Name: CCI - DISA Control Correlation Identifier
Control | Description |
---|---|
CCI-000001 | The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
CCI-000002 | The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
CCI-000003 | The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
CCI-000004 | The organization develops procedures to facilitate the implementation of the access control policy and associated access controls. |
CCI-000005 | The organization disseminates the procedures to facilitate access control policy and associated access controls to the organization-defined personnel or roles. |
CCI-000006 | The organization reviews and updates the access control procedures in accordance with organization-defined frequency. |
CCI-000007 | The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary). |
CCI-000008 | The organization establishes conditions for group membership. |
CCI-000009 | The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges. |
CCI-000010 | The organization requires approvals by organization-defined personnel or roles for requests to create information system accounts. |
CCI-000011 | The organization creates, enables, modifies, disables, and removes information system accounts in accordance with organization-defined procedures or conditions. |
CCI-000012 | Organization-defined frequency |
CCI-000013 | The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes. |
CCI-000014 | The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions. |
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions. |
CCI-000016 | The information system automatically removes or disables temporary accounts after an organization-defined time period for each type of account. |
CCI-000017 | The information system automatically disables inactive accounts after an organization-defined time period. |
CCI-000018 | The information system automatically audits account creation actions. |
CCI-000019 | Other defined situations could include a policy that users must log out at the end of the day. |
CCI-000020 | The information system dynamically manages user privileges and associated access authorizations. |
CCI-000021 | The information system enforces dual authorization for organization-defined privileged commands and/or other organization-defined actions. |
CCI-000022 | The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources. |
CCI-000023 | The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended. |
CCI-000024 | The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states. |
CCI-000025 | The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions. |
CCI-000026 | The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions. |
CCI-000027 | The information system enforces dynamic information flow control based on organization-defined policies. |
CCI-000028 | The information system prevents encrypted information from bypassing content-checking mechanisms by employing organization-defined procedures or methods. |
CCI-000029 | The information system enforces organization-defined limitations on the embedding of data types within other data types. |
CCI-000030 | The information system enforces information flow control based on organization-defined metadata. |
CCI-000031 | The information system enforces organization-defined one-way flows using hardware mechanisms. |
CCI-000032 | The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows. |
CCI-000033 | The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision. |
CCI-000034 | The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters under organization-defined conditions. |
CCI-000035 | The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies. |
CCI-000036 | The organization separates organization-defined duties of individuals. |
CCI-000037 | The organization implements separation of duties through assigned information system access authorizations. |
CCI-000038 | The organization explicitly authorizes access to organization-defined security functions and security-relevant information. |
CCI-000039 | The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions. |
CCI-000040 | The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. |
CCI-000041 | The organization employs the concept of least privilege, limiting authorized access for users (and processes acting on behalf of users) as necessary, to accomplish assigned tasks. |
CCI-000042 | The organization employs the concept of least privilege, limiting authorized access for users (and processes acting on behalf of users) as necessary, to accomplish assigned tasks. |
CCI-000043 | The organization defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period. |
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period. |
CCI-000045 | The organization defines in the security plan, explicitly or by reference, the time period for lockout mode or the delay period. |
CCI-000046 | For information system responses to consecutive invalid access attempts, the organization selects either a lockout mode for the organization-defined time period or a delay of the next login prompt for the organization-defined delay period. |
CCI-000047 | When the maximum number of unsuccessful attempts is exceeded, the information system delays the next login prompt according to the organization-defined delay algorithm, automatically locks the account/node for an organization-defined time period, or locks the account/node until released by an administrator in accordance with (IAW) organizational policy. |
CCI-000048 | The information system displays an organization-defined system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. |
CCI-000049 | The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording. |
CCI-000050 | The information system retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system. |