CCI - DISA Control Correlation Identifier

Reference Details

Name: CCI - DISA Control Correlation Identifier

Reference Items

ControlDescription
CCI-000001The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000002The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000003The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000004The organization develops procedures to facilitate the implementation of the access control policy and associated access controls.
CCI-000005The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles.
CCI-000006The organization reviews and updates the access control procedures in accordance with organization-defined frequency.
CCI-000007The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
CCI-000008The organization establishes conditions for group membership.
CCI-000009The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.
CCI-000010The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts.
CCI-000011The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions.
CCI-000012Organization-defined frequency
CCI-000013The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.
CCI-000014The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.
CCI-000015The organization employs automated mechanisms to support the information system account management functions.
CCI-000016The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account.
CCI-000017The information system automatically disables inactive accounts after an organization-defined time period.
CCI-000018The information system automatically audits account creation actions.
CCI-000019Other defined situation could be policy that users must log out at the end of the day.
CCI-000020The information system dynamically manages user privileges and associated access authorizations.
CCI-000021The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions.
CCI-000022The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.
CCI-000023The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended.
CCI-000024The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.
CCI-000025The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
CCI-000026The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.
CCI-000027The information system enforces dynamic information flow control based on organization-defined policies.
CCI-000028The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods.
CCI-000029The information system enforces organization-defined limitations on the embedding of data types within other data types.
CCI-000030The information system enforces information flow control based on organization-defined metadata.
CCI-000031The information system enforces organization-defined one-way flows using hardware mechanisms.
CCI-000032The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
CCI-000033The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.
CCI-000034The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions.
CCI-000035The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
CCI-000036The organization separates organization-defined duties of individuals.
CCI-000037The organization implements separation of duties through assigned information system access authorizations.
CCI-000038The organization explicitly authorizes access to organization-defined security functions and security-relevant information.
CCI-000039The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.
CCI-000040The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
CCI-000041The organization employs the concept of least privilege, limiting authorized access for users (and processes acting on behalf of users) as necessary, to accomplish assigned tasks.
CCI-000042The organization employs the concept of least privilege, limiting authorized access for users (and processes acting on behalf of users) as necessary, to accomplish assigned tasks.
CCI-000043The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.
CCI-000044The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
CCI-000045The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.
CCI-000046The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.
CCI-000047The information system delays next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy.
CCI-000048The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
CCI-000049The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.
CCI-000050The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system.