Columns: Security Control | Control Element | Implementation Points | Type (S/C/H)

Security Control: AC-2 Account Management
Control Element: AC-2-1 The organization employs automated mechanisms to support the management of information system accounts.
Implementation Point(s): Authentication and Authorization Service or authentication gateway.
Description: Automated mechanisms are implemented within the Authentication and Authorization Service to manage guest wireless user accounts and wireless component administrator accounts. If authentication of guest wireless users is performed using a local account database, then these mechanisms are implemented within the authentication gateway for guest wireless user accounts. If automated mechanisms are implemented within the Authentication and Authorization Service then this is a common information system security requirement. Otherwise it is a system specific information system security requirement.
Type (S/C/H): C/S

Security Control: AC-2 Account Management
Control Element: AC-2-2 The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].
Implementation Point(s): Authentication and Authorization Service or authentication gateway.
Description: Automated mechanisms are implemented within the Authentication and Authorization Service to terminate temporary or emergency accounts created for guest wireless users and wireless component administrators. If authentication of guest wireless users is performed using a local account database, then these mechanisms are implemented within the authentication gateway for guest wireless user accounts. If automated mechanisms are implemented within the Authentication and Authorization Service then this is a common information system security requirement. Otherwise it is a system specific information system security requirement.
Type (S/C/H): C/S

Security Control: AC-2 Account Management
Control Element: AC-2-3 The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
Implementation Point(s): Authentication and Authorization Service or authentication gateway.
Description: Automated mechanisms are implemented within the Authentication and Authorization Service to disable inactive guest wireless user accounts and wireless component administrator accounts after [Assignment: organization-defined time period]. If authentication of guest wireless users is performed using a local account database, then these mechanisms are implemented within the authentication gateway for guest wireless user accounts. If automated mechanisms are implemented within the Authentication and Authorization Service then this is a common information system security requirement. Otherwise it is a system specific information system security requirement.
Type (S/C/H): C/S

Security Control: AC-2 Account Management
Control Element: AC-2-4 The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
Implementation Point(s): Authentication and Authorization Service, Audit Service and authentication gateway.
Description: Automated mechanisms are implemented within the Authentication and Authorization Service to report account management actions for guest wireless users and wireless component administrators to the Audit Service. The Audit Service will notify, as required, appropriate individuals. If authentication of guest wireless users is performed using a local account database, then automated auditing of guest wireless user account management activities will be performed within the authentication gateway and reported to the Audit Service. If automated mechanisms are implemented within the Authentication and Authorization Service then this is a common information system security requirement. Otherwise it is a system specific information system security requirement.
Type (S/C/H): C/S

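The automated account management of AC-2-2, AC-2-3 and AC-2-4 above, as an added example that is not part of this document or of any departmental implementation: a periodic sweep that terminates temporary and emergency accounts whose lifetime has expired, disables accounts that have been inactive beyond the limit, and reports each action to a stand-in Audit Service, which notifies on the actions it is configured for. The time periods, account names and the Audit Service interface are assumptions standing in for the organization-defined assignments.

```python
# Added example: account lifecycle sweep for an Authentication and Authorization
# Service (constructed; not the document's or any department's implementation).
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed organization-defined periods (placeholders for the [Assignment: ...] values).
TEMPORARY_LIFETIME = timedelta(hours=24)   # AC-2-2: temporary accounts
EMERGENCY_LIFETIME = timedelta(hours=4)    # AC-2-2: emergency accounts
INACTIVITY_LIMIT = timedelta(days=30)      # AC-2-3: disable after this much inactivity


@dataclass
class Account:
    name: str
    kind: str                          # "standard", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime] = None
    enabled: bool = True
    terminated: bool = False


@dataclass
class AuditService:
    """Stand-in for the Audit Service (AC-2-4): records every account-management
    action and notifies on the actions the organization selects."""
    notify_on: frozenset = frozenset({"disable", "terminate"})
    events: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

    def record(self, action: str, account: Account, when: datetime, reason: str) -> None:
        event = {"time": when.isoformat(), "action": action,
                 "account": account.name, "reason": reason}
        self.events.append(event)
        if action in self.notify_on:
            self.notifications.append(f"{action} {account.name}: {reason}")


def sweep_accounts(accounts, audit: AuditService, now: datetime):
    """Apply AC-2-2 (expiry) and AC-2-3 (inactivity) to every account.
    Returns the names of the accounts whose state changed, in order."""
    changed = []
    lifetimes = {"temporary": TEMPORARY_LIFETIME, "emergency": EMERGENCY_LIFETIME}
    for acct in accounts:
        if acct.terminated:
            continue
        lifetime = lifetimes.get(acct.kind)
        if lifetime is not None and now - acct.created >= lifetime:
            acct.terminated = True
            acct.enabled = False
            audit.record("terminate", acct, now, f"{acct.kind} account lifetime expired")
            changed.append(acct.name)
            continue
        # An account that has never logged in is measured from its creation time.
        last_activity = acct.last_login or acct.created
        if acct.enabled and now - last_activity >= INACTIVITY_LIMIT:
            acct.enabled = False
            audit.record("disable", acct, now, "inactive beyond organization-defined period")
            changed.append(acct.name)
    return changed


def demo():
    """Constructed sample population run against a fixed clock."""
    now = datetime(2024, 1, 31, 9, 0)
    accounts = [
        Account("guest-visitor-17", "temporary", created=now - timedelta(hours=30)),
        Account("emerg-oncall", "emergency", created=now - timedelta(hours=1)),
        Account("wlan-admin-a", "standard", created=now - timedelta(days=400),
                last_login=now - timedelta(days=45)),
        Account("wlan-admin-b", "standard", created=now - timedelta(days=400),
                last_login=now - timedelta(days=2)),
    ]
    audit = AuditService()
    changed = sweep_accounts(accounts, audit, now)
    return changed, audit


if __name__ == "__main__":
    names, audit = demo()
    for line in audit.notifications:
        print(line)
```

The sweep records every state change in the audit trail but only notifies on the subset in `notify_on`, which mirrors the "notifies, as required" wording of AC-2-4; the same sweep can run in the authentication gateway against a local guest account database, with the Audit Service reached over the network instead of in-process.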
Security Control: AC-2 Account Management
Control Element: AC-2-5 The organization: (a) Requires that users log out when [Assignment: organization defined time-period of expected inactivity and/or description of when to log out]; (b) Determines normal time-of-day and duration usage for information system accounts; (c) Monitors for atypical usage of information system accounts; and (d) Reports atypical usage to designated organizational officials.
Implementation Point(s): Authentication and Authorization Service and Audit Service.
Description: Automated mechanisms are implemented within the Authentication and Authorization Service to report atypical usage of wireless component administrator accounts, based on normal time-of-day and duration usage, to the Audit Service. The Audit Service will notify, as required, appropriate individuals of atypical usage. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
Type (S/C/H): C

Security Control: AC-2 Account Management
Control Element: AC-2-6 The information system dynamically manages user privileges and associated access authorizations.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Privileges and access authorizations are dynamically managed within the Authentication and Authorization Service for wireless component administrators. These privileges and access authorizations are enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users who are not assigned any privileges within the departmental network nor do they access any information within the departmental network.
Type (S/C/H): S

Security Control: AC-2 Account Management
Control Element: AC-2-7 The organization: (a) establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and (b) tracks and monitors privileged role assignments.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Wireless component administrator accounts are organized within the Authentication and Authorization Service by roles that are based on privileges. These privileges are enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users who are not assigned any privileges within the departmental network nor do they access any information within the departmental network.
Type (S/C/H): S

Security Control: AC-3 Access Enforcement
Control Element: AC-3-A The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations are assigned within the Authentication and Authorization Service for wireless component administrators and enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users who are not assigned any privileges within the departmental network nor do they access any information within the departmental network.
Type (S/C/H): S

Security Control: AC-3 Access Enforcement
Control Element: AC-3-2 The information system enforces dual authorization, based on organizational policies and procedures for [Assignment: organization-defined privileged commands].
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Dual authorizations for [Assignment: organization-defined privileged commands] are assigned within the Authentication and Authorization Service for wireless component administrators and enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users, who are only provided network connectivity to the SCNet/Internet and do not perform any privileged commands.
Type (S/C/H): S

Security Control: AC-3 Access Enforcement
Control Element: AC-3-3 The information system enforces [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: organization-defined set of users and resources] where the policy rule set for each policy specifies: (a) Access control information (e.g., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and (b) Required relationships among the access control information to permit access.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: organization-defined set of users and resources] are assigned within the Authentication and Authorization Service for wireless component administrators and enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users who are not assigned any privileges within the departmental network nor do they access any information within the departmental network.
Type (S/C/H): S

Security Control: AC-3 Access Enforcement
Control Element: AC-3-4 The information system enforces a Discretionary Access Control (DAC) policy that: (a) Allows users to specify and control sharing by named individuals or groups of individuals, or by both; (b) Limits propagation of access rights; and (c) Includes or excludes access to the granularity of a single user.
Implementation Point(s): Authentication and Authorization Service, Information Management Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Discretionary Access Control policies are configured within the Authentication and Authorization Service and enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. Discretionary Access Control policies are configured to (a) Allow users to specify and control sharing by named individuals or groups of individuals, or by both; (b) Limit propagation of access rights; and (c) Include or exclude access to the granularity of a single user. This security control requirement does not apply to guest wireless users who are not assigned any privileges within the departmental network nor do they access any information within the departmental network.
Type (S/C/H): S

Security Control: AC-3 Access Enforcement
Control Element: AC-3-5 The information system prevents access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Access to [Assignment: organization-defined security-relevant information] is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users who are not assigned any privileges within the departmental network nor do they access any information within the departmental network.
Type (S/C/H): S

Security Control: AC-3 Access Enforcement
Control Element: AC-3-6 The organization encrypts or stores off-line in a secure location [Assignment: organization-defined user and/or system information].
Implementation Point(s): Information Management Service
Description: Information specified by [Assignment: organization-defined user and/or system information] is secured by the Information Management Service using encryption.
Type (S/C/H): C

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-A The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet.
Type (S/C/H): S

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-1 The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. Communications are controlled based on TCP/IP ports, source IP addresses and destination IP addresses.
Type (S/C/H): S

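The flow control described for AC-4-A and AC-4-1 above, as an added example rather than the document's own configuration: a first-match rule list evaluated on protocol, destination port, source address and destination address, in which the wireless components may reach only the departmental services they need, guest mobile devices may reach only the SCNet/Internet, and everything else is denied. The subnets, service addresses and ports (RADIUS on UDP/1812 to the Authentication and Authorization Service, syslog on UDP/514 to the Audit Service) are assumptions; the document names neither protocols nor addresses.

```python
# Added example: first-match flow-control policy for the guest wireless user
# perimeter (constructed; all addresses, subnets and ports are assumptions).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR, "0.0.0.0/0" for any
    proto: Optional[str] = None   # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None   # destination port, None for any
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))


# Assumed address plan (placeholders, not the department's).
GUEST_SUBNET = "10.200.0.0/16"    # guest wireless user mobile devices (own subnet, AC-6-4)
WLAN_INFRA = "10.10.0.0/24"       # sensors, access points, switches, authentication gateway
DEPARTMENTAL = "10.0.0.0/8"       # whole departmental network (contains both of the above)
AUTHZ_SERVICE = "10.1.1.10/32"    # Authentication and Authorization Service
AUDIT_SERVICE = "10.1.1.20/32"    # Audit Service
ANY = "0.0.0.0/0"

# Ordered rule set; the first matching rule decides.  Ports, source and destination
# addresses are the explicit security attributes of AC-4-1.
POLICY = [
    Rule("permit", WLAN_INFRA, AUTHZ_SERVICE, "udp", 1812, "infrastructure -> RADIUS authentication"),
    Rule("permit", WLAN_INFRA, AUDIT_SERVICE, "udp", 514, "infrastructure -> syslog to Audit Service"),
    Rule("deny", GUEST_SUBNET, DEPARTMENTAL, comment="guests never reach the departmental network"),
    Rule("permit", GUEST_SUBNET, ANY, comment="guests -> SCNet/Internet only"),
    Rule("deny", ANY, ANY, comment="default deny"),
]


def decide(pkt: dict, policy=POLICY):
    """Return (action, comment) of the first matching rule; deny if none matches."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "no rule matched"


# Constructed sample flows: source, destination, protocol, destination port.
SAMPLE_FLOWS = {
    "guest_to_internet": {"src": "10.200.4.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    "guest_to_authz": {"src": "10.200.4.7", "dst": "10.1.1.10", "proto": "udp", "dport": 1812},
    "guest_to_guest": {"src": "10.200.4.7", "dst": "10.200.9.3", "proto": "tcp", "dport": 80},
    "ap_to_authz": {"src": "10.10.0.5", "dst": "10.1.1.10", "proto": "udp", "dport": 1812},
    "ap_to_authz_ssh": {"src": "10.10.0.5", "dst": "10.1.1.10", "proto": "tcp", "dport": 22},
    "ap_to_internet": {"src": "10.10.0.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
}


def evaluate_samples():
    """Decision for each constructed flow, keyed by its name."""
    return {name: decide(pkt)[0] for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_FLOWS.items():
        action, why = decide(pkt)
        print(f"{name:18} {action:6} ({why})")
```

Rule order carries the policy: the guest deny toward the departmental range is placed before the guest permit toward "any", so a guest device cannot reach the wireless components, the services or another guest device even though all of them fall inside the "any" destination. A wireless component is permitted only the named service ports; its attempt to reach the Internet or to open an unrelated port on a service falls through to the default deny.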
Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-2 The information system enforces information flow control using protected processing domains (i.e., domain type-enforcement) as a basis for flow control decisions.
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. Domain type-enforcement of information flow control is not required by the business use case.
Type (S/C/H): S

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-3 The information system enforces dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations.
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. Dynamic information flow control policies that allow or disallow information flows based on changing conditions or operational considerations are supported by the guest wireless user perimeter.
Type (S/C/H): S

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-4 The information system prevents encrypted data from bypassing content-checking mechanisms.
Implementation Point(s): NA
Description: The guest wireless user perimeter does not control communications from the mobile devices based on the information content of the communications which can be concealed through encryption.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-5 The information system enforces [Assignment: organization-defined limitations on the embedding of data types within other data types].
Implementation Point(s): NA
Description: The guest wireless user perimeter does not control communications from the mobile devices based on the information content of the communications.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-6 The information system enforces information flow control on metadata.
Implementation Point(s): NA
Description: The guest wireless user perimeter does not control communications from the mobile devices based on the information content of the communications.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-7 The information system enforces [Assignment: organization-defined one-way flows] using hardware mechanisms.
Implementation Point(s): NA
Description: Enforcement of one-way flows using hardware mechanisms is normally a requirement for transferring information between information systems of different security levels, which is not applicable to the business use case.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-8 The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions.
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. The guest wireless user perimeter uses [Assignment: organization-defined security policy filters] as a basis for flow control decisions.
Type (S/C/H): S

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-9 The information system enforces the use of human review for [Assignment: organization-defined security policy filters] when the system is not capable of making an information flow control decision.
Implementation Point(s): NA
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. Human review for [Assignment: organization-defined security policy filters] is not an applicable requirement for the business use case.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-10 The information system provides the capability for a privileged administrator to enable/disable [Assignment: organization-defined security policy filters].
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. Information flow control uses [Assignment: organization-defined security policy filters] as a basis for flow control decisions. These policy filters can be configured, enabled, disabled by a wireless component administrator.
Type (S/C/H): S

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-11 The information system provides the capability for a privileged administrator to configure [Assignment: organization-defined security policy filters] to support different security policies.
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the communications between the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and departmental network services (e.g., Authentication and Authorization, Audit Service, etc.). The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. Information flow control uses [Assignment: organization-defined security policy filters] as a basis for flow control decisions. These policy filters can be configured, enabled, disabled by a wireless component administrator.
Type (S/C/H): S

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-12 The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.
Implementation Point(s): NA
Description: The business use case does not control communications from the guest wireless user’s mobile device to the SCNet/Internet based on the information content of the communications.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-13 The information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.
Implementation Point(s): NA
Description: The business use case does not control communications from the guest wireless user’s mobile device to the SCNet/Internet based on the information content of the communications.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-14 The information system, when transferring information between different security domains, implements policy filters that constrain data structure and content to [Assignment: organization-defined information security policy requirements].
Implementation Point(s): NA
Description: The business use case does not control communications from the guest wireless user’s mobile device to the SCNet/Internet based on the information content of the communications.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-15 The information system, when transferring information between different security domains, detects unsanctioned information and prohibits the transfer of such information in accordance with the security policy.
Implementation Point(s): NA
Description: The business use case does not control communications from the guest wireless user’s mobile device to the SCNet/Internet based on the information content of the communications.
Type (S/C/H): -

Security Control: AC-4 Information Flow Enforcement
Control Element: AC-4-17 The information system: (a) Uniquely identifies and authenticates source and destination domains for information transfer; (b) Binds security attributes to information to facilitate information flow policy enforcement; and (c) Tracks problems associated with the security attribute binding and information transfer.
Implementation Point(s): NA
Description: The business use case does not control communications from the guest wireless user’s mobile device to the SCNet/Internet based on the information content of the communications.
Type (S/C/H): -

Security Control: AC-5 Separation of Duties
Control Element: AC-5-C The organization implements separation of duties through assigned information system access authorizations.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations are assigned within the Authentication and Authorization Service for wireless component administrators and enforced within the administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users who are not assigned any privileges within the departmental network nor do they access any information within the departmental network.
Type (S/C/H): S

Security Control: AC-6 Least Privilege
Control Element: AC-6-4 The information system provides separate processing domains to enable finer-grained allocation of user privileges.
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter keeps the guest wireless user mobile devices in their own network subnet (i.e., processing domain) and restricts communications from the guest wireless user’s mobile device to the SCNet/Internet only.
Type (S/C/H): S

Security Control: AC-7 Unsuccessful Login Attempts
Control Element: AC-7-A The information system enforces a limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period].
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: A limit of [Assignment: organization-defined number] consecutive invalid access attempts by a user during a [Assignment: organization-defined time period] is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
Type (S/C/H): S

Security Control: AC-7 Unsuccessful Login Attempts
Control Element: AC-7-B The information system automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Account lockout is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
Type (S/C/H): S

Security Control: AC-7 Unsuccessful Login Attempts
Control Element: AC-7-1 The information system automatically locks the account/node until released by an administrator when the maximum number of unsuccessful attempts is exceeded.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Account lockout is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. Locked accounts can only be released by an administrator. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
Type (S/C/H): S

Security Control: AC-7 Unsuccessful Login Attempts
Control Element: AC-7-2 The information system provides additional protection for mobile devices accessed via login by purging information from the device after [Assignment: organization-defined number] consecutive, unsuccessful login attempts to the device.
Implementation Point(s): NA
Description: The department is not responsible for the configuration of the guest wireless users’ mobile devices, their security, or the protection of the information they transmit, process or store.
Type (S/C/H): -

Security Control: AC-8 System Use Notification
Control Element: AC-8-A The information system displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices in accordance with the Treasury Board Secretariat (TBS) Policy on the Use of Electronic Networks.
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Login banners are configured on the authentication gateway and viewed by guest wireless users. Login banners are also configured on the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and viewed by wireless component administrators. The login banner provides privacy and security notices in accordance with the TBS Policy on the Use of Electronic Networks.
Type (S/C/H): S

Security Control: AC-8 System Use Notification
Control Element: AC-8-B The information system retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system.
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Login banners are configured on the authentication gateway and viewed by guest wireless users. Login banners are also configured on the sensors, access points, switches, authentication gateway and guest wireless user perimeter components and viewed by wireless component administrators. Login banners are retained on the screen until users take explicit actions to log on to or further access the information system.
Type (S/C/H): S

Security Control: AC-8 System Use Notification
Control Element: AC-8-C The information system, for publicly accessible systems: (a) displays the system use information when appropriate, before granting further access; (b) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (c) includes in the notice given to public users of the information system, a description of the authorized uses of the system.
Implementation Point(s): NA
Description: Security of publicly accessible systems supported by the departmental network is not applicable to the business use case.
Type (S/C/H): -

Security Control: AC-9 Previous Logon (Access) Notification
Control Element: AC-9-A The information system notifies the user, upon successful logon (access), of the date and time of the last logon (access).
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: User notification of the date and time of the last logon is supported within the Authentication and Authorization Service for wireless component administrators and viewed during login to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
Type (S/C/H): S

Security Control: AC-9 Previous Logon (Access) Notification
Control Element: AC-9-1 The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access.
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Unsuccessful login notification is configured within the Authentication and Authorization Service for wireless component administrators and viewed during login to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
|
S |
AC-9 Previous Logon (Access) Notification |
AC-9-2 The information system notifies the user of the number of [Selection: successful logins/accesses; unsuccessful login/access attempts; both] during [Assignment: organization-defined time period]. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Notification of the number of [Selection: successful logins/accesses; unsuccessful login/access attempts; both] during [Assignment: organization-defined time period] is configured within the Authentication and Authorization Service for wireless component administrators and viewed during login to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
|
S |
AC-9 Previous Logon (Access) Notification |
AC-9-3 The information system notifies the user of [Assignment: organization-defined set of security-related changes to the user’s account] during [Assignment: organization-defined time period]. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: User account settings are configured within the Authentication and Authorization Service for wireless component administrators. The login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components notifies wireless component administrators upon login of any [Assignment: organization-defined set of security-related changes to the user’s account] during [Assignment: organization-defined time period]. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
|
S |
AC-10 Concurrent Session Control |
AC-10-A The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number]. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The limit on the number of concurrent sessions is configured within the Authentication and Authorization Service for wireless component administrators to [Assignment: organization-defined number] and enforced during login to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. The concurrent session limit for guest wireless users is configured within the authentication gateway.
|
S |
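The AC-9-A, AC-9-1 and AC-10-A rows above all describe state that an Authentication and Authorization Service must keep per administrator account and surface or enforce at logon. The following is an added example, not part of this table or of any product it describes, showing the minimal bookkeeping in Python: the last successful logon time, a counter of failed attempts that restarts at each success, and a per-account concurrent-session cap. Account names, timestamps and the session limit are constructed sample values; the notice returned to the component is an assumed structure.

```python
"""Added example (not from the source document): an in-memory model of the
logon bookkeeping that AC-9 and AC-10 require of an Authentication and
Authorization Service for wireless component administrator accounts:

  * AC-9-A   last successful logon date/time, shown at the next logon
  * AC-9-1   number of failed attempts since the last successful logon
  * AC-10-A  a per-account limit on concurrent sessions

Account names, timestamps and the session limit are constructed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set


@dataclass
class AccountState:
    last_success: Optional[datetime] = None            # AC-9-A
    failed_since_success: int = 0                      # AC-9-1
    active_sessions: Set[str] = field(default_factory=set)  # AC-10-A


class AuthService:
    def __init__(self, max_sessions: int):
        # max_sessions stands in for [Assignment: organization-defined number]
        self.max_sessions = max_sessions
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def record_failure(self, user: str) -> int:
        """Called when a credential check fails; returns the running count."""
        st = self._state(user)
        st.failed_since_success += 1
        return st.failed_since_success

    def logon(self, user: str, session_id: str, now: datetime) -> dict:
        """Called only after the credential check succeeded.

        Returns the notice the component displays to the user, or refuses
        the new session when the concurrent-session limit is already reached.
        """
        st = self._state(user)
        if len(st.active_sessions) >= self.max_sessions:
            # AC-10-A: enforced before the session exists. The failure counter
            # is left alone because the credentials themselves were valid.
            return {"allowed": False, "reason": "concurrent session limit reached"}
        notice = {
            "allowed": True,
            "last_logon": st.last_success,                       # None on first logon
            "failed_attempts_since_last_logon": st.failed_since_success,
        }
        st.last_success = now
        st.failed_since_success = 0        # counter restarts after a success
        st.active_sessions.add(session_id)
        return notice

    def logoff(self, user: str, session_id: str) -> None:
        self._state(user).active_sessions.discard(session_id)


def demo() -> list:
    """Constructed sequence: two failures, a logon, one failure, a logon, a refused logon."""
    svc = AuthService(max_sessions=2)
    t1 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 1, 1, 17, 30, tzinfo=timezone.utc)
    svc.record_failure("wlan-admin")
    svc.record_failure("wlan-admin")
    first = svc.logon("wlan-admin", "s1", t1)    # notice: 2 failures, no prior logon
    svc.record_failure("wlan-admin")
    second = svc.logon("wlan-admin", "s2", t2)   # notice: 1 failure, last logon t1
    third = svc.logon("wlan-admin", "s3", t2)    # refused: 2 sessions already active
    return [first, second, third]


if __name__ == "__main__":
    for n in demo():
        print(n)
```

The point worth noticing for the AC-10 row is that the limit is checked before the session is created and a refusal is distinguishable from a bad password, so the AC-9-1 counter only reflects genuine authentication failures.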
AC-11 Session Lock |
AC-11-A The information system prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Session lock is configured within the Authentication and Authorization Service for wireless component administrators and viewed during login to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This requirement is not applicable to guest wireless users since the department is not responsible for securing their sessions.
|
S |
AC-11 Session Lock |
AC-11-B The information system retains the session lock until the user re-establishes access using established identification and authentication procedures. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Session lock is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. Session lock is released following successful re-login. This requirement is not applicable to guest wireless users since the department is not responsible for securing their sessions.
|
S |
AC-11 Session Lock |
AC-11-1 The information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Session lock is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. During session lock, the wireless component administrator workstations display a publicly viewable pattern on the associated display, hiding what was previously visible on the screen. This requirement is not applicable to guest wireless users since the department is not responsible for securing their sessions.
|
S |
AC-16 Security Attributes |
NA |
This security control and its technology-related control elements are not applicable to this business use case. The department is not responsible for the security of the Unclassified information transmitted, processed or stored by the guest wireless users. |
- |
AC-18 Wireless Access |
AC-18-B The organization monitors for unauthorized wireless access to the information system. |
Implementation Point(s): WIDS Service, wireless access points and sensors.
Description: The WIDS Service, together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS), monitors for and reports unauthorized wireless components.
|
S |
AC-18 Wireless Access |
AC-18-C The organization authorizes wireless access to the information system prior to connection. |
Implementation Point(s): Authentication gateway
Description: Guest wireless users must first be assigned a temporary user account and then successfully authenticate to the authentication gateway before their mobile device is provided network connectivity to the SCNet/Internet.
|
S |
AC-18 Wireless Access |
AC-18-D The organization enforces requirements for wireless connections to the information system. |
Implementation Point(s): Authentication gateway
Description: Guest wireless users must first be assigned a temporary user account and then successfully authenticate to the authentication gateway before their mobile device is provided network connectivity to the SCNet/Internet.
|
S |
AC-18 Wireless Access |
AC-18-1 The information system protects wireless access to the system using authentication and encryption. |
Implementation Point(s): Authentication gateway
Description: Guest wireless users must first be assigned a temporary user account and then successfully authenticate to the authentication gateway before their mobile device is provided network connectivity to the SCNet/Internet. The use of encryption is not a requirement since the security of guest wireless user communications is not a responsibility of the department.
|
S |
AC-18 Wireless Access |
AC-18-2 The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered. |
Implementation Point(s): WIDS Service, wireless access points and sensors.
Description: The WIDS Service, together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS), monitors for and reports unauthorized wireless components, including scanning for unauthorized wireless access points [Assignment: organization-defined frequency].
|
S |
AC-18 Wireless Access |
AC-18-4 The organization does not allow users to independently configure wireless networking capabilities. |
Implementation Point(s): NA
Description: The business use case does not impose restrictions on the mobile devices used by the guest wireless users.
|
- |
AC-18 Wireless Access |
AC-18-5 The organization confines wireless communications to organization-controlled boundaries. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The guest wireless user zone is confined to organization-controlled boundaries.
|
S |
AC-19 Access Control for Mobile Devices |
NA |
This security control and its technology-related control elements are not applicable to this business use case. The department is not responsible for the configuration of the mobile devices or their security. |
- |
AC-21 User Based Collaboration and Information Sharing |
NA |
This security control and its technology-related control elements are not applicable to this business use case which is only intended to support network connectivity between guest wireless users and the SCNet/Internet rather than provide security for information sharing between users. |
- |
AU-3 Content of Audit Records |
AU-3-A The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports reporting to the Audit Service of records that contain sufficient information to establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
|
S |
AU-3 Content of Audit Records |
AU-3-1 The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to configure the [Assignment: organization-defined additional, more detailed information] for events reported to the Audit Service.
|
S |
AU-3 Content of Audit Records |
AU-3-2 The organization centrally manages the content of audit records generated by [Assignment: organization-defined information system components]. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to send audit records to the Audit Service. The Audit Service maintains a central repository for all audit records.
|
S |
AU-4 Audit Storage Capacity |
AU-4-A The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded. |
Implementation Point(s): Audit Service and Information Management Service.
Description: The Audit Service has access to sufficient storage capacity, maintained by the Information Management Service, to prevent record loss.
|
C |
AU-5 Response to Audit Processing Failures |
AU-5-A The information system alerts designated organizational officials in the event of an audit processing failure. |
Implementation Point(s): Audit Service
Description: The Audit Service alerts appropriate organizational officials in the event of an audit processing failure.
|
C |
AU-5 Response to Audit Processing Failures |
AU-5-B The information system takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to perform [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)] in the event of an audit processing failure within the component.
|
S |
AU-5 Response to Audit Processing Failures |
AU-5-1 The information system provides a warning when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of maximum audit record storage capacity. |
Implementation Point(s): Audit Service and Information Management Service.
Description: The Audit Service provides a warning when the allocated audit record storage volume within the Information Management Service reaches [Assignment: organization-defined percentage] of the maximum storage available.
|
C |
AU-5 Response to Audit Processing Failures |
AU-5-2 The information system provides a real-time alert when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts]. |
Implementation Point(s): Audit Service
Description: The Audit Service provides a real-time alert when the [Assignment: organization-defined audit failure events requiring real-time alert] audit failure events occur.
|
C |
AU-5 Response to Audit Processing Failures |
AU-5-3 The information system enforces configurable traffic volume thresholds representing auditing capacity for network traffic and [Selection: rejects or delays] network traffic above those thresholds. |
Implementation Point(s): Network Service
Description: The Network Service’s routers support the assignment of traffic volume thresholds for audit related network traffic and [Selection: rejects or delays] network traffic above those thresholds.
|
C |
AU-5 Response to Audit Processing Failures |
AU-5-4 The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to shut down the component if an audit failure occurs.
|
S |
AU-6 Audit Review, Analysis, and Reporting |
AU-6-3 The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to send audit records to the Audit Service. The Audit Service maintains a central repository and management point for all audit records in order to gain organization-wide situational awareness.
|
S |
AU-6 Audit Review, Analysis, and Reporting |
AU-6-4 The information system centralizes the review and analysis of audit records from multiple components within the system. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to send audit records to the Audit Service. The Audit Service includes a central repository of all audit records for review and analysis.
|
S |
AU-6 Audit Review, Analysis, and Reporting |
AU-6-5 The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to send audit records to the Audit Service. The Audit Service includes a central repository of all audit records for review and analysis.
|
S |
AU-7 Audit Reduction and Report Generation |
AU-7-A The information system provides an audit reduction and report generation capability. |
Implementation Point(s): Audit Service
Description: The Audit Service supports an audit reduction and report generation capability.
|
C |
AU-7 Audit Reduction and Report Generation |
AU-7-1 The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria. |
Implementation Point(s): Audit Service
Description: The Audit Service supports functionality to automatically process audit records for events of interest based upon selectable event criteria.
|
C |
AU-8 Time Stamps |
AU-8-A The information system uses internal system clocks to generate time stamps for audit records. |
Implementation Point(s): Network Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to generate time stamps for audit records sent to the Audit Service. Each component also supports the ability to synchronize its clock with the centralized Time server functionality supported by the Network Service.
|
S |
AU-8 Time Stamps |
AU-8-1 The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]. |
Implementation Point(s): Network Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components support the ability to synchronize their component clocks [Assignment: organization-defined frequency] with a centralized Time server functionality supported by the Network Service.
|
S |
AU-9 Protection of Audit Information |
AU-9-A The information system protects audit information and audit tools from unauthorized access, modification, and deletion. |
Implementation Point(s): Audit Service, Authentication and Authorization Service.
Description: Access authorizations to audit information and tools within the Audit Service are configured within the Authentication and Authorization Service and enforced by the Audit Service.
|
C |
AU-9 Protection of Audit Information |
AU-9-1 The information system produces audit records on hardware-enforced, write-once media. |
Implementation Point(s): Audit Service
Description: The Audit Service supports the ability to produce audit records on hardware-enforced, write-once media.
|
C |
AU-9 Protection of Audit Information |
AU-9-2 The information system backs up audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited. |
Implementation Point(s): Backup and Recovery Service
Description: The Backup and Recovery Service backs up audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.
|
C |
AU-9 Protection of Audit Information |
AU-9-3 The information system uses cryptographic mechanisms to protect the integrity of audit information and audit tools. |
Implementation Point(s): Audit Service and Information Management Service.
Description: The Audit Service uses cryptographic mechanisms to protect the integrity of audit information stored and maintained by the Information Management Service.
|
C |
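The AU-9-3 row states that the Audit Service uses a cryptographic mechanism to protect the integrity of stored audit records but does not say which. The following added example (not from this table or any product it describes) shows one common construction in Python: an HMAC-SHA256 tag per record that also covers the previous record's tag, so that altering, deleting or reordering a record is detected by anyone holding the key. The key, the records and the field names are constructed sample values; where the key is kept (for instance in the Authentication and Authorization Service or a hardware module) and how it is rotated are assumptions outside this example.

```python
"""Added example (not from the source document): a hash-chained HMAC over
audit records as one realisation of AU-9-3.  Each stored record carries a
tag = HMAC(key, previous_tag || canonical(record)); verification walks the
chain from the start and stops at the first record whose tag or sequence
number does not match.  Key, records and field names are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Tuple

GENESIS = b"\x00" * 32   # stands in for the "previous tag" of the first record


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the tag does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(key: bytes, chain: List[dict], record: dict) -> dict:
    """Tag a new record against the chain head and append it."""
    prev_tag = bytes.fromhex(chain[-1]["tag"]) if chain else GENESIS
    tag = hmac.new(key, prev_tag + _canonical(record), hashlib.sha256).hexdigest()
    entry = dict(record, seq=len(chain), tag=tag)
    chain.append(entry)
    return entry


def verify_chain(key: bytes, chain: List[dict]) -> Tuple[bool, int]:
    """Return (ok, index): index is the first bad record, or -1 when intact."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("tag", "seq")}
        expected = hmac.new(key, prev_tag + _canonical(body), hashlib.sha256).hexdigest()
        if entry.get("seq") != i or not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = bytes.fromhex(entry["tag"])
    return True, -1


def demo() -> dict:
    """Build a three-record chain, then show a modification and a deletion being caught."""
    key = b"constructed-sample-key-not-for-use"
    chain: List[dict] = []
    for rec in [
        {"ts": "2024-01-01T09:00:00Z", "component": "auth-gateway", "event": "logon",
         "user": "wlan-admin", "outcome": "success"},
        {"ts": "2024-01-01T09:05:12Z", "component": "switch-01", "event": "config-change",
         "user": "wlan-admin", "outcome": "success"},
        {"ts": "2024-01-01T09:07:40Z", "component": "ap-07", "event": "logon",
         "user": "wlan-admin", "outcome": "failure"},
    ]:
        append_record(key, chain, rec)

    intact = verify_chain(key, chain)

    modified = json.loads(json.dumps(chain))   # deep copy of the stored chain
    modified[1]["outcome"] = "failure"         # alter a stored record in place
    after_modify = verify_chain(key, modified)

    deleted = json.loads(json.dumps(chain))
    del deleted[1]                             # remove a record from the middle
    after_delete = verify_chain(key, deleted)

    return {"intact": intact, "modified": after_modify, "deleted": after_delete}


if __name__ == "__main__":
    print(demo())
```

One caveat a practitioner would add: a chain like this does not by itself detect truncation at the tail (removing the newest records leaves a valid shorter chain). That is why the AU-9-2 row's off-system backup matters; recording the current head tag alongside each backup gives the verifier a reference point for the expected chain length.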
AU-9 Protection of Audit Information |
AU-9-4 The organization: (a) Authorizes access to management of audit functionality to only a limited subset of privileged users; and (b) Protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions. |
Implementation Point(s): Authentication and Authorization Service, Audit Service and Information Management Service.
Description: Access authorizations to audit information stored by the Audit Service within the Information Management Service, and to audit functionality within the wireless components, are configured within the Authentication and Authorization Service to ensure that (a) access to the management of audit functionality is limited to a subset of privileged users, and (b) the audit records of non-local accesses to privileged accounts and the execution of privileged functions are protected.
|
C |
AU-10 Non Repudiation |
NA |
This security control and its technology-related control elements are not applicable to this business use case. The department is not responsible for securing the information transmitted, processed or stored by guest wireless users including non-repudiation of actions performed. |
- |
AU-12 Audit Generation |
AU-12-A The information system provides audit record generation capability for the list of auditable events defined in AU-2 at [Assignment: organization-defined information system components]. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to produce and transmit audit records to the Audit Service for the events defined in AU-2 at [Assignment: organization-defined information system components].
|
S |
AU-12 Audit Generation |
AU-12-B The information system allows designated organizational personnel to select which auditable events are to be audited by specific components of the system. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components is configurable by the wireless component administrators in terms of the events to be audited and reported to the Audit Service.
|
S |
AU-12 Audit Generation |
AU-12-C The information system generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to produce and transmit audit records to the Audit Service for the events defined in AU-2 with the content as defined in AU-3.
|
S |
AU-12 Audit Generation |
AU-12-1 The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]. |
Implementation Point(s): Audit Service, Network Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to send audit records to the Audit Service. Each component synchronizes its system clock with the Time server functionality of the Network Service to ensure the audit records are time-correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail].
|
S |
AU-12 Audit Generation |
AU-12-2 The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to send audit records to the Audit Service. The audit records produced by the sensors, access points, switches, authentication gateway and guest wireless user perimeter components are in a standardized format or converted to this format by the Audit Service.
|
S |
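Three of the audit rows above describe what the Audit Service must do with records as they arrive: convert them from each component type into one standardized format (AU-12-2), check that each record carries the minimum content (AU-3-A), and keep the trail time-correlated within a tolerance (AU-12-1). The following added example (not from this table or any product it describes) sketches that intake step in Python. The two input formats, a key=value line for switches and access points and a JSON document from the authentication gateway, the sample records, the field names of the standardized record and the receipt time stamped by the Audit Service are all constructed for this example; the tolerance stands in for the [Assignment] value.

```python
"""Added example (not from the source document): an Audit Service intake step.

  * AU-12-2  records from different component types are mapped onto one
             standardized record;
  * AU-3-A   each standardized record is checked for the minimum content
             (type, when, where, source, outcome, subject);
  * AU-12-1  the component's time stamp is compared with the Audit Service's
             receipt time; records whose skew exceeds the tolerance are set
             aside rather than silently merged into the trail.

Input formats, sample records and field names are constructed.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

REQUIRED = ("event_type", "timestamp", "location", "source", "outcome", "subject")


def parse_kv_line(line: str) -> Dict[str, str]:
    """Parse 'k=v k=v ...' as emitted by the (constructed) switch/AP format."""
    out: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if key and sep:
            out[key] = value
    return out


def normalize(raw: str, component: str) -> Dict[str, Optional[str]]:
    """AU-12-2: map either input format onto the standardized record."""
    if raw.lstrip().startswith("{"):
        d = json.loads(raw)                       # authentication gateway (JSON)
        return {"event_type": d.get("event"), "timestamp": d.get("time"),
                "location": component, "source": d.get("client_ip"),
                "outcome": d.get("result"), "subject": d.get("user")}
    d = parse_kv_line(raw)                        # switch / access point (key=value)
    return {"event_type": d.get("evt"), "timestamp": d.get("ts"),
            "location": component, "source": d.get("src"),
            "outcome": d.get("status"), "subject": d.get("user")}


def missing_content(rec: Dict[str, Optional[str]]) -> List[str]:
    """AU-3-A: names of required fields that are absent or empty."""
    return [f for f in REQUIRED if not rec.get(f)]


def clock_skew(rec: Dict[str, Optional[str]], received: datetime) -> timedelta:
    """AU-12-1: distance between the component's clock and the receipt time."""
    ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
    return abs(received - ts)


def intake(raw_records, tolerance: timedelta) -> Tuple[List[dict], List[Tuple[dict, str]]]:
    """Return (accepted, rejected); each rejected entry carries its reason."""
    accepted, rejected = [], []
    for raw, component, received in raw_records:
        rec = normalize(raw, component)
        gaps = missing_content(rec)
        if gaps:
            rejected.append((rec, "missing: " + ",".join(gaps)))
            continue
        skew = clock_skew(rec, received)
        if skew > tolerance:
            rejected.append((rec, f"clock skew {skew} exceeds tolerance"))
            continue
        accepted.append(rec)
    return accepted, rejected


def demo():
    """Constructed batch: two good records, one missing its outcome, one with a bad clock."""
    recv = datetime(2024, 1, 1, 9, 0, 2, tzinfo=timezone.utc)   # Audit Service receipt time
    samples = [
        ("ts=2024-01-01T09:00:01Z evt=logon user=wlan-admin src=10.0.0.5 status=success",
         "switch-01", recv),
        ('{"time":"2024-01-01T09:00:00Z","event":"portal-auth","user":"guest-4711",'
         '"client_ip":"10.10.3.9","result":"failure"}', "auth-gateway", recv),
        ("ts=2024-01-01T09:00:01Z evt=config-change user=wlan-admin src=10.0.0.5",
         "ap-07", recv),                                         # no status field
        ("ts=2024-01-01T08:49:59Z evt=logon user=wlan-admin src=10.0.0.5 status=success",
         "sensor-03", recv),                                     # clock ten minutes slow
    ]
    return intake(samples, tolerance=timedelta(seconds=5))


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Rejected records are not discarded in practice; they are the evidence that a component's auditing or clock synchronization (AU-8-1) has drifted, and the AU-5 rows expect that to raise an alert rather than disappear.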
AU-14 Session Audit |
AU-14-A The information system provides the capability to capture/record and log all content related to a user session. |
Implementation Point(s): IDS Service
Description: The IDS Service can be used to access the unencrypted content of wireless component administrator communications and log or capture the content to the Audit Service. The department is not required to capture/record and log all content related to a guest wireless user’s session.
|
C |
AU-14 Session Audit |
AU-14-B The information system provides the capability to remotely view/hear all content related to an established user session in real time. |
Implementation Point(s): IDS Service
Description: The IDS Service can be used to access the unencrypted content of wireless component administrator communications and view/hear all content related to an established user session in real time. The department is not required to view/hear all content related to an established guest wireless user’s session in real time.
|
C |
AU-14 Session Audit |
AU-14-1 The information system initiates session audits at system start-up. |
Implementation Point(s): IDS Service
Description: The IDS Service can be used to access the unencrypted content of wireless component administrator communications and log or capture the content to the Audit Service. This security control requirement is not applicable to guest wireless user communications. The IDS Service has the ability to initiate the audit processes at system start-up.
|
C |
CM-5 Access Restrictions for Change |
CM-5-A The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. |
Implementation Point(s): Authentication and Authorization Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations for changes to the configuration of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components by wireless component administrators are assigned within the Authentication and Authorization Service and enforced within the wireless components. This security control requirement does not apply to guest wireless users, who are not assigned any privileges within the departmental network and do not access any information within the departmental network.
|
S |
CM-5 Access Restrictions for Change |
CM-5-1 The department employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions. |
Implementation Point(s): Authentication and Authorization Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations are assigned within the Authentication and Authorization Service for wireless component administrators and enforced within the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. Auditing of the enforcement of these authorizations is also performed by the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users, who are not assigned any privileges within the departmental network and do not access any information within the departmental network.
|
S |
CM-5 Access Restrictions for Change |
CM-5-3 The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization. |
Implementation Point(s): NA
Description: The department is not responsible for the security or configuration of the guest wireless users’ mobile devices.
|
- |
CM-5 Access Restrictions for Change |
CM-5-6 The organization limits privileges to change software resident within software libraries (including privileged programs). |
Implementation Point(s): Authentication and Authorization Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations that define logical access restrictions associated with changes to software resident within software libraries (including privileged programs) are assigned within the Authentication and Authorization Service for wireless component administrators. The authorizations are enforced within the local administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. This security control requirement does not apply to guest wireless users, who are not assigned any privileges within the departmental network and do not access any information within the departmental network.
|
S |
CM-5 Access Restrictions for Change |
CM-5-7 The information system automatically implements [Assignment: organization-defined safeguards and countermeasures] if security functions (or mechanisms) are changed inappropriately. |
Implementation Point(s): Authentication and Authorization Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations are assigned within the Authentication and Authorization Service for wireless component administrators which define logical access restrictions associated with changes to software resident within software libraries (including privileged programs). The authorizations are enforced within the local administrative access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. The information system automatically implements [Assignment: organization-defined safeguards and countermeasures] if security functions (or mechanisms) are changed inappropriately.
|
S |
CM-6 Configuration Settings |
CM-6-B The organization implements the configuration settings. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components are configured with the mandatory configuration settings in their most restrictive mode.
|
S |
CM-6 Configuration Settings |
CM-6-1 The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings. |
Implementation Point(s): CMS, FIS, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The CMS supports the ability to provision and audit component configurations on sensors, access points, switches, authentication gateway and guest wireless user perimeter components. The CMS supports the ability to periodically audit component configurations and to compare these audited configurations against approved configurations. The FIS supports the functionality to verify configuration settings in files on components that support the installation of a FIS agent. The CMS and FIS can report any detected unauthorized changes to the appropriate individual either directly (e.g., email notification) or indirectly by sending reports to the Audit Service.
|
S |
CM-6 Configuration Settings |
CM-6-2 The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings]. |
Implementation Point(s): CMS, FIS, Authentication and Authorization Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations for access to configuration settings are configured within the Authentication and Authorization Service and enforced within the access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. The access control functionality reports unauthorized access attempts to the Audit Service. The CMS supports the ability to periodically audit component configurations and to compare these audited configurations against approved configurations in order to detect any unauthorized changes. The FIS supports the functionality to detect unauthorized modifications to files on components that support the installation of a FIS agent. The CMS and FIS report any detected unauthorized changes to [Assignment: organization-defined configuration settings] to the appropriate individual either directly (e.g., email notification) or indirectly by sending reports to the Audit Service.
|
S |
CM-6 Configuration Settings |
CM-6-3 The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes. |
Implementation Point(s): CMS, FIS, Authentication and Authorization Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations for access to configuration settings are configured within the Authentication and Authorization Service and enforced within the access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. The access control functionality reports unauthorized access attempts to the Audit Service. The CMS supports the ability to periodically audit component configurations and to compare these audited configurations against approved configurations in order to detect any unauthorized changes. The FIS supports the functionality to detect unauthorized modifications to files on components that support the installation of a FIS agent. The CMS and FIS report any detected unauthorized changes to the appropriate individual either directly (e.g., email notification) or indirectly by sending reports to the Audit Service. The events can then be entered into the department’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
|
S |
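The CM-6-1 to CM-6-3 rows describe two detection mechanisms: the CMS comparing an audited component configuration against the approved one, and the FIS comparing files against known-good contents, with both reporting to the Audit Service. The following is an added illustration of that comparison, not code from the document or from any CMS/FIS product. The baseline, the audited configuration, the file manifest and the file contents are constructed sample data, and the JSON event format is an assumption of the example rather than the Audit Service's schema.

```python
"""Configuration-drift (CMS-style) and file-integrity (FIS-style) check.

Added illustration, not code from the source document. All configuration
values, file paths and file contents below are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed approved (baseline) configuration for one access point.
APPROVED_CONFIG = {
    "ssid": "GUEST",
    "wpa_mode": "wpa2-psk",
    "mgmt_ssh": "enabled",
    "mgmt_telnet": "disabled",
    "client_isolation": "enabled",
    "snmp_community": "<managed-by-cms>",
}

# Constructed configuration as audited from the device: telnet was turned on,
# client isolation turned off, and an unapproved setting appeared.
AUDITED_CONFIG = {
    "ssid": "GUEST",
    "wpa_mode": "wpa2-psk",
    "mgmt_ssh": "enabled",
    "mgmt_telnet": "enabled",
    "client_isolation": "disabled",
    "snmp_community": "<managed-by-cms>",
    "http_mgmt": "enabled",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good file contents, from which the FIS manifest is derived.
KNOWN_GOOD_FILES = {
    "/etc/ap/firewall.rules": b"default deny\nallow tcp 443 to gateway\n",
    "/etc/ap/captive-portal.conf": b"redirect=https://gw.example.invalid/login\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in KNOWN_GOOD_FILES.items()}

# Constructed current file contents on the device: the rule file was edited.
CURRENT_FILES = {
    "/etc/ap/firewall.rules": b"default deny\nallow tcp 443 to gateway\nallow any\n",
    "/etc/ap/captive-portal.conf": b"redirect=https://gw.example.invalid/login\n",
}


@dataclass(frozen=True)
class DriftEvent:
    device: str
    source: str     # "CMS" (configuration audit) or "FIS" (file integrity)
    kind: str       # "changed", "added" or "missing"
    item: str       # setting name or file path
    expected: str
    observed: str


def audit_config(device: str, approved: dict, audited: dict) -> list:
    """CMS-style check: compare audited settings against the approved baseline."""
    events = []
    for key in sorted(approved.keys() | audited.keys()):
        exp, obs = approved.get(key), audited.get(key)
        if exp == obs:
            continue
        if key in approved and key in audited:
            kind = "changed"
        else:
            kind = "added" if key in audited else "missing"
        events.append(DriftEvent(device, "CMS", kind, key, str(exp), str(obs)))
    return events


def verify_files(device: str, manifest: dict, current: dict) -> list:
    """FIS-style check: hash current file contents and compare to the manifest."""
    events = []
    for path in sorted(manifest.keys() | current.keys()):
        expected = manifest.get(path)
        observed = sha256_hex(current[path]) if path in current else None
        if expected == observed:
            continue
        if expected and observed:
            kind = "changed"
        else:
            kind = "added" if observed else "missing"
        events.append(DriftEvent(device, "FIS", kind, path, str(expected), str(observed)))
    return events


def audit_service_records(events: list) -> list:
    """Serialise events as JSON lines for forwarding to the Audit Service (format assumed)."""
    return [json.dumps(asdict(e), sort_keys=True) for e in events]


def run_checks(device: str = "ap-01") -> list:
    """Run both checks for one device and return the combined list of drift events."""
    return audit_config(device, APPROVED_CONFIG, AUDITED_CONFIG) + verify_files(device, MANIFEST, CURRENT_FILES)


if __name__ == "__main__":
    for line in audit_service_records(run_checks()):
        print(line)
```

On the constructed data the run yields four events: two changed settings, one added setting and one modified file. Each event carries the expected and observed values, which is what the incident response step in CM-6-3 needs in order to correct the change and keep a historical record.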
CM-7 Least Functionality |
CM-7-A The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services]. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components are configured to provide only essential capabilities and to prohibit and/or restrict the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services].
|
S |
CM-7 Least Functionality |
CM-7-2 The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage]. |
Implementation Point(s): NA
Description: The business use case does not include any security configuration of the mobile devices.
|
- |
CM-8 Information System Component Inventory |
CM-8-2 The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. |
Implementation Point(s): CMS
Description: The CMS supports the ability to audit component configurations for automated inventory purposes.
|
C |
CM-8 Information System Component Inventory |
CM-8-3 The organization: (a) employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and (b) disables network access by such components/devices or notifies designated organizational officials. |
Implementation Point(s): WIDS Service, wireless access points and sensors.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) monitors at [Assignment: organization-defined frequency] to detect the addition of unauthorized wireless components/devices into the information system, and either disables network access by such components/devices or notifies designated organizational officials.
|
S |
CP-9 Information System Backup |
CP-9-A The organization conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]. |
Implementation Point(s): NA
Description: The business use case does not include the storage or backup of any guest wireless user information.
|
- |
CP-9 Information System Backup |
CP-9-B The organization conducts backups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]. |
Implementation Point(s): Backup and Recovery Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The Backup and Recovery Service accesses the sensors, access points, switches, authentication gateway and guest wireless user perimeter components to back up system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives].
|
S |
CP-9 Information System Backup |
CP-9-C The organization conducts backups of information system documentation including security-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]. |
Implementation Point(s): Backup and Recovery Service and Information Management Service.
Description: The Backup and Recovery Service conducts backups of information system documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; these backups are maintained by the Information Management Service.
|
C |
CP-9 Information System Backup |
CP-9-6 The organization accomplishes information system backup by maintaining a redundant secondary system, not collocated, that can be activated without loss of information or disruption to the operation. |
Implementation Point(s): All
Description: A fully redundant secondary information system is maintained to support continued information system availability in the event of failure of the primary information system.
|
S |
CP-10 Information System Recovery and Reconstitution |
CP-10-2 The information system implements transaction recovery for systems that are transaction-based. |
Implementation Point(s): NA
Description: Guest wireless users do not access any transaction based applications supported by the department.
|
- |
CP-10 Information System Recovery and Reconstitution |
CP-10-5 The organization provides [Selection: real-time; near-real-time] [Assignment: organization-defined failover capability for the information system]. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components are implemented in a manner that supports [Selection: real-time; near-real-time] [Assignment: organization-defined failover capability for the information system].
|
S |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-A The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Account credentials are configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
|
S |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-1 The information system uses multifactor authentication for network access to privileged accounts. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Multifactor authentication is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the network access login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. Guest wireless users are non-privileged.
|
- |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-2 The information system uses multifactor authentication for network access to non-privileged accounts. |
Implementation Point(s): NA
Description: Use of multifactor authentication is not applicable to guest wireless users (who are non-privileged) for local access as they are only assigned temporary user accounts based on password credentials.
|
- |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-3 The information system uses multifactor authentication for local access to privileged accounts. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Multifactor authentication is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the local access login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. Guest wireless users are non-privileged.
|
S |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-4 The information system uses multifactor authentication for local access to non-privileged accounts. |
Implementation Point(s): NA
Description: Use of multifactor authentication is not applicable to guest wireless users (who are non-privileged) for local access as they are only assigned temporary user accounts based on password credentials.
|
- |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-5 The organization: (a) Allows the use of group authenticators only when used in conjunction with an individual/unique authenticator; and (b) Requires individuals to be authenticated with an individual authenticator prior to using a group authenticator. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: If group authenticators are used for wireless component administrator accounts they are only used in conjunction with an individual/unique authenticator; individuals are authenticated with an individual authenticator prior to use of a group authenticator. The login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports this authentication process. Group authenticators are not applicable to guest wireless users as they are only assigned temporary user accounts based on password credentials.
|
S |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-6 The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Multifactor authentication is configured within the Authentication and Authorization Service for wireless component administrators and enforced within the network access login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. One of the factors is provided by a device separate from the information system being accessed. Guest wireless users are non-privileged.
|
- |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-7 The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed. |
Implementation Point(s): NA
Description: Use of multifactor authentication is not applicable to guest wireless users (who are non-privileged) for local access as they are only assigned temporary user accounts based on password credentials.
|
- |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-8 The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The authentication method configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components, uses [Assignment: organization-defined replay-resistant authentication mechanisms]. Guest wireless users are non-privileged.
|
- |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-9 The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to non-privileged accounts. |
Implementation Point(s): NA
Description: Use of multifactor authentication is not applicable to guest wireless users (who are non-privileged) for local access as they are only assigned temporary user accounts based on password credentials.
|
- |
IA-2 Identification and Authentication (Organizational Users) |
IA-2-100 The information system uses multifactor authentication for remote access to privileged accounts. |
Implementation Point(s): NA
Description: Wireless component administrators do not use remote access connections to administer the wireless components.
|
- |
IA-3 Device Identification and Authentication |
NA |
This security control and its technology-related control elements are not applicable to this business use case since it does not require authentication of the guest wireless user mobile devices. |
- |
IA-4 Identifier Management |
IA-4-5 The information system dynamically manages identifiers, attributes, and associated access authorizations. |
Implementation Point(s): NA
Description: The use of dynamic management of identifiers, attributes, and associated access authorizations is not applicable to the business use case.
|
- |
IA-5 Authenticator Management |
IA-5-1 The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created; (c) Encrypts passwords in storage and in transmission; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and (e) Prohibits password reuse for [Assignment: organization-defined number] generations. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Wireless component administrator accounts are configured within the Authentication and Authorization Service to support password-based authentication that (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type]; (b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created; (c) Encrypts passwords in storage and in transmission; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and (e) Prohibits password reuse for [Assignment: organization-defined number] generations. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
|
S |
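IA-5-1 lists five password-handling rules that the Authentication and Authorization Service must enforce for wireless component administrator accounts. The following is an added example of one way to implement rules (a) to (e) in a single password-change routine; it is not the service's own code. The numeric thresholds stand in for the control's [Assignment] parameters and are constructed placeholders, and for (c) the example stores a salted PBKDF2 hash rather than a reversibly encrypted password, which is this example's design choice and not something the document specifies.

```python
"""Password policy enforcement for administrator accounts, modelled on IA-5-1 (a) to (e).

Added illustration, not the Authentication and Authorization Service's own code.
Thresholds are constructed placeholders for the control's [Assignment] parameters.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PasswordPolicy:
    min_length: int = 14           # (a) constructed placeholder values
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    min_changed_chars: int = 4     # (b)
    min_lifetime_days: int = 1     # (d)
    max_lifetime_days: int = 90    # (d)
    history_generations: int = 10  # (e) current password plus 9 predecessors


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    set_on_day: int                # day number on which the password was set


@dataclass
class Account:
    name: str
    current: Optional[StoredCredential] = None
    history: list = field(default_factory=list)   # previous credentials, oldest first


def hash_password(password: str, salt: bytes) -> bytes:
    """(c) Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def verify(password: str, cred: StoredCredential) -> bool:
    return hmac.compare_digest(hash_password(password, cred.salt), cred.digest)


def complexity_violations(pw: str, p: PasswordPolicy) -> list:
    """(a) Return the complexity rules that the candidate password breaks."""
    checks = [
        (len(pw) >= p.min_length, f"at least {p.min_length} characters"),
        (sum(c.isupper() for c in pw) >= p.min_upper, f"at least {p.min_upper} upper-case letter(s)"),
        (sum(c.islower() for c in pw) >= p.min_lower, f"at least {p.min_lower} lower-case letter(s)"),
        (sum(c.isdigit() for c in pw) >= p.min_digits, f"at least {p.min_digits} digit(s)"),
        (sum(c in string.punctuation for c in pw) >= p.min_special,
         f"at least {p.min_special} special character(s)"),
    ]
    return [msg for ok, msg in checks if not ok]


def changed_characters(old: str, new: str) -> int:
    """(b) Count characters of the new password not carried over from the old one
    (multiset difference; the old password is available because the user supplies it)."""
    remaining = list(old)
    changed = 0
    for ch in new:
        if ch in remaining:
            remaining.remove(ch)
        else:
            changed += 1
    return changed


def is_expired(account: Account, today: int, p: PasswordPolicy) -> bool:
    """(d) Maximum-lifetime check, to be run at login time."""
    return account.current is None or today - account.current.set_on_day >= p.max_lifetime_days


def change_password(account: Account, old_pw: Optional[str], new_pw: str, today: int,
                    p: Optional[PasswordPolicy] = None) -> list:
    """Apply the policy; returns the violations found (an empty list means the change was applied)."""
    p = p or PasswordPolicy()
    problems = []
    if account.current is not None:
        if old_pw is None or not verify(old_pw, account.current):
            return ["current password verification failed"]
        if today - account.current.set_on_day < p.min_lifetime_days:     # (d) minimum lifetime
            problems.append(f"password was changed less than {p.min_lifetime_days} day(s) ago")
        if changed_characters(old_pw, new_pw) < p.min_changed_chars:      # (b)
            problems.append(f"fewer than {p.min_changed_chars} characters changed")
    problems += complexity_violations(new_pw, p)                           # (a)
    # (e) Neither the current password nor the most recent generations may be reused.
    recent = ([account.current] if account.current else []) + (
        account.history[-(p.history_generations - 1):] if p.history_generations > 1 else [])
    if any(verify(new_pw, cred) for cred in recent):
        problems.append(f"password reused within the last {p.history_generations} generations")
    if problems:
        return problems
    if account.current is not None:
        account.history.append(account.current)
    salt = os.urandom(16)
    account.current = StoredCredential(salt, hash_password(new_pw, salt), today)
    return []


if __name__ == "__main__":
    acct = Account("wlan-admin")
    print(change_password(acct, None, "Correct-Horse-Battery-7", today=0))
    print(change_password(acct, "Correct-Horse-Battery-7", "password", today=5))
    print(change_password(acct, "Correct-Horse-Battery-7", "Staple-Gun-Overdrive-42!", today=5))
    print(is_expired(acct, today=95, p=PasswordPolicy()))
```

The routine returns every violation at once rather than the first one found, so the administrator sees the full set of rules the candidate breaks. Reuse is detected by re-hashing the candidate with each stored salt, which keeps rule (e) compatible with rule (c): no historical password needs to be held in clear.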
IA-5 Authenticator Management |
IA-5-2 The information system, for PKI-based authentication: (a) Validates certificates by constructing a certification path with status information to an accepted trust anchor; (b) Enforces authorized access to the corresponding private key; and (c) Maps the authenticated identity to the user account. |
Implementation Point(s): Authentication and Authorization Service, PKI Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: PKI-based authentication is configured within the Authentication and Authorization Service for wireless component administrators and supported by the PKI Service to (a) validate certificates by constructing a certification path with status information to an accepted trust anchor; (b) enforce authorized access to the corresponding private key; and (c) map the authenticated identity to the user account. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
|
S |
IA-6 Authenticator Feedback |
IA-6-A The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authentication enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components obscures feedback of authentication information during the authentication process. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
|
S |
IA-7 Cryptographic Module Authentication |
IA-7-A The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable CSEC guidance for such authentication. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authentication methods are configured within the Authentication and Authorization Service for wireless component administrators and enforced within the login functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. The authentication methods meet the requirements of applicable CSEC guidance for authentication to a cryptographic module. This security control requirement is not applicable to guest wireless users since their accounts require less security than those of the wireless component administrators.
|
S |
IA-8 Identification and Authentication (Non-organizational Users) |
IA-8-A The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users). |
Implementation Point(s): Authentication gateway
Description: Guest wireless users must successfully authenticate to the authentication gateway using temporary account credentials before their mobile devices are provided network connectivity to the SCNet/Internet.
|
S |
MA-4 Non-Local Maintenance |
NA |
This security control and its technology-related control elements are not applicable to this business use case which does not include support for non-local maintenance and diagnostic activities. |
- |
SC-2 Application Partitioning |
SC-2-A The information system separates user functionality (including user interface services) from information system management functionality. |
Implementation Point(s): Network Service
Description: The departmental network includes a management sub-zone implemented by the Network Service to separate user services from management services.
|
C |
SC-2 Application Partitioning |
SC-2-1 The information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users. |
Implementation Point(s): Access points, authentication gateway and guest wireless user perimeter components.
Description: The access points, authentication gateway and guest wireless user perimeter components each prevent the presentation of information system management-related functionality at any interface accessed by guest wireless users.
|
S |
SC-3 Security Function Isolation |
SC-3-A The information system isolates security functions from non-security functions. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Sensors, access points, switches, authentication gateway and guest wireless user perimeter components each isolate security functions from non-security functions.
|
S |
SC-3 Security Function Isolation |
SC-3-1 The information system implements underlying hardware separation mechanisms to facilitate security function isolation. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Sensors, access points, switches, authentication gateway and guest wireless user perimeter components each employ underlying hardware separation mechanisms to facilitate security function isolation.
|
S |
SC-3 Security Function Isolation |
SC-3-2 The information system isolates security functions enforcing access and information flow control from both non-security functions and from other security functions. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components each isolate security functions enforcing access and information flow control from both non-security functions and from other security functions.
|
S |
SC-3 Security Function Isolation |
SC-3-3 The organization implements an information system isolation boundary to minimize the number of non-security functions included within the boundary containing security functions. |
Implementation Point(s): Network Service and guest wireless user perimeter
Description: The guest wireless user mobile devices are restricted to the guest wireless user zone established by the Network Service and the guest wireless user perimeter. The guest wireless user zone isolates guest wireless users from security functions contained within the departmental network.
|
S |
SC-3 Security Function Isolation |
SC-3-4 The organization implements security functions as largely independent modules that avoid unnecessary interactions between modules. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Sensors, access points, switches, authentication gateway and guest wireless user perimeter components each implement security functions as largely independent modules that avoid unnecessary interactions between modules.
|
S |
SC-3 Security Function Isolation |
SC-3-5 The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Sensors, access points, switches, authentication gateway and guest wireless user perimeter components each implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
|
S |
SC-4 Information in Shared Resources |
NA |
This security control and its technology-related control elements are not applicable to this business use case since it does not involve the use of shared system resources.
- |
SC-5 Denial of Service Protection |
SC-5-A The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list]. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) monitor for [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list] denial of service attacks within the guest wireless user zone while the IDS Service monitors for [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list] denial of service attacks within the rest of the departmental network.
|
S |
SC-5 Denial of Service Protection |
SC-5-1 The information system restricts the ability of users to launch denial of service attacks against other information systems or networks. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) monitor for denial of service attacks launched from the guest wireless user zone while the IDS Service monitors for denial of service attacks launched from the rest of the departmental network.
|
S |
SC-5 Denial of Service Protection |
SC-5-2 The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks. |
Implementation Point(s): Network Service
Description: The Network Service’s routers support the assignment of traffic volume thresholds for network traffic types to limit the effects of information flooding types of denial of service attacks.
|
C |
SC-6 Resource Priority |
SC-6-A The information system limits the use of resources by priority. |
Implementation Point(s): Network Service
Description: The Network Service’s routers support the assignment of traffic volume thresholds for network traffic types to limit use of resources by priority through traffic types.
|
C |
SC-7 Boundary Protection |
SC-7-A The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. |
Implementation Point(s): Network Service and guest wireless user perimeter.
Description: The perimeters used to implement departmental network zones (including the guest wireless user perimeter) monitor and control communications at the external boundary of the information system and at key internal boundaries within the system.
|
S |
SC-7 Boundary Protection |
SC-7-B The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter mediates access between the public networks and the guest wireless user zone.
|
S |
SC-7 Boundary Protection |
SC-7-1 The organization physically allocates publicly accessible information system components to separate sub-networks with separate physical network interfaces. |
Implementation Point(s): Network Service
Description: Publicly accessible information system components are located in the Public Access Zone implemented by the Network Service.
|
C |
SC-7 Boundary Protection |
SC-7-2 The information system prevents public access into the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices. |
Implementation Point(s): Network Service and guest wireless user perimeter.
Description: The perimeters used to implement departmental network zones (including the guest wireless user perimeter) monitor and control communications at the external boundary of the information system and at key internal boundaries within the system. These perimeters prevent public access into the department’s internal networks.
|
S |
SC-7 Boundary Protection |
SC-7-3 The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. |
Implementation Point(s): Guest wireless user perimeter
Description: Access points for guest wireless users are limited to the guest wireless user zone.
|
S |
SC-7 Boundary Protection |
SC-7-4 The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]; and (f) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need. |
Implementation Point(s): Guest wireless user perimeter
Description: This security control requirement does not apply to guest wireless users who do not access any information within the departmental network.
|
S |
SC-7 Boundary Protection |
SC-7-5 The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception). |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter denies network traffic by default and allows network traffic by exception.
|
S |
SC-7 Boundary Protection |
SC-7-6 The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms. |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter fails secure (i.e., denies all communications) to prevent the unauthorized release of information.
|
S |
SC-7 Boundary Protection |
SC-7-7 The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks. |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet.
|
S |
SC-7 Boundary Protection |
SC-7-8 The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices. |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet. Guest wireless user communications are not internal to the departmental network.
|
S |
SC-7 Boundary Protection |
SC-7-9 The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems. |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls the mobile device communications such that they can only access the SCNet/Internet.
|
S |
SC-7 Boundary Protection |
SC-7-10 The organization prevents the unauthorized exfiltration of information across managed interfaces. |
Implementation Point(s): NA
Description: This security control requirement does not apply to guest wireless users who do not access any information within the departmental network.
|
- |
SC-7 Boundary Protection |
SC-7-11 The information system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination. |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter controls communications in and out of the guest wireless user zone based on TCP/IP ports, source IP addresses and destination IP addresses.
|
S |
SC-7 Boundary Protection |
SC-7-12 The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Host-based boundary protection mechanisms are implemented on the sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
|
S |
SC-7 Boundary Protection |
SC-7-13 The organization isolates [Assignment: organization-defined key information security tools, mechanisms, and support components] from other internal information system components via physically separate subnets with managed interfaces to other portions of the system. |
Implementation Point(s): Network Service and guest wireless user perimeter.
Description: The perimeters used to implement departmental network zones (including the guest wireless user perimeter) isolate [Assignment: organization-defined key information security tools, mechanisms, and support components] from other internal information system components.
|
S |
SC-7 Boundary Protection |
SC-7-15 The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components each support a separate management network interface that connects to the management sub-zone. The management network interfaces are used for internal administrator access to the components and support administrative access control and auditing.
|
S |
SC-7 Boundary Protection |
SC-7-16 The information system prevents discovery of specific system components (or devices) composing a managed interface. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components each support a separate management network interface that connects to the management sub-zone. These management network interfaces do not respond to unauthorized network discovery tools or techniques.
|
S |
SC-7 Boundary Protection |
SC-7-17 The organization employs automated mechanisms to enforce strict adherence to protocol format. |
Implementation Point(s): Network Service
Description: The Network Service implements zones and sub-zones used to segregate components within the departmental network based on their security policies. The perimeter components that separate zones and sub-zones enforce strict adherence to protocol format and deny communications that don’t comply.
|
C |
SC-7 Boundary Protection |
SC-7-18 The information system fails securely in the event of an operational failure of a boundary protection device. |
Implementation Point(s): Network Service and guest wireless user perimeter.
Description: The Network Service and guest wireless user perimeter implement zones and sub-zones used to segregate components within the departmental network based on their security policies. The perimeter components that separate zones and sub-zones fail in a secure manner by denying all communication in their failed state.
|
C |
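The SC-7 rows above describe the guest wireless user perimeter as a deny-all, permit-by-exception filter (SC-7-5) that matches on protocol, ports and source/destination addresses (SC-7-11) and denies everything when the boundary device itself fails (SC-7-6, SC-7-18). The following is an added example, not code from the guidance document or from any perimeter product, that models those three behaviours in one small policy evaluator. The zone prefixes, the policy text, the public DNS address and the sample packets are constructed for the example.

```python
"""Added example (not from the guidance document or any product): a minimal
model of the guest wireless user perimeter's filtering behaviour. Deny is the
default, permits are explicit exceptions matched on protocol, source and
destination address and destination port, and a policy that fails to load
leaves the perimeter denying everything (fail-secure). All prefixes, rules
and packets below are constructed sample data."""

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing: the guest wireless user zone and the departmental
# internal zones. Anything outside these is treated as the public network.
GUEST_ZONE = ip_network("192.0.2.0/24")
INTERNAL_ZONES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


class Perimeter:
    """First-match rule set with an implicit final deny (SC-7-5)."""

    def __init__(self, rules: List[Rule], failed: bool = False):
        self.rules = rules
        self.failed = failed   # True models a boundary device in a failed state

    @classmethod
    def from_policy(cls, text: str) -> "Perimeter":
        """Parse 'action proto src dst [dport]' lines (a constructed format).
        Any parse error puts the perimeter into the failed state, and a failed
        perimeter denies all traffic (SC-7-6, SC-7-18)."""
        rules: List[Rule] = []
        try:
            for raw in text.splitlines():
                line = raw.split("#", 1)[0].strip()
                if not line:
                    continue
                parts = line.split()
                if len(parts) not in (4, 5):
                    raise ValueError(f"malformed rule: {line!r}")
                action, proto, src, dst = parts[:4]
                if action not in ("permit", "deny") or proto not in ("tcp", "udp", "any"):
                    raise ValueError(f"bad action or protocol: {line!r}")
                dport = int(parts[4]) if len(parts) == 5 else None
                rules.append(Rule(action, proto, ip_network(src), ip_network(dst), dport))
        except ValueError:
            return cls([], failed=True)
        return cls(rules)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); the reason is what an audit record would carry."""
        if self.failed:
            return ("deny", "fail-secure: policy unavailable")
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for r in self.rules:
            if (r.proto in ("any", pkt.proto) and src in r.src and dst in r.dst
                    and (r.dport is None or r.dport == pkt.dport)):
                return (r.action, f"rule: {r.action} {r.proto} {r.src} {r.dst} {r.dport or 'any'}")
        return ("deny", "implicit deny (no matching exception)")


# Constructed guest perimeter policy: guests may reach public web servers and
# the public DNS server handed out by DHCP. The internal zones are denied
# before the broad permits so the public-network exception cannot reach them.
GUEST_POLICY = """
deny   any 192.0.2.0/24 10.0.0.0/8
deny   any 192.0.2.0/24 172.16.0.0/12
permit udp 192.0.2.0/24 203.0.113.53/32 53
permit tcp 192.0.2.0/24 0.0.0.0/0 80
permit tcp 192.0.2.0/24 0.0.0.0/0 443
"""

# Constructed traffic samples covering the cases a perimeter review checks.
SAMPLE_PACKETS = [
    Packet("tcp", "192.0.2.10", "198.51.100.7", 443),  # guest -> public HTTPS
    Packet("tcp", "192.0.2.10", "10.20.30.40", 443),   # guest -> internal web
    Packet("udp", "192.0.2.11", "203.0.113.53", 53),   # guest -> public DNS
    Packet("tcp", "192.0.2.11", "198.51.100.7", 22),   # guest -> public SSH
    Packet("tcp", "198.51.100.7", "192.0.2.10", 443),  # inbound to a guest
]


def evaluate(policy: str, packets: List[Packet]) -> List[str]:
    """Load a policy and return the verdict for each packet, in order."""
    perimeter = Perimeter.from_policy(policy)
    return [perimeter.decide(p)[0] for p in packets]


if __name__ == "__main__":
    perimeter = Perimeter.from_policy(GUEST_POLICY)
    for p in SAMPLE_PACKETS:
        print(p.proto, p.src, "->", p.dst, p.dport, *perimeter.decide(p))
    broken = Perimeter.from_policy("permit tcp 192.0.2.0/24 not-a-network 443")
    print("broken policy:", *broken.decide(SAMPLE_PACKETS[0]))
```

Two design points carry over to a real perimeter: the explicit denies for the internal zones sit ahead of the `0.0.0.0/0` permits because first-match evaluation would otherwise let the public-network exception reach the departmental network, and a policy that cannot be parsed leaves no rules in place rather than a partial set, so the device's failed state is deny-all rather than whatever subset loaded before the error.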
SC-8 Transmission Integrity |
NA |
This security control and its technology-related control elements are not applicable to this business use case since the department is not responsible for the security of guest wireless user communications. |
- |
SC-9 Transmission Confidentiality |
NA |
This security control and its technology-related control elements are not applicable to this business use case since the department is not responsible for the security of guest wireless user communications. |
- |
SC-10 Network Disconnect |
SC-10-A The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. |
Implementation Point(s): Guest wireless user perimeter
Description: The guest wireless user perimeter is configured to terminate network connections at the end of a session or after [Assignment: organization-defined time period] of inactivity.
|
S |
SC-11 Trusted Path |
SC-11-A The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]. |
Implementation Point(s): Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Wireless component administrators access the sensors, access points, switches, authentication gateway and guest wireless user perimeter components using their administrator workstations located within the management sub-zone implemented by the Network Service. The information flow policies enforced within the restricted zone and operations zone ensure that performance of [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication] can only be performed from internal administrator workstations located in the management sub-zone. The path between the internal administrators and the wireless components is therefore trusted.
|
S |
SC-12 Cryptographic Key Establishment and Management |
SC-12-A The organization establishes and manages cryptographic keys for required cryptography employed within the information system. |
Implementation Point(s): PKI Service
Description: The PKI Service establishes and manages cryptographic keys for required cryptography employed within the information system.
|
C |
SC-12 Cryptographic Key Establishment and Management |
SC-12-2 The organization produces, controls, and distributes symmetric cryptographic keys using CSEC-approved key management technology and processes. |
Implementation Point(s): PKI Service
Description: The PKI Service produces, controls, and distributes symmetric cryptographic keys using CSEC-approved key management technology and processes.
|
C |
SC-12 Cryptographic Key Establishment and Management |
SC-12-3 The organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using CSEC-approved key management technology and processes. |
Implementation Point(s): PKI Service
Description: The PKI Service produces, controls, and distributes symmetric and asymmetric cryptographic keys using CSEC-approved key management technology and processes.
|
C |
SC-12 Cryptographic Key Establishment and Management |
SC-12-4 The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material. |
Implementation Point(s): PKI Service
Description: The PKI Service produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
|
C |
SC-12 Cryptographic Key Establishment and Management |
SC-12-5 The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key. |
Implementation Point(s): PKI Service
Description: The PKI Service produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.
|
C |
SC-13 Use of Cryptography |
NA |
This security control is not applicable to the business use case as the department is not responsible for securing the information transmitted by guest wireless users. |
- |
SC-14 Public Access Protections |
NA |
This security control is not applicable to the business use case which does not involve the protection of integrity and availability of publicly available information and applications. |
- |
SC-16 Transmission of Security Attributes |
NA |
This security control and its technology-related control elements are not applicable to this business use case. The exchange of information and its associated security attributes between separate information systems (i.e., the departmental network and some other information system) is not supported by the business use case. |
- |
SC-18 Mobile Code |
NA |
This security control and its technology-related control elements are not applicable to this business use case since the department is not responsible for the security of guest wireless user communications or the information they process or store. |
- |
SC-20 Secure Name/Address Resolution Service (Authoritative Source) |
NA |
This security control and its technology-related control elements are not applicable to this business use case since the department does not provide DNS Services for the guest wireless users. Instead the mobile devices are configured through DHCP by the Network Service with IP addresses for public primary and secondary DNS servers. |
- |
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) |
NA |
This security control and its technology-related control elements are not applicable to this business use case since the department does not provide DNS Services for the guest wireless users. Instead the mobile devices are configured through DHCP by the Network Service with IP addresses for public primary and secondary DNS servers. |
- |
SC-22 Architecture and Provisioning for Name/ Address Resolution Service |
NA |
This security control and its technology-related control elements are not applicable to this business use case since the department does not provide DNS Services for the guest wireless users. Instead the mobile devices are configured through DHCP by the Network Service with IP addresses for public primary and secondary DNS servers. |
- |
SC-23 Session Authenticity |
NA |
This security control and its technology-related control elements are not applicable to this business use case since the department is not responsible for the security of guest wireless user communications. |
- |
SC-24 Fail in Known State |
SC-24-A The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure. |
Implementation Point(s): Sensors, access points, wireless switch and guest wireless user perimeter.
Description: The sensors, access points, wireless switch and guest wireless user perimeter fail to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
|
S |
SC-25 Thin Nodes |
NA |
This security control and its technology-related control elements are not applicable since the use of thin nodes is not supported by the business use case. |
- |
SC-26 Honeypots |
NA |
This security control and its technology-related control elements are not applicable since the use of honeypots is not supported by the business use case. |
- |
SC-27 Operating System-Independent Applications |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the guest wireless users do not access any departmental applications. |
- |
SC-28 Protection of Information at Rest |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the department is not responsible for the security of guest wireless user information at rest. |
- |
SC-29 Heterogeneity |
SC-29-A The organization employs diverse information technologies in the implementation of the information system. |
Implementation Point(s): Sensors, access points, wireless switch and guest wireless user perimeter.
Description: The sensors, access points, wireless switch and guest wireless user perimeter are implemented using diverse information technologies. This may not be possible if the wireless components are selected from a single vendor to facilitate successful integration with each other.
|
S |
SC-30 Virtualization Techniques |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the guest wireless users do not access any departmental services that need to be protected using virtualization techniques. |
- |
SC-32 Information System Partitioning |
SC-32-A The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary. |
Implementation Point(s): Network Service
Description: The Network Service and guest wireless user perimeter implement zones and sub-zones used to segregate components within the departmental network based on their security policies.
|
C |
SC-33 Transmission Preparation Integrity |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the department is not responsible for the security of guest wireless user communications. |
- |
SC-34 Non-Modifiable Executable Programs |
SC-34-A The information system at [Assignment: organization-defined information system components] loads and executes the operating environment from hardware-enforced, read-only media. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components identified in [Assignment: organization-defined information system components] load and execute their operating environment from hardware-enforced, read-only media.
|
S |
SC-34 Non-Modifiable Executable Programs |
SC-34-B The information system at [Assignment: organization-defined information system components] loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components identified in [Assignment: organization-defined information system components] load and execute [Assignment: organization-defined applications] from hardware-enforced, read-only media.
|
S |
SC-34 Non-Modifiable Executable Programs |
SC-34-1 The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components identified in [Assignment: organization-defined information system components] are configured with no writeable storage that is persistent across component restart or power on/off.
|
S |
SC-100 Source Authentication |
NA |
This security control and its technology-related control elements are not applicable to the business use case as the department is not responsible for securing the information transmitted, processed or stored by guest wireless users including source authentication of messages. |
- |
SC-101 Unclassified Telecommunications Systems in Secure Facilities |
NA |
This security control and its technology-related control elements are not applicable since the use of telecommunication systems is not supported by the business use case. |
- |
SI-2 Flaw Remediation |
SI-2-1 The organization centrally manages the flaw remediation process and installs software updates automatically. |
Implementation Point(s): Remediation Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The Remediation Service automates the collection, analysis, and provisioning of software patches to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components that are compatible with the Remediation Service.
|
S |
SI-2 Flaw Remediation |
SI-2-2 The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. |
Implementation Point(s): Remediation Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The Remediation Service automates the collection, analysis, and provisioning of software patches to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components that are compatible with the Remediation Service.
|
S |
SI-2 Flaw Remediation |
SI-2-4 The organization employs automated patch management tools to facilitate flaw remediation to [Assignment: organization-defined information system components]. |
Implementation Point(s): Remediation Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The Remediation Service automates the collection, analysis, and provisioning of software patches to the sensors, access points, switches, authentication gateway and guest wireless user perimeter components that are compatible with the Remediation Service.
|
S |
SI-3 Malicious Code Protection |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the department is not responsible for the security of guest wireless user information. |
- |
SI-4 Information System Monitoring |
SI-4-A The organization monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) monitors events in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks.
|
S |
SI-4 Information System Monitoring |
SI-4-C The organization deploys monitoring devices: (a) strategically within the information system to collect organization-determined essential information; and (b) at ad hoc locations within the system to track specific types of transactions of interest to the organization. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) provides a monitoring capability within the guest wireless user zone, while the IDS Service provides a monitoring capability within the rest of the departmental network.
|
S |
SI-4 Information System Monitoring |
SI-4-1 The organization interconnects and configures individual intrusion detection tools into a system wide intrusion detection system using common protocols. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) integrates with the IDS Service to provide a system wide intrusion detection system.
|
S |
SI-4 Information System Monitoring |
SI-4-2 The organization employs automated tools to support near real-time analysis of events. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) supports near-real-time analysis of events within the guest wireless user zone, while the IDS Service supports near-real-time analysis of events within the rest of the departmental network.
|
S |
SI-4 Information System Monitoring |
SI-4-3 The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination. |
Implementation Point(s): WIDS Service, sensors, access points, and guest wireless user perimeter.
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) integrates with the guest wireless user perimeter to control information flow in order to support attack isolation and elimination.
|
S |
SI-4 Information System Monitoring |
SI-4-4 The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions. |
Implementation Point(s): WIDS Service, sensors, access points, and guest wireless user perimeter.
Description: The WIDS Service including its sensors (overlay mode WIDS) or access points (integrated mode WIDS) and the guest wireless user perimeter monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
|
S |
SI-4 Information System Monitoring |
SI-4-5 The information system provides near real-time alerts when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators]. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service
Description: The WIDS Service together with its sensors (overlay mode WIDS) or access points (integrated mode WIDS) detects events within the guest wireless user zone and provides a real-time alert when the following indications of compromise or potential compromise occur: [Assignment: organization-defined list of compromise indicators].
|
S |
SI-4 Information System Monitoring |
SI-4-6 The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities. |
Implementation Point(s): NA
Description: Guest wireless users do not have access to the departmental network and therefore cannot circumvent intrusion detection and prevention capabilities.
|
- |
SI-4 Information System Monitoring |
SI-4-7 The information system notifies [Assignment: organization-defined list of incident response personnel (identified by name and/or by role)] of suspicious events and takes [Assignment: organization-defined list of least-disruptive actions to terminate suspicious events]. |
Implementation Point(s): WIDS Service, wireless access points and sensors, IDS Service and Audit Service.
Description: The WIDS Service (including the sensors (overlay mode WIDS) or access points (integrated mode WIDS)), IDS Service and Audit Service notify [Assignment: organization-defined list of incident response personnel (identified by name and/or by role)] of suspicious events and take [Assignment: department-defined list of least-disruptive actions to terminate suspicious events].
|
S |
SI-4 Information System Monitoring |
SI-4-8 The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. |
Implementation Point(s): Authentication and Authorization Service, WIDS Service, and IDS Service.
Description: Authorizations are assigned within the Authentication and Authorization Service for wireless component administrators and enforced within the access control functionality of the WIDS and IDS Services. These authorizations ensure that information obtained from intrusion monitoring tools is protected against unauthorized access, modification, and deletion.
|
S |
SI-4 Information System Monitoring |
SI-4-10 The organization makes provisions so that encrypted traffic is visible to information system monitoring tools. |
Implementation Point(s): NA
Description: The department does not have control over the guest wireless user communications to enforce encrypted traffic to be visible to the WIDS Service.
|
- |
SI-4 Information System Monitoring |
SI-4-11 The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter) and, as deemed necessary, at selected interior points within the system (e.g., subnets, subsystems) to discover anomalies. |
Implementation Point(s): WIDS Service, sensors, access points, and guest wireless user perimeter.
Description: The WIDS Service including its sensors (overlay mode WIDS) or access points (integrated mode WIDS) and the guest wireless user perimeter monitor inbound and outbound communications for unusual or unauthorized activities or conditions.
|
S |
SI-4 Information System Monitoring |
SI-4-12 The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that trigger alerts]. |
Implementation Point(s): WIDS Service, sensors, access points, IDS Service and Audit Service.
Description: The WIDS Service including its sensors (overlay mode WIDS) or access points (integrated mode WIDS), IDS Service and Audit Service alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined list of inappropriate or unusual activities that trigger alerts].
|
S |
SI-4 Information System Monitoring |
SI-4-13 The organization: (a) Analyzes communications traffic/event patterns for the information system; (b) Develops profiles representing common traffic patterns and/or events; and (c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives to [Assignment: organization-defined measure of false positives] and the number of false negatives to [Assignment: organization-defined measure of false negatives]. |
Implementation Point(s): WIDS Service, sensors, access points and IDS Service.
Description: The WIDS Service including its sensors (overlay mode WIDS) or access points (integrated mode WIDS) and the IDS Service: (a) analyze communications traffic/event patterns for the information system; (b) develop profiles representing common traffic patterns and/or events; and (c) use the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives to [Assignment: organization-defined measure of false positives] and the number of false negatives to [Assignment: organization-defined measure of false negatives].
|
S |
SI-4 Information System Monitoring |
SI-4-14 The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system. |
Implementation Point(s): WIDS Service, sensors and access points.
Description: The WIDS Service including its sensors (overlay mode WIDS) or access points (integrated mode WIDS) identifies rogue wireless devices and detects attack attempts and potential compromises/breaches to the information system.
|
S |
SI-4 Information System Monitoring |
SI-4-15 The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks. |
Implementation Point(s): WIDS Service, wireless access points and sensors, IDS Service.
Description: The WIDS Service (including the sensors (overlay mode WIDS) or access points (integrated mode WIDS)) and IDS Service monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
|
S |
SI-6 Security Functionality Verification |
SI-6-A The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components verify the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period] and [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
|
S |
SI-6 Security Functionality Verification |
SI-6-1 The information system provides notification of failed automated security tests. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components employ automated mechanisms to provide notification of failed automated security tests.
|
S |
SI-6 Security Functionality Verification |
SI-6-2 The information system provides automated support for the management of distributed security testing. |
Implementation Point(s): Sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The sensors, access points, switches, authentication gateway and guest wireless user perimeter components verify the correct operation of their critical security functions and report the results of these tests in audit records sent to the Audit Service.
|
S |
SI-7 Software and Information Integrity |
SI-7-A The information system detects unauthorized changes to software and information. |
Implementation Point(s): CMS, FIS, Authentication and Authorization Service, Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Authorizations for access to software, information and functionality are configured within the Authentication and Authorization Service and enforced within the access control functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components. Any unauthorized actions are reported by the audit capability of the components to the Audit Service. The CMS supports the ability to periodically audit component software and information configurations and to compare these audited configurations against approved configurations in order to detect any unauthorized changes. The FIS supports the functionality to detect unauthorized modifications to files on components that support the installation of a FIS agent. The CMS and FIS can report any detected unauthorized changes to the appropriate individual either directly (e.g., email notification) or indirectly by sending reports to the Audit Service.
|
S |
SI-7 Software and Information Integrity |
SI-7-2 The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification. |
Implementation Point(s): CMS and FIS.
Description: The CMS and FIS can report any detected unauthorized changes to the appropriate individual either directly (e.g., email notification) or indirectly by sending reports to the Audit Service.
|
C |
SI-7 Software and Information Integrity |
SI-7-3 The organization employs centrally managed integrity verification tools. |
Implementation Point(s): CMS, FIS and Audit Service.
Description: The CMS supports the ability to periodically audit component software and information configurations and to compare these audited configurations against approved configurations in order to detect any unauthorized changes. The FIS supports the functionality to detect unauthorized modifications to files on components that support the installation of a FIS agent. The CMS and FIS can report any detected unauthorized changes to the appropriate individual either directly (e.g., email notification) or indirectly by sending reports to the Audit Service.
|
C |
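The integrity-verification behaviour described for SI-7-A, SI-7-2 and SI-7-3 (an approved baseline, periodic comparison, and notification of discrepancies), as an added example that is not code from any CMS or FIS product named on the page. It hashes a file tree with SHA-256, keeps the approved baseline under an HMAC so that an attacker who alters the baseline to hide a change is detected as well, and produces the notification text a designated individual or the Audit Service would receive. The directory contents, the key and the host name are constructed; demo() builds its own temporary tree so the block runs offline.

```python
"""Baseline-based file integrity verification with discrepancy notification.

Added example, not the page's CMS/FIS product code. Assumes a SHA-256
baseline of approved file contents protected by an HMAC (so a tampered
baseline is itself detected) and that format_alert() stands in for the
email / Audit Service notification path.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()


def build_baseline(root: Path, key: bytes) -> dict:
    """Snapshot of approved content: relative path -> SHA-256, plus an HMAC over it."""
    files = {p.relative_to(root).as_posix(): hash_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": _mac(files, key)}


def verify(root: Path, baseline: dict, key: bytes) -> dict:
    """Compare current content with the baseline. The baseline's HMAC is checked
    first: a baseline that fails it cannot be trusted to say anything."""
    if not hmac.compare_digest(_mac(baseline["files"], key), baseline["mac"]):
        return {"baseline_tampered": True, "modified": [], "added": [], "missing": []}
    approved = baseline["files"]
    current = {p.relative_to(root).as_posix(): hash_file(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        "baseline_tampered": False,
        "modified": sorted(f for f in approved if f in current and current[f] != approved[f]),
        "added": sorted(f for f in current if f not in approved),
        "missing": sorted(f for f in approved if f not in current),
    }


def format_alert(host: str, result: dict):
    """Notification text for the designated individual, or None if nothing changed."""
    if result["baseline_tampered"]:
        return f"[{host}] integrity baseline failed HMAC check; treat all files as unverified"
    lines = [f"[{host}] {kind}: {path}"
             for kind in ("modified", "added", "missing") for path in result[kind]]
    return "\n".join(lines) if lines else None


def demo():
    """Constructed component file tree with one modified, one added and one
    deleted file, then a second run against a baseline the attacker edited."""
    key = b"constructed-demo-key-not-for-production"  # assumption: held by the central CMS/FIS
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "radius.conf").write_text("server 10.0.0.5\n")
        (root / "bin" / "hostapd").write_bytes(b"\x7fELF constructed stub")
        baseline = build_baseline(root, key)
        # Simulated unauthorized changes on the component
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\n")
        (root / "etc" / "radius.conf").unlink()
        result = verify(root, baseline, key)
        # Attacker tries to legitimise the new file by editing the baseline
        baseline["files"]["bin/backdoor"] = "0" * 64
        tampered = verify(root, baseline, key)
    return result, tampered


if __name__ == "__main__":
    r, t = demo()
    print(format_alert("ap-01", r))
    print(format_alert("ap-01", t))
```

Two points carry over to a real deployment: the baseline and its key must live on the central CMS/FIS, never on the monitored component, and the "added" class matters as much as "modified", since a dropped binary in a PATH directory is the usual shape of a compromise on an access point or gateway.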
SI-8 SPAM Protection |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the guest wireless users do not access any departmental email services. |
- |
SI-9 Information Input Restrictions |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the guest wireless users do not access any departmental network information services. |
- |
SI-10 Information Input Validation |
NA |
This security control and its technology-related control elements are not applicable to the business use case since the guest wireless users do not access any departmental network information services. |
- |
SI-11 Error Handling |
SI-11-A The information system identifies potentially security-relevant error conditions. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the reporting of potentially security-relevant error conditions to the Audit Service.
|
S |
SI-11 Error Handling |
SI-11-B The information system generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries. |
Implementation Point(s): Audit Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: The auditing functionality of the sensors, access points, switches, authentication gateway and guest wireless user perimeter components supports the ability to configure the type of error messages (i.e., audit records) reported to the Audit Service to provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries.
|
S |
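What SI-11-B looks like at the point where a component builds the audit record it sends to the Audit Service, as an added example rather than the firmware or product code of any component on the page. Credential values (RADIUS shared secrets, PSKs, API tokens, Authorization headers, PEM private keys) are redacted, while the error code, peer address, user name and file path that an operator needs for corrective action are kept. The field names, message formats and sample messages are constructed assumptions.

```python
"""Redacting sensitive values from component error messages before they are
emitted as audit records.

Added example, not code from any product named on the page. The sensitive
field list, the message formats and the sample messages are constructed.
"""
import re

# Field names whose values must never reach an error log (constructed list)
_SENSITIVE_FIELDS = r"psk|passphrase|password|pass|secret|shared[-_ ]?secret|api[-_ ]?key|token"

_RULES = [
    # key=value or key: value pairs naming a credential
    (re.compile(rf"\b({_SENSITIVE_FIELDS})(\s*[=:]\s*)\S+", re.IGNORECASE), r"\1\2[REDACTED]"),
    # HTTP Authorization header values (Bearer / Basic)
    (re.compile(r"\b(authorization\s*:\s*(?:bearer|basic)\s+)\S+", re.IGNORECASE), r"\1[REDACTED]"),
    # PEM-encoded private key material, possibly spanning several lines
    (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.DOTALL),
     "[REDACTED PRIVATE KEY]"),
]


def sanitize(message: str) -> str:
    """Apply every redaction rule; the corrective context around the secret survives."""
    for pattern, repl in _RULES:
        message = pattern.sub(repl, message)
    return message


def audit_record(component: str, severity: str, code: str, message: str) -> dict:
    """The record a component would send to the Audit Service: the error code and
    corrective context survive, credential values do not."""
    return {"component": component, "severity": severity, "code": code, "message": sanitize(message)}


# Constructed sample error messages a gateway or access point might produce
SAMPLE_MESSAGES = [
    "RADIUS Access-Reject from 10.1.2.3 for user=guest42: shared_secret=S3cr3t! reason=bad-authenticator",
    "captive portal backend returned 500; request headers: Authorization: Bearer eyJhbGciOi.abc.def",
    "TLS config reload failed: -----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY----- "
    "(permission denied on /etc/portal/tls)",
    "WPA2 association failed ssid=GUEST psk: hunter2 client=aa:bb:cc:dd:ee:ff",
]


def sanitize_all(messages=SAMPLE_MESSAGES):
    return [sanitize(m) for m in messages]


if __name__ == "__main__":
    for m in sanitize_all():
        print(m)
```

The rule order matters only for overlapping matches; what matters more is that redaction runs inside the component before the record leaves it, since once a secret reaches the Audit Service it is in every backup and every downstream SIEM. Pattern lists like this one need review whenever a new credential type is introduced (a new portal API key, a new EAP method), so keep the list in configuration rather than hard-coded in a deployed system.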
SI-11 Error Handling |
SI-11-C The information system reveals error messages only to authorized personnel. |
Implementation Point(s): Audit Service, Authentication and Authorization Service, sensors, access points, switches, authentication gateway and guest wireless user perimeter components.
Description: Access authorizations for authorized personnel to audit information and tools within the Audit Service (including error messages) are configured within the Authentication and Authorization Service and enforced by the Audit Service. Access authorizations for authorized personnel to audit information within the sensors, access points, switches, authentication gateway and guest wireless user perimeter components are configured within the Authentication and Authorization Service and enforced by the access control functionality of the components.
|
S |