1. INTRODUCTION 5
1. INTRODUCTION 5
2. PURPOSE 6
2. PURPOSE 6
3. ROLES/PERSONNEL SECURITY 7
3. ROLES/PERSONNEL SECURITY 7
4. DETAILED SYSTEM DESCRIPTION/TECHNICAL OVERVIEW 8
4. DETAILED SYSTEM DESCRIPTION/TECHNICAL OVERVIEW 8
5. IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 9
5. IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES 9
5.1 USER IDENTIFICATION AND AUTHENTICATION 9
5.2 DEVICE IDENTIFICATION AND AUTHENTICATION 10
5.3 IDENTIFIER MANAGEMENT 10
5.4 AUTHENTICATOR MANAGEMENT 10
5.5 ACCESS CONTROL POLICY AND PROCEDURES 11
5.7 ACCESS ENFORCEMENT 12
5.8 INFORMATION FLOW ENFORCEMENT 13
5.9 SEPARATION OF DUTIES 13
5.10 LEAST PRIVILEGE 14
5.11 UNSUCCESSFUL LOGIN ATTEMPTS 14
5.12 SYSTEM USE NOTIFICATION 14
5.13 SESSION LOCK 15
5.15 SUPERVISION AND REVIEW — ACCESS CONTROL 16
5.16 REMOTE ACCESS 16
5.17 USE OF EXTERNAL INFORMATION SYSTEMS 17
6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES 18
6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES 18
6.1 SECURITY TRAINING 19
7. AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 19
7. AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES 19
7.1 AUDITABLE EVENTS 19
7.2 CONTENT OF AUDIT RECORDS 20
7.3 AUDIT STORAGE CAPACITY 20
7.4 AUDIT MONITORING, ANALYSIS, AND REPORTING 20
7.5 TIME STAMPS 21
7.6 PROTECTION OF AUDIT INFORMATION 21
7.7 CONTINUOUS MONITORING 21
8. CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 22
8. CONFIGURATION MANAGEMENT POLICY AND PROCEDURES 22
8.1 MONITORING CONFIGURATION CHANGES 22
8.2 ACCESS RESTRICTIONS FOR CHANGE 23
8.3 LEAST FUNCTIONALITY 23
9. INCIDENT RESPONSE 23
9. INCIDENT RESPONSE 23
9.1 INCIDENT RESPONSE POLICY AND PROCEDURES 23
9.2 INCIDENT RESPONSE TRAINING 24
9.3 INCIDENT RESPONSE TESTING AND EXERCISES 24
9.4 INCIDENT HANDLING 24
9.5 INCIDENT MONITORING 25
9.6 INCIDENT REPORTING 25
9.7 INCIDENT RESPONSE ASSISTANCE 26
10. PHYSICAL AND ENVIRONMENTAL PROTECTION 26
10. PHYSICAL AND ENVIRONMENTAL PROTECTION 26
10.1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES 26
10.2 PHYSICAL ACCESS AUTHORIZATIONS 26
10.3 PHYSICAL ACCESS CONTROL 27
10.4 MONITORING PHYSICAL ACCESS 27
11. CONTINGENCY PLANNING AND OPERATION 28
11. CONTINGENCY PLANNING AND OPERATION 28
11.1 CONTINGENCY PLANNING POLICY AND PROCEDURES 28
11.2 CONTINGENCY PLAN 28
11.3 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION 29
12. SYSTEM AND COMMUNICATIONS PROTECTIONS 29
12. SYSTEM AND COMMUNICATIONS PROTECTIONS 29
12.1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES 29
13. APPLICATION PARTITIONING (IF APPLICABLE) 30
13. APPLICATION PARTITIONING (IF APPLICABLE) 30
13.1 INFORMATION REMNANCE 31
13.2 DENIAL OF SERVICE PROTECTION 31
13.3 BOUNDARY PROTECTION 32
13.4 TRANSMISSION INTEGRITY 32
13.5 TRANSMISSION CONFIDENTIALITY 33
13.6 NETWORK DISCONNECT 33
13.7 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT 33
13.8 COLLABORATIVE COMPUTING 33
13.9 MOBILE CODE 33
13.10 VOICE OVER INTERNET PROTOCOL 34
13.12 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE 34
13.13 SESSION AUTHENTICITY 35
13.14 MALICIOUS CODE PROTECTION 35
13.15 INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES 36
14. MAINTENANCE 37
14. MAINTENANCE 37
14.1 SYSTEM MAINTENANCE POLICY AND PROCEDURES 37
14.2 CONTROLLED MAINTENANCE 38
14.3 MAINTENANCE TOOLS 38
14.4 REMOTE MAINTENANCE 39
14.5 MAINTENANCE PERSONNEL 40
15. MEDIA PROTECTION 40
15. MEDIA PROTECTION 40
15.1 MEDIA PROTECTION POLICY AND PROCEDURES 40
15.2 MEDIA ACCESS 40
15.3 MEDIA SANITIZATION AND DISPOSAL 41
16. EXPORT CONTROL PROCEDURES 41
16. EXPORT CONTROL PROCEDURES 41
17. ADDITIONAL FOCI PROCEDURES 43
17. ADDITIONAL FOCI PROCEDURES 43
17.1 TELEPHONE PROCEDURES 43
17.2 FACSIMILE PROCEDURES 44
17.3 COMPUTER COMMUNICATIONS 45
Additional ODAA recommendations 50
Additional ODAA recommendations 50
ATTACHMENT 2 – EXPORT RELEASE FORMS 52
ATTACHMENT 2 – EXPORT RELEASE FORMS 52
ATTACHMENT 4 – ECP REVISION LOG 54
ATTACHMENT 4 – ECP REVISION LOG 54