Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-20(2)

secure name/address resolution service (authoritative source)  | data origin / data integrity

assessment objective:

Determine if the information system provides data origin and integrity protection artifacts for internal name/address resolution queries.

potential assessment methods and objects:

Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing DNS].

Test: [select from: Automated mechanisms supporting and/or implementing data origin and integrity protection for internal name/address resolution service queries].

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sc-21

secure name / address resolution service (recursive or caching resolver)

assessment objective:

Determine if the information system:

sc-21[1]

requests data origin authentication on the name/address resolution responses the system receives from authoritative sources;

sc-21[2]

requests data integrity verification on the name/address resolution responses the system receives from authoritative sources;

sc-21[3]

performs data origin authentication on the name/address resolution responses the system receives from authoritative sources; and

sc-21[4]

performs data integrity verification on the name/address resolution responses the system receives from authoritative sources.

potential assessment methods and objects:

Examine: [select from: System and communications protection policy; procedures addressing secure name/address resolution service (recursive or caching resolver); information system design documentation; information system configuration settings and associated documentation; information system audit records; other relevant documents or records].

Interview: [select from: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with responsibilities for managing DNS].

Test: [select from: Automated mechanisms supporting and/or implementing data origin authentication and data integrity verification for name/address resolution services].