The following is a list of example evidence for controls not monitored in Drata for NIST 800-171 Rev 3.
Note: An auditor may request additional evidence for each control.
Code | Name | Evidence Example |
DCF-7 | Separate Environments | Screenshots from test and production environments for the application |
DCF-9 | Internal Communication Channels | Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel. |
DCF-19 | Penetration Tests | Most recently completed annual penetration test. |
DCF-20 | Asset Inventory | 1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.)
2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure |
DCF-29 | Incident Response Team | Provide the documented list of Incident Response team members who have the responsibility and authority to coordinate and execute incident response procedures. |
DCF-30 | Incident Response Lessons Learned Documented | For an example security event deemed an incident, upload the incident documentation including evidence of internal tracking (e.g., internal ticket), root-cause analysis (RCA)/post-mortem, lessons learned, etc. |
DCF-46 | Formal Screening Process | Upload evidence of the formal interview/recruitment process for a recently hired personnel. Example: Calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials etc. |
DCF-56 | Vendor Register and Agreements |
|
DCF-57 | Vendor Compliance Monitoring | Provide documentation showing that your organization obtains and reviews compliance reports or other evidence for critical vendors at least annually.
Documentation can include:
|
DCF-58 | Centralized Authentication and Account Management | 1. If SSO is an option, screenshots of a user logging in with SSO.
2. If username and password is an option, screenshots of a user logging in with a username and password.
3. Screenshots of MFA being required for employee users.
4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA. |
DCF-60 | Secure Password Storage | If username and password is required, screenshots from the database showing that password are stored using a salted hash. |
DCF-62 | Session Termination | 1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to reauthenticate upon next login.
2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login. |
DCF-69 | Access Provisioning | Formal, documented access request form/help desk ticket for a recent new hire. |
DCF-76 | Critical Change Management | Formal, documented emergency change procedures for critical changes. |
DCF-91 | Intrusion Detection/Prevention System | 1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.
2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.
3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected. |
DCF-92 | Encrypted Remote Production Access | 1. Screenshots of a user trying to access production systems without being connected to a VPN and providing access is denied.
- and -
2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection. |
DCF-108 | Secure Storage Mechanisms | Pictures of secure storage bins from office locations. |
DCF-132 | Privacy and Security Requirements in Third-Party Agreements | Executed agreements (such Data Processing Agreements, Business Associates Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data. |
DCF-135 | Notification of Incidents or Breaches | 1. Formal, documented breach notification procedures.
- and -
2. Breach Notification Template |
DCF-154 | Incident Response Test | Most recently completed incident response tabletop test. |
DCF-155 | Testing of Changes | Screenshots from the ticketing system for a few changes showing that changes were tested. |
DCF-156 | Change Releases Approved | Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel. |
DCF-165 | Periodic Independent Assessments | 1. Evidence of testing performed for internal audit.
2. Internal audit report. |
DCF-171 | Documented Operating Procedures | This will be a part of your ISMS policy. |
DCF-174 | Telework and Endpoint Devices | This section is from the information security policy |
DCF-180 | Secure Information Transfer | Upload the Data Protection Policy |
DCF-182 | Asset Management Policy | Upload the Asset Management Policy |
DCF-188 | Communication with Advisories and Special Interest Groups | Upload evidence showing that the organization and members of management maintain contact with special interest groups (e.g., security groups, privacy groups, etc.).
For example, screenshots or exports showing members of management receive newsletters and updates from professional association groups, email alerts from security advisories such as CISA, participation in conferences, threat advisories, etc. |
DCF-201 | Network Security Controls Configuration Standards |
|
DCF-204 | Dataflow Diagram | Formal Data Flow Diagram for the Cardholder Data Environment including the date the diagram was finalized. |
DCF-206 | Network Security Controls Between Trusted and Untrusted Networks |
|
DCF-216 | Network Security Controls Restricting Wireless Network Traffic |
|
DCF-220 | Anti-Spoofing Measures | Screenshots showing that anti-spoofing methods have been implemented, such as blocking traffic coming into the DMZ which have an IP Address that matches the IP Address of devices within the Cardholder Data Environment. |
DCF-223 | Sensitive Data Not Directly Accessible From Untrusted Networks |
|
DCF-233 | Wireless Network Vendor Defaults Changed |
NOTE - Mark this control out of scope if there are no wireless environments connected to the cardholder data environment or transmitting cardholder data. |
DCF-239 | One Primary Function per System Component | Screenshots of virtual server system configurations for virtual technologies in the CDE, showing that each component only serves one primary function (For example, web servers, database servers, and DNS should be implemented on separate servers.) |
DCF-240 | Only Necessary System Function Services Used | Screenshots showing the enabled services being run system components in the CDE. |
DCF-244 | System Security Parameters in Configuration Standards | Documented Server configuration standards showing that security parameter settings are contained within the standard. |
DCF-249 | Encrypted Non-Console Administrative Access |
NOTE: Non-console access refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component. Non-console access includes access from within local/internal networks as well as access from external, or remote, networks. |
DCF-257 | Sensitive Authentication Data Storage | For issuers and/or companies that support issuing services and store sensitive authentication data, policies describing the documented business justification for the storage of sensitive authentication data. |
DCF-258 | Sensitive Authentication Data Secured | For issuers and/or companies that support issuing services and store sensitive authentication data, screenshots of data stores and system configurations showing that the sensitive authentication data is secured. |
DCF-259 | Sensitive Authentication Data Deleted after Authorization Process |
|
DCF-265 | Separate Encrypted File System Access Management | If disk encryption is used, screenshots of the configurations showing that logical access to encrypted file systems is implemented via a mechanism that is separate from the native operating system’s authentication mechanism (for example, not using local user account databases or general network login credentials). |
DCF-273 | Strong Key Generation Policies and Procedures | 1. Documented key management procedures which specify how to generate strong cryptographic keys. 2. Screenshots showing the strong cryptographic key generation process. |
DCF-278 | Key Retirement Policies and Procedures | Documented key management procedures which include guidance for: Replacement of known or suspected compromised keys. |
DCF-284 | Key and Certificate Validation | 1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates (Encryption Policy). 2. Screenshots showing that keys and certificates used in the environment are trusted. |
DCF-288 | Strong Encryption for Wireless Network Transmission |
|
DCF-291 | Anti-Malware on All System Components |
Examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits. |
DCF-293 | Anti-Malware Capabilities and Automatic Updates | Upload evidence showing that the deployed anti-malware solution is kept via automatic updates and configured to detect all known types of malware and to remove, block, or contain all known types of malware. Examples: Screenshots from the anti-malware solution console showing configurations for automated updates and detection and containment actions. |
DCF-294 | Anti-Malware Tools Behavior | Upload screenshots from your anti-malware solution console showing it is configured to perform periodic scans and active/real-time scans (e.g., scanning files from external sources as they are downloaded, opened, or executed) or to perform continuous behavioral analysis of systems or processes. |
DCF-297 | Patch Management |
|
DCF-305 | Production Components Change Control Procedures | For a non-software development change, upload documentation showing that the change was implemented in accordance with formal change management policies and procedures. For example, documentation of change description, justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, etc., and records of testing (for example, acceptance and security impact testing). Examples of changes include: infrastructure, network, configuration changes, etc. |
DCF-312 | Secure Code Development Training | Upload evidence of secure code development training completed by a member of personnel within the past year. Example: Training content (videos, presentations, agenda) showing topics covered, and records of completion for one personnel. The secure code development training program may be implemented through a third party or delivered in-house (e.g., team training session by engineering leadership, etc.). |
DCF-327 | System Access Roles Defined | Documented access needs for each role within the CDE which includes:
|
DCF-329 | Access Control System | Screenshots from the access control system for all system components. |
DCF-336 | Third Party Remote Access Monitored |
|
DCF-339 | Account Lockout after Failed Logins | Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing number of attempts that trigger the lockout and lockout duration. |
DCF-340 | Lockout Duration |
|
DCF-343 | Strong Encryption of Authentication Credentials During Transmission and Storage |
|
DCF-345 | User Identity Verification Before Modifying Authentication | Documented policies and procedures which state a requirement to verify a user’s identity prior to modifying authentication information (password resets, generating new keys, etc.). |
DCF-352 | Unique First-time Passwords With One-Time Use | Upload evidence showing that for organization systems passwords are set to a unique value for first-time use and upon reset and temporary initial passwords are forced to be changed immediately after the first use. Example: Screenshots of system configurations or screenshots from a walkthrough of the password reset process. |
DCF-355 | MFA for Remote Access |
|
DCF-359 | Authentication Mechanism Use |
|
DCF-363 | Entry Controls in Place | For each computer room, data center, and other physical areas which contain systems:
|
DCF-364 | Physical Access Controlled | Pictures showing that video camera or access control mechanisms (or both) are used to monitor the entry/exit points to sensitive areas. |
DCF-365 | Secure Physical Access Control Mechanisms | Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling. |
DCF-366 | Physical Access Control Mechanism Periodic Data Review | Documented procedures around reviewing data from video cameras and/or access control mechanisms. |
DCF-369 | Restricted Physical Access to Network Components | Observation of physical access to wireless access points, gateways, networking/communications hardware, and telecommunication lines within the company facilities being restricted |
DCF-374 | Visitors Authorized and Escorted | Observation of a visitor being escorted when entering company facilities (Note: Observations should be performed by auditors on-site, or via virtual meeting) |
DCF-375 | Personnel and Visitor Badges | Observation of visitor obtaining a visitor badge and example of a visitor badge (Note: Observations should be performed by auditors on-site, or via virtual meeting) |
DCF-381 | Media Physically Secured | Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes). |
DCF-382 | Security of Offline Media Backup Storage | Documented review of the security of the backup media storage location from the last 12 months. |
DCF-385 | Media Transported Securely | For one instance of media moved outside or within the facilities, upload evidence of management's documented approval for the movement of media. |
DCF-386 | Management Approval for Media Transport | Documentation from a recent media transfer (including media distribution to individuals) showing that the transfer was approved by an authorized member of management. |
DCF-388 | Media Inventory Logs | If your organization manages electronic media with sensitive data, upload evidence of your media inventory. Without careful inventory methods and storage controls, stolen or missing electronic media could go unnoticed for an indefinite amount of time. |
DCF-409 | Audit Trail for Privileged Access | Upload evidence showing that audit trails or logs are implemented for system components to capture all actions taken by any identities with administrative access, including execution of privileged functions and any interactive use of application or system accounts. Example: Screenshot or export of a sample log showing the relevant log contents. Identities with increased access privileges, such as “administrator” or “root” accounts, have the potential to significantly impact the security or operational functionality of a system. Without a log of the activities performed, an organization cannot trace any issues resulting from an administrative mistake or misuse of privilege back to the specific action and account. |
DCF-411 | Audit Trail for Invalid Access Attempts | Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts. Example: Screenshot or export of a sample log showing the relevant log contents. Malicious individuals will often perform multiple access attempts on targeted systems. Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password. |
DCF-413 | Audit Trail of Changes to Audit Logs |
|
DCF-421 | Clock Synchronization | Upload evidence showing that the organization synchronizes all critical system clocks and times using time-synchronization technology (such as Network Time Protocol (NTP)). |
DCF-422 | Time-related System Parameters | Upload evidence showing that internal systems receive time information only from designated central time server or servers that are configured to receive time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC). If there is more than one designated time server, upload evidence showing that the time servers peer with one another to keep accurate time. |
DCF-424 | System Time Source | Upload evidence showing that internal systems receive time information only from designated central time server or servers that are configured to receive time from industry-accepted external sources based on International Atomic Time or Coordinated Universal Time (UTC). If there is more than one designated time server, upload evidence showing that the time servers peer with one another to keep accurate time. |
DCF-429 | Limited Access to Audit Trails | Upload evidence of the users with elevated access to log systems and log data. Example: Screenshots of the users with administrative or privileged access to log systems and log data. |
DCF-430 | Audit Trail Files Protected | Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation. |
DCF-434 | Policies and Procedures for Logging | Upload the Logging and Monitoring Policy |
DCF-444 | Critical Security Control System Failure Alert | Screenshots showing how alerts are configured for the following systems:
|
DCF-445 | Critical Security Control System Failure Response | Documented policies and procedures for responding to the failure of security controls which cover the following items:
|
DCF-449 | Unauthorized Wireless Access Points Detected and Identified | Documented policies and procedures related to detecting and identifying any unauthorized wireless access points on at least a quarterly basis which includes at least the following devices will be detected:
|
DCF-452 | Inventory of Authorized Wireless Access Points | Documented inventory of authorized wireless devices including business justification for each wireless access point. |
DCF-456 | Vulnerabilities Identified and Resolved |
|
DCF-488 | Network Connection Termination |
|
DCF-503 | Multiple Methods for Security Awareness | Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (such as screenshots of internal newsletters or intranet with security reminders, security updates sent out via Slack or other internal communication channels) |
DCF-504 | Cardholder Data Security Awareness Training | Training records showing that all personnel have received training upon hire and at least annually thereafter on cardholder data security.. |
DCF-516 | Incident Response Training | Documented policies or procedures related to Incident Response or Training which include a requirement to train staff with Incident Response roles on a periodic basis. |
DCF-524 | Periodic Review of Application and System Accounts | Upload documentation showing records of periodic reviews of application and system accounts, including dates and details of each review. This should outline the accounts reviewed, associated privileges, and any changes made, such as access modifications or account removals.
Example:
|
DCF-557 | Shared Account Management | For any highly privileged shared accounts, upload evidence of the business justification and evidence of how these shared accounts are securely managed. Example: Documentation of the business purpose of the shared account(s) with management approval and screenshots showing how the shared accounts are securely managed (e.g., through password vaults restricted to specific personnel, etc.). |
DCF-558 | Restrictions on Software Installation and Execution | Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software in company-managed assets (e.g., screenshots from MDM tools showing rules preventing software installation are enforced on company devices, access controls limiting access to run executables, etc.) |
DCF-562 | Management of Utility Programs | Upload screenshots or exports of user lists (with a screenshot of parameters used for exporting) showing the users with administrative or privileged access to the systems (e.g., super users, administrators, power users, etc.) for relevant systems.
Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), utility programs (e.g., antivirus consoles) and others based on the scope of the engagement. Discuss system scope with your chosen auditor. |
DCF-566 | Management of Nonconformities |
|
DCF-574 | Mobile Device Management Software | Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (e.g., screenshots from the MDM's centralized management console, screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type, etc.) |
DCF-575 | Maintenance Management Policy | Upload Maintenance Management Policy |
DCF-578 | System and Services Acquisition Policy | Upload System and Services Acquisition Policy |
DCF-580 | Disabling High Risk User Accounts | Documented policies and procedures for Identity Management which have a requirement to disable high risk user accounts when not in use and enable these accounts only when needed.
Screenshots or system user access lists showing that high risk user accounts are enabled only when needed and disabled after use. |
DCF-581 | Encrypted Information Flow Control |
|
DCF-582 | Accounts Unlocked by Admin |
|
DCF-583 | System Use Notification |
|
DCF-589 | Verified External Systems Controls |
|
DCF-590 | Information Sharing |
|
DCF-591 | Management of Publicly Accessible Content |
|
DCF-599 | High Risk Area System Configuration |
|
DCF-606 | Device Identification and Authentication |
|
DCF-607 | System Identifier Management |
|
DCF-608 | Management of At-risk Passwords |
|
DCF-609 | Public Key Authentication |
|
DCF-610 | Authenticators Protected |
|
DCF-611 | Obscured Authentication Feedback | Screenshot of user interface during the authentication process to show authentication feedback is hidden (e.g. password entry fields displaying asterisks or limited visibility feedback) |
DCF-616 | Remote Maintenance |
|
DCF-617 | Maintenance Personnel Authorization |
|
DCF-619 | Media Sanitization | Upload evidence for one instance of data disposal on hardware showing that data was disposed securely. Examples: one example certificate of destruction of hardware, screenshots showing that hard drive data on an endpoint were wiped prior to reuse of the device, etc. |
DCF-632 | Supply Chain Risk Assessment |
|
DCF-639 | Shared System Information Security |
|
DCF-643 | Collaborative Computing Devices and Applications |
|
DCF-644 | Mobile Code Management |
|
DCF-645 | Session Authentication Management |
|
DCF-648 | Unauthorized Network Services Monitoring and Alert |
|
DCF-671 | External Systems Inventoried |
|
DCF-687 | Email Protection Mechanisms |
Example: Screenshots showing SPF, DMARC, DKIM configurations enabled for email authentication. |
DCF-688 | Return of Assets | For one recently terminated personnel, upload evidence showing that assets were returned to the company. Example: Screenshots of offboarding checklists or internal tickets showing tracking of return of devices, badges, tokens, etc., upon termination, evidence of pre-paid labels sent to remote personnel for asset return and tracking, etc. |
DCF-698 | Automated Mechanisms for Audit Log Reviews | Upload evidence to demonstrate that your organization has implemented automated mechanisms for audit record reduction and log analysis.
Examples: System Configuration Documentation: Documentation for your SIEM or log management platform showing how automated log reduction and correlation are configured.
Log Management System Reports: Reports from your log management system demonstrating automated log reduction and correlated event analysis. |
DCF-708 | Software and Third Party Libraries Inventory |
Example: Screenshots from software composition analysis tools showing software bill of materials (SBOM). |
DCF-712 | Static Application Security Testing | Upload evidence that static application security testing (SAST) is conducted for software development testing.
Example: Screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud, etc. |
DCF-716 | Application and System Accounts Authorized | Upload company’s access control policies, access request forms or approval tickets, access logs demonstrating privileges align with system needs, signed management approval for provisioning access, and periodic access review records.
Examples:
|
DCF-725 | MFA Configured to Prevent Misuse | Upload the MFA Policy or Configuration Procedure detailing how replay attacks are prevented, two-factor authentication is required, and MFA bypass is restricted. Include screenshots of system settings that show alignment with the policy. Also, provide documentation for any exceptions authorized by management, including justification and timeframes.
Examples:
|
DCF-726 | Interactive Use of System and Application Accounts Managed | Include screenshots of system settings that restrict interactive login, along with signed approval forms or emails for exceptional access. Provide business justification documentation and audit logs showing individual user actions taken during those exceptions.
Examples:
|
DCF-727 | Passwords for System and Application Accounts Changed Periodically |
Examples:
Password Management Policy: Document outlining password change procedures.
Screenshots of Password Complexity Settings: System settings showing password rules.
Records of Password Changes: Logs showing when passwords were updated.
Change Logs/Incident Reports: Documentation of actions taken after a compromise |
DCF-730 | Security Controls on Devices that Connect to the Internet | Evidence:
|
DCF-741 | Logging and Monitoring Policy | Upload Logging and Monitoring Policy. |
DCF-742 | Insider Threat Awareness and Training |
|
DCF-744 | Contact with Authorities |
Maintaining such contacts can be a requirement to support information security incident management or the contingency planning and business continuity processes. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in relevant laws or regulations that affect the organization. |
DCF-745 | Segregation of Duties | Upload evidence showing that your organization has identified conflicting duties and conflicting areas of responsibility that must be segregated and implemented mechanisms for segregation of duties. Your organization should determine which duties and areas of responsibility need to be segregated to reduce the risk of fraud, error, and bypassing of information security controls. The following are examples of activities that can require segregation:
|
DCF-761 | Incident Management Procedures for Collection of Evidence |
|
DCF-784 | Software Composition Analysis (SCA) |
Example: Screenshots showing that software composition analysis tools are used as part of your CI/CD pipeline to check for vulnerabilities in third party libraries. |
DCF-787 | Re-authentication Configurations |
|
DCF-788 | CUI Data Inventory |
|
DCF-790 | System Security Plans |
|
DCF-791 | Plans of Action and Milestones |
|
DCF-792 | Regulation of Cryptographic Controls |
|
DCF-793 | Dedicated Accounts or Roles for Admin Functions |
|
DCF-795 | Transferred Personnel Access Validation |
|
DCF-796 | Training for Posting Public Content |
|
DCF-797 | CUI Markings |
|
DCF-798 | CUI Risk Assessment |
|
DCF-814 | Security Impact Assessment for Changes |
Examples:
Change Management Policy/Procedure: A copy of the documented policy or procedure that outlines the process for evaluating the security impact of system changes before implementation. Change Impact Assessment Records: Evidence of completed security impact assessments for system changes, including any findings or recommendations related to vulnerabilities or security risks.
Post-Implementation Validation Records: Documentation that confirms security requirements were validated after system changes were implemented, such as validation reports, testing records, or sign-offs by responsible personnel. |
DCF-815 | Incident Response Training Content Review |
|
DCF-816 | Physical Access Restrictions for Changes |
|
DCF-817 | Cloud Security Configuration Monitoring |
|
DCF-818 | Physical Access Devices Controlled |
|
DCF-819 | Control of Removable Media |
Examples: Acceptable Use Policy, Removable Media Policy, or IT Security Policy with a section on removable media usage.
2. Upload evidence of technical controls implemented to enforce the restriction of unauthorized removable media on organizational systems.
3. Upload evidence of personnel acknowledgment of the policies and rules of behavior regarding removable media use. |
DCF-820 | Password Minimum Change of Characters |
|
DCF-821 | Removable System Media Ownership |
|
DCF-822 | Remote Access Management |
Examples: Remote Access Architecture Diagrams, Exception Process Documentation, Regular Review Records |
DCF-823 | Diagnostic Media Verification |
Examples: Media Protection Policy, Media Handling Procedures, Secure Baseline for Diagnostic/Test Tools
2. Upload evidence of actual records demonstrating that media containing diagnostic and test programs have been checked for malicious code before use.
3. Upload evidence of your organization's practice of retaining supporting documentation related to the checking of diagnostic and test media.
Examples: Log Retention Policy, Archived Scan Reports, Evidence Storage Locations |
DCF-824 | Remote Connection Monitoring |
|
DCF-826 | Role-Based Security Training |
|
DCF-827 | Role-Based Security Training Program Updates |
Examples: Training Program Review Policy,Training Content Update Procedure, Training Needs Assessment Procedure
2. Upload evidence of completed reviews of your role-based security training program conducted at defined periodic intervals.
3. Upload evidence of reviews and subsequent updates to the role-based security training program that were initiated by specific significant events.
Examples: Incident Response After-Action Reports, Assessment Findings/Audit Reports,Change Management Documentation
4. Upload evidence that significant changes to the role-based security training program (e.g., major content revisions, schedule changes) receive appropriate management approval.
|
DCF-828 | Incident Handling Capability |
|
DCF-829 | Network Traffic Monitoring |
|
DCF-868 | Cybersecurity Supply Chain Risk Management Program |
Example: Cybersecurity Supply Chain Risk Management Policy,
3. Upload evidence of a defined process for periodically reviewing and improving the C-SCRM program, policies, and procedures. Example: Documentation showing how you regularly check and update your C-SCRM program.
|
DCF-870 | Integrated Cybersecurity Supply Chain Risk Management | Upload evidence of your documented C-SCRM plan that outlines your strategy for identifying, assessing, and mitigating cybersecurity risks associated with your supply chain.
Example: Evidence showing C-SCRM risks are tracked alongside all other organizational risks.
2. Upload copies of contractual agreements with your suppliers, particularly those handling or impacting Controlled Unclassified Information (CUI), demonstrating the inclusion of security clauses and "flow-down" requirements.
3. Upload evidence of your processes for continuously monitoring the security posture of your supply chain partners and how supply chain-related incidents are incorporated into your overall incident response plan. Example: Continuous Monitoring Reports, Supplier Performance Reviews, Incident Response Plan (IRP) Addendum, Supply Chain Incident Drills/Tabletops. |