present + at the devices. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1146 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PUBLIC KEY INFRASTRUCTURE CERTIFICATES ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1147 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1146 + description: 'a. Issue public key certificates under an agency-level certificate + authority or obtain public key certificates from an approved service provider; + and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1148 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1146 + description: 'b. Include only approved trust anchors in trust stores or certificate + stores managed by the organization. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1149 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'MOBILE CODE ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1150 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1149 + description: 'a. Define acceptable and unacceptable mobile code and mobile code + technologies; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1151 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1149 + description: 'b. Authorize, monitor, and control the use of mobile code within + the system. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1152 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1153 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1152 + description: 'a. Provide additional data origin authentication and integrity + verification artifacts along with the authoritative name resolution data the + system returns in response to external name/address resolution queries; and ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1154 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1152 + description: 'b. Provide the means to indicate the security status of child + zones and (if the child supports secure resolution services) to enable verification + of a chain of trust among parent and child domains, when operating as part + of a distributed, hierarchical namespace. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1155 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1156 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1155 + description: 'Request and perform data origin authentication and data integrity + verification on the name/address resolution responses the system receives + from authoritative sources. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1157 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1158 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1157 + description: 'Ensure the systems that collectively provide name/address resolution + service for an organization are fault-tolerant and implement internal and + external role separation. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1159 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'SESSION AUTHENTICITY ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1160 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1159 + description: 'Protect the authenticity of communications sessions. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PROTECTION OF INFORMATION AT REST ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1162 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: 'Protect the confidentiality and integrity of the following information + at rest: CJI when outside physically secure locations using cryptographic + modules which are certified FIPS 140-3 with a symmetric cipher key of at least + 128-bit strength, or FIPS 197 with a symmetric cipher key of at least 256-bit + strength.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1163 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: Metadata derived from unencrypted CJI shall be protected in the + same manner as CJI and shall not be used for any advertising or other commercial + purposes by any cloud service provider or other associated entity. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1164 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: "The storage of CJI, regardless of encryption status, shall only\ + \ be permitted in cloud environments (e.g., government or third-party/commercial\ + \ datacenters, etc.) which reside within the physical boundaries of APB-member\ + \ country (i.e., United States, U.S. territories, Indian Tribes, and Canada)\ + \ and are under legal authority of an APB-member agency (i.e., United States\u2013\ + federal/state/territory, Indian Tribe, or the Royal Canadian Mounted Police)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1165 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1161 + description: 'Note: This restriction does not apply to exchanges of CJI with + foreign government agencies under international exchange agreements (e.g., + the Preventing and Combating Serious Crime agreements, fugitive extracts, + and exchanges made for humanitarian and criminal investigatory purposes in + particular circumstances).' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1166 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PROTECTION OF INFORMATION AT REST | CRYPTOGRAPHIC PROTECTION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1167 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1166 + description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure + and modification of the following information at rest on information systems + and digital media outside physically secure locations: CJI. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1168 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1084 + name: 'PROCESS ISOLATION ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1169 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1168 + description: 'Maintain a separate execution domain for each executing system + process. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-11: Formal Audits' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Triennial Compliance Audits by the FBI CJIS Division + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1172 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + description: The CJIS Audit Unit (CAU) shall conduct a triennial audit of each + CSA in order to verify compliance with applicable statutes, regulations and + policies. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1173 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + description: 'This audit shall include a sample of CJAs and, in coordination + with the SIB, the NCJAs. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1174 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1171 + description: The FBI CJIS Division shall also have the authority to conduct + unannounced security inspections and scheduled audits of Contractor facilities. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1175 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Triennial Security Audits by the FBI CJIS Division + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1176 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1175 + description: 'This audit shall include a sample of CJAs and NCJAs. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Audits by the CSA + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1178 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 'Each CSA shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1179 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 1. At a minimum, triennially audit all CJAs and NCJAs which have + direct access to the state system in order to ensure compliance with applicable + statutes, regulations and policies. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1180 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 2. 
In coordination with the SIB, establish a process to periodically + audit all NCJAs, with access to CJI, in order to ensure compliance with applicable + statutes, regulations and policies. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1181 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 3. Have the authority to conduct unannounced security inspections + and scheduled audits of Contractor facilities. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1182 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1177 + description: 4. Have the authority, on behalf of another CSA, to conduct a CSP + compliance audit of contractor facilities and provide the results to the requesting + CSA. If a subsequent CSA requests an audit of the same contractor facility, + the CSA may provide the results of the previous audit unless otherwise notified + by the requesting CSA that a new audit be performed. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1170 + name: Special Security Inquiries and Audits + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1184 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: 'All agencies having access to CJI shall permit an inspection team + to conduct an appropriate inquiry and audit of any alleged security violations. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1185 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: "The inspection team shall be appointed by the APB and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1186 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: '...and shall include at least one representative of the CJIS Division. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1187 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1183 + description: All results of the inquiry and audit shall be reported to the APB + with appropriate recommendations. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-12: Personnel Security' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Screening Requirements for Individuals Requiring Unescorted + Access to Unencrypted CJI + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1190 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '1. To verify identification, state of residency and national + fingerprint-based record checks shall be conducted prior to granting access + to CJI for all personnel who have unescorted access to unencrypted CJI or + unescorted access to physically secure locations or controlled areas (during + times of CJI processing). 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1191 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: However, if the person resides in a different state than that of + the assigned agency, the agency shall conduct state (of the agency) and national + fingerprint-based record checks and execute a NLETS CHRI IQ/FQ/AQ query using + purpose code C, E, or J depending on the circumstances. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1192 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'When appropriate, the screening shall be consistent with: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1193 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'a. 5 CFR 731.106; and/or ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1194 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'b. Office of Personnel Management policy, regulations, and guidance; + and/or ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1195 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: c. agency policy, regulations, and guidance. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1196 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '2. All requests for access shall be made as specified by the + CSO. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1197 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: All CSO designees shall be from an authorized criminal justice + agency. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1198 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: "3.\_\_If a record of any kind exists, access to CJI shall not\ + \ be granted until the CSO or his/her designee reviews the matter to determine\ + \ if access is appropriate." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1199 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: a. If a felony conviction of any kind exists, the Interface Agency + shall deny access to CJI. However, the Interface Agency may ask for a review + by the CSO in extenuating circumstances where the severity of the offense + and the time that has passed would support a possible variance. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1200 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 'c. If a record of any kind is found on a contractor, the CGA shall + be formally notified and system access shall be delayed pending review of + the criminal history record information. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1201 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: "c. (cont) The CGA shall in turn notify the contractor\u2019s security\ + \ officer." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1202 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 4. If the person appears to be a fugitive or has an arrest history + without conviction, the CSO or his/her designee shall review the matter to + determine if access to CJI is appropriate. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1203 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '5. 
If the person already has access to CJI and is subsequently + arrested and or convicted, continued access to CJI shall be determined by + the CSO. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1204 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: "6. If the CSO or his/her designee determines that access to CJI\ + \ by the person would not be in the public interest, access shall be denied\ + \ and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1205 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '...and the person''s appointing authority shall be notified in + writing of the access denial.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1206 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: 7. The granting agency shall maintain a list of personnel who have + been authorized unescorted access to unencrypted CJI and... + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1207 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1189 + description: '...and shall, upon request, provide a current copy of the access + list to the CSO.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Termination + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1209 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + description: Upon termination of personnel by an interface agency, the agency + shall immediately terminate access to local agency systems with access to + CJI. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1210 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + description: Furthermore, the interface agency shall provide notification or + other action to ensure access to state and other agency systems is terminated. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1211 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1208 + description: If the employee is an employee of a NCJA or a Contractor, the employer + shall notify all Interface Agencies that may be affected by the personnel + change. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1212 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Transfer + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1213 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1212 + description: The agency shall review CJI access authorizations when personnel + are reassigned or transferred to other positions within the agency and initiate + appropriate actions such as closing and establishing accounts and changing + system access authorizations. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1214 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1188 + name: Personnel Sanctions + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1215 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1214 + description: The agency shall employ a formal sanctions process for personnel + failing to comply with established information security policies and procedures. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-13: Mobile Devices' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: 'Mobile Devices ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1218 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + description: 'The agency shall: ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1219 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + description: (i) establish usage restrictions and implementation guidance for + mobile devices; + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1220 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1217 + description: '(ii) authorize, monitor, control wireless access to the information + system. ' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: 802.11 Wireless Protocols + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1222 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: 'Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) + cryptographic algorithms, used by all pre-80.11i protocols, do not meet the + requirements for FIPS 140-2 and shall not be used. 
' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1223 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: 'Agencies shall implement the following controls for all agency-managed + wireless access points with access to an agency''s network that processes + unencrypted CJI:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1224 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "1.\_Perform validation testing to ensure rogue APs (Access Points)\ + \ do not exist in the 802.11 Wireless Local Area Network (WLAN) and to fully\ + \ understand the wireless network security posture." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1225 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "2.\_Maintain a complete inventory of all Access Points (APs) and\ + \ 802.11 wireless devices." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1226 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "3.\_Place APs in secured areas to prevent unauthorized physical\ + \ access and user manipulation." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1227 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "4.\_Test AP range boundaries to determine the precise extent of\ + \ the wireless coverage and design the AP wireless coverage to limit the coverage\ + \ area to only what is needed for operational purposes." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1228 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "5.\_Enable user authentication and encryption mechanisms for the\ + \ management interface of the AP." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1229 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "6.\_Ensure that all APs have strong administrative passwords and\ + \ ensure that all passwords are changed in accordance with section 5.6.3.1." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1230 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "7.\_Ensure the reset function on APs is used only when needed\ + \ and is only invoked by authorized personnel. Restore the APs to the latest\ + \ security settings, when the reset functions are used, to ensure the factory\ + \ default settings are not utilized." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1231 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "8.\_Change the default service set identifier (SSID) in the APs." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1232 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: Disable the broadcast SSID feature so that the client SSID must + match that of the AP. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1233 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: Validate that the SSID character string does not contain any agency + identifiable information (division, department, street, etc.) or services. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1234 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "9.\_Enable all security features of the wireless product, including\ + \ the cryptographic authentication, firewall, and other privacy features." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1235 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "10.\_Ensure that encryption key sizes are at least 128-bits and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1236 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: '...and the default shared keys are replaced by unique keys.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1237 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "11.\_Ensure that the ad hoc mode has been disabled." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1238 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "12.\_Disable all nonessential management protocols on the APs.\ + \ Disable non-FIPS compliant secure access to the managment interface." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1239 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "13.\_Ensure all management access and authentication occurs via\ + \ FIPS compliant secure protocols (e.g. SFTP, HTTPS, SNMP over TLS, etc.).\ + \ Disable non-FIPS compliant secure access to the managment interface." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1240 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "14.\_Enable logging (if supported) and\u2026" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1241 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: '...and review the logs on a recurring basis per local policy.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1242 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: At a minimum logs shall be reviewed monthly. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1243 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: 15. Insulate, virtually (e.g. virtual local area network (VLAN) + and ACLs) or physically (e.g. firewalls), the wireless network from the operational + wired infrastructure. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1244 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1221 + description: "16.\_When disposing of access points that will no longer be used\ + \ by the agency, clear access point configuration to prevent disclosure of\ + \ network configuration, keys, passwords, etc." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1245 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Cellular Service Abroad + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1246 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1245 + description: When devices are authorized to access CJI outside the U.S., agencies + shall perform an inspection to ensure that all controls are in place and functioning + properly in accordance with the agency's policies prior to and after deployment + outside of the U.S. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1247 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Bluetooth + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1248 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1247 + description: Organizational security policy shall be used to dictate the use + of Bluetooth and its associated devices based on the agency's operational + and business processes. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Mobile Hotspots + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1250 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 'When an agency allows mobile devices that are approved to access + or store CJI to function as a Wi-Fi hotspot connecting to the Internet, they + shall be configured:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1251 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 1. Enable encryption on the hotspot + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1252 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 2. Change the hotspot's default SSID + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1253 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: a. Ensure the hotspot SSID does not identify the device make/model + or agency ownership + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1254 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 3. 
Create a wireless network password (Pre-shared key) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1255 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: "4. Enable the hotspot\u2019s port filtering/blocking features\ + \ if present" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1256 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: 5. Only allow connections from agency controlled devices + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1257 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1249 + description: OR 1. Have a MDM solution to provide the same security as identified + in 1 - 5 above. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Mobile Device Management (MDM) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1259 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: Devices that have had any unauthorized changes made to them (including + but not limited to being rooted or jailbroken) shall not be used to process, + store, or transmit CJI at any time. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1260 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: 'User agencies shall implement the following controls when directly + accessing CJI from devices running limited feature operating system:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1261 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: 1. Ensure that CJI is only transferred between CJI authorized applications + and storage areas of the device. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1262 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: '2. MDM with centralized administration configured and implemented + to perform at least the following controls:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1263 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: a. Remote locking of the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1264 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: b. Remote wiping of the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1265 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: c. Setting and locking device configuration + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1266 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: d. Detection of "rooted" and "jailbroken" devices + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1267 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: e. Enforcement of folder or disk level encryption + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1268 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: f. Application of mandatory policy settings on the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1269 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: g. 
Detection of unauthorized configurations + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1270 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: h. Detection of unauthorized software or applications + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1271 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: i. Ability to determine location of agency controlled devices + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1272 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: j. Prevention of unpatched devices from accessing CJI or CJI systems + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1273 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1258 + description: k. Automatic device wiping after a specified number of failed access + attempts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Wireless Device Risk Mitigations + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1275 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: 'Organizations shall, as a minimum, ensure that wireless devices:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1276 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "1.\_Apply available critical patches and upgrades to the operating\ + \ system as soon as they become available for the device and after necessary\ + \ testing as described in Section 5.10.4.1." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1277 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "2.\_Are configured for local device authentication (see Section\ + \ 5.13.8.1)." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1278 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "3.\_Use advanced authentication or CSO approved compensating controls\ + \ as per Section 5.13.7.2.1." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1279 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "4.\_Encrypt all CJI resident on the device." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1280 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "5.\_Erase cached information, to include authenticators (see Section\ + \ 5.6.2.1) in applications, when session is terminated." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1281 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: "6.\_Employ personal firewalls on full-featured operating system\ + \ devices or run a Mobile Device Management (MDM) system that facilitates\ + \ the ability to provide firewall services from the agency level." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1282 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1274 + description: 7. Employ malicious code protection on full-featured operating + system devices or run a MDM system that facilitates the ability to provide + anti-malware services from the agency level. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1283 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Patching/Updates + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1284 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1283 + description: Agencies shall monitor mobile devices to ensure their patch and + update state is current. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1285 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Malicious Code Protection + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1286 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1285 + description: Agencies that allow smartphones and tablets to access CJI shall + have a process to approve the use of specific software or applications on + the devices. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Personal Firewall + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1288 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: A personal firewall shall be employed on all devices that have + a full-feature operating system (i.e. laptops or tablets with Windows or Linux/Unix + operating systems). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1289 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 'At a minimum, the personal firewall shall perform the following + activities:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1290 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 1. Manage program access to the Internet. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1291 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 2. Block unsolicited requests to connect to the PC. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1292 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 3. Filter Incoming traffic by IP address or protocol. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1293 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 4. Filter Incoming traffic by destination ports. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1294 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1287 + description: 5. Maintain an IP traffic log. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Incident Response + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1296 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: In addition to the requirements in Section 5.3 Incident Response, + agencies shall develop additional or enhanced incident reporting and handling + procedures to address mobile device operating scenarios. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1297 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 'Special reporting procedures for mobile devices shall apply in + any of the following situations:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1298 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: '1. Loss of device control. 
For example:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1299 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: a. Device known to be locked, minimal duration of loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1300 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: b. Device lock state unknown, minimal duration of loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1301 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: c. Device lock state unknown, extended duration of loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1302 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: d. Device known to be unlocked, more than momentary duration of + loss + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1303 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 2. Total loss of device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1304 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 3. Device compromise + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1305 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1295 + description: 4. 
Device loss or compromise outside the United States + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1306 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Access Control + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1307 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1306 + description: Access control (Section 5.5 Access Control) shall be accomplished + by the application that accesses CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1308 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Local Device Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1309 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1308 + description: When mobile devices are authorized for use in accessing CJI, local + device authentication shall be used to unlock the device for use. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1310 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1308 + description: The authenticator used shall meet the requirements in section 5.6.2.1 + Standard Authenticators. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1311 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Advanced Authentication + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1312 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1311 + description: When accessing CJI from an authorized mobile device, advanced authentication + shall be used by the authorized user unless the access to CJI is indirect + as described in Section 5.6.2.2.1. If access in indirect, then AA is not required. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Compensating Controls + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1314 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Before CSOs consider approval of compensating controls, Mobile + Device Management (MDM) shall be implemented per Section 5.13.2. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1315 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 'The compensating controls shall:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1316 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 1. Meet the intent of the CJIS Security Policy AA requirement + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1317 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 2. Provide a similar level of protection or security as the original + AA requirement + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1318 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 3. Not rely upon the existing requirements for AA as compensating + controls + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1319 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: 4. Expire upon the CSO approved date or when a compliant AA solution + is implemented. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1320 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: "The following minimum controls shall be implemented as a part\ + \ of the CSO approved compensating controls:\_" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1321 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Possession and registration of an agency-issued smartphone or tablet + as an indication it is the authorized user + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1322 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Use of device certificates as per Section 5.13.7.3 Device Certificates + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1323 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1313 + description: Implemented CJIS Security Policy compliant standard authenticator + protection on the secure location where CJI is stored + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1216 + name: Device Certificates + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1325 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 'When certificates or cryptographic keys used to authenticate a + mobile device are used in lieu of compensating controls for advanced authentication, + they shall be:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1326 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 1. 
Protected against being extracted from the device + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1327 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 2. Configured for remote wipe on demand or self-deletion based + on a number of unsuccessful login or access attempts + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1328 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1324 + description: 3. Configured to use a secure authenticator (i.e. password, PIN) + to unlock the key for use + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1329 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-14: System and Services Acquisition (SA)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1330 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1329 + name: UNSUPPORTED SYSTEM COMPONENTS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1331 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1330 + description: "a.\_\_\_\_ Replace system components when support for the components\ + \ is no longer available from the developer, vendor, or manufacturer; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1332 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1330 + description: "b.\_\_\_\_\_ Provide the following option for alternative sources\ + \ for continued support for unsupported components: original manufacturer\ + \ support, or original contracted vendor support." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-15: System and Information Integrity (SI)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1335 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to all organizational\ + \ personnel with system and information integrity responsibilities and information\ + \ system owners:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1336 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "1.\_\_\_\_\_ Agency-level system and information integrity policy\ + \ that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1337 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1338 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1339 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ system and information integrity policy and the associated system and information\ + \ integrity controls;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1340 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "b.\_\_\_\_\_ Designate organizational personnel with system and\ + \ information integrity responsibilities to manage the development, documentation,\ + \ and dissemination of the system and information integrity policy and procedures;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1341 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "c.\_\_\_\_\_\_ Review and update the current system and information\ + \ integrity:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1342 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1343 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1334 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: FLAW REMEDIATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1345 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "a.\_\_\_\_\_ Identify, report, and correct system flaws;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1346 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "b.\_\_\_\_\_ Test software and firmware updates related to flaw\ + \ remediation for effectiveness and potential side effects before installation;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1347 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "c.\_\_\_\_\_\_ Install security-relevant software and firmware\ + \ updates within the number of days listed after the release of the updates; " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1348 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ Critical \u2013 15 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1349 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ High \u2013 30 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1350 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ Medium \u2013 60 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1351 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "\u2022\_\_\_\_\_\_\_ Low \u2013 90 days; and" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1352 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1344 + description: "d.\_\_\_\_\_ Incorporate flaw remediation into the organizational\ + \ configuration management process." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1353 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1354 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1353 + description: Determine if system components have applicable security-relevant + software and firmware updates installed using vulnerability scanning tools + as least quarterly or following any security incidents involving CJI or systems + used to process, store, or transmit CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: MALICIOUS CODE PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1356 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "a.\_\_\_\_\_ Implement signature-based malicious code protection\ + \ mechanisms at system entry and exit points to detect and eradicate malicious\ + \ code;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1357 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "b.\_\_\_\_\_ Automatically update malicious code protection mechanisms\ + \ as new releases are available in accordance with organizational configuration\ + \ management policy and procedures;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1358 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "c.\_\_\_\_\_\_ Configure malicious code protection mechanisms\ + \ to:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1359 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "1.\_\_\_\_\_ Perform periodic scans of the system at least daily\ + \ and real-time scans of files from external sources at network entry and\ + \ exit points and on all servers and endpoint devices as the files are downloaded,\ + \ opened, or executed in accordance with organizational policy; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1360 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "2.\_\_\_\_\_ Block or quarantine malicious code, take mitigating\ + \ action(s), and when necessary, implement incident response procedures; and\ + \ send alert to system/network administrators and/or organizational personnel\ + \ with information security responsibilities in response to malicious code\ + \ detection; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1361 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1355 + description: "d.\_\_\_\_\_ Address the receipt of false positives during malicious\ + \ code detection and eradication and the resulting potential impact on the\ + \ availability of the system." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SYSTEM MONITORING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1363 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "a.\_\_\_\_\_ Monitor the system to detect:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1364 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "1.\_\_\_\_\_ Attacks and indicators of potential attacks in accordance\ + \ with the following monitoring objectives: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1365 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "a.\_\_\_\_ Intrusion detection and prevention" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1366 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "b.\_\_\_\_ Malicious code protection" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1367 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "c.\_\_\_\_\_ Vulnerability scanning" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1368 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "d.\_\_\_\_ Audit record monitoring" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1369 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "e.\_\_\_\_\_ Network monitoring" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1370 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "f.\_\_\_\_\_ Firewall monitoring;" + - 
urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1371 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "2.\_\_\_\_\_ Unauthorized local, network, and remote connections;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1372 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "b.\_\_\_\_\_ Identify unauthorized use of the system through the\ + \ following techniques and methods: event logging (ref. 5.4 Audit and Accountability);" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1373 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "c.\_\_\_\_\_\_ Invoke internal monitoring capabilities or deploy\ + \ monitoring devices:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1374 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "1.\_\_\_\_\_ Strategically within the system to collect organization-determined\ + \ essential information; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1375 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "2.\_\_\_\_\_ At ad hoc locations within the system to track specific\ + \ types of transactions of interest to the organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1376 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "d.\_\_\_\_\_ Analyze detected events and anomalies;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1377 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "e.\_\_\_\_\_ Adjust the level of system monitoring activity when\ + \ there is a change in risk to organizational operations and assets, individuals,\ + \ 
other organizations, or the Nation;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1378 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "f.\_\_\_\_\_\_ Obtain legal opinion regarding system monitoring\ + \ activities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1379 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1362 + description: "g.\_\_\_\_\_ Provide intrusion detection and prevention systems,\ + \ malicious code protection software, scanning tools, audit record monitoring\ + \ software, network monitoring, and firewall monitoring software logs to organizational\ + \ personnel with information security responsibilities weekly." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1380 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ SYSTEM MONITORING | AUTOMATED TOOLS AND MECHANISMS FOR REAL-TIME\ + \ ANALYSIS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1381 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1380 + description: Employ automated tools and mechanisms to support near-real-time + analysis of events. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1382 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(4)\_\_\_ SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1383 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1382 + description: "a.\_\_\_\_ Determine criteria for unusual or unauthorized activities\ + \ or conditions for inbound and outbound communications traffic;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1384 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1382 + description: "b.\_\_\_\_ Monitor inbound and outbound communications traffic\ + \ continuously for unusual or unauthorized activities or conditions such as:\ + \ the presence of malicious code or unauthorized use of legitimate code or\ + \ credentials within organizational systems or propagating among system components,\ + \ signaling to external systems, and the unauthorized exporting of information." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1385 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(5)\_\_\_ SYSTEM MONITORING | SYSTEM-GENERATED ALERTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1386 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1385 + description: 'Alert organizational personnel with system monitoring responsibilities + when the following system-generated indications of compromise or potential + compromise occur: inappropriate or unusual activities with security or privacy + implications.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SECURITY ALERTS, ADVISORIES, AND DIRECTIVES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1388 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "a.\_\_\_\_\_ Receive system security alerts, advisories, and directives\ + \ from external source(s) (e.g., CISA, Multi-State Information Sharing & Analysis\ + \ Center [MS-ISAC], U.S. Computer Emergency Readiness Team [USCERT], hardware/software\ + \ providers, federal/state advisories, etc.) on an ongoing basis;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1389 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "b.\_\_\_\_\_ Generate internal security alerts, advisories, and\ + \ directives as deemed necessary;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1390 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "c.\_\_\_\_\_Issue security alerts, advisories, and directives\ + \ to: organizational personnel implementing, operating, maintaining, and using\ + \ the system; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1391 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1387 + description: "d.\_\_\_\_\_ Implement security directives in accordance with\ + \ established time frames, or notify the issuing organization of the degree\ + \ of noncompliance." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1392 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1393 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1392 + description: "a.\_\_\_\_\_ Employ integrity verification tools to detect unauthorized\ + \ changes to software, firmware, and information systems that contain or process\ + \ CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1394 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1392 + description: "b.\_\_\_\_\_ Take the following actions when unauthorized changes\ + \ to the software, firmware, and information are detected: notify organizational\ + \ personnel responsible for software, firmware, and/or information integrity\ + \ and implement incident response procedures as appropriate." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1395 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(1)\_\_\_ SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1396 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1395 + description: Perform an integrity check of software, firmware, and information + systems that contain or process CJI at agency-defined transitional states + or security relevant events at least weekly or in an automated fashion. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1397 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(7)\_\_\_ SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION\ + \ OF DETECTION AND RESPONSE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1398 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1397 + description: 'Incorporate the detection of the following unauthorized changes + into the organizational incident response capability: unauthorized changes + to established configuration setting or the unauthorized elevation of system + privileges.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1399 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: SPAM PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1400 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1399 + description: "a.\_\_\_\_\_ Employ spam protection mechanisms at system entry\ + \ points to detect and act on unsolicited messages; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1401 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1399 + description: "b.\_\_\_\_\_ Update spam protection mechanisms when new releases\ + \ are available in accordance with organizational configuration management\ + \ policy and procedures." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1402 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ SPAM PROTECTION | AUTOMATIC UPDATES" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1403 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1402 + description: Automatically update spam protection mechanisms at least daily. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1404 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: INFORMATION INPUT VALIDATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1405 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1404 + description: 'Check the validity of the following information inputs: all inputs + to web/application servers, database servers, and any system or application + input that might receive or process CJI.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1406 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: ERROR HANDLING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1407 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1406 + description: "a.\_\_\_\_\_ Generate error messages that provide information\ + \ necessary for corrective actions without revealing information that could\ + \ be exploited; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1408 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1406 + description: "b.\_\_\_\_\_ Reveal error messages only to organizational personnel\ + \ with information security responsibilities." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1409 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: INFORMATION MANAGEMENT AND RETENTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1410 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1409 + description: Manage and retain information within the system and information + output from the system in accordance with applicable laws, executive orders, + directives, regulations, policies, standards, guidelines and operational requirements. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1411 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(1)\_\_\_ INFORMATION MANAGEMENT AND RETENTION | LIMIT PERSONALLY IDENTIFIABLE\ + \ INFORMATION ELEMENTS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1412 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1411 + description: Limit personally identifiable information being processed in the + information life cycle to the minimum PII necessary to achieve the purpose + for which it is collected (see Section 4.3). + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1413 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(2)\_\_\_ INFORMATION MANAGEMENT AND RETENTION | MINIMIZE PERSONALLY\ + \ IDENTIFIABLE INFORMATION IN TESTING, TRAINING, AND RESEARCH" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1414 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1413 + description: 'Use the following techniques to minimize the use of personally + identifiable information for research, testing, or training: data obfuscation, + randomization, anonymization, or use of synthetic data.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1415 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: "(3)\_\_\_ INFORMATION MANAGEMENT AND RETENTION | INFORMATION DISPOSAL" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1416 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1415 + description: 'Use the following techniques to dispose of, destroy, or erase + information following the retention period: as defined in MP-6.' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1417 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1333 + name: MEMORY PROTECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1418 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1417 + description: 'Implement the following controls to protect the system memory + from unauthorized code execution: data execution prevention and address space + layout randomization.' 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + assessable: false + depth: 1 + name: 'CJIS Security Policy Section 5-16: Maintenance (MA)' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1421 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with system maintenance responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1422 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "1.\_\_\_\_\_ Agency-level maintenance policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1423 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1424 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1425 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ maintenance policy and the associated maintenance controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1426 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + 
description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security and privacy responsibilities to manage the development, documentation,\ + \ and dissemination of the maintenance policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1427 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "c.\_\_\_\_\_\_ Review and update the current maintenance:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1428 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1429 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1420 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: CONTROLLED MAINTENANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1431 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "a.\_\_\_\_\_ Schedule, document, and review records of maintenance,\ + \ repair, and replacement on system components in accordance with manufacturer\ + \ or vendor specifications and/or organizational requirements;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1432 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "b.\_\_\_\_\_ Approve and monitor all maintenance activities, whether\ + \ performed on site or remotely and whether the system or system components\ + \ are serviced on site or removed to another location;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1433 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "c.\_\_\_\_\_\_ Require that organizational personnel with information\ + \ security and privacy responsibilities explicitly approve the removal of\ + \ the system or system components from organizational facilities for off-site\ + \ maintenance, repair, or replacement;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1434 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "d.\_\_\_\_\_ Sanitize equipment to remove information from associated\ + \ media prior to removal from organizational facilities for off-site maintenance,\ + \ repair, replacement, or destruction;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1435 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "e.\_\_\_\_\_ Check all 
potentially impacted controls to verify\ + \ that the controls are still functioning properly following maintenance,\ + \ repair, or replacement actions; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1436 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "f.\_\_\_\_\_\_ Include the following information in organizational\ + \ maintenance records: " + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1437 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "1.\_\_\_\_\_ Component name" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1438 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "2.\_\_\_\_\_ Component serial number" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1439 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "3.\_\_\_\_\_ Date/time of maintenance" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1440 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "4.\_\_\_\_\_ Maintenance performed" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1441 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1430 + description: "5.\_\_\_\_\_ Name(s) of entity performing maintenance including\ + \ escort if required." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1442 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: MAINTENANCE TOOLS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1443 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1442 + description: "a.\_\_\_\_\_ Approve, control, and monitor the use of system maintenance\ + \ tools; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1444 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1442 + description: "b.\_\_\_\_\_ Review previously approved system maintenance tools\ + \ prior to each use." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1445 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: (1) MAINTENANCE TOOLS | INSPECT TOOLS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1446 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1445 + description: Inspect the maintenance tools used by maintenance personnel for + improper or unauthorized modifications. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1447 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: (2) MAINTENANCE TOOLS | INSPECT MEDIA + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1448 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1447 + description: Check media containing diagnostic and test programs for malicious + code before the media are used in the system. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: (3) MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1450 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: 'Prevent the removal of maintenance equipment containing organizational + information by:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1451 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(a)\_\_\_ Verifying that there is no organizational information\ + \ contained on the equipment;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1452 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(b)\_\_\_ Sanitizing or destroying the equipment;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1453 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(c)\_\_\_\_ Retaining the equipment within the facility; or" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1454 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1449 + description: "(d)\_\_\_ Obtaining an exemption from organizational personnel\ + \ with system maintenance responsibilities explicitly authorizing removal\ + \ of the equipment from the facility." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: NONLOCAL MAINTENANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1456 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "a.\_\_\_\_\_ Approve and monitor nonlocal maintenance and diagnostic\ + \ activities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1457 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "b.\_\_\_\_\_ Allow the use of nonlocal maintenance and diagnostic\ + \ tools only as consistent with organizational policy and documented in the\ + \ security plan for the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1458 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "c.\_\_\_\_\_\_ Employ strong authentication in the establishment\ + \ of nonlocal maintenance and diagnostic sessions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1459 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "d.\_\_\_\_\_ Maintain records for nonlocal maintenance and diagnostic\ + \ activities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1460 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1455 + description: "e.\_\_\_\_\_ Terminate session and network connections when nonlocal\ + \ maintenance is completed." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: MAINTENANCE PERSONNEL + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1462 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + description: "a.\_\_\_\_\_ Establish a process for maintenance personnel authorization\ + \ and maintain a list of authorized maintenance organizations or personnel;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1463 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + description: "b.\_\_\_\_\_ Verify that non-escorted personnel performing maintenance\ + \ on the system possess the required access authorizations; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1464 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1461 + description: "c.\_\_\_\_\_\_ Designate organizational personnel with required\ + \ access authorizations and technical competence to supervise the maintenance\ + \ activities of personnel who do not possess the required access authorizations." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1465 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1419 + name: TIMELY MAINTENANCE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1466 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1465 + description: Obtain maintenance support and/or spare parts for critical system + components that process, store, and transmit CJI within agency-defined recovery + time and recovery point objectives of failure. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + assessable: false + depth: 1 + name: CJIS Security Policy Area 5-17 - Planning (PL) + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1469 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with planning responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1470 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "1.\_\_\_\_\_ Agency-level planning policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1471 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1472 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1473 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ planning policy and the associated planning controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1474 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "b.\_\_\_\_\_ 
Designate organizational personnel with information\ + \ security and privacy responsibilities to manage the development, documentation,\ + \ and dissemination of the planning policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1475 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "c.\_\_\_\_\_\_ Review and update the current planning:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1476 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "1.\_\_\_\_\_ Policy annually and following; any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1477 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1468 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: SYSTEM SECURITY AND PRIVACY PLANS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1479 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "a.\_\_\_\_\_ Develop security and privacy plans for the system\ + \ that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1480 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "1.\_\_\_\_\_ Are consistent with the organization\u2019s enterprise\ + \ architecture;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1481 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "2.\_\_\_\_\_ Explicitly define the constituent system components;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1482 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "3.\_\_\_\_\_ Describe the operational context of the system in\ + \ terms of mission and business processes;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1483 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "4.\_\_\_\_\_ Identify the individuals that fulfill system roles\ + \ and responsibilities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1484 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "5.\_\_\_\_\_ Identify the information types processed, stored,\ + \ and transmitted by the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1485 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "6.\_\_\_\_\_ Provide the 
security categorization of the system,\ + \ including supporting rationale;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1486 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "7.\_\_\_\_\_ Describe any specific threats to the system that\ + \ are of concern to the organization;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1487 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "8.\_\_\_\_\_ Provide the results of a privacy risk assessment\ + \ for systems processing personally identifiable information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1488 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "9.\_\_\_\_\_ Describe the operational environment for the system\ + \ and any dependencies on or connections to other systems or system components;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1489 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "10.\_\_ Provide an overview of the security and privacy requirements\ + \ for the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1490 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "11.\_\_ Identify any relevant control baselines or overlays, if\ + \ applicable;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1491 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "12.\_\_ Describe the controls in place or planned for meeting\ + \ the security and privacy requirements, including a rationale for any tailoring\ + \ decisions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1492 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "13.\_\_ Include risk determinations for security and privacy architecture\ + \ and design decisions;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1493 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "14.\_\_ Include security- and privacy-related activities affecting\ + \ the system that require planning and coordination with organizational personnel\ + \ with system security and privacy planning and plan implementation responsibilities;\ + \ system developers; organizational personnel with information security and\ + \ privacy responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1494 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "15.\_\_ Are reviewed and approved by the authorizing official\ + \ or designated representative prior to plan implementation." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1495 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "b.\_\_\_\_\_ Distribute copies of the plans and communicate subsequent\ + \ changes to the plans to organizational personnel with system security and\ + \ privacy planning and plan implementation responsibilities; system developers;\ + \ organizational personnel with information security and privacy responsibilities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1496 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "c.\_\_\_\_\_ Review the system security and privacy plans at least\ + \ annually or when required due to system changes or modifications;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1497 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "d.\_\_\_\_\_ Update the plans to address changes to the system\ + \ and environment of operation or problems identified during plan implementation\ + \ or control assessments; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1498 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1478 + description: "e.\_\_\_\_\_ Protect the plans from unauthorized disclosure and\ + \ modification." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: RULES OF BEHAVIOR + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1500 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "a.\_\_\_\_\_ Establish and provide to individuals requiring access\ + \ to the system, the rules that describe their responsibilities and expected\ + \ behavior for information and system usage, security, and privacy;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1501 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "b.\_\_\_\_\_ Receive a documented acknowledgment from such individuals,\ + \ indicating that they have read, understand, and agree to abide by the rules\ + \ of behavior, before authorizing access to information and the system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1502 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "c.\_\_\_\_\_\_ Review and update the rules of behavior at least\ + \ annually; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1503 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1499 + description: "d.\_\_\_\_\_ Require individuals who have acknowledged a previous\ + \ version of the rules of behavior to read and re-acknowledge annually, or\ + \ when the rules are revised or updated. 
" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: "(1)\_\_\_ RULES OF BEHAVIOR | SOCIAL MEDIA AND EXTERNAL SITE/APPLICATION\ + \ USAGE RESTRICTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1505 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: 'Include in the rules of behavior, restrictions on:' + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1506 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: "(a)\_\_\_ Use of social media, social networking sites, and external\ + \ sites/applications;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1507 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: "(b)\_\_\_ Posting organizational information on public websites;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1508 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1504 + description: "(c)\_\_\_\_ Use of organization-provided identifiers (e.g., email\ + \ addresses) and authentication secrets (e.g., passwords) for creating accounts\ + \ on external sites/applications." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: SECURITY AND PRIVACY ARCHITECTURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1510 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "a.\_\_\_\_\_ Develop security and privacy architectures for the\ + \ system that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1511 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "1.\_\_\_\_\_ Describe the requirements and approach to be taken\ + \ for protecting the confidentiality, integrity, and availability of organizational\ + \ information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1512 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "2.\_\_\_\_\_ Describe the requirements and approach to be taken\ + \ for processing personally identifiable information to minimize privacy risk\ + \ to individuals;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1513 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "3.\_\_\_\_\_ Describe how the architectures are integrated into\ + \ and support the enterprise architecture; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1514 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "4.\_\_\_\_\_ Describe any assumptions about, and dependencies\ + \ on, external systems and services;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1515 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "b.\_\_\_\_\_ Review and update the architectures at least annually\ + \ or when changes to the 
system or its environment occur to reflect changes\ + \ in the enterprise architecture; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1516 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1509 + description: "c.\_\_\_\_\_\_ Reflect planned architecture changes in security\ + \ and privacy plans, Concept of Operations (CONOPS), criticality analysis,\ + \ organizational procedures, and procurements and acquisitions." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1517 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: CENTRAL MANAGEMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1518 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1517 + description: The CJISSECPOL is centrally managed by the FBI CJIS ISO. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1519 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: BASELINE SELECTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1520 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1519 + description: Select a control baseline for the system. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1521 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1467 + name: BASELINE TAILORING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1522 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1521 + description: Tailor the selected control baseline by applying specified tailoring + actions. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + assessable: false + depth: 1 + name: CJIS Security Policy Area 5-18 - Contingency Planning + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1525 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with contingency planning responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1526 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "1.\_\_\_\_\_ Agency-level contingency planning policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1527 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1528 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1529 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ contingency planning policy and the associated contingency planning controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1530 + assessable: true + depth: 3 + parent_urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "b.\_\_\_\_\_ Designate organizational personnel with information\ + \ security responsibilities to manage the development, documentation, and\ + \ dissemination of the contingency planning policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1531 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "c.\_\_\_\_\_\_ Review and update the current contingency planning:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1532 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI, or training simulations or exercises; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1533 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1524 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI, or training simulations or exercises." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: CONTINGENCY PLAN + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1535 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "a.\_\_\_\_\_ Develop a contingency plan for the system that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1536 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "1.\_\_\_\_\_ Identifies essential mission and business functions\ + \ and associated contingency requirements;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1537 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "2.\_\_\_\_\_ Provides recovery objectives, restoration priorities,\ + \ and metrics;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1538 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "3.\_\_\_\_\_ Addresses contingency roles, responsibilities, assigned\ + \ individuals with contact information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1539 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "4.\_\_\_\_\_ Addresses maintaining essential mission and business\ + \ functions despite a system disruption, compromise, or failure;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1540 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "5.\_\_\_\_\_ Addresses eventual, full system restoration without\ + \ deterioration of the controls originally planned and implemented;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1541 + assessable: true + depth: 3 + 
parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "6.\_\_\_\_\_ Addresses the sharing of contingency information;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1542 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "7.\_\_\_\_\_ Is reviewed and approved by agency head or their\ + \ designee;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1543 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "b.\_\_\_\_\_ Distribute copies of the contingency plan to organizational\ + \ personnel with contingency planning or incident response duties;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1544 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "c.\_\_\_\_\_\_ Coordinate contingency planning activities with\ + \ incident handling activities;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1545 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "d.\_\_\_\_\_ Review the contingency plan for the system annually;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1546 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "e.\_\_\_\_\_ Update the contingency plan to address changes to\ + \ the organization, system, or environment of operation and problems encountered\ + \ during contingency plan implementation, execution, or testing;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1547 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "f.\_\_\_\_\_\_ Communicate contingency plan changes to organizational\ + \ personnel with contingency planning or incident response duties;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1548 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "g.\_\_\_\_\_ Incorporate lessons learned from contingency plan\ + \ testing, training, or actual contingency activities into contingency testing\ + \ and training; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1549 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1534 + description: "h.\_\_\_\_\_ Protect the contingency plan from unauthorized disclosure\ + \ and modification." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1550 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1551 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1550 + description: Coordinate contingency plan development with organizational elements + responsible for related plans. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1552 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(3)\_\_\_ CONTINGENCY PLAN | RESUME MISSION AND BUSINESS FUNCTIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1553 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1552 + description: Plan for the resumption of essential mission and business functions + within twenty-four (24) hours of contingency plan activation. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1554 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(8)\_\_\_ CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1555 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1554 + description: Identify critical system assets supporting essential mission and + business functions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: CONTINGENCY TRAINING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1557 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "a.\_\_\_\_\_ Provide contingency training to system users consistent\ + \ with assigned roles and responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1558 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "1.\_\_\_\_\_ Within thirty (30) days of assuming a contingency\ + \ role or responsibility;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1559 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "2.\_\_\_\_\_ When required by system changes; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1560 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "3.\_\_\_\_\_ Annually thereafter; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1561 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1556 + description: "b.\_\_\_\_\_ Review and update contingency training content annually\ + \ and following any security incidents involving unauthorized 
access to CJI\ + \ or systems used to process, store, or transmit CJI, or training simulations\ + \ or exercises." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: CONTINGENCY PLAN TESTING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1563 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + description: "a.\_\_\_\_\_ Test the contingency plan for the system annually\ + \ using the following tests to determine the effectiveness of the plan and\ + \ the readiness to execute the plan: checklists, walk-through and tabletop\ + \ exercises, simulations (parallel or full interrupt), or comprehensive exercises." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1564 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + description: "b.\_\_\_\_\_ Review the contingency plan test results; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1565 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1562 + description: "c.\_\_\_\_\_\_ Initiate corrective actions, if needed." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1566 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1567 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1566 + description: Coordinate contingency plan testing with organizational elements + responsible for related plans. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1568 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: ALTERNATE STORAGE SITE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1569 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1568 + description: "a.\_\_\_\_\_ Establish an alternate storage site, including necessary\ + \ agreements to permit the storage and retrieval of system backup information;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1570 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1568 + description: "b.\_\_\_\_\_ Ensure that the alternate storage site provides controls\ + \ equivalent to that of the primary site." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1571 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1572 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1571 + description: Identify an alternate storage site that is sufficiently separated + from the primary storage site to reduce susceptibility to the same threats. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1573 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(3)\_\_\_ ALTERNATE STORAGE SITE | ACCESSIBILITY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1574 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1573 + description: Identify potential accessibility problems to the alternate storage + site in the event of an area-wide disruption or disaster and outline explicit + mitigation actions. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: ALTERNATE PROCESSING SITE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1576 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + description: "a.\_\_\_\_\_ Establish an alternate processing site, including\ + \ necessary agreements to permit the transfer and resumption of operations\ + \ for essential mission and business functions within the time period defined\ + \ in the system contingency plan(s) when the primary processing capabilities\ + \ are unavailable;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1577 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + description: "b.\_\_\_\_\_ Make available at the alternate processing site,\ + \ the equipment and supplies required to transfer and resume operations or\ + \ put contracts in place to support delivery to the site within the organization-defined\ + \ time period for transfer and resumption; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1578 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1575 + description: "c.\_\_\_\_\_\_ Provide controls at the alternate processing site\ + \ that are equivalent to those at the primary site." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1579 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1580 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1579 + description: Identify an alternate processing site that is sufficiently separated + from the primary processing site to reduce susceptibility to the same threats. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1581 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(2)\_\_\_ ALTERNATE PROCESSING SITE | ACCESSIBILITY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1582 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1581 + description: Identify potential accessibility problems to alternate processing + sites in the event of an area-wide disruption or disaster and outlines explicit + mitigation actions. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1583 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(3)\_\_\_ ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1584 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1583 + description: Develop alternate processing site agreements that contain priority-of-service + provisions in accordance with availability requirements (including recovery + time objectives). 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1585 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: TELECOMMUNICATIONS SERVICES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1586 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1585 + description: Establish alternate telecommunications services, including necessary + agreements to permit the resumption of system operations for essential mission + and business functions within the time period as defined in the system contingency + plan(s) when the primary telecommunications capabilities are unavailable at + either the primary or alternate processing or storage sites. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1587 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1588 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1587 + description: "(a)\_\_\_ Develop primary and alternate telecommunications service\ + \ agreements that contain priority-of-service provisions in accordance with\ + \ availability requirements (including recovery time objectives); and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1589 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1587 + description: "(b)\_\_\_ Request Telecommunications Service Priority for all\ + \ telecommunications services used for national security emergency preparedness\ + \ if the primary and/or alternate telecommunications services are provided\ + \ by a common carrier." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1590 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(2)\_\_\_ TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1591 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1590 + description: Obtain alternate telecommunications services to reduce the likelihood + of sharing a single point of failure with primary telecommunications services. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: SYSTEM BACKUP + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1593 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "a.\_\_\_\_\_ Conduct backups of user-level information contained\ + \ in operational systems for essential business functions as required by the\ + \ contingency plans;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1594 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "b.\_\_\_\_\_ Conduct backups of system-level information contained\ + \ in the system as required by the contingency plans;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1595 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "c.\_\_\_\_\_\_ Conduct backups of system documentation, including\ + \ security- and privacy-related documentation as required by the contingency\ + \ plans; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1596 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1592 + description: "d.\_\_\_\_\_ Protect the confidentiality, integrity, and availability\ + \ of backup 
information." + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1597 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(1)\_\_\_ SYSTEM BACKUP | TESTING FOR RELIABILITY AND INTEGRITY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1598 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1597 + description: Test backup information as required by the contingency plans to + verify media reliability and information integrity. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1599 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(8)\_\_\_ SYSTEM BACKUP | CRYPTOGRAPHIC PROTECTION" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1600 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1599 + description: Implement cryptographic mechanisms to prevent unauthorized disclosure + and modification of CJI. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1601 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: SYSTEM RECOVERY AND RECONSTITUTION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1602 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1601 + description: Provide for the recovery and reconstitution of the system to a + known state within the timeframe as required by the contingency plans after + a disruption, compromise, or failure. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1603 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1523 + name: "(2)\_\_\_ SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1604 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1603 + description: Implement transaction recovery for systems that are transaction-based. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + assessable: false + depth: 1 + name: CJIS Security Policy Area 5-19 - Risk Assessment + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: POLICY AND PROCEDURES + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1607 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "a.\_\_\_\_\_ Develop, document, and disseminate to organizational\ + \ personnel with risk assessment responsibilities:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1608 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "1.\_\_\_\_\_ Agency Level risk assessment policy that:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1609 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "(a)\_\_\_ Addresses purpose, scope, roles, responsibilities, management\ + \ commitment, coordination among organizational entities, and compliance;\ + \ and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1610 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "(b)\_\_\_ Is consistent with applicable laws, executive orders,\ + \ directives, regulations, policies, standards, and 
guidelines; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1611 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "2.\_\_\_\_\_ Procedures to facilitate the implementation of the\ + \ risk assessment policy and the associated risk assessment controls;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1612 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "b.\_\_\_\_\_ Designate organizational personnel with security\ + \ and privacy responsibilities to manage the development, documentation, and\ + \ dissemination of the risk assessment policy and procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1613 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "c.\_\_\_\_\_\_ Review and update the current risk assessment:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1614 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "1.\_\_\_\_\_ Policy annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1615 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1606 + description: "2.\_\_\_\_\_ Procedures annually and following any security incidents\ + \ involving unauthorized access to CJI or systems used to process, store,\ + \ or transmit CJI." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: SECURITY CATEGORIZATION + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1617 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + description: "a.\_\_\_\_\_ Categorize the system and information it processes,\ + \ stores, and transmits;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1618 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + description: "b.\_\_\_\_\_ Document the security categorization results, including\ + \ supporting rationale, in the security plan for the system; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1619 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1616 + description: "c.\_\_\_\_\_\_ Verify that the authorizing official or authorizing\ + \ official designated representative reviews and approves the security categorization\ + \ decision." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: RISK ASSESSMENT + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1621 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "a.\_\_\_\_\_ Conduct a risk assessment, including:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1622 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "1.\_\_\_\_\_ Identifying threats to and vulnerabilities in the\ + \ system;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1623 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "2.\_\_\_\_\_ Determining the likelihood and magnitude of harm\ + \ from unauthorized access, use, disclosure, disruption, modification, or\ + \ destruction of the system, the information it processes, stores, or transmits,\ + \ and any related information; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1624 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "3.\_\_\_\_\_ Determining the likelihood and impact of adverse\ + \ effects on individuals arising from the processing of personally identifiable\ + \ information;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1625 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "b.\_\_\_\_\_ Integrate risk assessment results and risk management\ + \ decisions from the organization and mission or business process perspectives\ + \ with system-level risk assessments;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1626 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: 
"c.\_\_\_\_\_\_ Document risk assessment results in risk assessment\ + \ report;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1627 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "d.\_\_\_\_\_ Review risk assessment results at least quarterly;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1628 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "e.\_\_\_\_\_ Disseminate risk assessment results to organizational\ + \ personnel with risk assessment responsibilities and organizational personnel\ + \ with security and privacy responsibilities; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1629 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1620 + description: "f.\_\_\_\_\_\_ Update the risk assessment at least quarterly or\ + \ when there are significant changes to the system, its environment of operation,\ + \ or other conditions that may impact the security or privacy state of the\ + \ system." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: VULNERABILITY MONITORING AND SCANNING + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1631 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "a.\_\_\_\_\_ Monitor and scan for vulnerabilities in the system\ + \ and hosted applications at least monthly and when new vulnerabilities potentially\ + \ affecting the system are identified and reported;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1632 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "b.\_\_\_\_\_ Employ vulnerability monitoring tools and techniques\ + \ that facilitate interoperability among tools and automate parts of the vulnerability\ + \ management process by using standards for:" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1633 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "1.\_\_\_\_\_ Enumerating platforms, software flaws, and improper\ + \ configurations;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1634 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "2.\_\_\_\_\_ Formatting checklists and test procedures; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1635 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "3.\_\_\_\_\_ Measuring vulnerability impact;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1636 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "c.\_\_\_\_\_\_ Analyze vulnerability scan reports and results\ + \ from vulnerability monitoring;" + - urn: 
urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1637 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "d.\_\_\_\_\_ Remediate legitimate vulnerabilities within the number\ + \ of days listed;" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1638 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ Critical\u201315 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1639 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ High\u201330 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1640 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ Medium\u201360 days" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1641 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "\u2022\_\_\_ Low\u201390 days; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1642 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "e.\_\_\_\_\_ Share information obtained from the vulnerability\ + \ monitoring process and control assessments with organizational personnel\ + \ with risk assessment, control assessment, and vulnerability scanning responsibilities\ + \ to help eliminate similar vulnerabilities in other systems; and" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1643 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1630 + description: "f.\_\_\_\_\_\_ Employ vulnerability monitoring tools that include\ + \ the capability to readily update the vulnerabilities to be scanned." 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1644 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: "(2)\_\_\_ VULNERABILITY MONITORING AND SCANNING | UPDATE VULNERABILITIES\ + \ TO BE SCANNED" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1645 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1644 + description: Update the system vulnerabilities to be scanned within 24 hours + prior to running a new scan or when new vulnerabilities are identified and + reported. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1646 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: "(5)\_\_\_ VULNERABILITY MONITORING AND SCANNING | PRIVILEGED ACCESS" + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1647 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1646 + description: Implement privileged access authorization to information system + components containing or processing CJI for vulnerability scanning activities + requiring privileged access. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1648 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: (11) VULNERABILITY MONITORING AND SCANNING | PUBLIC DISCLOSURE PROGRAM + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1649 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1648 + description: Establish a public reporting channel for receiving reports of vulnerabilities + in organizational systems and system components. 
+ - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1650 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: RISK RESPONSE + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1651 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1650 + description: Respond to findings from security and privacy assessments, monitoring, + and audits in accordance with organizational risk tolerance. + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1652 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1605 + name: CRITICALITY ANALYSIS + - urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1653 + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:cjis-policy-5.9.4:node1652 + description: Identify critical system components and functions by performing + a criticality analysis for information system components containing or processing + CJI at the planning, design, development, testing, implementation, and maintenance + stages of the system development life cycle. diff --git a/tools/cjis/cjis-policy-5.9.4.xlsx b/tools/cjis/cjis-policy-5.9.4.xlsx new file mode 100644 index 000000000..c2a887c35 Binary files /dev/null and b/tools/cjis/cjis-policy-5.9.4.xlsx differ
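Review bot: several nodes marked `assessable: true` in this hunk are colon-terminated stems rather than requirements, for example node1535 `description: "a.\_\_\_\_\_ Develop a contingency plan for the system that:"`, node1557, node1607, node1608 `"1.\_\_\_\_\_ Agency Level risk assessment policy that:"`, node1613 and node1621, while their sub-items (node1536 to node1542, node1633 to node1635, node1622 to node1624) sit at the same `depth: 3` under the same `parent_urn`. As written, an assessment would score the stem as its own control and lose the a./1./(a) nesting of the source. Either set `assessable: false` on the stems and parent the sub-items to them at depth 4, or fold the stem wording into each sub-item. The same applies to the remediation SLA bullets node1638 to node1641 (`"\u2022\_\_\_ Critical\u201315 days"` and the three that follow), which are parameters of node1637 and not standalone requirements. Separately, the `\_\_\_\_\_` runs in every description and in enhancement names such as `"(1)\_\_\_ CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS"` are escaped non-breaking spaces carried over from the source document's list numbering; strip them (and, if the `a.`/`(1)` prefix is wanted for display, put it in a `ref_id` like the library-level one) so they do not render as padding. Minor: node1582 reads "outlines explicit mitigation actions" where the parallel node1574 reads "outline"; worth normalizing while the text is being cleaned.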