Example Evidence for Not Monitored NIST 800-53r5 Controls
NIST SP 800-53r5 is a comprehensive control framework that provides guidelines and controls for managing and securing federal information systems. The following is a list of example evidence that can be provided when preparing for your NIST 800-53r5 audit. It is important to note that your auditor will likely request additional evidence. The list below includes the controls from NIST 800-53r5.
Code | NIST 800-53r5 Requirement | Name | Example Evidence |
--- | --- | --- | --- |
DCF-7 | SA-11-00, CM-04-01 | Separate Testing and Production Environments | 1. Screenshots from test and production environments for the application |
DCF-11 | AC-06-07, PS-02-00, PS-04-02, PS-05-00, PE-02-00, PE-03-00, PE-06-00, AC-02-00, AC-03-00, AC-05-00, AC-06-00, AC-06-01, IA-02-02, IA-02-05, IA-02-08, IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02 | Annual Access Control Review | 1. Tickets documenting the access control lists that were reviewed for in-scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable). 2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews. |
DCF-12 | CM-06-00, CM-02-00, PL-10-00, PL-11-00, SA-08-00 | Hardening Standards in Place | 1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed. 2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure. |
DCF-16 | AU-03-03, CA-01-00, CA-02-00, CA-02-01 | Annual Risk Assessment | 1. Most recently completed risk assessment report. |
DCF-17 | RA-03-00, CP-02-01, CP-06-00, CP-06-01, CP-06-02, CP-06-03, CP-07-00, CP-07-01, CP-07-02, CP-07-03, CP-08-03, CA-02-00, CA-05-00, CP-04-01, CP-04-02, CP-08-00, CP-08-01, CP-08-02, IR-02-01, IR-04-01, IR-08-00 | Remediation Plan | 1. Documented remediation plans for risks identified during the risk assessment. |
DCF-19 | CA-02-02, CA-08-00, CA-08-01 | Annual Penetration Tests | 1. Most recently completed annual penetration test. |
DCF-20 | CM-08-01, CM-12-00, PM-05-01, SA-22-00, CP-02-08, CM-08-00, CM-08-02, CP-03-00, RA-09-00 | Asset Inventory | 1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.) 2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure |
DCF-21 | PL-08-00, SA-17-00, SC-07-21, AC-06-00, AC-18-00, SC-07-08 | Architectural Diagram | 1. Approved Architectural Diagram |
DCF-22 | AC-04-00, AC-18-00 | Network Diagram | 1. Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments. |
DCF-26 | CP-01-00, CP-02-00, CP-02-01, CP-02-03, CP-06-00, CP-06-01, CP-06-02, CP-07-00, CP-07-01, CP-07-02, CP-07-03, CP-04-00, CP-04-01, CP-04-02, IR-03-02, IR-07-00 | BCP/DR Tests Conducted Annually | 1. Most recently completed BCP/DR test. |
DCF-35 | CP-03-01, CP-04-00, CP-04-01, CP-04-02, IR-07-00, IR-07-01, IR-08-00 | Security Team Communicates in a Timely Manner | 1. Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel. |
DCF-42 | PS-09-00, AC-06-02 | Defined Management Roles & Responsibilities | 1. Roles and Responsibilities section from the information security policy. |
DCF-43 | PS-04-02, PE-02-00 | Termination/Offboarding Checklist | 1. Formal documented termination checklist/help desk ticket for a recent terminated employee. |
DCF-56 | SA-09-00, SR-08-00 | Vendor Register and Agreements | 1. Executed Agreement/contract between the entity and key vendors. |
DCF-57 | SA-09-02, SR-03-00 | Vendor Compliance Monitoring | 1. Screenshots from the vendor directory showing that vendors are categorized based on impact/risk. 2. Review documents showing that vendors' SOC2 reports were reviewed (Drata can provide a review template for this). |
DCF-58 | AC-18-00, IA-11-00, IA-07-00, IA-12-03 | Authentication Protocol | 1. If SSO is an option, screenshots of a user logging in with SSO. 2. If username and password is an option, screenshots of a user logging in with a username and password. 3. Screenshots of MFA being required for employee users. 4. If customer users have the option to enable MFA, screenshots showing they are provided the option to enable MFA. |
DCF-59 | AC-06-10, PS-09-00, AC-01-00, AC-03-00, AC-05-00, AC-06-00, AC-06-01, AC-06-02, IA-07-00 | Role-Based Security Implementation | 1. Screenshots from the application showing how users are assigned roles. |
DCF-62 | AC-02-05, AC-11-00, AC-12-00, SC-10-00, IA-11-00 | Inactivity and Browser Exit Logout | 1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to reauthenticate upon next login. 2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to reauthenticate upon next login. |
DCF-69 | PM-10-00, IA-12-00, IA-12-02, IA-12-04, IA-12-05, AC-03-00, AC-05-00, AC-06-00, CP-03-00, IA-02-01, IA-02-02, IA-02-05, IA-02-08, IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02, IA-07-00 | System Access Granted | 1. Formal, documented access request form/help desk ticket for a recent new hire. |
DCF-72 | AC-06-05, AC-17-02, IA-02-01, IA-02-02, IA-02-05, IA-02-08, IA-04-04, IA-05-00, IA-05-01 | Unique SSH | 1. Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account. 2. Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production. |
DCF-74 | SI-05-01 | Customers Informed of Changes | 1. Example emails communicating changes to customers. 2. Screenshots of banners warning customers of downtime prior to system maintenance. |
DCF-76 | SI-02-00, SI-02-02, SI-05-01, CM-03-04, CM-04-02, CM-05-00 | Critical Change Management | 1. Formal, documented emergency change procedures for critical changes. |
DCF-79 | AC-17-01, AU-06-01, AU-07-00, AU-09-02, AU-12-01, PL-09-00, AU-02-00, AU-03-01, AU-06-03, SI-04-00, SI-04-02 | Logs Centrally Stored | 1. Screenshots from the location where logs of system activity are stored. |
DCF-80 | AC-17-01, AU-04-00, AU-05-00, AU-05-02, AU-06-00, AU-07-00, AU-10-00, AU-12-00, AU-12-03, CM-05-01, SI-04-04, SI-04-05, SI-04-12, PE-08-01, AC-02-04, AU-01-00, AU-02-00, SI-04-00, SI-04-02 | Log Management System | 1. Screenshots from the location where logs of system activity are stored. |
DCF-86 | PM-06-00, AU-01-00, AU-03-01 | Operational Monitoring | 1. Screenshots from the systems used to monitor for system availability issues. 2. Screenshots showing how personnel would be alerted of availability issues and who would be alerted. |
DCF-91 | SI-04-14, AC-06-01 | Intrusion Detection System in Place | 1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled. 2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected. 3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected. |
DCF-92 | AC-17-00, AC-17-01, AC-17-02, AC-17-03, AC-18-01, SC-07-07, AC-18-00 | Encrypted Remote Production Access | 1. Screenshots of a user trying to access production systems without being connected to a VPN, showing that access is denied. 2. Screenshots of a user accessing production after connecting to a VPN, showing a successful connection. |
DCF-95 | AU-04-00, CP-02-02 | Monitoring Processing Capacity and Usage | 1. Evidence that management reviewed processing capacity and usage reports on a quarterly basis |
DCF-97 | CP-02-02 | Auto-Scale Configuration | 1. Screenshot of auto scaling configurations for EC2 instances. |
DCF-98 | CP-09-01, CP-09-02, CP-09-03, CP-09-05, CP-09-08 | Daily Backup Statuses Monitored | 1. Tickets showing that backup failures were monitored and resolved. |
DCF-100 | CP-09-01, CP-09-02, CP-10-00, CP-10-02, CP-10-04, CP-04-01, CP-04-02, IR-07-00 | Backup Integrity and Completeness | 1. Screenshots showing a backup snapshot was restored completely and accurately. 2. Evidence from the annual DR tests showing that backups were restored completely and accurately. |
DCF-109 | SR-12-00 | Disposal of Sensitive Data on Hardware | 1. Data Deletion Policy or equivalent policy documenting this policy and procedure. |
DCF-110 | SI-10-00 | Application Edits | 1. Screenshots of users entering data into the application to confirm that the application limits input values to only valid values. |
DCF-112 | PT-02-00, PT-05-00, SC-07-24 | Provide Notice of Privacy Practices | 1. Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process. |
DCF-114 | PM-20-00, PM-20-01 | Privacy Policy Publicly Available | 1. Screenshot of privacy practices posted on the entity's website. |
DCF-115 | AC-03-14, PT-03-00, PT-04-00, PT-05-00 | Privacy Policy Inclusions | 1. Formal, documented privacy practices from the entity's website. |
DCF-116 | AC-03-14, SI-12-01, SI-12-02 | Accept The Privacy Policy | 1. Screenshots of the new user registration process showing that users are required to explicitly agree to the notice of privacy practices prior to the completion of the registration process. |
DCF-117 | PM-25-00, SA-08-33, SI-12-01, SI-12-02 | Minimal Information Required | 1. Screenshot of all information that the user can enter when providing data through the application. |
DCF-120 | PM-22-00 | Annual Review of Purposes | 1. Meeting minutes for management's annual review of privacy policies |
DCF-121 | SC-07-24, SI-12-01 | Purposeful Use Only | 1. Section from privacy practices/policy that covers this item. |
DCF-122 | AC-03-14 | Requests for Deletion | 1. Example requests for deletion of personal information and evidence that the data was deleted timely. |
DCF-123 | SI-12-03, SR-12-00 | Data Destruction Policy | 1. Formal, documented data deletion policy. |
DCF-124 | IA-02-01, IA-02-02, IA-02-05, IA-02-08, IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02 | Require Authentication for Access | 1. Screenshots of a user authenticating to the application prior to seeing their information. |
DCF-126 | SI-18-00, SI-18-04 | Users Can Update their Information | 1. Screenshots of a user modifying their personal information within the application. |
DCF-131 | IR-01-00, IR-04-01, IR-04-11, IR-05-00, IR-05-01, IR-06-00, IR-06-01, IR-07-00, IR-07-01, IR-08-00 | Incident Report Template and Process | 1. Formal, documented incident response procedures. |
DCF-134 | IR-06-03, IR-08-01 | 3rd Parties and Vendors Given Instructions on Breach Reporting | 1. Executed contracts with third parties that are provided access to PII to confirm that third parties are provided with information on how to report breaches of PII to the entity. |
DCF-135 | CP-03-01, CP-04-00, CP-04-01, CP-04-02, IR-07-00, IR-07-01, IR-08-00 | Notice of Breach to Affected Users | 1. Formal, documented breach notification procedures. 2. Breach Notification Template |
DCF-137 | SI-10-00, SI-18-00, SI-18-04 | Data Entry Field Completion Automated | 1. Screenshots of a user entering information into the application to confirm that edit checks are included in fields. |
DCF-138 | SI-18-00, SI-18-04 | Confirmation Before Submission | 1. Screenshots of a user entering information into the application to confirm that users are asked to confirm that their information is correct, prior to submitting information. |
DCF-139 | PM-26-00 | Contact Information for Privacy Concerns | 1. Section from privacy practices on your website showing contact information for how external personnel contact you with inquiries, complaints, and disputes. |
DCF-140 | PM-26-00 | Customer Portal | 1. Screenshots of how a customer can submit inquiries, complaints or disputes about privacy issues. |
DCF-141 | PM-26-00 | Customer Inquiries Tracked | 1. Screenshots of the incident tracking system used to track users' complaints, inquiries and disputes. 2. Example submitted inquiries, complaints or disputes and evidence that resolution was communicated to the customer and corrective actions were performed, as necessary. |
DCF-147 | PE-02-00, PE-03-00, PE-03-01, PE-04-00, PE-06-01, PE-08-00 | Physical Access to Facilities is Protected | 1. Physical Access Control Policy |
DCF-148 | CM-04-02 | Regression Testing in Place | 1. Example of regression testing that was performed prior to a recent major product release. |
DCF-149 | AC-20-02, IR-08-01 | Removable Media Device Encryption | 1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted. |
DCF-151 | SR-09-00, SR-09-01 | FIM (File Integrity Monitoring) Software in Place | 1. Screenshots of FIM software. 2. Examples of FIM detecting changes. |
DCF-152 | SI-02-00, SI-02-02 | Virtual Machine OS are Patched Monthly | 1. Evidence from servers or patching systems showing that operating systems were patched monthly. |
DCF-153 | CA-02-00, CA-02-01, IR-07-00, PL-10-00, PL-11-00 | Conduct Control Self-Assessments | 1. Screenshots of how Drata is used for continuous monitoring of controls. |
DCF-154 | CP-03-01, CP-04-00, CP-04-01, CP-04-02, IR-02-01, IR-02-02, IR-02-03, IR-03-00, IR-03-02, IR-04-01, IR-07-00, IR-08-00, PM-14-00 | Annual Incident Response Test | 1. Most recently completed incident response tabletop test. |
DCF-155 | CM-04-02 | Code Changes are Tested | 1. Screenshots from the ticketing system for a few changes showing that changes were tested. |
DCF-158 | IA-07-00, IA-12-03 | MFA Available for External Users | 1. Screenshots from the application showing that customers have the option of using MFA for their accounts. |
DCF-160 | CA-07-01, PM-06-00, AC-02-04, AU-01-00, AU-02-00, AU-03-01, CA-07-00, CA-07-04, PM-31-00, SI-04-00, SI-04-02 | Continuous Control Monitoring | 1. Screenshots of how Drata is used for continuous monitoring of controls. |
DCF-165 | AU-02-00, AU-06-03 | Independent Assessment | 1. Evidence of testing performed for internal audit. 2. Internal audit report. |
DCF-166 | PE-17-00, SI-04-12, CP-01-00, CP-02-00, CP-02-01, CP-02-03, CP-02-05, CP-06-00, CP-06-01, CP-06-02, CP-07-04, CP-08-03, CP-09-02, CP-09-03, CP-09-05, CP-09-08, IR-06-03, CA-05-00, CP-03-00, CP-03-01, CP-04-00, CP-04-01, CP-04-02, CP-08-00, CP-08-01, CP-08-02, IR-01-00, IR-02-00, IR-02-01, IR-02-02, IR-02-03, IR-03-02, IR-04-11, IR-05-00, IR-05-01, IR-06-00, IR-06-01, IR-07-00, IR-07-01, IR-08-00 | Business Continuity Plan | 1. Business Continuity Plan. |
DCF-167 | CP-01-00, CP-02-00, CP-02-03, CP-02-05, CP-02-08, CP-06-02, CP-10-00, CP-10-04, IR-07-00, IR-07-01, IR-08-00 | Business Impact Analysis | 1. Business Impact Analysis (Typically part of the business continuity plan). |
DCF-168 | AC-20-00, PS-07-00, SA-04-00, SA-04-01, SA-04-02, SA-09-00, SA-09-02, SR-06-00, SR-08-00, SR-02-01, CP-08-04, SC-07-04, SR-01-00, SR-11-01, SR-11-02 | Vendor Management Policy | 1. Vendor Management Policy. |
DCF-171 | CP-09-00, CP-09-02, CP-09-03, CP-09-05, CP-09-08, CP-10-00, CP-10-02, CP-10-04, CP-08-00, CP-08-01, CP-08-02 | Operating Procedures | 1. Will be a part of your ISMS policy. |
DCF-172 | CM-03-01, CM-04-00, AC-02-02, CA-05-00, CM-03-02, CM-03-04, CM-04-01, CM-04-02, CM-05-00 | Organizational Change Management | 1. Will be a part of your ISMS policy. |
DCF-174 | AC-19-00, AC-14-00, SC-18-00 | Telework and Endpoint Devices | 1. Section from the information security policy |
DCF-176 | CA-07-00, CA-07-04, CP-04-00, CP-04-01, CP-04-02, SI-04-00 | Monitoring Plan | 1. Will be a part of your ISMS policy. |
DCF-177 | AC-06-09, AC-17-01, AU-03-00, AU-04-00, AU-05-00, AU-05-02, AU-06-00, AU-06-01, AU-06-05, AU-07-01, AU-08-00, AU-12-00, CM-05-01, SI-04-20, AU-06-06, CP-10-00, CP-10-02, CP-10-04, AC-02-04, AC-02-12, AU-01-00, AU-02-00, AU-03-01, CM-04-02, SI-04-02 | Event Logging | 1. Section from the Data Protection Policy |
DCF-180 | AC-20-01, CA-03-06, CA-09-00, SC-08-00, CP-09-05, MP-05-00, AC-04-00 | Secure Information Transfer | 1. Section from the Data Protection Policy |
DCF-182 | AC-19-00, CM-01-00, CM-08-01, CM-08-04, CM-09-00, CM-10-00, CM-12-00, RA-02-00, SA-22-00, CA-03-00, MP-06-07, MP-06-08, PS-04-00, CP-02-08, CP-06-00, CP-06-01, CP-06-02, MP-03-00, MP-04-00, MP-05-00, MP-06-00, MP-06-02, MP-06-03, MP-07-00, AC-02-00, AC-04-00, AC-05-00, CM-03-00, CM-08-00, CM-08-02, CP-03-00, CP-04-00, CP-04-01, CP-04-02, MP-06-01, PM-31-00, SC-07-08 | Asset Management Policy | 1. Asset Management Policy. |
DCF-183 | CA-01-00, RA-05-00, RA-05-11, RA-07-00, RA-08-00, CA-02-00 | Vulnerability Management | 1. Vulnerability Management Policy. |
DCF-185 | RA-05-02, SI-05-00, SI-05-01 | Periodic Dynamic Threat Assessment | 1. Completed Threat Assessment Plan contained within Appendix A of the Security version of the Risk Assessment Policy and Appendix C in the Privacy version of Risk Assessment Policy. 2. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security issues. 3. Evidence demonstrating that threats are being assessed according to the defined Threat Assessment Plan. |
DCF-186 | SI-19-00 | Data De-identification | 1. Link to Data Classification Policy 2. Link to Data Protection Policy |
DCF-187 | CM-06-00, CM-09-00, SA-10-00, SI-04-22 | Configuration Management Plan | 1. Completed Appendix A within the Change Management Policy |
DCF-188 | SI-05-01 | Communication with Security and Privacy Organizations | 1. Screenshots showing that your organization is subscribed to a service or mailing list that provides information on new/developing security/privacy issues. 2. Screenshots showing that members of your organization responsible for security or privacy belong to industry groups related to security or privacy. |
DCF-189 | AC-06-09, AU-06-00, AU-06-01, SI-04-00, PM-14-00 | Activity Review | 1. For this control, your organization will have to define a frequency for each of the three covered activities. This could be weekly, monthly, or quarterly; it will depend on the size of your organization and what makes sense for each of the three areas: 2. Audit log reviews - A ticket from the ticketing system documenting which audit logs were reviewed, who reviewed them, and when the review was completed. 3. Security Incident Tracking Reports - A ticket documenting the review of incident reports, including who completed the review and when the review was completed. Or meeting minutes demonstrating that incident reports were reviewed, including who attended the meeting and the date. 4. System activity log reviews - A ticket documenting which system activity logs were reviewed, who reviewed these activity reports, and when the review was completed. |
DCF-190 | CA-06-00, CM-03-04 | Designated Security Officials | 1. Can be outlined under the Roles and Responsibilities section of your Information Security Policy, OR 2. Job description of designated Security Official(s) outlining their responsibility for overseeing the organization's compliance with the security rule. |
DCF-201 | CM-04-02 | Firewall and Router Configuration Standards | 1. Formal, documented testing and approval procedures for network connections. 2. Formal, documented testing and approval procedures for changes to firewall and router configurations. 3. Example documentation supporting that a network connection was tested and approved. 4. Example documentation supporting that a recent firewall or router change was tested and approved. |
DCF-204 | AC-04-00 | Dataflow Diagram | 1. Formal Data Flow Diagram including the date the diagram was finalized. |
DCF-206 | SC-07-00 | Firewall Configuration | 1. Formal, documented firewall and router configuration standards. 2. Screenshots of firewall configurations showing that firewalls are configured in a manner consistent with the Firewall and Router configuration standards. |
DCF-208 | AC-06-03 | Network Management Roles and Responsibilities | 1. Skills Matrix or Formal job description including roles and responsibilities for the Network Administrator or similar position. 2. Documented firewall and router configuration standards showing that roles and responsibilities for firewall/router management are identified. |
DCF-209 | CM-07-00, CM-07-01, SA-04-09 | Services, Protocols, and Ports Approval List | 1. Firewall and router configuration standards which document a list of approved Services, Protocols, and Ports authorized for use within the environment including approval and justification for each item listed. |
DCF-210 | CM-07-00, CM-07-01 | Insecure Services, Protocols, and Ports List | 1. Firewall and router configuration standard which documents a list of any insecure Services, Protocols, and Ports used within the environment and controls/security features implemented to mitigate these weaknesses. 2. If Insecure Services, Protocols, or Ports must be used, screenshots showing that documented security features/compensating controls have been implemented for each insecure Service, Protocol, and Port. |
DCF-214 | CM-07-00, SC-05-00 | Network Traffic Denial | 1. Screenshots showing the presence of a "deny any any" rule as the final rule within Firewall or Router rule sets. 2. (Alternate) If Firewall or Router brands do not display this, documentation from the Firewall/Router vendor documenting that this is implicit. |
DCF-218 | CM-07-00, SC-07-00, SC-07-21 | DMZ Implemented | 1. Network diagram showing that a DMZ has been implemented. 2. Firewall and Router configurations showing how the DMZ has been established and that it only allows approved Services, Functions, Ports, and Protocols through. |
DCF-224 | SC-07-08 | Prevention of Private IP Information Disclosure | 1. Screenshots of firewall and router configurations showing that private IP information will not be disclosed. Commonly accomplished through the implementation of: - Network Address Translation (NAT). - Placing internal servers behind proxies. - Removal or filtering of route advertisements for private networks that use registered addressing. - Internal use of RFC1918 address space instead of registered addresses. |
DCF-226 | AC-20-02 | Personal Firewall Installed on Portable Devices | 1. If public-facing web applications exist, documented policies and procedures which document a requirement for web application security scans (vulnerability scans), and screenshots showing records of these assessments. Documented processes must include guidance for performing assessments: - At least annually - After any changes - By an organization which specializes in application security - That, at a minimum, all vulnerabilities contained in DCF-314 through DCF-323 are covered. - That all vulnerabilities are corrected. - And that the application is reassessed after vulnerabilities have been corrected. 2. OR screenshots showing that an automated solution which detects and prevents web-based attacks (web application firewall) is in place. Screenshots must show that: - The solution sits in front of the public-facing web applications. - Is actively running and as up-to-date as applicable to your organization. - Is generating audit logs. - Is configured to either block web-based attacks or generate an alert which is immediately investigated. |
DCF-227 | AC-19-00, AC-20-02 | Personal Firewall on Portable Devices Configured Properly | 1. Screenshots showing personal firewalls are configured according to the standard. 2. Screenshots showing personal firewalls installed/active on laptops or other portable devices. 3. Screenshots showing that personal firewalls cannot be disabled and that settings cannot be changed by non-administrative personnel. *NOTE - Mark the control out of scope if devices cannot access the organizational systems outside of the network. *NOTE - This control covers employee-owned and company-owned devices. |
DCF-229 | AC-06-05, AC-02-02, AC-02-12 | Default Accounts Changed | 1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed. 2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled. |
DCF-230 | AC-02-03, AC-06-05, AC-02-02 | Unnecessary Default Accounts Removed/Disabled | 1. Any policy or procedures documenting a requirement stating that ALL vendor supplied default account information must be changed. 2. Screenshots showing that vendor default accounts have been removed, had their default configurations changed, or are disabled. |
DCF-231 | SC-12-01 | Changes in Encryption Keys | 1. Any policy or procedures documenting a requirement that all default encryption keys must be changed when deploying wireless infrastructure or when someone with knowledge of the encryption keys leaves the company. 2. Screenshots showing that vendor-supplied encryption keys for wireless networks have been replaced. |
DCF-234 | AC-19-05, SI-02-00 | Updated Firmware on Wireless Devices | 1. Wireless device (routers, wireless access points, etc.) hardening procedures. 2. Screenshots showing that firmware on wireless networking devices has been updated. |
DCF-236 | RA-05-02, RA-07-00 | Update Configuration Standards after New Vulnerabilities | 1. System hardening procedures. |
DCF-237 | RA-05-05 | System Configuration Standards | 1. System hardening procedures which cover the following attributes: - Changing of all vendor-supplied defaults and elimination of unnecessary default accounts - Implementing only one primary function per server to prevent functions that require different security levels from coexisting on the same server - Enabling only necessary services, protocols, daemons, etc., as required for the function of the system - Implementing additional security features for any required services, protocols or daemons that are considered to be insecure - Configuring system security parameters to prevent misuse - Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers |
DCF-238 | SC-39-00 | One Primary Function per Server | 1. Screenshots of system configurations for system components in the environment, showing that each component only serves one primary function (For example, web servers, database servers, and DNS should be implemented on separate servers.). *NOTE - If all your assets are virtualized, then this will be covered in DCF 2391. |
DCF-240 | AC-18-03 | Enable Only Necessary System Function Services | 1. Screenshots showing the enabled services being run on system components in the environment. |
DCF-244 | CM-06-00 | Common System Security Parameters in Configuration Standards | 1. Documented Server configuration standards showing that security parameter settings are contained within the standard. |
DCF-247 | CM-06-00 | Enabled Functions Documented | 1. Configuration documentation from system components in the environment showing that enabled functionality is documented including rationale for why the services are enabled. |
DCF-250 | AC-17-01, AC-18-01 | Insecure Remote Login Commands Prevented | 1. Screenshots from system components in the environment, showing that insecure remote login commands (such as Telnet) are prevented from connecting to internal systems. |
DCF-251 | SA-09-00, SA-09-02 | Vendor Management Security Policies and Operational Procedures Documented and Accessible | 1. Vendor management policy. 2. Operational procedures such as vendor system hardening procedures for system components in the environment. |
DCF-266 | SC-13-00 | Cryptographic Keys Stored Securely | 1. Screenshots showing how cryptographic keys are stored securely. |
DCF-274 | SC-17-00 | Secure Key Distribution Procedure | 1. Documented procedures for distributing cryptographic keys securely. |
DCF-283 | CP-09-08 | Secure and Encrypted Data Transmission | 1. List of all locations where data is transmitted or received over open, public networks. 2. Documented standards which detail the level of security protocols and cryptographic algorithms used to protect potentially sensitive data. 3. Screenshots from the system configurations of the systems receiving this data showing the implementation of these security protocols and encryption algorithms. |
DCF-284 | SC-17-00 | Only Trusted Keys or Certificates Accepted | 1. Documented policies and procedures which specify processes for accepting only trusted keys and certificates. 2. Screenshots showing that keys and certificates used in the environment are trusted. |
DCF-291 | CM-08-03, SI-03-00 | Anti-Virus Capability | 1. Vendor documentation for all anti-virus software used within the environment. 2. Screenshots from the anti-virus tools in use to verify that the solutions: - Detect all known types of malicious software. - Remove all known types of malicious software. - Protect against all known types of malicious software (examples of types of malicious software include viruses, Trojans, worms, spyware, adware, and rootkits). |
DCF-292 | SI-03-00, SI-08-00, SI-08-02 | Periodic Evaluation of Malware Threats | 1. For systems not commonly affected by malicious software, job description of the individuals responsible for evaluating new/emerging malware threats. 2. Screenshots of any tools, group memberships, or mailing lists used to assist in this monitoring. |
DCF-297 | SI-02-00, SI-02-02 | Critical Patches Installed | 1. Lists of patches provided by the vendor for systems within the environment. 2. Screenshots from systems within the environment showing that critical security patches have been installed. |
DCF-300 | AC-02-03, AC-02-02 | Removal of Account Information before Application Release | 1. Documented SDLC policy or procedures which list a requirement to ensure that pre-production (development, test, staging, QA) accounts, user IDs, and/or passwords are removed from the system before being deployed to production. |
DCF-303 | SC-02-00 | Separation of Duties in Test and Production Environments | 1. Documented policies and procedures which require a separation of duties between personnel assigned to test regions and prod regions. 2. Screenshots from the access control configurations/lists showing that separate personnel are assigned roles in test and production regions. |
DCF-304 | AC-02-02 | Test Data Removed before System Activation | 1. Screenshots from non-production regions showing that live PAN data is not used within non-production regions. 2. Screenshots from non-production systems showing that test accounts are removed. |
DCF-312 | AT-02-02, AT-03-00 | Annual Training for Developer Secure Coding Techniques | 1. Screenshots or exported training records showing that developers have received secure coding training, including how to avoid common software vulnerabilities, within the last 12 months. |
DCF-318 | SI-11-00 | Improper Error Handling | 1. Documented software development policies and procedures which include processes to protect custom code from Improper Error Handling which include: 2. Techniques which do not leak information through error messages (usually achieved by presenting generic error messages rather than specific error details). |
DCF-319 | RA-05-02 | High Risk Vulnerabilities | 1. Documented software development policies and procedures which include processes to protect custom code from all High Risk Vulnerabilities identified during the vulnerability management process. |
DCF-324 | RA-05-02, SI-02-02 | Public-Facing Web Application Vulnerability Assessment | 1. If public-facing web applications exist, documented policies and procedures which document a requirement for web application security scans (vulnerability scans), and screenshots showing records of these assessments. Documented processes must include guidance for performing assessments: - At least annually - After any changes - By an organization which specializes in application security - That, at a minimum, all vulnerabilities contained in DCF-314 through DCF-323 are covered. - That all vulnerabilities are corrected. - And that the application is reassessed after vulnerabilities have been corrected. 2. OR screenshots showing that an automated solution which detects and prevents web-based attacks (web application firewall) is in place. Screenshots must show that: - The solution sits in front of the public-facing web applications. - Is actively running and as up-to-date as applicable to your organization. - Is generating audit logs. - Is configured to either block web-based attacks or generate an alert which is immediately investigated. |
DCF-326 | AC-06-07, SC-02-00, AC-06-01, AC-06-02 | System Access Control Policy | 1. Documented System Access Control which documents the following: - Defining access needs and privilege assignments for each role. - Restricting access to privileged IDs to the least level of privilege necessary to perform job functions. - Assigning access based on individual personnel’s job classification and function. - Documenting approval by authorized parties for all access, including listing the specific privileges approved. |
DCF-327 | AC-06-05, AC-06-07, AC-06-10, SC-02-00, SC-03-00, AC-02-00, AC-06-01, AC-06-02 | System Access Roles Defined | 1. Documented access needs for each role within the environment which includes: - System components and data resources required for the job function. - Level of privilege required for accessing resources (user, administrator, etc.) |
DCF-328 | AC-06-01, AC-06-02 | Documented Approval by Authorized Parties | 1. Screenshots of the privileges assigned to an example user ID. 2. A documented example of an approval for the example user ID provided by an authorized party for access which includes the following: - Evidence that the documented approval exists. - That approval was provided by an authorized party. - That the specific privileges assigned to that user match their assigned privileges. |
DCF-329 | AC-05-00 | Access Control System in Place | 1. Screenshots from the access control system for all system components. |
DCF-330 | AC-06-07, AC-06-10, CA-03-06, AC-05-00, AC-06-01, AC-06-02 | Role-Based Access Control System | 1. Screenshots showing how the access control system(s) are configured to enforce privilege assignments to individuals based on job classification and function. |
DCF-334 | AC-06-07, AC-06-10, RA-05-05, AC-06-01, AC-06-02 | Privileged and General User ID Authorization | 1. Documented policies and procedures for Identity Management which include processes for controlling the addition, deletion, and modification of user IDs, credentials, and other identifier objects. 2. Documented access authorization for an example administrative/privileged user. 3. Screenshots from the example administrative/privileged user showing that the account has only been assigned the approved permissions. 4. Documented access authorization for an example general/non-privileged user. 5. Screenshots from the example general/non-privileged user showing that the account has only been assigned the approved privileges. |
DCF-335 | AC-02-03, AC-02-05, AC-06-03 | Inactive User Accounts Removed | 1. Documented policies and procedures for Identity Management which include a requirement to remove or disable user accounts over 90 days old. 2. System user access lists showing that no account inactive for 90 days or more is still active and/or present on the system. |
DCF-336 | AC-18-01, AC-02-02 | Access Management of Accounts Used by Remote 3rd Parties | 1. Documented policies and procedures for Identity Management which have a requirement to disable accounts of third parties (vendors) when not in use and enable these accounts only when needed. 2. Screenshots or system user access lists showing that third party user accounts (vendor accounts) are enabled only when needed and disabled after use. |
DCF-337 | AC-17-01 | Access to Accounts Used by Remote 3rd Parties Monitored | 1. Documented policies and procedures for Identity Management which state a requirement to monitor access by third party users (vendors) when they are active within the system. 2. Screenshots showing how these accounts and their associated activities are monitored. |
DCF-338 | AC-07-00 | User ID Lockout After Repeated Access Attempts | 1. Documented policies and procedures for Identity Management which document a requirement to lock users out of accounts after no more than six unsuccessful attempts. 2. Screenshots of system configurations which implement the documented account lockout requirements. |
DCF-340 | IR-01-00 | Lockout Duration | 1. Documented policies and procedures related to Identity Management which state a requirement that locked out accounts will remain locked out for no less than 30 minutes or until unlocked by an administrator. 2. Screenshots of system configurations showing how this account lockout duration is enforced. |
DCF-341 | AC-11-00, IA-11-00 | Reauthentication of Idle Sessions | 1. Documented policies and procedures related to Identity Management which include a requirement to re-authenticate terminals or sessions after 15 minutes of inactivity. 2. Screenshots from system configurations showing how this session inactivity timeout is enforced. |
DCF-342 | IA-03-00, IA-04-00, IA-04-04, IA-05-00, IA-05-01, IA-05-02 | User Authentication Methods | 1. Documented policies and procedures which contain guidance on the authentication methods for non-consumer (employee, third party, contractor, but not customer) and administrator accounts. 2. Screenshots showing the authentication methods used for logging into organizational system components. |
DCF-355 | AC-17-00 | MFA for Remote Network Access | 1. Screenshots of the system configurations which enforce multi-factor authentication for all remote access into the internal network. 2. Screenshots of the authentication process showing that MFA is required for remote network access for both a non-administrative and administrative user. |
DCF-356 | AC-02-00 | Authentication Policy Inclusions | 1. Screenshots showing where employees can find policies and procedures related to Authentication. 2. Documented policies and procedures related to Authentication which include the following: - Guidance on selecting strong authentication credentials. - Guidance for how users should protect their authentication credentials. - Instructions to not use previously used passwords. - Instructions stating to change a password if the password is suspected to be compromised. |
DCF-359 | AC-10-00, AC-12-00, IA-05-02 | Authentication Mechanism Use | 1. If other authentication mechanisms besides passwords (such as smart cards, physical or digital tokens, etc.) are used, documented policies and procedures related to Authentication which state the following requirements: - Authentication mechanisms are assigned to an individual account and not shared. - Physical and/or logical controls are defined to ensure only the intended account can use that mechanism to gain access. 2. Screenshots of system configuration settings and/or physical controls as applicable showing that only the intended account can use the authentication mechanism to gain access. |
DCF-363 | PE-03-00 | Entry Controls in Place | 1. For each computer room, data center, and other physical area which contains organizational system components: - Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key. - Screenshots or video showing an administrator’s attempt to log into consoles for systems within the environment showing that these systems are “locked” to prevent unauthorized access. |
DCF-364 | PE-16-00, PE-06-01, PE-06-04 | Physical Access Control to Sensitive Areas | 1. Pictures showing that video camera or access control mechanisms (or both) are used to monitor the entry/exit points to sensitive areas. |
DCF-365 | SR-09-00, PE-06-00 | Secure Physical Access Control Mechanisms | 1. Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling. |
DCF-366 | PE-06-00, PE-06-01 | Physical Access Control Mechanism Data Review | 1. Documented procedures around reviewing data from video cameras and/or access control mechanisms. |
DCF-367 | PE-06-00 | Physical Access Control Mechanism Data Retention | 1. Screenshots showing that video camera and/or access control mechanism data is stored for at least three months, unless otherwise restricted by law. |
DCF-368 | PE-04-00, PE-05-00 | Restricted Physical Access to Publicly Accessible Network Jacks | 1. Documented procedures which detail how publicly accessible network jacks are restricted (such as disabling access to publicly accessible network jacks unless explicitly authorized). 2. Pictures or videos showing how these procedures have been implemented. |
DCF-370 | PE-03-01 | Onsite Identification Management | 1. Documented policies and procedures related to Physical Access which include the following elements for identifying and distinguishing between onsite personnel and visitors: - Identifying onsite personnel and visitors (such as assigning ID badges). - Handling changes to access requirements. - Revoking terminated onsite personnel and expired visitor identification (such as ID badges). |
DCF-373 | MP-02-00, PE-03-00, PE-03-01 | Role-Based Physical Access | 1. User access control lists from the physical access control system showing that access is role-based. 2. Termination/offboarding checklist showing that physical access was revoked. |
DCF-378 | PE-08-00 | Visitor Log to Facility and Data Storage Areas | 1. Pictures showing that visitor log is in place and used for access to the facility as well as any computer, server, datacenter, or data storage rooms. |
DCF-379 | PE-08-03, PE-08-00 | Visitor Log Inclusions | 1. Pictures from the visitor log showing that the following information is captured: - Visitor’s name - Firm the visitor represents - Onsite personnel authorizing access |
DCF-380 | PE-08-01, PE-08-00 | Visitor Log Retention | 1. Pictures showing that the visitor’s log is retained for at least 3 months. |
DCF-381 | MP-02-00, MP-04-00 | Media Physically Secured | 1. Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes). |
DCF-382 | CP-06-00, CP-06-01, CP-06-02, CP-06-03, CP-07-00, CP-07-01, CP-07-02, CP-07-03, CP-09-02, CP-09-03, CP-09-05, CP-09-08, CP-10-00, CP-10-02, CP-10-04, CP-04-01 | Security Review of Media Backup Storage Location | 1. Documented review of the security of the backup media storage location from the last 12 months. |
DCF-383 | MP-05-00 | Media Transfer Procedures | 1. Documented policies and procedures related to the distribution of media which cover the distribution of all types of media distributed to individuals. |
DCF-384 | PM-05-01, MP-03-00 | Media Classification | 1. Screenshots and/or pictures showing how media is classified including labels showing data sensitivity. |
DCF-385 | MP-05-00 | Media Transferred Securely | 1. Documented procedures related to media transfer which include acceptable methods of information transfer including authorized couriers and the ability to track media transfers. 2. Screenshots or documentation showing how media transfers are logged. 3. Documentation for a recent media transfer showing that tracking information was logged. |
DCF-387 | MP-04-00 | Media Storage and Accessibility | 1. Documented policy and procedures related to Media Storage and Accessibility which includes a requirement for periodic inventory of media. |
DCF-388 | MP-06-01 | Media Inventory Logs | 1. Documented media inventory logs. |
DCF-390 | MP-06-00, MP-06-01 | Media Destruction | 1. Documented policies and procedures related to Media Destruction. |
DCF-391 | MP-06-00 | Periodic Media Destruction Policy | 1. Documented policies and procedures related to Media Destruction which include: - Hard-copy materials must be crosscut shredded, incinerated, or pulped such that they cannot be reconstructed. - Storage containers used for storing media awaiting destruction must be secured. - Potentially sensitive data stored on electronic media must be disposed of in such a way that it is unrecoverable, such as secure deletion or physical destruction of media in accordance with industry standards. |
DCF-406 | AU-07-00, AC-02-04, AU-03-01 | Audit Trails Enabled and Active | 1. Screenshots showing that audit trails are enabled and active for systems within the environment. |
DCF-407 | AC-02-11 | System Access Linked to Users | 1. System user access lists from systems in the environment showing that access is linked to individual users. |
DCF-409 | AC-06-05, SI-04-20 | Audit Trail for Root Admin Privilege Access | 1. Screenshots of audit log settings showing that all actions taken by root/admin users will be logged. 2. Screenshots of an example log showing that these log settings are functioning correctly. |
DCF-410 | AU-03-01 | Audit Trail Access | 1. Screenshots of audit log settings showing that all access to audit trails/logs is logged. 2. Screenshots of an example log showing that these log settings are functioning correctly. |
DCF-411 | AC-02-11, AC-02-12 | Invalid Logical Access Attempts | 1. Screenshots of audit log settings showing that invalid/failed login attempts are logged. 2. Screenshots of an example log showing that these log settings are functioning correctly. |
DCF-412 | AC-02-04 | Audit Trail for Identification and Authentication Mechanism Changes | 1. Screenshots of audit log settings showing that the use of identification and authentication mechanisms is logged, elevation of privileges is logged, and that changes (addition, modification, or deletion) to accounts with administrator or root privileges are logged. 2. Screenshots of example logs showing that these log settings are functioning correctly. |
DCF-413 | AU-09-00, CM-05-01 | Audit Trail of Changes to Audit Logs | 1. Screenshots of audit log settings showing that the initialization of logging and stopping or pausing of logging are logged. 2. Screenshots showing that these log settings are functioning correctly. |
DCF-415 | AU-03-00 | Audit Trail Entries: User Identification | 1. Screenshots of an example log showing that user IDs are captured within log entries. |
DCF-416 | AU-03-00, AU-07-01 | Audit Trail Entries: Event Type | 1. Screenshots of an example log showing that the type of event which occurred is captured within log entries. |
DCF-417 | AU-03-00, AU-08-00 | Audit Trail Entries: Date and Time | 1. Screenshots of an example log showing that a date and time are associated with log entries. |
DCF-419 | AU-03-00, AU-07-00, AU-07-01 | Audit Trail Entries: Origination | 1. Screenshots of an example log showing that the source of the event (IP address or similar source) is captured within log entries. |
DCF-420 | AU-03-00 | Audit Trail Entries: Affected Item Name | 1. Screenshots of an example log showing that affected item/resource ID or name is captured within log entries. |
DCF-421 | AU-08-00, AU-12-01 | Critical Clock Synchronization and Update | 1. Documented procedures for synchronizing time across system components within the environment which includes the following elements: - Only the designated central time server may receive time signals from the designated external time source. - Time signals are received in UTC or International Atomic Time. - When there is more than one central time server, these time servers are configured to peer with one another. - Systems may only receive synchronization information from designated central time server(s). |
DCF-425 | AC-02-11 | Need-to-Know Access to Time Data | 1. System user access lists and time settings showing that time data is restricted to only those users with a business need for access. |
DCF-428 | AU-09-00 | Secured Audit Trails | 1. Screenshots from the logging system showing that audit trails are secured so that they cannot be altered. |
DCF-429 | AU-09-00, AU-09-04 | Limited Access to Audit Trails | 1. Screenshots from the logging system or system user access lists showing that audit trails can only be accessed by individuals with a business need to access them. |
DCF-430 | AU-07-00 | Audit Trail Files Protected | 1. Screenshots or pictures showing that audit trails are protected from unauthorized access/modification/deletion through access control mechanisms, physical segregation, and/or logical network segregation. |
DCF-433 | SI-07-00 | FIM on Logs | 1. Screenshots showing that File Integrity Monitoring Software or other change detection software is configured to generate alerts if logs are altered. Screenshots should show: - System settings - Which files are monitored - Logs/Alerts from the FIM or Change Detection Software |
DCF-434 | CP-02-01, PE-06-00, PE-06-04 | Policy for Critical Systems Daily Log Review | 1. Documented policy related to Log Review which states that the following items will be reviewed at least daily: - All security events. - Logs of all system components that store, process, or transmit potentially sensitive data. - Logs from all critical system components. - Logs of all servers and system components that perform security functions. |
DCF-440 | AU-11-00 | Policy for Audit Log Retention | 1. Documented policy related to Audit Log Retention. |
DCF-442 | AU-07-00, AU-06-03 | Audit Logs Available for Analysis | 1. Documented policy related to Audit Log Retention which states a requirement that at least 3 months of logs must be available at all times for immediate analysis. 2. Screenshots showing that 3 months of logs are immediately available for analysis. |
DCF-443 | AU-05-00, AU-05-01, AU-05-02, SC-07-18, SI-02-02 | Critical Security Control System Failure Detection and Reporting | 1. Documented policies and procedures related to detecting and reporting failures in security controls which cover: - Firewalls - IDS/IPS - FIM - Anti-virus - Physical access controls - Logical access controls - Audit logging mechanisms - Segmentation controls (if used) |
DCF-444 | AU-05-00, AU-05-01, AU-05-02, SI-02-02 | Critical Security Control System Failure Alert | 1. Screenshots showing how alerts are configured for the following systems: - Firewalls - IDS/IPS - FIM - Anti-virus - Physical access controls - Logical access controls - Audit logging mechanisms - Segmentation controls (if used) |
DCF-445 | AU-05-00, AU-05-01, AU-05-02, SC-24-00, SI-02-02 | Critical Security Control System Failure Response | 1. Documented policies and procedures for responding to the failure of security controls which cover the following items: - Restoring security functions. - Identifying and documenting the duration (date and time start to end) of the failure. - Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause. - Identifying and addressing any security issues that arose during the failure. - Performing a risk assessment to determine whether further actions are required as a result of the security failure. - Implementing controls to prevent the cause of failure from recurring. - Resuming monitoring of security controls. |
DCF-446 | SI-02-02 | Critical Security Control System Failure Documentation | 1. Documented records showing that security control failures were documented and that they include the following elements: - Identification of cause(s) of the failure, including root cause. - Duration (date and time start to end) of the security failure. - Details of the remediation required to address the root cause. |
DCF-447 | AC-06-03, CA-07-04 | Policy for Network Access Monitoring Documented and Accessible | 1. Documented policies and procedures related to monitoring all access to network resources and potentially sensitive data. 2. Screenshots showing where these policies and procedures are stored and available to employees/contractors. |
DCF-448 | AC-18-05 | Wireless Access Point Detection and Identification | 1. Documented policies and procedures related to detecting and identifying authorized and unauthorized wireless access points on at least a quarterly basis. |
DCF-449 | AC-18-05, CM-08-03, SC-15-00 | Unauthorized Wireless Access Points Detected and Identified | 1. Documented policies and procedures related to detecting and identifying any unauthorized wireless access points on at least a quarterly basis, which require that at least the following devices will be detected: - WLAN cards inserted into system components. - Portable or mobile devices attached to system components to create a wireless access point. - Wireless devices attached to a network port or network device. |
DCF-451 | AC-17-03, AC-18-05, SI-04-14 | Wireless Access Point Automated Monitoring Alerts | 1. If automated monitoring is utilized to detect unauthorized wireless access points (for example, Wireless IDS/IPS, NAC, etc.) screenshots of the alerting configuration showing that alerts will be generated and sent to personnel. |
DCF-452 | AC-17-03 | Inventory of Authorized Wireless Access Points | 1. Documented inventory of authorized wireless devices including business justification for each wireless access point. |
DCF-454 | AC-17-03, AC-18-05 | Actions Against Unauthorized Wireless Access Points | 1. Recent wireless access point identification scan from the past 3 months. 2. Response documentation verifying that any identified unauthorized wireless access points were appropriately responded to according to the Incident Response Plan. |
DCF-464 | CA-08-00 | Penetration Testing Methodology | 1. Documentation which defines the methodology used for conducting penetration tests which must include: - Being based on an industry-accepted penetration testing approach (such as the MITRE ATT&CK framework, Cyber Kill Chain, etc.). - Coverage for the entire organizational system perimeter and critical systems. - Testing from both inside and outside the network. - Testing to validate any segmentation and scope reduction controls. - Application-layer penetration tests that include, at a minimum, the vulnerabilities listed in PCI DSS Requirement 6.5. - Network-layer penetration tests that include components that support network functions as well as operating systems. - Review and consideration of threats and vulnerabilities experienced in the past 12 months. - Retention of penetration testing results and remediation activities. |
DCF-465 | CA-08-01 | External Penetration Testing Scope | 1. Scope of Work from the most recent external penetration test which defines that the test: - Will be completed using the approved methodology. - Will be conducted at least annually. - Will be conducted after any significant changes to the environment. 2. Documented penetration test report from the most recent external penetration test. |
DCF-467 | CA-08-00 | Internal Penetration Testing Scope | 1. Scope of Work from the most recent internal penetration test which defines that the test: - Will be completed using the approved methodology. - Will be conducted at least annually. - Will be conducted after any significant changes to the environment. 2. Documented penetration test report from the most recent internal penetration test. |
DCF-478 | AU-09-00, CM-03-01, CM-06-00, CM-06-02, SI-07-00, CA-07-04 | Change Detection Mechanism in Place | 1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored. 2. Documented list of files which are monitored by the change detection solution. |
DCF-479 | SI-07-02, SI-07-07 | Change Detection Mechanism Alerts | 1. Screenshots of the alerting configuration for the change detection solution, including who is alerted. 2. Screenshots of the change detection system configuration settings showing that critical file comparisons are carried out at least weekly. |
DCF-480 | SI-07-05, SI-07-07 | Change Detection Mechanism Alert Response | 1. Documented procedures for responding to alerts generated by the change detection system. |
DCF-481 | AC-02-04, CA-07-04 | Policy for Security Monitoring and Testing Documented and Accessible | 1. Documented policies and procedures related to security monitoring and testing. 2. Screenshots showing where these policies and procedures are stored and available to employees/contractors. |
DCF-488 | AC-12-00, AC-17-00, AC-17-01, SC-10-00 | Automatic Disconnect of Inactive Remote-Access | 1. Documented policies for acceptable use of critical technologies which states that remote access technologies will be disconnected after a specified period of inactivity. 2. Screenshots of remote access technology configurations showing that remote access sessions will be disconnected after a set period of inactivity. |
DCF-489 | AC-17-00 | 3rd Party Remote-Access Usage | 1. Documented policies for acceptable use of critical technologies which states that remote access technologies will only be enabled for vendors and business partners when required and deactivated immediately after. |
DCF-490 | AC-17-00 | Employee Remote-Access Usage | 1. Documented policies for acceptable use of critical technologies which states a requirement that employees are forbidden from copying, moving, or storing potentially sensitive data onto local hard drives and removable media when accessing data remotely. |
DCF-503 | AT-01-00, AT-02-00, AT-02-03, AT-03-00, AT-03-05 | Multiple Methods for Security Awareness | 1. Formally documented Data Handling & Security Awareness Training Program which documents that multiple methods will be used to communicate awareness and educate personnel. Example methods include: - Posters - Memos - Letters - Web-based Training - Meetings - Other types of promotions |
DCF-511 | IR-04-04, IR-06-03, IR-01-00, IR-04-11, IR-05-00, IR-05-01, IR-06-00, IR-06-01 | Incident Response Management | 1. Documented Incident Response Plan that addresses the roles, responsibilities, and communication/contact strategies used in the event of a security incident. This should also include a notification of payment brands, at a minimum. |
DCF-516 | AT-02-02 | Security Breach Response Training | 1. Documented policies or procedures related to Incident Response or Training which include a requirement to train staff with Incident Response roles on a periodic basis. |
DCF-517 | CM-08-03, AC-06-01 | Security Monitoring System Alerts | 1. Documented policies or procedures for Incident Response which cover responding to alerts from security monitoring systems including but not limited to intrusion-detection, intrusion-preventions, firewalls, and file-integrity monitoring systems. |
DCF-518 | CP-02-01 | Incident Response Plan Review and Update | 1. Documented Incident Response Plan which includes procedures for incorporating lessons learned and industry developments into the Incident Response Plan. |
DCF-526 | PM-18-00, SA-08-33, PM-22-00 | Scope of Privacy Program | 1. Documentation that summarizes the information you’ve collected for DCF-536. Be sure to include Control Activities 1-3. |
DCF-527 | PM-19-00, PM-22-00 | Designated Data Protection Officer | 1. Screenshot or documentation that designates a DPO. See Control Activities for additional guidance on the requirements and expectations of the DPO. |
DCF-528 | PM-22-00 | Management of Sensitive Information | 1. Data Classification Policy, as long as it includes: - Classification for PII. - Handling procedures for PII. 2. Any Security Awareness Training materials that include information about handling PII and inform end users how to report security issues. |
DCF-529 | PT-04-00 | Data Subject Consent | 1. Documentation that details how consent is obtained from Data Subjects prior to processing their PII. 2. Screenshots of automated consent mechanisms that are built into processes that collect PII, such as a consent checkbox on a marketing webinar registration form. 3. Records of where/how consent was obtained, such as records in the CRM system used by marketing and sales. |
DCF-536 | PM-21-00, PM-22-00 | Record of Processing Activity (ROPA) | 1. Completed ROPA documentation that includes the elements described in Control Activities A-G (Please see Appendix A of Drata’s latest Data Protection Policy template for more information on ROPAs). - Be sure to consider your processing activities across different Personas, such as Marketing and Sales Prospects, Customers, Website Visitors, Employees, etc. It can be helpful to complete a separate ROPA per Persona. - Further guidance on ROPAs can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/ - ROPAs are only required in certain circumstances. The Control Activity Note details which circumstances trigger this requirement. |
DCF-537 | SC-07-24 | Data Processing Agreements in Place | 1. DPA templates used when sharing PII with third parties (an example DPA has been included in Appendix A of Drata’s latest Vendor Management Policy Template, for reference). 2. Copies of fully executed contracts with third parties that include DPAs. |
DCF-538 | RA-08-00 | Data Protection Impact Assessment (DPIA) | 1. Completed DPIA documentation (see Control Activity 1 for information on what needs to be included in the DPIA). - DPIAs are only required in certain circumstances. Control Activity 2 details which circumstances trigger this requirement. - Note that DPIAs must be completed prior to processing PII. - Depending on the complexity of your personal data processing, it can be helpful to conduct separate DPIAs on separate use cases. - An example DPIA can be reviewed here: https://iapp.org/resources/article/template-for-data-protection-impact-assessment-dpia/ and https://gdpr.eu/wp-content/uploads/2019/03/dpia-template-v1.pdf |
DCF-539 | PT-07-00, PT-07-01, PT-07-02 | Collection of PII from Special Categories | 1. Completed ROPA (see DCF-536 for more information on ROPAs) documentation that includes: - Whether or not Special Categories of PII are collected (see Control Activity 1 for details on what PII is considered Special Categories). - Which allowable conditions are used for collection (see Control Activity 2 for details on which allowable conditions are available). |
DCF-540 | SI-18-04, PM-26-00 | Tracking and Response to Data Subject Requests | 1. Records of Data Subject Requests (DSRs) received and the actions taken to resolve them. |
DCF-557 | IA-02-05 | Shared Account Management | 1. Link your System Access Control Policy to this control |
DCF-558 | CM-07-00, CM-07-02, CM-07-05, CM-11-00, SC-07-05 | Allow-by-Exception Rule for Authorized Applications | Note: Can be marked out of scope if DCF-559 is implemented. 1. Screenshots from an MDM tool or endpoint device configurations showing that software applications are whitelisted (explicitly allowed). 2. Screenshot showing that installation of an application not on the approved whitelist has failed for an example endpoint device. |
DCF-559 | CM-07-00, CM-07-02, CM-11-00 | Deny-by-Exception Rule for Unauthorized Applications | Note: Can be marked out of scope if DCF-558 is implemented. 1. Screenshots from an MDM tool or endpoint device configurations showing that software applications are blacklisted (explicitly denied). 2. Screenshot showing that installation of an application on the approved blacklist has failed for an example endpoint device. |
DCF-560 | CM-08-03, SI-04-22, CM-02-02 | Baselines for Detecting Anomalous Behavior | 1. Screenshots from your monitoring system showing that alerts are configured to detect suspicious or anomalous activity. 2. Screenshots showing who gets notified when these alerts trigger. 3. An example alert that was sent either as a test or from one of the alerts triggering. |
DCF-565 | PM-25-00 | Managing Test Information | 1. Screenshots showing that test information is used within test environments. 2. Formally documented approvals if Production information has been copied to the test environment. 3. Link your SDLC Policy |
DCF-567 | CM-06-01, PM-04-00, CM-02-02, CM-03-01, CM-02-03, CM-03-02 | Change Management Policy | 1. Link your Change Management Policy to the control as evidence. Drata provides a template in your Policy Center. |
DCF-568 | AT-04-00 | Records of Competence | 1. Records showing that all personnel listed in the ISMS Skills Matrix have the qualifications listed such as Resumes, LinkedIn Profiles, Copies of Certifications, etc. |
DCF-575 | MA-01-00, MA-03-02, MA-03-00, MA-02-02, MA-04-03, MA-04-00, MA-05-01 | Maintenance Management Policy | 1. Link the Maintenance Management Policy to the control as evidence. Drata provides a template in your Policy Center. |
DCF-576 | SI-01-00, SC-20-00, SC-21-00, SC-22-00 | System Information and Integrity Policy | 1. Link the System Information and Integrity Policy to the control as evidence. Drata provides a template in your Policy Center. |
DCF-577 | AC-12-00, AC-06-03, AC-17-04, AC-20-00, PL-02-00, PL-01-00, PM-07-00, PM-08-00 | System Security Planning Policy | 1. Link the System Security Planning Policy to the control as evidence. Drata provides a template in your Policy Center. |
DCF-578 | SA-01-00, SA-04-05, SR-05-00, SR-10-00, SR-11-00 | System and Services Acquisition Policy | 1. Link the System and Services Acquisition Policy to the control as evidence. Drata provides a template in your Policy Center. |
DCF-579 | AC-02-01, AC-02-00 | Automated Access Management System in Place | 1. Screenshot of the admin console used to manage system accounts and enforce identification and authentication (e.g. Identity Access Management, Privileged Access Management, and/or Password Manager solutions) |
DCF-580 | AC-02-13 | Disabling High Risk User Accounts | 1. Link the System Access Control Policy. A template for a process for disabling high-risk user accounts is outlined in Appendix A. |
DCF-581 | AC-04-04 | Encrypted Information Flow Control | 1. Screenshots of the rules set on your boundary protection devices that establish filtering based on packet/header or message information (e.g. Network Access Control system, Intrusion Prevention System, Packet Filtering Firewalls, Content Filtering Gateways, etc.) |
DCF-582 | AC-07-00 | Accounts Unlocked by Admin | 1. Screenshot of documented procedure which states that only authorized administrators are allowed to unlock locked accounts 2. Screenshot of Administrative Permissions that shows only administrators have permission to unlock locked accounts |
DCF-583 | AC-08-00 | System Use Notification | 1. Screenshot of the notification message or banner that outlines usage conditions prior to logging into the system (Note: A notification banner is not required if no human interface exists) |
DCF-584 | AC-10-00 | Limited Concurrent Sessions | 1. Link the System Information and Integrity Policy to the control as evidence. This is discussed under the Concurrent Sessions section |
DCF-585 | AC-14-00 | Permitted Actions Without Identification or Authentication | 1. List of permissible user actions in the system without having to authenticate (e.g. accessing publicly available company resources, such as the public website, company public knowledge base, etc.) (Note: Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication. If this is the case, link your System Access Control Policy) |
DCF-586 | AC-17-04 | Remote Access to Security Information and Privileged Commands | 1. List or logs of authorized remote execution of privileged commands to security-relevant information 2. Screenshot of Remote Access control configurations |
DCF-587 | AC-18-04 | Wireless Configuration Authorization | 1. Screenshot of configuration settings from the network configuration management system that shows the appropriate restrictions to only authorized users |
DCF-588 | AC-18-05 | Wireless Transmission Power Levels Reduced | 1. Upload a copy of a wireless signal survey report |
DCF-589 | AC-20-01 | Verified External Systems Controls | 1. Link the Data Protection Policy to the control as evidence. This is discussed under the Information Exchange section |
DCF-590 | AC-21-00 | Information Sharing | 1. Screenshot of Data Loss Prevention (DLP) system’s configuration and rule set 2. Screenshot of user roles and permissions within the DLP system |
DCF-591 | AC-22-00 | Management of Publicly Accessible Content | 1. Document that outlines procedures for receiving proper authorizations prior to content being published publicly (e.g. Review and Approval process via ticketing system or embedded within the document) |
DCF-592 | AU-03-03 | Limit Personally Identifiable Information in Audit Records | 1. Link the Data Protection Policy to the control as evidence. This is discussed in the third bullet under the section Log Elements: “Identifiers (as many as available) for the subject...” 2. Screenshot of log management tools’ configuration settings showing rules, filters, and/or regular expressions identifying, masking, or removing Personally Identifiable Information (PII) elements in the logs 3. Screenshot of log management tools or other technologies showing that Personally Identifiable Information (PII) is redacted |
DCF-593 | AU-06-05, AU-06-06 | Correlate Log Records | 1. Screenshot of a SIEM tool or company-developed scripts used to correlate and analyze collected audit record information |
DCF-594 | AU-09-03 | Protect Audit Information | 1. Evidence of measures to protect integrity of audit tools, such as digital signatures or code signing certificates, either through policy or documentation of procedures |
DCF-595 | AU-10-00 | Non-repudiation Actions | 1. Link the Data Protection Policy to the control as evidence. This is discussed in the Logged Activities subsection of the Event Logs section |
DCF-596 | AU-12-03 | Authorized to Modify Logs | 1. Link the Data Protection Policy to the control as evidence. This is discussed in the Administrators and Operator Logs subsection of the Event Logs section |
DCF-597 | CM-02-02 | Baseline Configurations | 1. Link the Change Management Policy to the control as evidence 2. Screenshot of the Baseline Configuration Files or Templates that defines the desired state of a system |
DCF-598 | CM-02-03 | Previous Baseline Configuration Versions Retained | 1. Link the Change Management Policy to the control as evidence. |
DCF-599 | CM-02-07 | High Risk Area System Configuration | 1. Documented procedures to secure systems and system components traveling to company-defined high-risk locations |
DCF-600 | CM-03-01 | Automated Configuration Change Management | 1. Link the Change Management Policy to the control as evidence 2. Screenshot of the Configuration Management Tool utilized to automate deployment and maintenance of system configurations (e.g. Ansible, Puppet, Chef, etc.) |
DCF-601 | CM-03-06 | Management of Cryptographic Mechanisms | 1. Documentation that demonstrates the inclusion of cryptographic mechanisms within the organization’s configuration management process |
DCF-602 | CP-03-00, PM-13-00, PM-14-00 | Role-Based Contingency Training | 1. Reviewed, approved, and up-to-date training materials presented to individuals based on their roles and responsibilities 2. Training records showing that all personnel have received training upon hire and at defined intervals |
DCF-603 | CP-07-04 | Alternate Processing Site | 1. Link Disaster Recovery Plan and Business Continuity Plan 2. Documentation or records of the configuration settings that should be maintained at the alternate processing site (e.g. power supply, network connectivity, telecommunications, etc.) |
DCF-604 | CP-10-02 | Transaction Recovery Procedures | 1. Documented procedures to perform transaction journaling and rollback techniques to recover from transaction failures or errors on identified transaction-based systems |
DCF-605 | IA-02-12, IA-08-01 | PIV Credentials Acceptance | 1. Link the System and Services Acquisition Policy to the control as evidence. This is discussed in the Security Controls section |
DCF-606 | IA-03-00 | Device Identification and Authentication | 1. Documented procedures to ensure devices are identified and authenticated prior to establishing connection (e.g. network access control, certificate-based authentication, etc.) |
DCF-607 | IA-04-00 | System Identifier Management | 1. Documented procedure that defines the personnel involved in selecting, assigning, and authorizing the use of an identifier 2. Screenshot of the tool used to manage assignment of unique identifiers to accounts (e.g. Identity and Access Management (IAM) for individuals, groups, and roles, and Enterprise Asset Management System for devices) |
DCF-608 | IA-05-01 | Management of At-risk Passwords | 1. Link the Password Policy to the control as evidence 2. List of commonly used, expected, or compromised passwords (e.g. tools like Thycotic Password Security and Enzoic for Active Directory maintain and regularly update their lists of unsafe passwords) 3. In lieu of a list, Password Managers have a built-in security challenge that evaluates password strength (e.g. Keeper Password Manager, LastPass, etc.) |
DCF-609 | IA-05-02 | Public Key Authentication | 1. Documented procedures implemented to validate Public Key used for authentication (e.g. mechanisms to check revocation status of certificates used in public key-based authentication) |
DCF-610 | IA-05-06 | Authenticators Protected | 1. Documented procedures implemented to protect authenticators (e.g. implemented password requirements, use of MFA, etc.) |
DCF-611 | IA-06-00 | Obscured Authentication Feedback | 1. Screenshot of user interface during the authentication process to show authentication feedback is hidden (e.g. password entry fields displaying asterisks or limited visibility feedback) |
DCF-612 | IA-08-00 | Non-organizational User Authentication | 1. Link the System Access Control Policy to the control as evidence. This is discussed in the Unique User Identification section |
DCF-613 | IA-12-03 | Identity Evidence Validation and Verification Methods | 1. Link the System Access Control Policy to the control as evidence. This is discussed in the Access Establishment and Modification - Role-Based section |
DCF-614 | MA-02-02 | Automated Maintenance Activities | 1. Tools that demonstrate the automated means of managing system maintenance, repair, and replacement (e.g. enterprise asset management system, configuration management databases, IT ticketing system, etc.) |
DCF-615 | MA-03-00, MA-02-00, MA-03-01, MA-03-03 | Managed Use of Maintenance Tools | 1. Link the Maintenance Management Policy to the control as evidence. Drata provides a template in your Policy Center. |
DCF-616 | MA-04-00, MA-04-03 | Remote Maintenance | 1. Records or logs demonstrating proper authorization process for maintenance and diagnostic activities 2. Screenshot showing the use of a secure connection during non-local maintenance sessions (e.g. VPN) |
DCF-617 | MA-05-00, MA-05-01 | Maintenance Personnel Authorization | 1. Link the Maintenance Management Policy to the control as evidence. |
DCF-618 | MA-06-00 | Timely Maintenance Support | 1. Link the Maintenance Management Policy to the control as evidence. |
DCF-619 | MP-06-01, SR-12-00 | Media Sanitization | 1. Link the Maintenance Management Policy to the control as evidence. 2. Link the Asset Management Policy to the control as evidence. |
DCF-620 | PM-03-00 | Security/Privacy Resource Planning | 1. Documentation showing the resources needed to implement the information security and privacy programs for capital planning and investment requests. |
DCF-621 | MP-06-01 | Test Sanitization | 1. Link the Asset Management Policy to the control as evidence. 2. Documented procedures for testing media sanitization equipment and procedures. |
DCF-622 | PE-05-00 | Access Control for Output Devices | 1. Link the Asset Management Policy to the control as evidence. 2. Link the Physical Security Policy to the control as evidence. |
DCF-623 | PM-18-00 | Privacy Program Plan | 1. Provide your company’s Privacy Program Plan. |
DCF-624 | PM-24-00 | Data Integrity Board | 1. List of members of the Data Integrity Board. 2. Bios of each member of the Data Integrity Board. |
DCF-625 | PE-06-01 | Monitoring Physical Access | 1. Link the Physical Security Policy. |
DCF-626 | PM-27-00 | Privacy Reporting | 1. Privacy Program Plan. 2. Provide a sample of one Privacy Report. 3. Documentation showing the dissemination of reports to oversight bodies and officials responsible for monitoring privacy program compliance |
DCF-627 | PL-04-01 | Social Media Rules | 1. Documented rules of behavior for restricting social media, social networking sites, and external sites/application use (may be found in the Acceptable Use Policy or Code of Conduct). |
DCF-628 | PS-02-00 | Risk Designation for Roles | 1. Documented procedures for assigning, reviewing, and updating position risk designations (e.g. documentation showing the level of risk assigned to each position at your organization). |
DCF-629 | PT-05-02, PT-06-00, PT-06-01, PT-06-02 | Privacy Act Statements | 1. Documentation detailing organizational processes for including Privacy Act statements on forms that collect information or on separate forms that can be retained by individuals. |
DCF-630 | PT-07-01 | Restricted Use of Social Security Number | 1. Documented procedures for identifying, reviewing, and taking action to control the unnecessary use of Social Security numbers. |
DCF-631 | PT-08-00 | Matching Program | 1. Documented procedures for processing information for the purpose of conducting a matching program. 2. Evidence of approval from the Data Integrity Board to conduct the matching program. 3. Computer Matching Agreement template (or sample of one computer matching agreement). 4. Screenshot showing a matching notice published in the Federal Register. |
DCF-632 | RA-03-01 | Supply Chain Risk Assessment | 1. Link the Vendor Management Policy to the control as evidence. 2. Screenshots from the vendor directory showing that vendors are categorized based on impact/risk. 3. Review documents showing that vendors' SOC 2 reports were reviewed (Drata can provide a review template for this). |
DCF-633 | RA-05-04 | Corrective Actions for Discoverable Information | 1. Link the Vulnerability Management Policy to the control as evidence. 2. Link the Incident Response Plan to the control as evidence. |
DCF-634 | SA-02-00 | Security and Privacy Resource Planning and Allocation | 1. Documented procedures for allocating resources for security and privacy programs. |
DCF-635 | SA-04-10, IA-08-02 | Approved PIV Products | 1. Documented procedures for selecting and employing only FIPS 201-approved products. |
DCF-636 | SA-05-00 | System Documentation Maintained | 1. Architecture Diagram 2. System description documentation. |
DCF-637 | SA-15-00 | Secure Development Process | 1. Link the Software Development Lifecycle Policy to the control as evidence. |
DCF-638 | SC-02-00 | Separation of User and System Management Functions | 1. System documentation (including system components and services) 2. Documented procedures for obtaining, protecting, and distributing system documentation. |
DCF-639 | SC-04-00 | Shared System Information Security | 1. Link the Data Protection Policy to the control as evidence. 2. Copy of the System Security Plan. |
DCF-640 | SC-07-03 | Limit External Connections | 1. Link the System Security Planning Policy to the control as evidence. 2. Formal documented network diagram. |
DCF-641 | SC-07-08 | Proxy Server | 1. Formal documented Network Diagram 2. Evidence of mechanisms implementing traffic management through authenticated proxy servers at managed interfaces |
DCF-642 | SC-07-18 | Fail Secure for Boundary Protection Devices | 1. Link the Incident Response Plan to the control as evidence. 2. Link the Disaster Recovery Policy to the control as evidence. 3. Link the System Security Planning Policy to the control as evidence. |
DCF-643 | SC-15-00 | Remote Activation of Collaborative Devices Prohibited | 1. Screenshot(s) showing the mechanisms in place to prohibit remote activation of collaborative computing devices and applications. |
DCF-644 | SC-18-00 | Mobile Code Management | 1. Link the System and Information Integrity Policy as evidence. |
DCF-645 | SC-23-00 | Session Authentication Management | 1. Link the Encryption Policy to the control as evidence. |
DCF-646 | SC-39-00 | Separate Execution Domain | 1. Formal documented architecture diagram 2. Link the Software Development Lifecycle Policy to the control as evidence. |
DCF-647 | SI-04-10 | System Monitoring Tools | 1. Link the Data Protection Policy to the control as evidence. 2. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled. |
DCF-648 | SI-04-22 | Unauthorized Network Services Monitoring and Alert | 1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled. 2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected. 3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected. |
DCF-649 | SI-06-00 | Security and Privacy Function Verification | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Link the System Security Planning Policy to the control as evidence. |
DCF-650 | SI-07-01 | Integrity Checks (System and Software) | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Screenshots of FIM software. 3. Examples of FIM detecting changes. |
DCF-651 | SI-07-05 | Integrity Violation Automated Response | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Example of FIM detecting changes and automatically sending out an alert notifying the appropriate personnel of the suspicious activity. |
DCF-652 | SI-07-15 | Mechanisms for Code Authentication | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Screenshots of the cryptographic mechanisms (such as digital signing using trusted certificates) that are in place to authenticate software prior to installation. |
DCF-653 | SI-08-00 | Spam Protection | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Screenshot of mechanism(s) in place to protect against spam. |
DCF-654 | SI-16-00 | System Memory Protection | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Screenshot(s) of the mechanisms in place to protect system memory from unauthorized code execution. |
DCF-655 | SR-09-00 | Tamper Protection Procedures | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Link the Physical Security Policy to the control as evidence. |
DCF-656 | SC-20-00 | Authoritative Source Information | 1. Link the System and Information Integrity Policy to the control as evidence. 2. Screenshot(s) showing the mechanisms supporting and/or implementing secure name/address resolution services. |