
Example Evidence for Not Monitored Controls (NIST 800-171 Rev 3)

Updated this week

The following is a list of example evidence for controls not monitored in Drata for NIST 800-171 Rev 3.

Note: An auditor may request additional evidence for each control.

Columns: Code, Name, Evidence Example

DCF-7

Separate Environments

Screenshots from test and production environments for the application

DCF-9

Internal Communication Channels

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-19

Penetration Tests

Most recently completed annual penetration test.

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.)

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-29

Incident Response Team

Provide the documented list of Incident Response team members who have the responsibility and authority to coordinate and execute incident response procedures.

DCF-30

Incident Response Lessons Learned Documented

For an example security event deemed an incident, upload the incident documentation including evidence of internal tracking (e.g., internal ticket), root-cause analysis (RCA)/post-mortem, lessons learned, etc.

DCF-46

Formal Screening Process

Upload evidence of the formal interview/recruitment process for a recently hired employee.

Example: Calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials, etc.

DCF-56

Vendor Register and Agreements

  1. Provide evidence of a centralized, up-to-date inventory listing all your vendors/third parties. This should include details such as vendor name, relationship owner, a description of services, and their assigned risk rating.

    1. Screenshots from your vendor management system (e.g., Drata's TPRM module, a dedicated GRC tool, or a comprehensive spreadsheet) clearly showing the categorized list of vendors based on impact/risk, along with the other required attributes.

  2. Upon request from your auditor for their selected sample(s), provide evidence of an example executed agreement/contract with a vendor or service provider. This should be an agreement with a vendor involved in accessing, processing, storing, or managing your information assets.

DCF-57

Vendor Compliance Monitoring

Provide documentation showing that your organization obtains and reviews compliance reports or other evidence for critical vendors at least annually.

Documentation can include:

  • SOC 2 Type 2 Reports

  • Completed security questionnaire (e.g. SIG, CAIQ, custom vendor security assessment)

  • ISO 27001 certificate

DCF-58

Centralized Authentication and Account Management

1. If SSO is an option, screenshots of a user logging in with SSO.

2. If username and password is an option, screenshots of a user logging in with a username and password.

3. Screenshots of MFA being required for employee users.

4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA.

DCF-60

Secure Password Storage

If username and password is required, screenshots from the database showing that passwords are stored using a salted hash.

DCF-62

Session Termination

1. Screenshots of users being logged out of the application when the browser/tab is closed and being forced to reauthenticate upon next login.

2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login.

DCF-69

Access Provisioning

Formal, documented access request form/help desk ticket for a recent new hire.

DCF-76

Critical Change Management

Formal, documented emergency change procedures for critical changes.

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Remote Production Access

1. Screenshots of a user trying to access production systems without being connected to a VPN, showing that access is denied.

- and -

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.

DCF-108

Secure Storage Mechanisms

Pictures of secure storage bins from office locations.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

Executed agreements (such as Data Processing Agreements, Business Associate Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.

DCF-135

Notification of Incidents or Breaches

1. Formal, documented breach notification procedures.

- and -

2. Breach Notification Template

DCF-154

Incident Response Test

Most recently completed incident response tabletop test.

DCF-155

Testing of Changes

Screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-156

Change Releases Approved

Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.

DCF-165

Periodic Independent Assessments

1. Evidence of testing performed for internal audit.

2. Internal audit report.

DCF-171

Documented Operating Procedures

This will be a part of your ISMS policy.

DCF-174

Telework and Endpoint Devices

This section is from the information security policy.

DCF-180

Secure Information Transfer

Upload the Data Protection Policy

DCF-182

Asset Management Policy

Upload the Asset Management Policy

DCF-188

Communication with Advisories and Special Interest Groups

Upload evidence showing that the organization and members of management maintain contact with special interest groups (e.g., security groups, privacy groups, etc.).

For example, screenshots or exports showing members of management receive newsletters and updates from professional association groups, email alerts from security advisories such as CISA, participation in conferences, threat advisories, etc.

DCF-201

Network Security Controls Configuration Standards

  1. Formal, documented testing and approval procedures for network connections.

  2. Formal, documented testing and approval procedures for changes to firewall and router configurations.

  3. Example documentation supporting a network connection was tested and approved.

  4. Example documentation supporting a recent firewall or router change was tested and approved.

DCF-204

Dataflow Diagram

Formal Data Flow Diagram for the Cardholder Data Environment including the date the diagram was finalized.

DCF-206

Network Security Controls Between Trusted and Untrusted Networks

  1. Formal, documented firewall and router configuration standards.

  2. Screenshots of firewall configurations showing that firewalls are configured in a manner consistent with the Firewall and Router configuration standards.

DCF-216

Network Security Controls Restricting Wireless Network Traffic

  1. Screenshots from the firewalls and routers installed between wireless networks and Cardholder Data Environment.

  2. Configuration files from these firewalls and routers to verify that traffic has been restricted.

  3. Network Diagram

DCF-220

Anti-Spoofing Measures

Screenshots showing that anti-spoofing methods have been implemented, such as blocking traffic coming into the DMZ that has an IP address matching the IP address of devices within the Cardholder Data Environment.

DCF-223

Sensitive Data Not Directly Accessible From Untrusted Networks

  1. Internal firewall and router configurations showing that the internal network zone is separate from the DMZ and untrusted networks.

  2. Network diagram.

DCF-233

Wireless Network Vendor Defaults Changed

  1. Any policy or procedures documenting a requirement that all vendor-supplied default account information must be changed.

  2. Screenshots showing that vendor-supplied passwords/passphrases for wireless access points have been replaced.

NOTE - Mark this control out of scope if there are no wireless environments connected to the cardholder data environment or transmitting cardholder data.

DCF-239

One Primary Function per System Component

Screenshots of virtual server system configurations for virtual technologies in the CDE, showing that each component only serves one primary function (for example, web servers, database servers, and DNS should be implemented on separate servers).

DCF-240

Only Necessary System Function Services Used

Screenshots showing the enabled services running on system components in the CDE.

DCF-244

System Security Parameters in Configuration Standards

Documented server configuration standards showing that security parameter settings are contained within the standard.

DCF-249

Encrypted Non-Console Administrative Access

  1. Screenshots showing encryption settings for non-console administrative login to system components from the CDE.

  2. Screenshots showing the login process for non-console administrative access for system components in the CDE.

NOTE: Non-console access refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within local/internal networks as well as access from external, or remote, networks.

DCF-257

Sensitive Authentication Data Storage

For issuers and/or companies that support issuing services and store sensitive authentication data, policies describing the documented business justification for the storage of sensitive authentication data.

DCF-258

Sensitive Authentication Data Secured

For issuers and/or companies that support issuing services and store sensitive authentication data, screenshots of data stores and system configurations showing that the sensitive authentication data is secured.

DCF-259

Sensitive Authentication Data Deleted after Authorization Process

  1. For entities which are not issuers or do not support issuing services, documented policies and procedures describing how sensitive authentication data is deleted securely after the authorization process.

  2. Screenshots from in-scope systems showing how this process is configured and that it is carried out as specified in the documented procedures.

DCF-265

Separate Encrypted File System Access Management

If disk encryption is used, screenshots of the configurations showing that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system’s authentication mechanism (for example, not using local user account databases or general network login credentials).

DCF-273

Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.

2. Screenshots showing the strong cryptographic key generation process.

DCF-278

Key Retirement Policies and Procedures

Documented key management procedures which include guidance for the replacement of known or suspected compromised keys.

DCF-284

Key and Certificate Validation

1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates (Encryption Policy).

2. Screenshots showing that keys and certificates used in the environment are trusted.

DCF-288

Strong Encryption for Wireless Network Transmission

  1. List of all wireless networks transmitting cardholder data or connected to the CDE.

  2. Documented standards for these wireless networks.

  3. Screenshots from the configurations of these networks showing that:

  • Industry best practices are used to implement strong encryption for authentication and transmission.

  • Weak encryption such as WEP is not used.

DCF-291

Anti-Malware on All System Components

  1. Vendor documentation for all anti-virus software used within the CDE.

  2. Screenshots from the anti-virus tools in use to verify that the solutions:

  • Detect all known types of malicious software.

  • Remove all known types of malicious software.

  • Protect against all known types of malicious software.

Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits.

DCF-293

Anti-Malware Capabilities and Automatic Updates

Upload evidence showing that the deployed anti-malware solution is kept current via automatic updates and configured to detect all known types of malware and to remove, block, or contain all known types of malware.

Examples: Screenshots from the anti-malware solution console showing configurations for automated updates and detection and containment actions.

DCF-294

Anti-Malware Tools Behavior

Upload screenshots from your anti-malware solution console showing it is configured to perform periodic scans and active/real-time scans (e.g., scanning files from external sources as they are downloaded, opened, or executed) or to perform continuous behavioral analysis of systems or processes.

DCF-297

Patch Management

  1. Lists of patches provided by the vendor for systems within the CDE.

  2. Screenshots from systems within the CDE showing that critical security patches have been installed.

DCF-305

Production Components Change Control Procedures

For a non-software development change, upload documentation showing that the change was implemented in accordance with formal change management policies and procedures. For example, documentation of change description, justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, etc., and records of testing (for example, acceptance and security impact testing).

Examples of changes include: infrastructure, network, configuration changes, etc.

DCF-312

Secure Code Development Training

Upload evidence of secure code development training completed by a member of personnel within the past year.

Example: Training content (videos, presentations, agenda) showing topics covered, and records of completion for one employee.

The secure code development training program may be implemented through a third party or delivered in-house (e.g., team training session by engineering leadership, etc.).

DCF-327

System Access Roles Defined

Documented access needs for each role within the CDE which includes:

  • System components and data resources required for the job function.

  • Level of privilege required for accessing resources (user, administrator, etc.)

DCF-329

Access Control System

Screenshots from the access control system for all system components.

DCF-336

Third Party Remote Access Monitored

  1. Documented policies and procedures for Identity Management which have a requirement to disable accounts of third parties (vendors) when not in use and enable these accounts only when needed.

  2. Screenshots or system user access lists showing that third party user accounts (vendor accounts) are enabled only when needed and disabled after use.

DCF-339

Account Lockout after Failed Logins

Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing the number of attempts that trigger the lockout and the lockout duration.

DCF-340

Lockout Duration

  1. Documented policies and procedures related to Identity Management which state a requirement that locked out accounts will remain locked out for no less than 30 minutes or until unlocked by an administrator.

  2. Screenshots of system configurations showing how this account lockout duration is enforced.

DCF-343

Strong Encryption of Authentication Credentials During Transmission and Storage

  1. Vendor documentation showing how authentication credentials (passwords) are protected during transmission and storage.

  2. Screenshots of system configurations showing that passwords are protected with strong cryptography during transmission and storage.

DCF-345

User Identity Verification Before Modifying Authentication

Documented policies and procedures which state a requirement to verify a user’s identity prior to modifying authentication information (password resets, generating new keys, etc.).

DCF-352

Unique First-time Passwords With One-Time Use

Upload evidence showing that, for organization systems, passwords are set to a unique value for first-time use and upon reset, and that temporary initial passwords must be changed immediately after first use.

Example: Screenshots of system configurations or screenshots from a walkthrough of the password reset process.

DCF-355

MFA for Remote Access

  1. Screenshots of the system configurations which enforce multi-factor authentication for all remote access into the CDE network.

  2. Screenshots of the authentication process showing that MFA is required for remote network access for both a non-administrative and administrative user.

DCF-359

Authentication Mechanism Use

  1. If other authentication mechanisms besides passwords (such as smart cards, physical or digital tokens, etc.) are used, documented policies and procedures related to Authentication which state a requirement:

  • Authentication mechanisms are assigned to an individual account and not shared.

  • Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access.

  2. Screenshots of system configuration settings and/or physical controls as applicable showing that only the intended account can use the authentication mechanism to gain access.

DCF-363

Entry Controls in Place

For each computer room, data center, and other physical areas which contain systems:

  • Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

  • Screenshots or video showing an administrator’s attempt to log into system consoles showing that these systems are “locked” to prevent unauthorized access.

DCF-364

Physical Access Controlled

Pictures showing that video camera or access control mechanisms (or both) are used to monitor the entry/exit points to sensitive areas.

DCF-365

Secure Physical Access Control Mechanisms

Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-366

Physical Access Control Mechanism Periodic Data Review

Documented procedures around reviewing data from video cameras and/or access control mechanisms.

DCF-369

Restricted Physical Access to Network Components

Observation of physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities being restricted.

DCF-374

Visitors Authorized and Escorted

Observation of a visitor being escorted when entering company facilities.

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-375

Personnel and Visitor Badges

Observation of a visitor obtaining a visitor badge and an example of a visitor badge.

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-381

Media Physically Secured

Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).

DCF-382

Security of Offline Media Backup Storage

Documented review of the security of the backup media storage location from the last 12 months.

DCF-385

Media Transported Securely

For one instance of media moved outside or within the facilities, upload evidence of management's documented approval for the movement of media.

DCF-386

Management Approval for Media Transport

Documentation from a recent media transfer (including media distribution to individuals) showing that the transfer was approved by an authorized member of management.

DCF-388

Media Inventory Logs

If your organization manages electronic media with sensitive data, upload evidence of your media inventory.

Without careful inventory methods and storage controls, stolen or missing electronic media could go unnoticed for an indefinite amount of time.

DCF-409

Audit Trail for Privileged Access

Upload evidence showing that audit trails or logs are implemented for system components to capture all actions taken by any identities with administrative access, including execution of privileged functions and any interactive use of application or system accounts.

Example: Screenshot or export of a sample log showing the relevant log contents.

Identities with increased access privileges, such as “administrator” or “root” accounts, have the potential to significantly impact the security or operational functionality of a system. Without a log of the activities performed, an organization cannot trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and account.

DCF-411

Audit Trail for Invalid Access Attempts

Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts.

Example: Screenshot or export of a sample log showing the relevant log contents.

Malicious individuals will often perform multiple access attempts on targeted systems. Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password.

DCF-413

Audit Trail of Changes to Audit Logs

  1. Screenshots of audit log settings showing that the initialization of logging and stopping or pausing of logging are logged.

  2. Screenshots showing that these log settings are functioning correctly.

DCF-421

Clock Synchronization

Upload evidence showing that the organization synchronizes all critical system clocks and times using time-synchronization technology (such as Network Time Protocol (NTP)).

DCF-422

Time-related System Parameters

Upload evidence showing that internal systems receive time information only from designated central time server or servers that are configured to receive time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC).

If there is more than one designated time server, upload evidence showing that the time servers peer with one another to keep accurate time.

DCF-424

System Time Source

Upload evidence showing that internal systems receive time information only from designated central time server or servers that are configured to receive time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC).

If there is more than one designated time server, upload evidence showing that the time servers peer with one another to keep accurate time.

DCF-429

Limited Access to Audit Trails

Upload evidence of the users with elevated access to log systems and log data.

Example: Screenshots of the users with administrative or privileged access to log systems and log data.

DCF-430

Audit Trail Files Protected

Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation.

DCF-434

Policies and Procedures for Logging

Upload the Logging and Monitoring Policy

DCF-444

Critical Security Control System Failure Alert

Screenshots showing how alerts are configured for the following systems:

  • Firewalls

  • IDS/IPS

  • FIM

  • Anti-virus

  • Physical access controls

  • Logical access controls

  • Audit logging mechanisms

  • Segmentation controls (if used)

DCF-445

Critical Security Control System Failure Response

Documented policies and procedures for responding to the failure of security controls which cover the following items:

  • Restoring security functions

  • Identifying and documenting the duration (date and time start to end) of the failure

  • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause.

  • Identifying and addressing any security issues that arose during the failure.

  • Performing a risk assessment to determine whether further actions are required as a result of the security failure.

  • Implementing controls to prevent cause of failure from reoccurring.

  • Resuming monitoring of security controls.

DCF-449

Unauthorized Wireless Access Points Detected and Identified

Documented policies and procedures related to detecting and identifying any unauthorized wireless access points on at least a quarterly basis, which state that at least the following devices will be detected:

  • WLAN cards inserted into system components

  • Portable or mobile devices attached to system components to create a wireless access point

  • Wireless devices attached to a network port or network device

DCF-452

Inventory of Authorized Wireless Access Points

Documented inventory of authorized wireless devices including business justification for each wireless access point.

DCF-456

Vulnerabilities Identified and Resolved

  1. Documentation showing that any high-risk items in quarterly vulnerability scans have been remediated.

  2. Rescan reports showing that all high-risk items identified in quarterly internal scans have been remediated.

DCF-488

Network Connection Termination

  1. Documented policies for acceptable use of critical technologies which state that remote access technologies will be disconnected after a specified period of inactivity.

  2. Screenshots of remote access technology configurations showing that remote access sessions will be disconnected after a set period of inactivity.

DCF-503

Multiple Methods for Security Awareness

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (such as screenshots of internal newsletters or intranet pages with security reminders, or security updates sent out via Slack or other internal communication channels).

DCF-504

Cardholder Data Security Awareness Training

Training records showing that all personnel have received training upon hire and at least annually thereafter on cardholder data security.

DCF-516

Incident Response Training

Documented policies or procedures related to Incident Response or Training which include a requirement to train staff with Incident Response roles on a periodic basis.

DCF-524

Periodic Review of Application and System Accounts

Upload documentation showing records of periodic reviews of application and system accounts, including dates and details of each review. This should outline the accounts reviewed, associated privileges, and any changes made, such as access modifications or account removals.

Example:

  • Review Logs: Logs documenting the accounts reviewed, their privileges, and any changes made.

  • Meeting Minutes or Reports: Minutes or reports from meetings or system administrators confirming review details.

  • Change Request Forms/Approval Records: Forms or records showing how changes were approved and implemented.

DCF-557

Shared Account Management

For any highly privileged shared accounts, upload evidence of the business justification and evidence of how these shared accounts are securely managed.

Example: Documentation of the business purpose of the shared account(s) with management approval and screenshots showing how the shared accounts are securely managed (e.g., through password vaults restricted to specific personnel, etc.).

DCF-558

Restrictions on Software Installation and Execution

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software on company-managed assets (e.g., screenshots from MDM tools showing rules preventing software installation are enforced on company devices, access controls limiting the ability to run executables, etc.).

DCF-562

Management of Utility Programs

Upload screenshots or exports of user lists (with a screenshot of parameters used for exporting) showing the users with administrative or privileged access to the systems (e.g., super users, administrators, power users, etc.) for relevant systems.

Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), utility programs (e.g., antivirus consoles) and others based on the scope of the engagement. Discuss system scope with your chosen auditor.

DCF-566

Management of Nonconformities

  1. Upload formal documentation for identified issues (e.g., incidents, audit findings).

  2. Upload Corrective Action Plan reports: steps planned and taken to address the root cause.

  3. Evidence of Corrective Action Completion: screenshots, system logs, configuration change records, or tickets (e.g., Jira) showing remediation.

DCF-574

Mobile Device Management Software

Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (e.g., screenshots from the MDM's centralized management console, screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type, etc.).

DCF-575

Maintenance Management Policy

Upload Maintenance Management Policy

DCF-578

System and Services Acquisition Policy

Upload System and Services Acquisition Policy

DCF-580

Disabling High Risk User Accounts

Documented policies and procedures for Identity Management which have a requirement to disable high risk user accounts when not in use and enable these accounts only when needed.

Screenshots or system user access lists showing that high risk user accounts are enabled only when needed and disabled after use.

DCF-581

Encrypted Information Flow Control

  1. Upload documented policies and procedures: Information Security Policy, Data Protection Policy, Network Security Policy, and encryption standards documentation.

  2. MDM or endpoint management screenshots showing disk/network encryption policies (if applicable).

  3. Screenshots or exports of firewall rules or load balancer settings enforcing HTTPS/TLS for data in transit.

DCF-582

Accounts Unlocked by Admin

  1. Upload documented policies and procedures for Access Control.

  2. Example Evidence: Admin Role Permissions Screenshot.

  3. Upload audit logs or system reports that detail the date/time, the user account unlocked, and the administrator account that performed the action.

  4. Help desk or ticketing system record: a sample service ticket (e.g., Jira).

DCF-583

System Use Notification

  1. Upload documented policy that outlines the organization's requirements for system use notifications.

  2. Screenshots of the actual notification message displayed to users before they are granted access to the system (e.g., at login, upon first access to a specific module, or before submitting data). This could be a login banner, a splash screen, or a pop-up.

DCF-589

Verified External Systems Controls

  1. Completed risk assessments for all external systems (vendors, partners, service providers) that access your systems.

  2. Vendor Contracts / Data Processing Agreements (DPAs) / Service Level Agreements (SLAs).

  3. Evidence of regular security review and/or audits of external systems. (e.g., SOC 2 Report, Penetration Tests, Vulnerability Scan Results, etc).

DCF-590

Information Sharing

  1. Documented policies and procedures such as Data Classification Policy and Data Protection Policy. The relevant policy and procedures should outline levels such as "Public," "Internal," "Confidential," and "Restricted."

  2. Examples: Screenshots of automated systems/tools enforcing data sharing rules (e.g., SharePoint Online settings blocking public sharing by default).

  3. System or application access controls that automate who can share what data and with whom.

  4. Data Loss Prevention (DLP) or CASB Reports.

DCF-591

Management of Publicly Accessible Content

  1. Policy, Procedures or Standard Operating Procedure (SOP) Documentation that define the review process for publishing public content.

  2. Evidence showing that content was reviewed and approved before publishing. For example, Ticketing Systems (e.g., Jira) showing content approval workflow.

  3. Evidence of corrective action or incident records. For example, a screenshot of updated content with sensitive data removed and the date/time of the fix.

DCF-599

High Risk Area System Configuration

  1. Documented policies outlining procedures for securing systems during travel to high-risk regions.

  2. Pre-Travel Checklist or Approval Forms used before international travel, indicating risk assessment and configuration requirements.

  3. Device Configuration Screenshots or MDM Settings. For example, screenshots or logs showing device hardening prior to travel.

  4. VPN or Remote Access Enforcement Logs. Provide a screenshot showing that secure remote access is enforced.

DCF-606

Device Identification and Authentication

  1. Upload Asset Management Policy, Access Control Policy, and Configuration Policy.

  2. Asset Inventory list: An up-to-date asset inventory with device IDs, MAC/IP addresses, assigned users, etc.

  3. Sample of Logs or Reports: Authentication logs or access reports showing device-level authentication or denial events based on unrecognized devices.

DCF-607

System Identifier Management

  1. Upload Access Control Policy.

  2. Screenshot or exported logs from IAM or directory services (e.g., Active Directory, Entra ID, Okta).

  3. Termination or offboarding checklist.

DCF-608

Management of At-risk Passwords

  1. Upload Password Policy.

  2. Screenshots from your password management system (e.g., Entra ID, Okta, Active Directory, etc.).

  3. Audit Logs or Reports. Example screenshot for enforcement of at-risk password policies or showing blocked attempts due to weak password use.

DCF-609

Public Key Authentication

  1. Upload evidence of a documented policy or procedure establishing public key authentication processes for individuals, machines, and devices.

  2. Upload configuration records or system settings demonstrating implementation of public key authentication mechanisms.

  3. Upload audit logs or review records verifying proper use, management, and periodic validation of public key authentication for authorized entities.

DCF-610

Authenticators Protected

  1. Upload evidence of a documented policy or procedure requiring protection of authenticators commensurate with the highest security category of information on the system.

  2. Upload configuration settings or technical controls enforcing enhanced protection of authenticators (e.g., multi-factor authentication, encryption, secure storage).

  3. Upload audit reports or assessment records verifying that authenticator protections meet or exceed requirements based on the system’s highest security category.

DCF-611

Obscured Authentication Feedback

Screenshot of the user interface during the authentication process showing that authentication feedback is obscured (e.g., password entry fields displaying asterisks or limited visibility feedback).

DCF-616

Remote Maintenance

  1. Upload evidence of a documented policy or procedure requiring approval and monitoring of all nonlocal maintenance and diagnostic activities.

  2. Upload documented records showing approvals granted for specific nonlocal maintenance or diagnostic sessions.

  3. Upload logs or system records verifying that external session and network connections are terminated promptly upon completion of nonlocal maintenance activities.

DCF-617

Maintenance Personnel Authorization

  1. Upload evidence of a documented policy or procedure defining the authorization process for maintenance personnel and organizations, including criteria for access and competence.

  2. Upload the current documented list of authorized maintenance personnel and organizations with approved access permissions.

  3. Upload records demonstrating assignment of organizational personnel with required access and technical competence to supervise maintenance activities performed by unauthorized personnel.

DCF-619

Media Sanitization

Upload evidence for one instance of data disposal on hardware showing that data was disposed securely.

Examples: one example certificate of destruction of hardware, screenshots showing that hard drive data on an endpoint were wiped prior to reuse of the device, etc.

DCF-632

Supply Chain Risk Assessment

  1. Upload evidence of a documented policy or procedure requiring assessment and periodic update of supply chain risks related to system components and services.

  2. Upload completed supply chain risk assessments identifying potential threats, vulnerabilities, and mitigations associated with suppliers, components, or services.

  3. Upload evidence of periodic reviews or updates to supply chain risk assessments, including meeting minutes, risk register updates, or third-party monitoring reports.

DCF-639

Shared System Information Security

  1. Upload evidence of a documented policy or procedure requiring technical controls to prevent unauthorized or unintended information transfer through shared system resources (e.g., memory, cache, storage).

  2. Upload system or security configuration settings demonstrating implementation of controls such as memory isolation, process separation, or virtualization protections.

  3. Upload audit reports, security test results, or system design documentation verifying enforcement of protections against information leakage through shared resources.

DCF-643

Collaborative Computing Devices and Applications

  1. Upload evidence of a documented policy or procedure prohibiting remote activation of collaborative computing devices and requiring explicit user notification when such devices are in use.

  2. Upload system configurations or device settings showing restrictions on remote activation and implementation of user-visible indicators (e.g., LED lights, on-screen prompts).

  3. Upload audit logs, device management records, or review reports verifying enforcement of remote activation restrictions and presence of user indicators.

DCF-644

Mobile Code Management

  1. Upload evidence of a documented policy or procedure defining acceptable and unacceptable mobile code technologies and specifying usage restrictions.

  2. Upload system configuration settings, group policy objects (GPOs), or other technical controls enforcing restrictions on the use of unauthorized mobile code technologies.

  3. Upload audit logs, scan reports, or review records verifying enforcement of mobile code restrictions and identification of any unauthorized use.

DCF-645

Session Authentication Management

  1. Upload evidence of a documented policy or procedure requiring protection of communication at the session level, such as the use of encryption for data in transit.

  2. Upload system configuration settings or network architecture diagrams showing implementation of session-level protections (e.g., TLS, VPN, SSH).

  3. Upload logs, test results, or audit reports verifying that session-level communication protections are in place and functioning as intended.

DCF-648

Unauthorized Network Services Monitoring and Alert

  1. Upload evidence of a documented policy or procedure requiring the detection of unauthorized network services and alerting designated personnel upon detection.

  2. Upload system or tool configuration records showing active monitoring for unauthorized network services, including detection rules, thresholds, or signatures.

  3. Upload logs or alert reports demonstrating detection of unauthorized services and notification to designated personnel, along with any follow-up actions taken.

DCF-671

External Systems Inventoried

  1. Upload evidence of a documented policy or procedure requiring the identification, documentation, and maintenance of an inventory of all external assets.

  2. Upload the current inventory of external assets, including asset type, ownership, location, purpose, and any relevant attributes or relationships to organizational systems.

  3. Upload evidence of periodic reviews or updates to the external asset inventory, including change logs, asset lifecycle updates, or audit records.

DCF-687

Email Protection Mechanisms

  1. Upload evidence showing that phishing and spam detection mechanisms have been implemented in your organization.

Example: Screenshots showing SPF, DMARC, DKIM configurations enabled for email authentication.

DCF-688

Return of Assets

For one recently terminated personnel, upload evidence showing that assets were returned to the company.

Example: Screenshots of offboarding checklists or internal tickets showing tracking of return of devices, badges, tokens, etc., upon termination, evidence of pre-paid labels sent to remote personnel for asset return and tracking, etc.

DCF-698

Automated Mechanisms for Audit Log Reviews

Upload evidence to demonstrate that your organization has implemented automated mechanisms for audit record reduction and log analysis.

Examples:

System Configuration Documentation: Documentation for your SIEM or log management platform showing how automated log reduction and correlation are configured.

Log Management System Reports: Reports from your log management system demonstrating automated log reduction and correlated event analysis.

DCF-708

Software and Third Party Libraries Inventory

  1. Upload evidence of your organization's software and third party libraries inventory (i.e., software bill of materials).

Example: Screenshots from software composition analysis tools showing software bill of materials (SBOM).

DCF-712

Static Application Security Testing

Upload evidence that static application security testing (SAST) is conducted for software development testing.

Example: Screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud, etc.

DCF-716

Application and System Accounts Authorized

Upload company’s access control policies, access request forms or approval tickets, access logs demonstrating privileges align with system needs, signed management approval for provisioning access, and periodic access review records.

Examples:

  • Access Control Policies: Upload the company’s access control policies that define the rules and requirements for granting, managing, and reviewing access to systems.

  • Access Request Forms or Approval Tickets: Provide sample access request forms or approval tickets showing how access is requested and approved.

  • Access Logs: Include access logs that show how user privileges align with system needs, ensuring users only have the necessary access.

  • Signed Management Approval: Upload signed management approval records for access provisioning to demonstrate that access was granted with appropriate oversight.

  • Periodic Access Review Records: Provide documentation showing the periodic review of user access, confirming that access privileges are reassessed regularly.

DCF-725

MFA Configured to Prevent Misuse

Upload the MFA Policy or Configuration Procedure detailing how replay attacks are prevented, two-factor authentication is required, and MFA bypass is restricted. Include screenshots of system settings that show alignment with the policy. Also, provide documentation for any exceptions authorized by management, including justification and timeframes.

Examples:

  • MFA Policy or Procedure: Document describing MFA configurations.

  • System Settings Screenshots: Screenshots showing MFA settings.

  • Exception Documentation: Approval forms or emails for any MFA exceptions.

DCF-726

Interactive Use of System and Application Accounts Managed

Include screenshots of system settings that restrict interactive login, along with signed approval forms or emails for exceptional access. Provide business justification documentation and audit logs showing individual user actions taken during those exceptions.

Examples:

  • System Settings Screenshots: Configuration showing login restrictions.

  • Signed Approval Forms/Emails: Documents authorizing exceptional access.

  • Business Justification: Documentation explaining the need for exceptions.

  • Audit Logs: Logs tracking user actions during the exception period.

DCF-727

Passwords for System and Application Accounts Changed Periodically

  1. Provide the "Password Management Policy" or "Access Control Policy" that outlines password change procedures based on the entity's risk analysis and after a compromise.

Examples:

Password Management Policy: Document outlining password change procedures.

Screenshots of Password Complexity Settings: System settings showing password rules.

Records of Password Changes: Logs showing when passwords were updated.

Change Logs/Incident Reports: Documentation of actions taken after a compromise.

DCF-730

Security Controls on Devices that Connect to the Internet

Evidence:

  1. Security Control Inventory: Upload a document (e.g., a spreadsheet or list) showing all active security controls such as firewalls, endpoint protection software, and any other relevant security measures.

  2. Configuration Settings: Provide screenshots or configuration files that demonstrate the security controls are configured and active on both company- and employee-owned devices.

  3. Logs: Include logs that verify the application of these security controls across the devices, confirming they are being enforced properly.

DCF-741

Logging and Monitoring Policy

Upload Logging and Monitoring Policy.

DCF-742

Insider Threat Awareness and Training

  1. Upload evidence of a documented policy or procedure requiring periodic insider threat awareness training for managers and employees, including reporting mechanisms and communication protocols.

  2. Upload training materials or course content covering recognition and reporting of potential insider threat indicators, including how to escalate concerns through appropriate channels.

  3. Upload training records or attendance logs demonstrating that employees and managers have completed insider threat awareness training as required.

DCF-744

Contact with Authorities

  1. Upload evidence of incident response procedures/playbooks or documented communication plans showing that your organization has identified and documented authorities to be contacted (such as law enforcement, regulatory bodies, supervisory authorities) as well as the events or circumstances that would require communication and the methods and responsibilities for communication with authorities.

Maintaining such contacts can be a requirement to support information security incident management or the contingency planning and business continuity processes. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization.

DCF-745

Segregation of Duties

Upload evidence showing that your organization has identified conflicting duties and conflicting areas of responsibility that must be segregated and implemented mechanisms for segregation of duties.

Your organization should determine which duties and areas of responsibility need to be segregated to reduce the risk of fraud, error, and bypassing of information security controls. The following are examples of activities that can require segregation:

  • Initiating, approving and executing a change

  • Requesting, approving and implementing access rights

  • Initiating and approving transactions

  • Using applications and administering databases

It is recommended that the organization's approach to managing segregation of duties is documented, including the identified activities to be segregated and how segregation of duties is achieved for each (e.g., through role-based access control, assigning duties to different individuals, etc.).

DCF-761

Incident Management Procedures for Collection of Evidence

  1. Upload evidence of a documented incident response policy or procedure that includes guidelines for identification, collection, acquisition, and preservation of incident-related evidence and metadata.

  2. Upload incident response records or reports demonstrating application of evidence handling procedures during actual or test incidents.

  3. Upload evidence of periodic reviews or training records verifying that staff are aware of and follow evidence collection and preservation processes during incident response.

DCF-784

Software Composition Analysis (SCA)

  1. Upload evidence to show that your organization checks software components and libraries for policy and license compliance, security risks, and supported versions.

Example: Screenshots showing that software composition analysis tools are used as part of your CI/CD pipeline to check for vulnerabilities in third party libraries.

DCF-787

Re-authentication Configurations

  1. Upload evidence of a documented policy or procedure requiring periodic or conditional re-authentication to systems, including session timeout and inactivity settings.

  2. Upload system configuration records or settings showing enforcement of re-authentication requirements such as session lifetimes and automatic logouts after inactivity.

  3. Upload evidence of periodic reviews or audits verifying that re-authentication controls are properly implemented and enforced according to policy.

DCF-788

CUI Data Inventory

  1. Upload evidence of a documented policy or procedure requiring the creation, maintenance, and update of an inventory of all systems, components, products, or services that store or process Controlled Unclassified Information (CUI).

  2. Upload the current inventory of CUI-related systems, including details on data types, storage or processing locations, metadata, access controls, and other relevant attributes.

  3. Upload evidence of inventory reviews and updates triggered by changes in CUI storage or processing locations, including change logs, review records, or version histories.

DCF-790

System Security Plans

  1. Upload evidence of a documented policy or procedure requiring the development, review, and periodic update of System Security Plans (SSPs) in alignment with compliance or regulatory requirements.

  2. Upload completed SSPs detailing system components and boundaries, data types processed, security safeguards (in place or planned), system interconnections, threats of concern, and responsible parties.

  3. Upload evidence of periodic SSP reviews and updates, including review logs, version history, and documentation of changes based on system modifications, assessments, or organizational requirements.

DCF-791

Plans of Action and Milestones

  1. Upload evidence of a documented policy or procedure requiring the creation, maintenance, and periodic update of POA&Ms for unimplemented or deficient security requirements.

  2. Upload completed and up-to-date POA&M records showing identified gaps, assigned remediation actions, responsible personnel, timelines, and current status.

  3. Upload evidence of periodic POA&M reviews and updates based on security assessments, audits, or continuous monitoring, including related reports and management approvals.

DCF-792

Regulation of Cryptographic Controls

  1. Upload evidence of a documented policy or standard requiring the use of cryptographic methods compliant with regulatory requirements (e.g., FIPS-validated cryptography for protecting CUI).

  2. Upload system configurations or encryption module documentation showing that FIPS-validated cryptographic algorithms and libraries are implemented on systems handling sensitive information.

  3. Upload evidence of periodic reviews or audits confirming continued compliance with cryptographic standards and identifying any updates based on changes in regulations or technology.

DCF-793

Dedicated Accounts or Roles for Admin Functions

  1. Upload evidence of a documented policy or procedure requiring the use of separate administrator accounts or roles for accessing administrative or security functions.

  2. Upload account configuration records or system settings showing that users have dedicated admin accounts for privileged access and separate standard accounts for non-privileged use.

  3. Upload evidence of periodic reviews or audits verifying proper use of admin and standard accounts, and ensuring least privilege is enforced.

DCF-795

Transferred Personnel Access Validation

  1. Upload evidence of a documented policy or procedure that defines how logical and physical access is reviewed and updated when personnel are reassigned or transferred.

  2. Upload records of access reviews and modifications performed for reassigned personnel, showing changes made to align with new job responsibilities.

  3. Upload evidence of periodic audits or access validation logs confirming that access reviews are conducted and documented in accordance with policy.

DCF-796

Training for Posting Public Content

  1. Upload evidence of a documented policy or procedure that defines how individuals are authorized to post publicly accessible content.

  2. Upload a list of authorized individuals and training records showing they have completed training on preventing the release of CUI in public content.

  3. Upload evidence of periodic reviews or audits of public content and updates to training or procedures based on incidents or policy changes.

DCF-797

CUI Markings

  1. Upload evidence of a documented media marking policy that defines how CUI on system media is marked, including required handling caveats and distribution limitations.

  2. Upload samples of marked media and related training records showing that personnel are trained and that CUI markings are applied in practice.

  3. Upload evidence of periodic reviews or audits verifying correct media marking and alignment with regulatory requirements (e.g., CUI registry, DoD guidance).

DCF-798

CUI Risk Assessment

  1. Upload evidence of a documented risk assessment methodology that includes evaluation of risks to CUI, including supply chain-related risks.

  2. Upload completed risk assessment reports and related documentation showing evaluation of unauthorized disclosure risks during CUI processing, storage, or transmission.

  3. Upload evidence of periodic reviews, updates, and management approval of risk assessments, including how supply chain risks and mitigation actions are addressed.

DCF-814

Security Impact Assessment for Changes

  1. Upload evidence of the documented process for evaluating the security impact of system changes and validating security requirements after implementation.

Examples:

Change Management Policy/Procedure: A copy of the documented policy or procedure that outlines the process for evaluating the security impact of system changes before implementation.

Change Impact Assessment Records: Evidence of completed security impact assessments for system changes, including any findings or recommendations related to vulnerabilities or security risks.

Post-Implementation Validation Records: Documentation that confirms security requirements were validated after system changes were implemented, such as validation reports, testing records, or sign-offs by responsible personnel.

DCF-815

Incident Response Training Content Review

  1. Upload evidence of a documented incident response training program, including training objectives, target personnel, frequency, and content.

  2. Upload training completion records and management approvals showing that personnel received the training and that updates were formally approved.

  3. Upload evidence of periodic reviews and updates to the training program, including changes made after significant events (e.g., incidents, assessments, regulatory changes) with supporting documentation.

DCF-816

Physical Access Restrictions for Changes

  1. Upload evidence of a documented policy defining physical access restrictions for initiating changes to system components, along with records of periodic reviews and updates to these controls and procedures.

  2. Upload access approval records and physical access logs (e.g., badge records) showing that only authorized individuals are granted and have accessed sensitive areas, demonstrating enforcement of physical access restrictions.

DCF-817

Cloud Security Configuration Monitoring

  1. Upload evidence of a documented policy or procedure describing the use of automated tools for continuous monitoring of cloud security configurations and risks.

  2. Upload evidence of the tool’s configuration settings showing how it detects misconfigurations, vulnerabilities, and security risks.

  3. Upload recent scan or monitoring reports from the automated tool showing identified findings in the cloud environment.

  4. Upload remediation or incident tickets showing how findings were reviewed and resolved, along with evidence of periodic reviews and updates to the monitoring tools and processes (e.g., meeting notes, change logs).

DCF-818

Physical Access Devices Controlled

  1. Upload evidence of policies and procedures for assigning, tracking, and managing physical access devices throughout their lifecycle.

  2. Upload evidence of an inventory or register of all physical access devices, including assigned personnel and device status.

DCF-819

Control of Removable Media

  1. Upload evidence of documented policies and procedures restricting the use of removable media to only authorized media types with documented business justification.

Examples: Acceptable Use Policy, Removable Media Policy, or IT Security Policy with a section on removable media usage.

  2. Upload evidence of technical controls implemented to enforce the restriction of unauthorized removable media on organizational systems.

  3. Upload evidence of personnel acknowledgment of the policies and rules of behavior regarding removable media use.

DCF-820

Password Minimum Change of Characters

  1. Upload evidence of your formal, documented password policy that explicitly defines the requirement for a minimum number of characters to be changed when passwords are updated.

  2. Upload evidence of the technical configurations on your relevant systems (e.g., Active Directory, identity management systems, operating systems, applications) that enforce the minimum characters changed requirement for password updates.

  3. Upload evidence that your password policy (including the character change requirement) and its technical enforcement configurations are periodically reviewed and updated.

DCF-821

Removable System Media Ownership

  1. Upload evidence of documented policies and procedures that mandate the assignment of identifiable owners to all removable system media and prohibit the use of unowned media.

  2. Upload evidence of a comprehensive register or inventory system that tracks all authorized removable system media and clearly records their identifiable owners.

  3. Upload evidence of procedures and technical mechanisms implemented to enforce the prohibition of using removable system media that have no identifiable owner.

  4. Upload evidence of audit logs and records that demonstrate enforcement of media ownership policies and detection/handling of unauthorized or unowned media use attempts.

DCF-822

Remote Access Management

  1. Upload evidence of documented usage restrictions specifying what activities are permitted or prohibited for each type of allowable remote system access.

  2. Upload evidence of documented configuration requirements and security baselines for the technical setup of each type of allowable remote system access.

  3. Upload evidence of documented connection requirements that personnel must meet to establish a remote system access session.

  4. Upload evidence of consolidated documentation for all types of remote access, demonstrating how usage, configuration, and connection requirements are applied comprehensively, along with any formal exception process.

Examples: Remote Access Architecture Diagrams, Exception Process Documentation, Regular Review Records

DCF-823

Diagnostic Media Verification

  1. Upload evidence of documented policies and procedures that require checking media containing diagnostic and test programs for malicious code before use.

Examples: Media Protection Policy, Media Handling Procedures, Secure Baseline for Diagnostic/Test Tools

  2. Upload evidence of actual records demonstrating that media containing diagnostic and test programs have been checked for malicious code before use.

  3. Upload evidence of your organization's practice of retaining supporting documentation related to the checking of diagnostic and test media.

Examples: Log Retention Policy, Archived Scan Reports, Evidence Storage Locations

DCF-824

Remote Connection Monitoring

  1. Upload evidence of documented policies and procedures that govern remote access, including explicit requirements for monitoring remote access sessions.

  2. Upload evidence of the configurations of systems and tools used to monitor remote access sessions on various system components.

  3. Upload evidence of actual log data, audit trails, and reports generated from monitoring remote access sessions on system components.

  4. Upload evidence of configured alerting mechanisms designed to notify appropriate personnel of unusual or unauthorized remote access activities or events.

  5. Upload evidence of defined baselines for "normal" remote access activity against which "unusual or unauthorized activities" can be detected.

DCF-826

Role-Based Security Training

  1. Upload evidence of documented security roles and responsibilities within your organization, along with the specific specialized information security training required for each role.

  2. Upload evidence of the actual specialized information security training curriculum and content provided to personnel with security-related duties.

  3. Upload evidence of personnel completing their assigned specialized security training, including initial training (prior to access/duties) and periodic refresher training.

  4. Upload evidence that specialized security training is provided or updated when required by system changes or other defined significant events impacting security responsibilities.

DCF-827

Role-Based Security Training Program Updates

  1. Upload evidence of documented policies and/or procedures that mandate and guide the periodic review and update of your role-based security training program.

Examples: Training Program Review Policy, Training Content Update Procedure, Training Needs Assessment Procedure

  2. Upload evidence of completed reviews of your role-based security training program conducted at defined periodic intervals.

  3. Upload evidence of reviews and subsequent updates to the role-based security training program that were initiated by specific significant events.

Examples: Incident Response After-Action Reports, Assessment Findings/Audit Reports, Change Management Documentation

  4. Upload evidence that significant changes to the role-based security training program (e.g., major content revisions, schedule changes) receive appropriate management approval.

DCF-828

Incident Handling Capability

  1. Upload evidence of your comprehensive and formally approved Incident Response Plan (IRP) that outlines the full lifecycle of incident handling.

  2. Upload evidence demonstrating your organization's capability to detect and analyze cybersecurity incidents.

  3. Upload evidence of recurring training for incident response personnel and records of incident response exercises.

DCF-829

Network Traffic Monitoring

  1. Upload evidence of documented policies and procedures that define how your organization monitors and logs inbound and outbound network communications traffic.

  2. Upload evidence of the configurations of your network monitoring tools demonstrating their capability to capture and analyze inbound and outbound traffic for unusual or unauthorized activities.

  3. Upload evidence of your processes for detecting, alerting on, and responding to unusual or unauthorized inbound and outbound communications traffic.

  4. Upload evidence of actual log data and audit trails generated from your network monitoring systems, demonstrating the collection of inbound and outbound communication events.

DCF-868

Cybersecurity Supply Chain Risk Management Program

  1. Upload evidence of your defined and documented Cybersecurity Supply Chain Risk Management (C-SCRM) program plan, i.e., the master document detailing your C-SCRM strategy, scope, roles, and milestones.

  2. Upload evidence of documented policies that establish the organization's stance and requirements for cybersecurity supply chain risk management.

Example: Cybersecurity Supply Chain Risk Management Policy

  3. Upload evidence of a defined process for periodically reviewing and improving the C-SCRM program, policies, and procedures.

Example: Documentation showing how you regularly review and update your C-SCRM program.

DCF-870

Integrated Cybersecurity Supply Chain Risk Management

Upload evidence of your documented C-SCRM plan that outlines your strategy for identifying, assessing, and mitigating cybersecurity risks associated with your supply chain.

  1. Upload evidence demonstrating how cybersecurity supply chain risks are formally aggregated and managed alongside other enterprise risks within your organization's enterprise risk management framework.

Example: Evidence showing C-SCRM risks are tracked alongside all other organizational risks.

  2. Upload copies of contractual agreements with your suppliers, particularly those handling or impacting Controlled Unclassified Information (CUI), demonstrating the inclusion of security clauses and "flow-down" requirements.

  3. Upload evidence of your processes for continuously monitoring the security posture of your supply chain partners and how supply chain-related incidents are incorporated into your overall incident response plan.

Example: Continuous Monitoring Reports, Supplier Performance Reviews, Incident Response Plan (IRP) Addendum, Supply Chain Incident Drills/Tabletops.
