Appendix A CMSR High Impact Level Data

Transcription

1 Office of Information Services Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, Maryland Appendix A CMSR High Impact Level Data FINAL Version 2.0 September 20, 2013 Document Number: CMS-CIO-STD-SEC01-2.0

2 CMS Information Security ARS CMS-CIO-STD-SEC APPROVED Teresa Fryer CMS Chief Information Security Officer and Director, Enterprise Information Security Group This document will be reviewed periodically, but no less than annually, by the CMS Enterprise Information Security Group (EISG), and updated as necessary to reflect changes in policy or process. If you have any questions regarding the accuracy, completeness, or content of this document, please contact the EISG at ii September 20, 2013-Version 2.0 (FINAL)

3 CMS-CIO-STD-SEC CMS Information Security ARS Access (AC) AC-1 Access Policy and Procedures (High) Assurance - The organization: a. Develops, documents, and disseminates to applicable personnel: 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and b. Reviews and updates (as necessary) the current: 1. Access control policy within every three hundred sixty-five (365) days; and 2. Access control procedures within every three hundred sixty-five (365) days. This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. FISCAM: AS-1, SM-1, SM-3; HIPAA: (a)(3)(i), (a)(3)(ii)(A), (a)(4)(i), (a)(4)(ii)(B), (a)(4)(ii)(C), (a)(1); IRS-1075: 9.2#1; NIST SP: , ASSESSMENT PROCEDURE: AC-1.1 (i) the organization develops and documents access control policy; (ii) the organization access control policy addresses: - purpose; - scope; - roles and responsibilities; - management commitment; - coordination among organizational entities; - compliance; Related s Requirement(s): PM-9 (iii) the organization disseminates documented access control policy to applicable personnel within the organization having associated access control roles and responsibilities; (iv) the organization develops and documents access control procedures; (v) the organization access control procedures facilitate implementation of the access control policy and associated access controls; (vi) the organization disseminates documented access control procedures to elements within the organization having associated access control roles and responsibilities; (vii) the organization reviews the access control policy and procedures within every three hundred sixty-five (365) days, and updates them as necessary. Examine: Access control policy and procedures; other relevant documents or records. Interview: Organizational personnel with access control responsibilities. September 20, 2013-Version 2.0 (FINAL) 1

4 CMS Information Security ARS CMS-CIO-STD-SEC AC-2 Account Management (High) The organization: a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: individual, group, system, application, guest/anonymous, emergency, and temporary; b. Assigns account managers for information system accounts; c. Establishes conditions for group and role membership; d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires approvals by defined personnel or roles (defined in the applicable security plan) for requests to create information system accounts; f. Creates, enables, modifies, disables, and removes information system accounts in accordance with ARS requirements and Risk Management Handbook (RMH) Standards and Procedures; g. Monitors the use of, information system accounts; h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes; i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions; j. Reviews accounts for compliance with account management requirements using the frequency specified in Implementation Standard 1; and k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. Implementation Standard(s) 1. Review information system accounts for compliance with account management requirements within every ninety (90) days, and require annual certification of all accounts within every three hundred sixty-five (365) days. 2. Remove or disable default user accounts. Rename active default accounts. 3. Implement centralized control of user access administrator functions. 4. Regulate the access provided to contractors and define security requirements for contractors. Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements, (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for shortterm accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. FISCAM: AC-3, AS-2; HIPAA: (a)(3)(ii)(B), (a)(4)(i), (a)(4)(ii)(B), (a)(4)(ii)(C), (a)(5)(ii)(C), (a)(2)(i), (a)(2)(ii); IRS-1075: 5.3#3, 9.2#2.1, 9.2#2.3-end Related s Requirement(s): AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, CM-5, CM-6, 2 September 20, 2013-Version 2.0 (FINAL)

5 CMS-CIO-STD-SEC CMS Information Security ARS ASSESSMENT PROCEDURE: AC-2.1 CM-11, IA-2, IA-4, IA-5, IA-8, MA-3, MA-4, MA-5, PL-4, SC-13 (i) the organization manages information system accounts, including; - identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); - establishing conditions for group membership; - identifying authorized users of the information system and specifying access privileges; - requiring appropriate approvals for requests to establish accounts; - establishing, activating, modifying, disabling, and removing accounts; - specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; - notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; - authorizes access to the system based on: (a) a valid access authorization; (b) intended system usage; and (c) other attributes as required by the organization or associated missions/business functions; (ii) the organization reviews information system accounts in accordance with the frequency specified in Implementation Standard 1; (iii) the organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. (iv) the organization meets all the requirements specified in the applicable Implementation Standard(s). Examine: Access control policy; procedures addressing account management; security plan; list of active information system accounts along with the name of the individual associated with each account; list of guest/anonymous and temporary accounts along with the name of the individual associated with the each account and the date the account expires; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; other relevant documents or records. Interview: Organizational personnel with account management responsibilities. AC-2(1) - Automated Information System Account Management Enhancement (High) The organization employs automated mechanisms to support the management of information system accounts. The use of automated mechanisms can include, for example: using or text messaging to automatically notify account managers when users are terminated or transferred; using the information system to monitor account usage; and using telephonic notification to report atypical information system account usage. IRS-1075: 9.2#2.1 ASSESSMENT PROCEDURE: AC-2(1).1 Determine if the organization employs automated mechanisms to support information system account management functions. Related s Requirement(s): Examine: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records. Test: Automated mechanisms implementing account management functions. September 20, 2013-Version 2.0 (FINAL) 3

6 CMS Information Security ARS CMS-CIO-STD-SEC AC-2(2) - Removal of Temporary/Emergency Accounts Enhancement (High) The information system automatically disables emergency accounts within twenty-four (24) hours and temporary accounts with a fixed duration not to exceed thirty (30) days. This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. IRS-1075: 9.2#2.1 ASSESSMENT PROCEDURE: AC-2(2).1 Related s Requirement(s): (i) the organization defines in the security plan, explicitly or by reference, a time period for each type of account after which the information system disables temporary and emergency accounts; (ii) the information system automatically disables temporary and emergency accounts after organization-defined time period for each type of account. Examine: Security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of active accounts; information system audit records; other relevant documents or records. Test: Automated mechanisms implementing account management functions. AC-2(3) - Disable Inactive Accounts Enhancement (High) The information system automatically disables inactive accounts within sixty (60) days. IRS-1075: 9.2#2.1 ASSESSMENT PROCEDURE: AC-2(3).1 Related s Requirement(s): (i) the organization defines in the security plan, explicitly or by reference, a time period after which the information system disables inactive accounts; (ii) the information system automatically disables inactive accounts after organization-defined time period. Examine: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; information system-generated list of last login dates; information system-generated list of active accounts; information system audit records; other relevant documents or records. Test: Automated mechanisms implementing account management functions. AC-2(4) - Automated Audit Actions Enhancement (High) The information system automatically audits account creation, modification, enabling, disabling, and removal actions and notifies defined personnel or roles (defined in the applicable security plan). IRS-1075: 9.2#2.1 Related s Requirement(s): AU-2, AU-12 4 September 20, 2013-Version 2.0 (FINAL)

7 CMS-CIO-STD-SEC CMS Information Security ARS ASSESSMENT PROCEDURE: AC-2(4).1 (i) the information system automatically audits: - account creation; - modification; - enabling; - disabling; - removal actions; (ii) the information system notifies appropriate individuals. Examine: Procedures addressing account management; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Test: Automated mechanisms implementing account management functions. AC-2(5) - Inactivity Logout Enhancement (High) The organization requires that users log out when the time-period of expected inactivity exceeds ninety (90) minutes. ASSESSMENT PROCEDURE: AC-2(5).1 (i) the organization defines the time period of expected inactivity and/or description of when users log out; Related s Requirement(s): SC-23 (ii) the organization requires that users log out in accordance with the organization-defined time-period of inactivity and/or description of when to log out; (iii) the organization determines normal time-of-day and duration usage for information system accounts; (iv) the organization monitors for atypical usage of information system accounts; (v) the organization reports atypical usage to designated organizational officials. Examine: Procedures addressing account management; security plan; information system design documentation; information system configuration settings and associated documentation; security violation reports; information system audit records; other relevant documents or records. Interview: Organizational personnel with account management responsibilities. AC-2(12) - Account Monitoring/Atypical Usage Enhancement (High) The organization: (a) Monitors information system accounts for atypical use; and (b) Reports atypical usage of information system accounts to defined personnel or roles (defined in the applicable security plan), and if necessary, incident response team. Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations. Related s Requirement(s): CA-7 September 20, 2013-Version 2.0 (FINAL) 5

8 CMS Information Security ARS CMS-CIO-STD-SEC ASSESSMENT PROCEDURE: AC-2(12).1 (i) the organization monitors information system accounts for atypical use; (ii) the organization reports atypical usage of information system accounts to appropriate officials, and if necessary, incident response team. Examine: Procedures addressing account management; security plan; information system configuration settings and associated documentation; information system audit records; audit tracking and monitoring reports; other relevant documents or records. Interview: Organizational personnel with account management responsibilities. AC-2(13) - Disable Accounts for High-Risk Individuals Enhancement (High) The organization disables accounts of users posing a significant risk within sixty (60) minutes of discovery of the risk. Users posing a significant risk to organizations include individuals for whom reliable evidence or intelligence indicates either the intention to use authorized access to information systems to cause harm or through whom adversaries will cause harm. Harm includes potential adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Close coordination between authorizing officials, information system administrators, and human resource managers is essential in order for timely execution of this control enhancement. ASSESSMENT PROCEDURE: AC-2(13).1 Determine if the organization disables accounts of users posing a significant risk within the stated time period of discovery of the risk. Related s Requirement(s): PS-4 Examine: Procedures addressing account management; security plan; information system configuration settings and associated documentation; information system audit records; audit tracking and monitoring reports; other relevant documents or records. Interview: Organizational personnel with account management responsibilities. AC-3 Access Enforcement (High) The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. Implementation Standard(s) 1. If encryption is used as an access control mechanism it must meet CMS approved (FIPS compliant and a NIST validated module) encryption standards (see SC-13). 2. Configure operating system controls to disable public "read" and "write" access to all system files, objects, and directories. Configure operating system controls to disable public "read" access to files, objects, and directories that contain sensitive information. 3. Data stored in the information system must be protected with system access controls and must be encrypted when residing in non-secure areas. Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. 6 September 20, 2013-Version 2.0 (FINAL)

9 CMS-CIO-STD-SEC CMS Information Security ARS For minimum authentication requirements, refer to Risk Management Handbook (RMH), Volume III, Standard 3.1, CMS Authentication Standards. FISCAM: AC-3, AS-2; HIPAA: (a)(3)(ii)(A), (a)(4)(ii)(B), (a)(4)(ii)(C), (a)(2)(iii), (b), (a)(1), (a)(2)(i), (a)(2)(ii), (a)(2)(iv); IRS-1075: 9.2#2.2, 9.3#3 ASSESSMENT PROCEDURE: AC-3.1 (i) the information system enforces approved authorizations for logical access to the system in accordance with applicable policy. (ii) the organization meets all the requirements specified in the applicable Implementation Standard(s). Related s Requirement(s): AC-2, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AC-21, AC-22, AU-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PE-3 Examine: Access control policy; procedures addressing access enforcement; information system configuration settings and associated documentation; list of approved authorizations (user privileges); information system audit records; other relevant documents or records. Test: Automated mechanisms implementing access enforcement policy. AC-4 Information Flow Enforcement (High) The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. NIST control enhancements 3 through 22 primarily address crossdomain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. FISCAM: AC-1, AS-2; HIPAA: (a)(3)(ii)(A), (a)(4)(ii)(B), (b); IRS-1075: 9.2#2.2; Web: ucdmo.gov ASSESSMENT PROCEDURE: AC-4.1 (i) the organization defines applicable policy for controlling the flow of information within the system and between interconnected systems; Related s Requirement(s): AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-5, SC-7, SC-18 September 20, 2013-Version 2.0 (FINAL) 7

10 CMS Information Security ARS CMS-CIO-STD-SEC (ii) the organization defines approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy; (iii) the information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy. Examine: Access control policy; procedures addressing information flow enforcement; information system design documentation; information system configuration settings and associated documentation; information system baseline configuration; list of information flow authorizations; information system audit records; other relevant documents or records. Test: Automated mechanisms implementing information flow enforcement policy. AC-5 Separation of Duties (High) The organization: a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion; b. Documents separation of duties; and c. Defines information system access authorizations to support separation of duties. Implementation Standard(s) 1. Ensure that audit functions are not performed by security personnel responsible for administering access control. 2. Maintain a limited group of administrators with access based upon the users' roles and responsibilities. 3. Ensure that critical mission functions and information system support functions are divided among separate individuals. 4. Ensure that information system testing functions (i.e., user acceptance, quality assurance, information security) and production functions are divided among separate individuals or groups. 5. Ensure that an independent entity, not the Business Owner, System Developer(s)/Maintainer(s), or System Administrator(s) responsible for the information system, conducts information security testing of the information system. 6. Ensure that quality assurance and code reviews of custom-developed applications, scripts, libraries, and extensions are conducted by an independent entity, not the code developers. Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. FISCAM: AS-4, SD-1, SD-2; HIPAA: (a)(3)(i), (a)(4)(i), (a)(4)(ii)(A), (a)(1); IRS-1075: 9.2#4.1, 9.3#3, 9.6#1 ASSESSMENT PROCEDURE: AC-5.1 (i) the organization separates duties of individuals as necessary, to prevent malevolent activity without collusion; (ii) the organization documents separation of duties; (iii) the organization defines information system access authorizations to support separation of duties. (iv) the organization meets all the requirements specified in the applicable Implementation Standard(s). Related s Requirement(s): AC-3, AC-6, PE-3, PE-4, PS-2 Examine: Access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; information system audit records; other relevant documents or records. 8 September 20, 2013-Version 2.0 (FINAL)

11 CMS-CIO-STD-SEC CMS Information Security ARS Interview: Organizational personnel with responsibilities for defining appropriate divisions of responsibility and separation of duties. Test: Automated mechanisms implementing separation of duties policy. AC-6 Least Privilege (High) The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with CMS missions and business functions. Implementation Standard(s) 1. Disable all file system access not explicitly required for system, application, and administrator functionality. 2. Contractors must be provided with minimal system and physical access, and must agree to and support the CMS security requirements. The contractor selection process must assess the contractor's ability to adhere to and support CMS security policy. 3. Restrict the use of database management utilities to only authorized database administrators. Prevent users from accessing database data files at the logical data view, field, or field-value levels. Implement column-level access controls. 4. Ensure that only authorized users are permitted to access those files, directories, drives, workstations, servers, network shares, ports, protocols, and services that are expressly required for the performance of job duties. 5. Disable all system and removable media boot access unless it is explicitly authorized by the CIO for compelling operational needs. If system and removable media boot access is authorized, boot access is password protected. Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. FISCAM: AC-3, AS-2; HIPAA: (a)(3)(i), (a)(4)(i), (a)(4)(ii)(A), (a)(1); HSPD 7: D(10); IRS-1075: 9.2#4.2, 9.6#1 ASSESSMENT PROCEDURE: AC-6.1 Related s Requirement(s): AC-2, AC-3, AC-5, CM-6, CM-7, PL-2 (i) the organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (ii) the organization meets all the requirements specified in the applicable Implementation Standard(s). Examine: Access control policy; procedures addressing least privilege; list of assigned access authorizations (user privileges); information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks. AC-6(1) - Authorize Access to Security Functions Enhancement (High) At a minimum, the organization explicitly authorizes access to the following list of security functions (deployed in hardware, software, and firmware) and security-relevant information: - Setting/modifying audit logs and auditing behavior; - Setting/modifying boundary protection system rules; - Configuring/modifying access authorizations (i.e., permissions, privileges); - Setting/modifying authentication parameters; and - Setting/modifying system configurations and parameters. September 20, 2013-Version 2.0 (FINAL) 9

12 CMS Information Security ARS CMS-CIO-STD-SEC Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users. ASSESSMENT PROCEDURE: AC-6(1).1 Related s Requirement(s): AC-17, AC-18, AC-19 (i) the organization defines the security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized; (ii) the organization explicitly authorizes access to the organization-defined security functions and security-relevant information. Examine: Access control policy; procedures addressing least privilege; list of security functions and security-relevant information for which access must be explicitly authorized; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks. AC-6(2) - Non-Privileged Access for Nonsecurity Functions Enhancement (High) At a minimum, the organization requires that users of information system accounts, or roles, with access to the following list of security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions: - Setting/modifying audit logs and auditing behavior; - Setting/modifying boundary protection system rules; - Configuring/modifying access authorizations (i.e., permissions, privileges); - Setting/modifying authentication parameters; and - Setting/modifying system configurations and parameters. This control enhancement limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies such as role-based access control and where a change of role provides the same degree of assurance in the change of access authorizations for both the user and all processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account. ASSESSMENT PROCEDURE: AC-6(2).1 Related s Requirement(s): PL-4 (i) the organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access; (ii) the organization requires that users of information system accounts, or roles, with access to organization-defined security functions or security-relevant information, use nonprivileged accounts, or roles, when accessing other system functions; (iii) the organization, if deemed feasible, audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions. Examine: Access control policy; procedures addressing least privilege; list of system-generated security functions or security-relevant information assigned to information system accounts or roles; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. 10 September 20, 2013-Version 2.0 (FINAL)

13 CMS-CIO-STD-SEC CMS Information Security ARS Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks. AC-6(3) - Network Access to Privileged Commands Enhancement (High) The organization authorizes network access to privileged commands only for defined compelling operational needs (defined in the applicable security plan) and documents the rationale for such access in the security plan for the information system. Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device). ASSESSMENT PROCEDURE: AC-6(3).1 (i) the organization defines the privileged commands to which network access is to be authorized only for compelling operational needs; (ii) the organization authorizes network access to organization-defined privileged commands only for compelling operational needs; Related s Requirement(s): AC-17 (iii) the organization documents the rationale for authorized network access to organization-defined privileged commands in the security plan for the information system. Examine: Access control policy; procedures addressing least privilege; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks. AC-6(5) - Privileged Accounts Enhancement (High) The organization restricts privileged accounts on the information system to defined personnel or roles (defined in the applicable security plan). Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from having access to privileged information/functions. Organizations may differentiate in the application of this control enhancement between allowed privileges for local accounts and for domain accounts provided organizations retain the ability to control information system configurations for key security parameters and as otherwise necessary to sufficiently mitigate risk. ASSESSMENT PROCEDURE: AC-6(5).1 Related s Requirement(s): CM-6 Determine if the organization restricts privileged accounts on the information system to organization-defined system administration personnel or roles. Examine: Access control policy; procedures addressing least privilege; list of system-generated super user accounts; list of system administration personnel; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with responsibilities for defining least privileges necessary to accomplish specified tasks. AC-6(9) - Auditing Use of Privileged Functions Enhancement (High) The information system audits the execution of privileged functions. September 20, 2013-Version 2.0 (FINAL) 11

14 CMS Information Security ARS CMS-CIO-STD-SEC Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). AC-6(10) - Prohibit Non-Privileged Users from Executing Privileged Functions Enhancement (High) Related s Requirement(s): AU-2 The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. Privileged functions include, for example, establishing information system accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals that do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. AC-7 Unsuccessful Logon Attempts (High) Related s Requirement(s): The information system: a. Enforces the limit of consecutive invalid login attempts by a user specified in Implementation Standard 1 during the time period specified in Implementation Standard 1; and b. Automatically disables or locks the account/node until released by an administrator or after the time period specified in Implementation Standard 1 when the maximum number of unsuccessful attempts is exceeded. Implementation Standard(s) 1. Configure the information system to lock out the user account automatically after three (3) invalid login attempts during a one (1) hour time period. Require the lock out to persist for a minimum of three (3) hours. This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. FISCAM: AC-2, AS-2; IRS-1075: 9.2#5 ASSESSMENT PROCEDURE: AC-7.1 Related s Requirement(s): AC-2, AC-9, AC-14, IA-5 (i) the organization defines in the security plan, explicitly or by reference, the maximum number of consecutive invalid login attempts to the information system by a user and the time period in which the consecutive invalid login attempts occur; (ii) the information system enforces the organization-defined limit of consecutive invalid login attempts by a user during the organization-defined time period; (iii) the organization defines action to be taken by the system when the maximum number of unsuccessful login attempts is exceeded as: - lock out the account/node for a specified time period; - lock out the account/note until released by an administrator; or - delay the next login prompt according to organization-defined delay algorithm; P2 12 September 20, 2013-Version 2.0 (FINAL)

15 CMS-CIO-STD-SEC CMS Information Security ARS (iv) the information system either automatically locks the account/node for the organization-defined time period, locks the account/node until released by an administrator, or delays next login prompt for the organization-defined delay period when the maximum number of unsuccessful login attempts is exceeded; (v) the information system performs the organization-defined actions when the maximum number of unsuccessful login attempts is exceeded. (vi) the organization meets all the requirements specified in the applicable Implementation Standard(s). Examine: Access control policy; procedures addressing unsuccessful login attempts; security plan; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Test: Automated mechanisms implementing the access control policy for unsuccessful login attempts. AC-8 System Use Notification (High) The information system: a. Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. The approved banner states: - You are accessing a U.S. Government information system, which includes: (1) this computer, (2) this computer network, (3) all computers connected to this network, and (4) all devices and storage media attached to this network or to a computer on this network. This information system is provided for U.S. Government-authorized use only. - Unauthorized or improper use of this system may result in disciplinary action, as well as civil and criminal penalties. - By using this information system, you understand and consent to the following: * You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system. At any time, and for any lawful Government purpose, the Government may monitor, intercept, and search and seize any communication or data transiting or stored on this information system. * Any communication or data transiting or stored on this information system may be disclosed or used for any lawful Government purpose. b. Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information when appropriate, before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system. The warning banner language has very important legal implications for CMS and its information system resources. Should content need to be added to this banner, submit the modified warning banner language to the CMS CIO for review and approval prior to implementation. If an information system has character limitations related to the warning banner display, the CMS CIO can provide an abbreviated warning banner version. If this banner is inconsistent with any directives, policies, regulations, or standards, notify the CMS CIO immediately. All information system computers and network devices under CMS control, prominently display the notice and consent banner immediately upon users' authentication to the system, including, but not limited to, web sites, web pages where substantial personal information from the public is collected, sftp, SSH, or other services accessed. System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. FISCAM: AC-1, AS-2; IRS-1075: 5.1#1.3, 9.2#6 ASSESSMENT PROCEDURE: AC-8.1 Related s Requirement(s): (i) the information system displays the CMS-approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: - users are accessing a U.S. Government information system; - system usage may be monitored, recorded, and subject to audit; - unauthorized use of the system is prohibited and subject to criminal and civil penalties; - use of the system indicates consent to monitoring and recording; September 20, 2013-Version 2.0 (FINAL) 13

16 CMS Information Security ARS CMS-CIO-STD-SEC (ii) the information system retains the notification message or banner on the screen until the user takes explicit actions to log on to or further access the information system; (iii) the system use notification message remains on the screen until the user takes explicit actions to log on to the information system. Examine: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; information system audit records for user acceptance of notification message or banner; other relevant documents or records. Test: Automated mechanisms implementing the access control policy for system use notification. ASSESSMENT PROCEDURE: AC-8.2 (i) the information system (for publicly accessible systems) displays the system use information when appropriate, before granting further access; (ii) the information system (for publicly accessible systems) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; (iii) the information system (for publicly accessible systems) includes in the notice given to public users of the information system, a description of the authorized uses of the information system. Examine: Access control policy; privacy and security policies; procedures addressing system use notification; documented approval of information system use notification messages or banners; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records. Test: Automated mechanisms implementing the access control policy for system use notification. AC-9 Previous Logon (Access) Notification (High) The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access). This control is applicable to logons to information systems via human user interfaces and logons to systems that occur in other types of architectures (e.g., service-oriented architectures). FISCAM: AC-1, AS-2 ASSESSMENT PROCEDURE: AC-9.1 Related s Requirement(s): AC-7, CA-7(1), PL-4 Determine if the information system, upon successful user logon (access) to the system, displays to the user the date and time of the last logon (access). Examine: Access control policy; procedures addressing previous logon notification; information system configuration settings and associated documentation; information system notification messages; information system design documentation; other relevant documents or records. Test: Automated mechanisms implementing the access control policy for previous logon notification. AC-9(1) - Unsuccessful Logons Enhancement (High) The information system notifies the user, upon successful logon/access, of the number of unsuccessful logon/access attempts since the last successful logon/access. Due to the possibility that an unauthorized person may have the ability to logon to a system or application using an authorized person's logon account, all systems and applicable P2 P2 14 September 20, 2013-Version 2.0 (FINAL)

17 CMS-CIO-STD-SEC CMS Information Security ARS applications will provide an automated method of notifying the authorized user of the last successful logon date and time, and a number of previously unsuccessful logon attempts. It is important that training include reporting procedures and responsibility for authorized users to report unauthorized logons and unauthorized attempts to logon. ASSESSMENT PROCEDURE: AC-9(1).1 Related s Requirement(s): Determine if the information system, upon successful user logon/access, displays to the user the number of unsuccessful logon/access attempts since the last successful logon/access. Examine: Access control policy; procedures addressing previous logon notification; information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Test: Automated mechanisms implementing the access control policy for previous logon notification. AC-10 Concurrent Session (High) The information system limits the number of concurrent sessions for each system account to one (1) session. The number of concurrent application/process sessions is limited and enforced to the number of sessions expressly required for the performance of job duties and any requirement for more than one (1) concurrent application/process session is documented in the security plan. Organizations may define the maximum number of concurrent sessions for information system accounts globally, by account type (e.g., privileged user, non-privileged user, domain, specific application), by account, or a combination. For example, organizations may limit the number of concurrent sessions for system administrators or individuals working in particularly sensitive domains or mission-critical applications. This control addresses concurrent sessions for information system accounts and does not address concurrent sessions by single users via multiple system accounts. A session is defined as an encounter between an end-user interface device (e.g., computer, terminal, process) and an application, including a network logon. One user session is the time between starting the application and quitting. Some systems may require concurrent user sessions to function properly. However, based on the operational needs, automated mechanisms limit the number of concurrent user sessions. It is good practice to have management's approval for any system to have user concurrent sessions. Management should review the need for user concurrent sessions within every three hundred sixty-five (365) days. FISCAM: AC-2, AS-2 ASSESSMENT PROCEDURE: AC-10.1 Related s Requirement(s): (i) the organization defines in the security plan, explicitly or by reference, the maximum number of concurrent sessions to be allowed for each system account; (ii) the information system limits the number of concurrent sessions for each system account to the organization-defined number of sessions. Examine: Access control policy; procedures addressing concurrent session control; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records. Test: Automated mechanisms implementing the access control policy for concurrent session control. AC-11 Session Lock (High) The information system: a. Prevents further access to the system by initiating a session lock after thirty (30) minutes of inactivity or upon receiving a request from a user; and b. Retains the session lock until the user reestablishes access using established identification and authentication procedures. P2 P3 September 20, 2013-Version 2.0 (FINAL) 15

18 CMS Information Security ARS CMS-CIO-STD-SEC Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. FISCAM: AC-1, AS-2; HIPAA: (b), (a)(2)(iii); IRS-1075: 9.2#7; OMB: M ASSESSMENT PROCEDURE: AC-11.1 Related s Requirement(s): AC-7 (i) the organization defines in the security plan, explicitly or by reference, the time period of user inactivity after which the information system initiates a session lock; (ii) the information system initiates a session lock after the organization-defined time period of inactivity or upon receiving a request from a user; (iii) the information system retains the session lock until the user reestablishes access using established identification and authentication procedures. Examine: Access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records. Test: Automated mechanisms implementing the access control policy for session lock. AC-11(1) - Pattern-Hiding Displays Enhancement (High) The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. ASSESSMENT PROCEDURE: AC-11(1).1 Related s Requirement(s): Determine if the information system conceals, via the session lock, information previously visible on the display with a publicly viewable image. Examine: Access control policy; procedures addressing session lock; display screen with session lock activated; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records. Test: Information system session lock mechanisms. AC-12 Session Termination (High) The information system automatically terminates a user session after defined conditions or trigger events (defined in the applicable security plan) requiring session disconnect. This control addresses the termination of user-initiated logical sessions in contrast to SC-10 which addresses the termination of network connections that are associated with communications sessions (i.e., network disconnect). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access) without terminating network sessions. Session termination terminates all processes associated with a user s logical session except those processes that are specifically created by the user (i.e., session owner) to continue P3 P2 16 September 20, 2013-Version 2.0 (FINAL)

19 CMS-CIO-STD-SEC CMS Information Security ARS after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information system use. ASSESSMENT PROCEDURE: AC-12.1 Related s Requirement(s): SC-10, SC-23 Determine if the information system automatically terminates a user session after defined conditions or trigger events requiring session disconnect. Examine: Access control policy; procedures addressing session lock; information system design documentation; information system configuration settings and associated documentation; security plan; other relevant documents or records. Test: Automated mechanisms implementing the account control policy for session termination. AC-14 Permitted Actions Without Identification or Authentication (High) The organization: a. Identifies specific user actions that can be performed on the information system without identification or authentication; b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication; and c. Configures Information systems to permit public access only to the extent necessary to accomplish mission objectives, without first requiring individual identification and authentication. This control addresses situations in which organizations determine that no identification or authentication is required in organizational information systems. Organizations may allow a limited number of user actions without identification or authentication including, for example, when individuals access public websites or other publicly accessible federal information systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations also identify actions that normally require identification or authentication but may under certain circumstances (e.g., emergencies), allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. This control does not apply to situations where identification and authentication have already occurred and are not repeated, but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational information systems without identification and authentication and thus, the values for assignment statements can be none. FISCAM: AC-2, AS-2 ASSESSMENT PROCEDURE: AC-14.1 (i) the organization identifies specific user actions that can be performed on the information system without identification or authentication; Related s Requirement(s): CP-2, IA-2 (ii) the organization documents or provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication. Examine: Access control policy; procedures addressing permitted actions without identification and authentication; information system configuration settings and associated documentation; security plan; list of information system actions that can be performed without identification and authentication; information system audit records; other relevant documents or records. AC-14(1) - Necessary Uses Enhancement (High) [Withdrawn: Incorporated into AC-14]. P3 September 20, 2013-Version 2.0 (FINAL) 17

20 CMS Information Security ARS CMS-CIO-STD-SEC AC-17 Remote Access (High) The organization monitors for unauthorized remote access to the information system. Remote access for privileged functions shall be permitted only for compelling operational needs, shall be strictly controlled, and must be explicitly authorized, in writing, by the CIO or his/her designated representative. If remote access is authorized, the organization: a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorizes remote access to the information system prior to allowing such connections. Implementation Standard(s) 1. Require callback capability with re-authentication to verify connections from authorized locations when the CMS Net or Multi Protocol Label Switching (MPLS) service network cannot be used. For application systems and turnkey systems that require the vendor to log-on, the vendor will be assigned a User ID and password and enter the network through the standard authentication process. Access to such systems will be authorized and logged. User IDs assigned to vendors will be recertified within every three hundred sixty-five (365) days. 2. All computers and devices, whether government-furnished equipment (GFE) or contractor-furnished equipment (CFE), that require any network access to a network or system are securely configured and meet at least the following security requirements: (i) up-to-date system patches, and (ii) current anti-virus software; and (iii) functionality that provides the capability for automatic execution of code disabled. Remote access is access to organizational information systems by users (or processes acting on behalf of users) communicating through external networks (e.g., the Internet). Remote access methods include, for example, dial-up, broadband, and wireless. Organizations often employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over remote connections. The use of encrypted VPNs, does not make the access non-remote; however, the use of VPNs, when adequately provisioned with appropriate security controls (e.g., employing appropriate encryption techniques for confidentiality and integrity protection) may provide sufficient assurance to the organization that it can effectively treat such connections as internal networks. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. Also, VPNs with encrypted tunnels can affect the organizational capability to adequately monitor network communications traffic for malicious code. Remote access controls apply to information systems other than public web servers or systems designed for public access. This control addresses authorization prior to allowing remote access without specifying the formats for such authorization. While organizations may use interconnection security agreements to authorize remote access connections, such agreements are not required by this control. Enforcing access restrictions for remote connections is addressed in AC-3. For minimum authentication requirements, refer to Risk Management Handbook (RMH), Volume III, Standard 3.1, CMS Authentication Standards. FISCAM: AC-1, AS-2; HIPAA: (b); IRS-1075: 9.2#10, #1, #2; NIST SP: , , , , ASSESSMENT PROCEDURE: AC-17.1 Related s Requirement(s): AC-2, AC-3, AC-18, AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4 (i) the organization establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each allowed type of remote access method allowed; (ii) the organization monitors for unauthorized remote access to the information system; (iii) the organization authorizes remote access to the information system prior to allowing such connections; (iv) the organization meets all the requirements specified in the applicable Implementation Standard(s). Examine: Access control policy; procedures addressing remote access to the information system; information system configuration settings and associated documentation; information system audit records; other relevant documents or records. Interview: Organizational personnel with remote access authorization, monitoring, and control responsibilities. Test: Remote access methods for the information system. 18 September 20, 2013-Version 2.0 (FINAL)