Assessment worksheet scoring columns (no values are recorded for this control on this page):

| Applicable (Y)es / (N)o | (C)onfidentiality: L1 / M2 / H3 | (I)ntegrity: L1 / M2 / H3 | (A)vailability: L1 / M2 / H3 | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
si-6 security function verification

assessment objective: Determine if:

| item | determine if |
| --- | --- |
| si-6(a)[1] | the organization defines security functions to be verified for correct operation; |
| si-6(a)[2] | the information system verifies the correct operation of organization-defined security functions; |
| si-6(b)[1] | the organization defines system transitional states requiring verification of organization-defined security functions; |
| si-6(b)[2] | the organization defines a frequency to verify the correct operation of organization-defined security functions; |
| si-6(b)[3] | the information system performs this verification in one or more of the following ways: |
| si-6(b)[3][a] | at organization-defined system transitional states; |
| si-6(b)[3][b] | upon command by a user with appropriate privilege; and/or |
| si-6(b)[3][c] | with the organization-defined frequency; |
| si-6(c)[1] | the organization defines personnel or roles to be notified of failed security verification tests; |
| si-6(c)[2] | the information system notifies organization-defined personnel or roles of failed security verification tests; |
| si-6(d)[1] | the organization defines alternative action(s) to be performed when anomalies are discovered; |
| si-6(d)[2] | the information system performs one or more of the following actions when anomalies are discovered: |
| si-6(d)[2][a] | shuts the information system down; |
| si-6(d)[2][b] | restarts the information system; and/or |
| si-6(d)[2][c] | performs organization-defined alternative action(s). |

potential assessment methods and objects:

Examine: [select from: System and information integrity policy; procedures addressing security function verification; information system design documentation; information system configuration settings and associated documentation; alerts/notifications of failed security verification tests; list of system transition states requiring security functionality verification; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with security function verification responsibilities; organizational personnel implementing, operating, and maintaining the information system; system/network administrators; organizational personnel with information security responsibilities; system developer].

Test: [select from: Organizational processes for security function verification; automated mechanisms supporting and/or implementing security function verification capability].
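The Test method above asks the assessor to exercise the "automated mechanisms supporting and/or implementing security function verification capability". As an added example of what such a mechanism looks like (this is illustrative code, not part of NIST's text or any assessment workbook), the Python harness below maps each si-6 element onto a concrete piece of code: the organization-defined security functions in si-6(a)[1] become a list of checks (two cryptographic known-answer tests and a configuration-integrity baseline), the trigger modes of si-6(b)[3] become the `trigger` argument, the notification of si-6(c)[2] becomes a callback given the configured roles, and the anomaly response of si-6(d)[2] becomes a second callback given the configured action. Every run produces an audit record of the kind the Examine method lists. The role names, transitional-state names, file paths, file contents and the 24-hour frequency are constructed assumptions, as are the callback names `notify` and `act`; the SHA-256 and HMAC-SHA-256 expected values are the published FIPS 180-4 and RFC 4231 test vectors.

```python
# Added example of an SI-6 style verification harness. Checks, policy values,
# role names and the in-memory "config files" are constructed assumptions.
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TRIGGERS = ("transitional_state", "on_command", "scheduled")  # si-6(b)[3][a-c]
ACTIONS = ("shutdown", "restart", "alternative")              # si-6(d)[2][a-c]

@dataclass
class CheckResult:
    name: str
    passed: bool
    detail: str

def kat_sha256() -> CheckResult:
    """Known-answer test for the hash primitive (FIPS 180-4 vector for b"abc")."""
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    got = hashlib.sha256(b"abc").hexdigest()
    return CheckResult("sha256-kat", got == expected, got)

def kat_hmac_sha256() -> CheckResult:
    """Known-answer test for HMAC-SHA-256 (RFC 4231 test case 2)."""
    expected = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
    got = hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256).hexdigest()
    return CheckResult("hmac-sha256-kat", got == expected, got)

def make_config_integrity_check(baseline: Dict[str, str],
                                read_current: Callable[[], Dict[str, bytes]]):
    """Build a check comparing security-relevant config files to a SHA-256 baseline."""
    def check() -> CheckResult:
        current = read_current()
        drift = [path for path, digest in baseline.items()
                 if hashlib.sha256(current.get(path, b"")).hexdigest() != digest]
        return CheckResult("config-integrity", not drift,
                           ("drift: " + ", ".join(drift)) if drift else "baseline matches")
    return check

@dataclass
class VerificationPolicy:
    """Organization-defined parameters: si-6(a)[1], (b)[1], (b)[2], (c)[1], (d)[1]."""
    checks: List[Callable[[], CheckResult]]
    transitional_states: tuple = ("startup", "shutdown", "restart")
    frequency_seconds: int = 24 * 3600
    notify_roles: tuple = ("ISSO", "system administrator")
    anomaly_action: str = "alternative"          # must be one of ACTIONS

class Verifier:
    """Runs the checks at an si-6(b)[3] trigger, notifies per (c)[2], acts per (d)[2]."""
    def __init__(self, policy: VerificationPolicy,
                 notify: Callable[[tuple, List[CheckResult]], None],
                 act: Callable[[str, List[CheckResult]], None]):
        if policy.anomaly_action not in ACTIONS:
            raise ValueError(f"unknown anomaly action {policy.anomaly_action!r}")
        self.policy, self.notify, self.act = policy, notify, act
        self.last_run: Optional[float] = None
        self.audit: List[dict] = []   # the audit records an assessor would examine

    def due(self, now: float) -> bool:
        # True once the organization-defined frequency (si-6(b)[2]) has elapsed.
        return self.last_run is None or now - self.last_run >= self.policy.frequency_seconds

    def run(self, trigger: str, state: Optional[str] = None,
            now: Optional[float] = None) -> dict:
        if trigger not in TRIGGERS:
            raise ValueError(f"unknown trigger {trigger!r}")
        if trigger == "transitional_state" and state not in self.policy.transitional_states:
            raise ValueError(f"{state!r} is not a defined transitional state")
        now = time.time() if now is None else now
        results = [check() for check in self.policy.checks]
        failed = [r for r in results if not r.passed]
        record = {"time": now, "trigger": trigger, "state": state, "action": None,
                  "results": [(r.name, r.passed, r.detail) for r in results]}
        if failed:                                          # anomaly discovered
            self.notify(self.policy.notify_roles, failed)   # si-6(c)[2]
            self.act(self.policy.anomaly_action, failed)    # si-6(d)[2]
            record["action"] = self.policy.anomaly_action
        self.last_run = now
        self.audit.append(record)
        return record

def demo(tamper: bool) -> dict:
    """Constructed scenario: two in-memory 'config files', optionally tampered after baselining."""
    files = {"/etc/audit/auditd.conf": b"log_format = ENRICHED\n",
             "/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
    baseline = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    if tamper:
        files["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"
    events = {"notified": [], "actions": []}
    policy = VerificationPolicy(checks=[kat_sha256, kat_hmac_sha256,
                                        make_config_integrity_check(baseline, lambda: files)])
    verifier = Verifier(policy,
                        notify=lambda roles, f: events["notified"].append((roles, [r.name for r in f])),
                        act=lambda action, f: events["actions"].append(action))
    record = verifier.run("transitional_state", state="startup", now=0.0)
    record.update(events=events, due_after_one_day=verifier.due(24 * 3600.0))
    return record
```

`demo(tamper=False)` runs the startup-state verification with all checks passing, so no notification or action is recorded; `demo(tamper=True)` changes `PermitRootLogin` after the baseline was taken, the integrity check fails, the configured roles are notified with the failed test name, and the policy's alternative action is invoked. The shutdown and restart actions of si-6(d)[2][a] and [b] are deliberately left to the injected `act` callback rather than performed by the harness, which is what lets an assessor exercise the mechanism under the Test method without taking the system down.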