├── LICENSE
├── README.md
├── ac_low_impact_pri1.md
├── ac_low_impact_pri1.yaml
├── at_low_impact_pri1.md
├── at_low_impact_pri1.yaml
├── au_low_impact_pri1.md
├── au_low_impact_pri1.yaml
├── au_low_impact_pri3.md
├── au_low_impact_pri3.yaml
├── cm_low_impact_pri1.md
├── cm_low_impact_pri1.yaml
├── cp_low_impact_pri1.md
├── cp_low_impact_pri1.yaml
├── ia_low_impact_pri1.md
├── ia_low_impact_pri1.yaml
├── makemd.py
├── pl_low_impact_pri1.md
├── pl_low_impact_pri1.yaml
└── template.yaml


/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 2, June 1991
  3 | 
  4 |  Copyright (C) 1989, 1991 Free Software Foundation, Inc., <http://fsf.org/>
  5 |  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  6 |  Everyone is permitted to copy and distribute verbatim copies
  7 |  of this license document, but changing it is not allowed.
  8 | 
  9 |                             Preamble
 10 | 
 11 |   The licenses for most software are designed to take away your
 12 | freedom to share and change it.  By contrast, the GNU General Public
 13 | License is intended to guarantee your freedom to share and change free
 14 | software--to make sure the software is free for all its users.  This
 15 | General Public License applies to most of the Free Software
 16 | Foundation's software and to any other program whose authors commit to
 17 | using it.  (Some other Free Software Foundation software is covered by
 18 | the GNU Lesser General Public License instead.)  You can apply it to
 19 | your programs, too.
 20 | 
 21 |   When we speak of free software, we are referring to freedom, not
 22 | price.  Our General Public Licenses are designed to make sure that you
 23 | have the freedom to distribute copies of free software (and charge for
 24 | this service if you wish), that you receive source code or can get it
 25 | if you want it, that you can change the software or use pieces of it
 26 | in new free programs; and that you know you can do these things.
 27 | 
 28 |   To protect your rights, we need to make restrictions that forbid
 29 | anyone to deny you these rights or to ask you to surrender the rights.
 30 | These restrictions translate to certain responsibilities for you if you
 31 | distribute copies of the software, or if you modify it.
 32 | 
 33 |   For example, if you distribute copies of such a program, whether
 34 | gratis or for a fee, you must give the recipients all the rights that
 35 | you have.  You must make sure that they, too, receive or can get the
 36 | source code.  And you must show them these terms so they know their
 37 | rights.
 38 | 
 39 |   We protect your rights with two steps: (1) copyright the software, and
 40 | (2) offer you this license which gives you legal permission to copy,
 41 | distribute and/or modify the software.
 42 | 
 43 |   Also, for each author's protection and ours, we want to make certain
 44 | that everyone understands that there is no warranty for this free
 45 | software.  If the software is modified by someone else and passed on, we
 46 | want its recipients to know that what they have is not the original, so
 47 | that any problems introduced by others will not reflect on the original
 48 | authors' reputations.
 49 | 
 50 |   Finally, any free program is threatened constantly by software
 51 | patents.  We wish to avoid the danger that redistributors of a free
 52 | program will individually obtain patent licenses, in effect making the
 53 | program proprietary.  To prevent this, we have made it clear that any
 54 | patent must be licensed for everyone's free use or not licensed at all.
 55 | 
 56 |   The precise terms and conditions for copying, distribution and
 57 | modification follow.
 58 | 
 59 |                     GNU GENERAL PUBLIC LICENSE
 60 |    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 61 | 
 62 |   0. This License applies to any program or other work which contains
 63 | a notice placed by the copyright holder saying it may be distributed
 64 | under the terms of this General Public License.  The "Program", below,
 65 | refers to any such program or work, and a "work based on the Program"
 66 | means either the Program or any derivative work under copyright law:
 67 | that is to say, a work containing the Program or a portion of it,
 68 | either verbatim or with modifications and/or translated into another
 69 | language.  (Hereinafter, translation is included without limitation in
 70 | the term "modification".)  Each licensee is addressed as "you".
 71 | 
 72 | Activities other than copying, distribution and modification are not
 73 | covered by this License; they are outside its scope.  The act of
 74 | running the Program is not restricted, and the output from the Program
 75 | is covered only if its contents constitute a work based on the
 76 | Program (independent of having been made by running the Program).
 77 | Whether that is true depends on what the Program does.
 78 | 
 79 |   1. You may copy and distribute verbatim copies of the Program's
 80 | source code as you receive it, in any medium, provided that you
 81 | conspicuously and appropriately publish on each copy an appropriate
 82 | copyright notice and disclaimer of warranty; keep intact all the
 83 | notices that refer to this License and to the absence of any warranty;
 84 | and give any other recipients of the Program a copy of this License
 85 | along with the Program.
 86 | 
 87 | You may charge a fee for the physical act of transferring a copy, and
 88 | you may at your option offer warranty protection in exchange for a fee.
 89 | 
 90 |   2. You may modify your copy or copies of the Program or any portion
 91 | of it, thus forming a work based on the Program, and copy and
 92 | distribute such modifications or work under the terms of Section 1
 93 | above, provided that you also meet all of these conditions:
 94 | 
 95 |     a) You must cause the modified files to carry prominent notices
 96 |     stating that you changed the files and the date of any change.
 97 | 
 98 |     b) You must cause any work that you distribute or publish, that in
 99 |     whole or in part contains or is derived from the Program or any
100 |     part thereof, to be licensed as a whole at no charge to all third
101 |     parties under the terms of this License.
102 | 
103 |     c) If the modified program normally reads commands interactively
104 |     when run, you must cause it, when started running for such
105 |     interactive use in the most ordinary way, to print or display an
106 |     announcement including an appropriate copyright notice and a
107 |     notice that there is no warranty (or else, saying that you provide
108 |     a warranty) and that users may redistribute the program under
109 |     these conditions, and telling the user how to view a copy of this
110 |     License.  (Exception: if the Program itself is interactive but
111 |     does not normally print such an announcement, your work based on
112 |     the Program is not required to print an announcement.)
113 | 
114 | These requirements apply to the modified work as a whole.  If
115 | identifiable sections of that work are not derived from the Program,
116 | and can be reasonably considered independent and separate works in
117 | themselves, then this License, and its terms, do not apply to those
118 | sections when you distribute them as separate works.  But when you
119 | distribute the same sections as part of a whole which is a work based
120 | on the Program, the distribution of the whole must be on the terms of
121 | this License, whose permissions for other licensees extend to the
122 | entire whole, and thus to each and every part regardless of who wrote it.
123 | 
124 | Thus, it is not the intent of this section to claim rights or contest
125 | your rights to work written entirely by you; rather, the intent is to
126 | exercise the right to control the distribution of derivative or
127 | collective works based on the Program.
128 | 
129 | In addition, mere aggregation of another work not based on the Program
130 | with the Program (or with a work based on the Program) on a volume of
131 | a storage or distribution medium does not bring the other work under
132 | the scope of this License.
133 | 
134 |   3. You may copy and distribute the Program (or a work based on it,
135 | under Section 2) in object code or executable form under the terms of
136 | Sections 1 and 2 above provided that you also do one of the following:
137 | 
138 |     a) Accompany it with the complete corresponding machine-readable
139 |     source code, which must be distributed under the terms of Sections
140 |     1 and 2 above on a medium customarily used for software interchange; or,
141 | 
142 |     b) Accompany it with a written offer, valid for at least three
143 |     years, to give any third party, for a charge no more than your
144 |     cost of physically performing source distribution, a complete
145 |     machine-readable copy of the corresponding source code, to be
146 |     distributed under the terms of Sections 1 and 2 above on a medium
147 |     customarily used for software interchange; or,
148 | 
149 |     c) Accompany it with the information you received as to the offer
150 |     to distribute corresponding source code.  (This alternative is
151 |     allowed only for noncommercial distribution and only if you
152 |     received the program in object code or executable form with such
153 |     an offer, in accord with Subsection b above.)
154 | 
155 | The source code for a work means the preferred form of the work for
156 | making modifications to it.  For an executable work, complete source
157 | code means all the source code for all modules it contains, plus any
158 | associated interface definition files, plus the scripts used to
159 | control compilation and installation of the executable.  However, as a
160 | special exception, the source code distributed need not include
161 | anything that is normally distributed (in either source or binary
162 | form) with the major components (compiler, kernel, and so on) of the
163 | operating system on which the executable runs, unless that component
164 | itself accompanies the executable.
165 | 
166 | If distribution of executable or object code is made by offering
167 | access to copy from a designated place, then offering equivalent
168 | access to copy the source code from the same place counts as
169 | distribution of the source code, even though third parties are not
170 | compelled to copy the source along with the object code.
171 | 
172 |   4. You may not copy, modify, sublicense, or distribute the Program
173 | except as expressly provided under this License.  Any attempt
174 | otherwise to copy, modify, sublicense or distribute the Program is
175 | void, and will automatically terminate your rights under this License.
176 | However, parties who have received copies, or rights, from you under
177 | this License will not have their licenses terminated so long as such
178 | parties remain in full compliance.
179 | 
180 |   5. You are not required to accept this License, since you have not
181 | signed it.  However, nothing else grants you permission to modify or
182 | distribute the Program or its derivative works.  These actions are
183 | prohibited by law if you do not accept this License.  Therefore, by
184 | modifying or distributing the Program (or any work based on the
185 | Program), you indicate your acceptance of this License to do so, and
186 | all its terms and conditions for copying, distributing or modifying
187 | the Program or works based on it.
188 | 
189 |   6. Each time you redistribute the Program (or any work based on the
190 | Program), the recipient automatically receives a license from the
191 | original licensor to copy, distribute or modify the Program subject to
192 | these terms and conditions.  You may not impose any further
193 | restrictions on the recipients' exercise of the rights granted herein.
194 | You are not responsible for enforcing compliance by third parties to
195 | this License.
196 | 
197 |   7. If, as a consequence of a court judgment or allegation of patent
198 | infringement or for any other reason (not limited to patent issues),
199 | conditions are imposed on you (whether by court order, agreement or
200 | otherwise) that contradict the conditions of this License, they do not
201 | excuse you from the conditions of this License.  If you cannot
202 | distribute so as to satisfy simultaneously your obligations under this
203 | License and any other pertinent obligations, then as a consequence you
204 | may not distribute the Program at all.  For example, if a patent
205 | license would not permit royalty-free redistribution of the Program by
206 | all those who receive copies directly or indirectly through you, then
207 | the only way you could satisfy both it and this License would be to
208 | refrain entirely from distribution of the Program.
209 | 
210 | If any portion of this section is held invalid or unenforceable under
211 | any particular circumstance, the balance of the section is intended to
212 | apply and the section as a whole is intended to apply in other
213 | circumstances.
214 | 
215 | It is not the purpose of this section to induce you to infringe any
216 | patents or other property right claims or to contest validity of any
217 | such claims; this section has the sole purpose of protecting the
218 | integrity of the free software distribution system, which is
219 | implemented by public license practices.  Many people have made
220 | generous contributions to the wide range of software distributed
221 | through that system in reliance on consistent application of that
222 | system; it is up to the author/donor to decide if he or she is willing
223 | to distribute software through any other system and a licensee cannot
224 | impose that choice.
225 | 
226 | This section is intended to make thoroughly clear what is believed to
227 | be a consequence of the rest of this License.
228 | 
229 |   8. If the distribution and/or use of the Program is restricted in
230 | certain countries either by patents or by copyrighted interfaces, the
231 | original copyright holder who places the Program under this License
232 | may add an explicit geographical distribution limitation excluding
233 | those countries, so that distribution is permitted only in or among
234 | countries not thus excluded.  In such case, this License incorporates
235 | the limitation as if written in the body of this License.
236 | 
237 |   9. The Free Software Foundation may publish revised and/or new versions
238 | of the General Public License from time to time.  Such new versions will
239 | be similar in spirit to the present version, but may differ in detail to
240 | address new problems or concerns.
241 | 
242 | Each version is given a distinguishing version number.  If the Program
243 | specifies a version number of this License which applies to it and "any
244 | later version", you have the option of following the terms and conditions
245 | either of that version or of any later version published by the Free
246 | Software Foundation.  If the Program does not specify a version number of
247 | this License, you may choose any version ever published by the Free Software
248 | Foundation.
249 | 
250 |   10. If you wish to incorporate parts of the Program into other free
251 | programs whose distribution conditions are different, write to the author
252 | to ask for permission.  For software which is copyrighted by the Free
253 | Software Foundation, write to the Free Software Foundation; we sometimes
254 | make exceptions for this.  Our decision will be guided by the two goals
255 | of preserving the free status of all derivatives of our free software and
256 | of promoting the sharing and reuse of software generally.
257 | 
258 |                             NO WARRANTY
259 | 
260 |   11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268 | REPAIR OR CORRECTION.
269 | 
270 |   12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278 | POSSIBILITY OF SUCH DAMAGES.
279 | 
280 |                      END OF TERMS AND CONDITIONS
281 | 
282 |             How to Apply These Terms to Your New Programs
283 | 
284 |   If you develop a new program, and you want it to be of the greatest
285 | possible use to the public, the best way to achieve this is to make it
286 | free software which everyone can redistribute and change under these terms.
287 | 
288 |   To do so, attach the following notices to the program.  It is safest
289 | to attach them to the start of each source file to most effectively
290 | convey the exclusion of warranty; and each file should have at least
291 | the "copyright" line and a pointer to where the full notice is found.
292 | 
293 |     {description}
294 |     Copyright (C) {year}  {fullname}
295 | 
296 |     This program is free software; you can redistribute it and/or modify
297 |     it under the terms of the GNU General Public License as published by
298 |     the Free Software Foundation; either version 2 of the License, or
299 |     (at your option) any later version.
300 | 
301 |     This program is distributed in the hope that it will be useful,
302 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
303 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
304 |     GNU General Public License for more details.
305 | 
306 |     You should have received a copy of the GNU General Public License along
307 |     with this program; if not, write to the Free Software Foundation, Inc.,
308 |     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309 | 
310 | Also add information on how to contact you by electronic and paper mail.
311 | 
312 | If the program is interactive, make it output a short notice like this
313 | when it starts in an interactive mode:
314 | 
315 |     Gnomovision version 69, Copyright (C) year name of author
316 |     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317 |     This is free software, and you are welcome to redistribute it
318 |     under certain conditions; type `show c' for details.
319 | 
320 | The hypothetical commands `show w' and `show c' should show the appropriate
321 | parts of the General Public License.  Of course, the commands you use may
322 | be called something other than `show w' and `show c'; they could even be
323 | mouse-clicks or menu items--whatever suits your program.
324 | 
325 | You should also get your employer (if you work as a programmer) or your
326 | school, if any, to sign a "copyright disclaimer" for the program, if
327 | necessary.  Here is a sample; alter the names:
328 | 
329 |   Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330 |   `Gnomovision' (which makes passes at compilers) written by James Hacker.
331 | 
332 |   {signature of Ty Coon}, 1 April 1989
333 |   Ty Coon, President of Vice
334 | 
335 | This General Public License does not permit incorporating your program into
336 | proprietary programs.  If your program is a subroutine library, you may
337 | consider it more useful to permit linking proprietary applications with the
338 | library.  If this is what you want to do, use the GNU Lesser General
339 | Public License instead of this License.
340 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # security-stories-nist800-53
 2 | 
 3 | A collection of security related user stories compatible with NIST Special Publication 800-53
 4 | 
 5 | # Motivation
 6 | 
 7 | It's hard to bake-in security and compliance into software projects when security and compliance are not part of the day to day agile work of software developers.
 8 | 
 9 | Now you can start every project with vetted, security-related user stories to make sure your IT system is built to be compliant.
10 | 
11 | Add these some or all of these stories to your agile backlog. Then add two or three to each sprint. As you build your system you will be making it secure, compliant, and your acceptance criteria will be evidence for your assessor!
12 | 
13 | You're security team will love you for treating them as a customer!
14 | 
15 | 
16 | # User Stories
17 | 
18 | As of March 2017, the list of user stories is still under development.
19 | 
20 | User stories are grouped by NIST SP 800-53 control family, system impact, and priority rating.
21 | 
22 | * [AC - Access Control Low Impact P-1](ac_low_impact_pri1.md)
23 | * [AT - Awareness and Training Low Impact P-1](at_low_impact_pri1.md)
24 | * [AU - Audit and Accountability Low Impact P-1](au_low_impact_pri1.md)
25 | * [AU - Audit and Accountability Low Impact P-3](au_low_impact_pri3.md)
26 | * [CM - Configuration Management Low Impact P-1](cm_low_impact_pri1.md)
27 | * [CP - Contigency Planning Low Impact P-1](cp_low_impact_pri1.md)
28 | * [IA - Identification and Authentication Low Impact P-1](ia_low_impact_pri1.md)
29 | * [PL - Planning Low Impact P-1](pl_low_impact_pri1.md)
30 | 
31 | 
32 | # Contributing
33 | 
34 | To contribute, fork the repository and make pull requests.
35 | 
36 | See `template.yaml` file for format and existing `YAML` files for reference examples.


--------------------------------------------------------------------------------
/ac_low_impact_pri1.md:
--------------------------------------------------------------------------------
  1 | # NIST 800-53 AC Low Impact Priority 1
  2 | 
  3 | This file is generated by a script. To modify, update source file [./ac_low_impact_pri1.yaml](./ac_low_impact_pri1.yaml).
  4 | 
  5 | ## As the CIO, I want to document and communicate our organization's approach to managing access control mechanisms in our IT systems.
  6 | 
  7 | *Why:*
  8 | 
  9 | Access control is central to security compliance, and maintaining sensible rules for what classes of users have access to what types of systems will ensure lasting security for organizational systems.
 10 | 
 11 | *How:*
 12 | * Define roles in addition to ISSO or ISSM that the access control policy is to be disseminated to. (State if there are no additional roles)
 13 | * Define roles in addition to ISSO or ISSM that the access control procedures are to be disseminated to. (State if there are no additional roles)
 14 | * Ensure that the access control policy and procedures are disseminated
 15 | * Define frequency at which to review and update the access control policy and procedures (Annually).
 16 | * Maintain audit trail of reviews and updates.
 17 | 
 18 | *Acceptance Criteria / Evidence:*
 19 | * List of personnel to whom access control policy and procedures are to be disseminated
 20 | * Access control policy
 21 | * Access control policy version update page
 22 | * Access control policy audit trail of reviews and updates
 23 | 
 24 | *Links:*
 25 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-1
 26 | 
 27 | *Labels:*
 28 | * AC
 29 | * AC-1
 30 | * security
 31 | * compliance
 32 | ## As the CIO, I want to ensure system accounts are identified, approved, assigned, monitored, and reviewed in accordance with organizational policy.
 33 | 
 34 | *Why:*
 35 | Having a robust process for the creation and review of IT system accounts ensures that users, and their privileges, are appropriately segmented in the organization.  
 36 | 
 37 | *How:* 
 38 | * Define types of accounts that exist within an organizational structure (eg. individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service).
 39 | * Nominate account managers for existing/future IT system accounts.
 40 | * Define conditions for group and role membership.
 41 | * Assign appropriate access and roles to existing accounts..
 42 | * Define roles to approve new IT system accounts.
 43 | * Manage existing and new accounts with defined policy (create, enable, modify, disable, and remove).
 44 | * Monitor account access across IT systems.
 45 | * Notify account managers when accounts are outdated, when users are no longer in the organization, or when system requirements change.
 46 | * Authorize access in accordance with authorization, intended use, and associated organizational goals.
 47 | * Review accounts at a defined frequency and evaluate compliance with account requirements.
 48 | * Define process for issuing group based credentials when individual accounts 
 49 | 
 50 | *Acceptance Criteria / Evidence:*
 51 | * List of types of accounts within an organization
 52 | * List of account managers for each IT system
 53 | * List of conditions for membership in each group and role
 54 | * Logs of the process in which existing accounts have been assigned roles
 55 | * List of personnel who approve new accounts for each system
 56 | * Logs of IT system account access
 57 | * Logs of communication with account managers when account roles and requirements change
 58 | * Logs of process to allow access or a new account to IT systems
 59 | * Logs of existing account review
 60 | * Documented process for re-issuance of group-based credentials upon member change
 61 | 
 62 | 
 63 | *Links:*
 64 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-2
 65 | 
 66 | *Labels:*
 67 | * AC
 68 | * AC-2
 69 | * security
 70 | * compliance
 71 | ## As the CIO, I want to not only enforce access control policies for IT systems, but also apply them to applications and services that exist on those systems.
 72 | 
 73 | *Why:*
 74 | Applications and services that run on IT systems present an equal, if not greater, danger to organizational security if left unexamined.
 75 | 
 76 | *How:* 
 77 | * Apply access control policies to applications and services that run on IT systems.
 78 | 
 79 | *Acceptance Criteria / Evidence:*
 80 | * Retain equivalent documentation of access control methods for individual applications that you do for IT systems themselves.  
 81 | 
 82 | 
 83 | *Links:*
 84 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-3
 85 | 
 86 | *Labels:*
 87 | * AC
 88 | * AC-3
 89 | * security
 90 | * compliance
 91 | ## As the CIO, I want to ensure that users are notified of privacy and security concerns when they are logging into or using U.S. Government systems.
 92 | 
 93 | *Why:*
 94 | Users interacting with U.S. Government systems should be aware of potential privacy and security concerns.
 95 | 
 96 | *How:* 
 97 | * Display in notice or banner that users are accessing a U.S. Government system
 98 | * Display in notice or banner that usage may be monitored, recorded, and subject to audit
 99 | * Display in notice or banner that unauthorized usage may incur civil and criminal charges
100 | * Display in notice or banner that system usage implies consent to these policies
101 | * If the system is publicly accessible, inform user of the acceptable uses and potential for monitoring, audits, etc. 
102 | * Display the notice or banner until the user acknowledges it
103 | 
104 | *Acceptance Criteria / Evidence:*
105 | * List of systems and their user privacy and security concerns
106 | * Notice or banner alerts user of relevant information
107 | * Notice or banner continues to display until user acknowledges it
108 | 
109 | *Links:*
110 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-8
111 | 
112 | *Labels:*
113 | * AC
114 | * AC-8
115 | * security
116 | * compliance
117 | ## As the CIO, I want to create guidelines for different types of remote connections to IT systems and authorize the granting of those connections.
118 | 
119 | *Why:*
120 | Different types of remote access present unique security concerns.  Documenting the individual requirements for each type, and ensuring that authorization is granted accordingly, is key in maintaining organizational security.
121 | 
122 | *How:* 
123 | * Define acceptable types of remote access
124 | * Define restriction, configuration and implementation details for each type of access
125 | * Authorize the granting of remote connection access
126 | 
127 | *Acceptance Criteria / Evidence:*
128 | * List of organization approved remote access types
129 | * Remote access policy
130 | * Remote access authorization policy
131 | 
132 | *Links:*
133 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-17
134 | 
135 | *Labels:*
136 | * AC
137 | * AC-17
138 | * security
139 | * compliance
140 | ## As the CIO, I want to create guidelines for wireless access to IT systems and authorize the granting of those connections.
141 | 
142 | *Why:*
143 | Wireless access to IT systems by definition can be intercepted, and as a result, present security concerns.  Documenting the requirements for wireless access, and ensuring that authorization is granted accordingly, is key in maintaining organizational security.
144 | 
145 | *How:* 
146 | * Define restriction, configuration and implementation details of wireless access
147 | * Authorize the granting of wireless access to IT systems
148 | 
149 | *Acceptance Criteria / Evidence:*
150 | * Wireless access policy
151 | * Wireless access authorization policy
152 | 
153 | *Links:*
154 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-18
155 | 
156 | *Labels:*
157 | * AC
158 | * AC-18
159 | * security
160 | * compliance
161 | ## As the CIO, I want to create guidelines for organizational mobile devices and authorize the connection of said mobile devices to IT systems.
162 | 
163 | *Why:*
164 | The distribution of mobile devices within an organization is increasingly common, and as such, having an organizational policy controlling how those devices are used, updated, authenticated and tracked is now a critical task. 
165 | 
166 | *How:* 
167 | * Define restriction, configuration, connection and implementation details for organization mobile devices
168 | * Policy points that may be considered:
169 |   * Acceptable types of mobile devices (embedded systems, smartphones, tablets)
170 |   * Acceptable software on mobile devices (Apple iOS, Android, Blackberry, Windows)
171 |   * Required security applications
172 |   * Integrity / version checks
173 | * Authorize the connection of mobile devices to IT systems
174 | 
175 | *Acceptance Criteria / Evidence:*
176 | * Mobile device policy
177 | * Mobile device connection authorization policy
178 | 
179 | *Links:*
180 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-19
181 | 
182 | *Labels:*
183 | * AC
184 | * AC-19
185 | * security
186 | * compliance
187 | ## As the CIO, I want to document terms and conditions regarding external access to IT systems and the use of external systems by our organization.
188 | 
189 | *Why:*
190 | External access to IT systems by contractors, other agencies, etc will inevitably be required in some situations and, similarly, organizational information will need to be dealt with on IT systems external to the organization.  Drafting policies governing these cases is a critical step in maintaining strong security.
191 | 
192 | *How:* 
193 | * Document terms and conditions regarding access from external systems/devices.  May include: 
194 |   * Personally owned systems/devices
195 |   * Contractor owned systems/devices
196 |   * Federal agency owned systems/devices
197 | * Document terms and conditions regarding the use of external systems/devices.  May include:
198 |   * Software/Platform as a service 
199 |   * Cloud-based hosting
200 | * Document agencies/entities that may be trusted without additional terms and conditions
201 | 
202 | *Acceptance Criteria / Evidence:*
203 | * External access policy
204 | * External systems policy
205 | * List of exempt agencies/entities (if any)
206 | 
207 | *Links:*
208 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-20
209 | 
210 | *Labels:*
211 | * AC
212 | * AC-20
213 | * security
214 | * compliance
215 | 


--------------------------------------------------------------------------------
/ac_low_impact_pri1.yaml:
--------------------------------------------------------------------------------
  1 | id: ac_low_impact_pri1
  2 | name: NIST 800-53 AC Low Impact Priority 1
  3 | milestone: Access Control
  4 | issues:
  5 |   - title: As the CIO, I want to document and communicate our organization's approach to managing access control mechanisms in our IT systems.
  6 | 
  7 |     body: |
  8 | 
  9 |       *Why:*
 10 | 
 11 |       Access control is central to security compliance, and maintaining sensible rules for what classes of users have access to what types of systems will ensure lasting security for organizational systems.
 12 | 
 13 |       *How:*
 14 |       * Define roles in addition to ISSO or ISSM that the access control policy is to be disseminated to. (State if there are no additional roles)
 15 |       * Define roles in addition to ISSO or ISSM that the access control procedures are to be disseminated to. (State if there are no additional roles)
 16 |       * Ensure that the access control policy and procedures are disseminated
 17 |       * Define frequency at which to review and update the access control policy and procedures (Annually).
 18 |       * Maintain audit trail of reviews and updates.
 19 | 
 20 |       *Acceptance Criteria / Evidence:*
 21 |       * List of personnel to whom access control policy and procedures are to be disseminated
 22 |       * Access control policy
 23 |       * Access control policy version update page
 24 |       * Access control policy audit trail of reviews and updates
 25 | 
 26 |       *Links:*
 27 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-1
 28 | 
 29 |     labels:
 30 |       - AC
 31 |       - AC-1
 32 |       - security
 33 |       - compliance
 34 | 
 35 |   - title: As the CIO, I want to ensure system accounts are identified, approved, assigned, monitored, and reviewed in accordance with organizational policy. 
 36 | 
 37 |     body: |
 38 | 
 39 |       *Why:*
 40 |       Having a robust process for the creation and review of IT system accounts ensures that users, and their privileges, are appropriately segmented in the organization.  
 41 | 
 42 |       *How:* 
 43 |       * Define types of accounts that exist within an organizational structure (eg. individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service).
 44 |       * Nominate account managers for existing/future IT system accounts.
 45 |       * Define conditions for group and role membership.
 46 |       * Assign appropriate access and roles to existing accounts..
 47 |       * Define roles to approve new IT system accounts.
 48 |       * Manage existing and new accounts with defined policy (create, enable, modify, disable, and remove).
 49 |       * Monitor account access across IT systems.
 50 |       * Notify account managers when accounts are outdated, when users are no longer in the organization, or when system requirements change.
 51 |       * Authorize access in accordance with authorization, intended use, and associated organizational goals.
 52 |       * Review accounts at a defined frequency and evaluate compliance with account requirements.
 53 |       * Define process for issuing group based credentials when individual accounts 
 54 | 
 55 |       *Acceptance Criteria / Evidence:*
 56 |       * List of types of accounts within an organization
 57 |       * List of account managers for each IT system
 58 |       * List of conditions for membership in each group and role
 59 |       * Logs of the process in which existing accounts have been assigned roles
 60 |       * List of personnel who approve new accounts for each system
 61 |       * Logs of IT system account access
 62 |       * Logs of communication with account managers when account roles and requirements change
 63 |       * Logs of process to allow access or a new account to IT systems
 64 |       * Logs of existing account review
 65 |       * Documented process for re-issuance of group-based credentials upon member change
 66 | 
 67 | 
 68 |       *Links:*
 69 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-2
 70 | 
 71 |     labels:
 72 |       - AC
 73 |       - AC-2
 74 |       - security
 75 |       - compliance
 76 | 
 77 |   - title: As the CIO, I want to not only enforce access control policies for IT systems, but also apply them to applications and services that exist on those systems. 
 78 | 
 79 |     body: |
 80 | 
 81 |       *Why:*
 82 |       Applications and services that run on IT systems present an equal, if not greater, danger to organizational security if left unexamined.
 83 | 
 84 |       *How:* 
 85 |       * Apply access control policies to applications and services that run on IT systems.
 86 | 
 87 |       *Acceptance Criteria / Evidence:*
 88 |       * Retain equivalent documentation of access control methods for individual applications that you do for IT systems themselves.  
 89 | 
 90 | 
 91 |       *Links:*
 92 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-3
 93 | 
 94 |     labels:
 95 |       - AC
 96 |       - AC-3
 97 |       - security
 98 |       - compliance
 99 | 
100 |   - title: As the CIO, I want to ensure that users are notified of privacy and security concerns when they are logging into or using U.S. Government systems. 
101 | 
102 |     body: |
103 | 
104 |       *Why:*
105 |       Users interacting with U.S. Government systems should be aware of potential privacy and security concerns.
106 | 
107 |       *How:* 
108 |       * Display in notice or banner that users are accessing a U.S. Government system
109 |       * Display in notice or banner that usage may be monitored, recorded, and subject to audit
110 |       * Display in notice or banner that unauthorized usage may incur civil and criminal charges
111 |       * Display in notice or banner that system usage implies consent to these policies
112 |       * If the system is publicly accessible, inform user of the acceptable uses and potential for monitoring, audits, etc. 
113 |       * Display the notice or banner until the user acknowledges it
114 | 
115 |       *Acceptance Criteria / Evidence:*
116 |       * List of systems and their user privacy and security concerns
117 |       * Notice or banner alerts user of relevant information
118 |       * Notice or banner continues to display until user acknowledges it
119 | 
120 |       *Links:*
121 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-8
122 | 
123 |     labels:
124 |       - AC
125 |       - AC-8
126 |       - security
127 |       - compliance
128 | 
129 |   - title: As the CIO, I want to create guidelines for different types of remote connections to IT systems and authorize the granting of those connections.
130 | 
131 |     body: |
132 | 
133 |       *Why:*
134 |       Different types of remote access present unique security concerns.  Documenting the individual requirements for each type, and ensuring that authorization is granted accordingly, is key in maintaining organizational security.
135 | 
136 |       *How:* 
137 |       * Define acceptable types of remote access
138 |       * Define restriction, configuration and implementation details for each type of access
139 |       * Authorize the granting of remote connection access
140 | 
141 |       *Acceptance Criteria / Evidence:*
142 |       * List of organization approved remote access types
143 |       * Remote access policy
144 |       * Remote access authorization policy
145 | 
146 |       *Links:*
147 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-17
148 | 
149 |     labels:
150 |       - AC
151 |       - AC-17
152 |       - security
153 |       - compliance
154 | 
155 |   - title: As the CIO, I want to create guidelines for wireless access to IT systems and authorize the granting of those connections.
156 | 
157 |     body: |
158 | 
159 |       *Why:*
160 |       Wireless access to IT systems by definition can be intercepted, and as a result, present security concerns.  Documenting the requirements for wireless access, and ensuring that authorization is granted accordingly, is key in maintaining organizational security.
161 | 
162 |       *How:* 
163 |       * Define restriction, configuration and implementation details of wireless access
164 |       * Authorize the granting of wireless access to IT systems
165 | 
166 |       *Acceptance Criteria / Evidence:*
167 |       * Wireless access policy
168 |       * Wireless access authorization policy
169 | 
170 |       *Links:*
171 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-18
172 | 
173 |     labels:
174 |       - AC
175 |       - AC-18
176 |       - security
177 |       - compliance
178 | 
179 |   - title: As the CIO, I want to create guidelines for organizational mobile devices and authorize the connection of said mobile devices to IT systems.
180 | 
181 |     body: |
182 | 
183 |       *Why:*
184 |       The distribution of mobile devices within an organization is increasingly common, and as such, having an organizational policy controlling how those devices are used, updated, authenticated and tracked is now a critical task. 
185 | 
186 |       *How:* 
187 |       * Define restriction, configuration, connection and implementation details for organization mobile devices
188 |       * Policy points that may be considered:
189 |         * Acceptable types of mobile devices (embedded systems, smartphones, tablets)
190 |         * Acceptable software on mobile devices (Apple iOS, Android, Blackberry, Windows)
191 |         * Required security applications
192 |         * Integrity / version checks
193 |       * Authorize the connection of mobile devices to IT systems
194 | 
195 |       *Acceptance Criteria / Evidence:*
196 |       * Mobile device policy
197 |       * Mobile device connection authorization policy
198 | 
199 |       *Links:*
200 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-19
201 | 
202 |     labels:
203 |       - AC
204 |       - AC-19
205 |       - security
206 |       - compliance
207 | 
208 |   - title: As the CIO, I want to document terms and conditions regarding external access to IT systems and the use of external systems by our organization.
209 | 
210 |     body: |
211 | 
212 |       *Why:*
213 |       External access to IT systems by contractors, other agencies, etc will inevitably be required in some situations and, similarly, organizational information will need to be dealt with on IT systems external to the organization.  Drafting policies governing these cases is a critical step in maintaining strong security.
214 | 
215 |       *How:* 
216 |       * Document terms and conditions regarding access from external systems/devices.  May include: 
217 |         * Personally owned systems/devices
218 |         * Contractor owned systems/devices
219 |         * Federal agency owned systems/devices
220 |       * Document terms and conditions regarding the use of external systems/devices.  May include:
221 |         * Software/Platform as a service 
222 |         * Cloud-based hosting
223 |       * Document agencies/entities that may be trusted without additional terms and conditions
224 | 
225 |       *Acceptance Criteria / Evidence:*
226 |       * External access policy
227 |       * External systems policy
228 |       * List of exempt agencies/entities (if any)
229 | 
230 |       *Links:*
231 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AC-20
232 | 
233 |     labels:
234 |       - AC
235 |       - AC-20
236 |       - security
237 |       - compliance


--------------------------------------------------------------------------------
/at_low_impact_pri1.md:
--------------------------------------------------------------------------------
 1 | # NIST 800-53 AT Low Impact Priority 1
 2 | 
 3 | This file is generated by a script. To modify, update source file [./at_low_impact_pri1.yaml](./at_low_impact_pri1.yaml).
 4 | 
 5 | ## As the CIO, I want to document and communicate our organization's security awareness and training policies and procedures.
 6 | 
 7 | *Why:*
 8 | To maintain compliance, it is essential to have an effective security training and awareness program, and upper-management must be aware of the program and involved its design.
 9 | 
10 | *How:* 
11 | * Define roles in addition to ISSO or ISSM that the security awareness and training policies is to be disseminated to. (State if there are no additional roles)
12 | * Ensure that the security awareness and training policies are disseminated
13 | * Define frequency at which to review and update the security awareness and training policies (Annually).
14 | 
15 | *Acceptance Criteria / Evidence:*
16 | * List of personnel to whom security awareness and training policies and procedures are to be disseminated
17 | * Security awareness and training policies and procedures
18 | * Security awareness and training policies and procedures update page
19 | * Security awareness and training policies and procedures audit trail of reviews and updates
20 | 
21 | *Links:*
22 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AT-1
23 | 
24 | *Labels:*
25 | * AT
26 | * AT-1
27 | * security
28 | * training
29 | * awareness
30 | ## As the CISO, I need to ensure that that an effective security awareness and training program is in place.
31 | 
32 | *Why:*
33 | Our security protocol is only as strong as the weakest link, and oftentimes the most effective security strategy begins with ensuring that all personnel are aware of the importance of taking IT security seriously.
34 | 
35 | 
36 | *How:* 
37 | * Create a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
38 | * Define the frequency with which the security training policy will be reviewed and updated.
39 | * Provide basic security awareness training to all IT system users:
40 |   * As part of the initial training for new users
41 |   * After IT system changes
42 |   * In regular frequencies
43 | * Trainings can include:
44 |   * Displaying posters
45 |   * Offering supplies inscribed with security reminders
46 |   * Sending emails from senior officials
47 |   * Displaying login screen messages
48 |   * Holding training and security awareness events
49 | * Conduct role-based training for users with additional privileges before authorizing additional access and in regular frequencies.
50 | 
51 | 
52 | *Acceptance Criteria / Evidence:*
53 | * Security awareness and training policy
54 | * Security training event curriculum
55 | * Additional security-related posters, supplies, and messages
56 | 
57 | 
58 | *Links:*
59 | * https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
60 | * http://iacis.org/iis/2010/410-416_LV2010_1363.pdf
61 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AT-2
62 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AT-3
63 | 
64 | *Labels:*
65 | * AT
66 | * AT-2
67 | * AT-3
68 | * training
69 | * awareness
70 | * security
71 | 


--------------------------------------------------------------------------------
/at_low_impact_pri1.yaml:
--------------------------------------------------------------------------------
 1 | id: at_low_impact_pri1
 2 | name: NIST 800-53 AT Low Impact Priority 1
 3 | milestone: Awareness and Training
 4 | issues:
 5 | 
 6 |   - title: As the CIO, I want to document and communicate our organization's security awareness and training policies and procedures.
 7 | 
 8 |     body: |
 9 | 
10 |       *Why:*
11 |       To maintain compliance, it is essential to have an effective security training and awareness program, and upper-management must be aware of the program and involved its design.
12 | 
13 |       *How:* 
14 |       * Define roles in addition to ISSO or ISSM that the security awareness and training policies is to be disseminated to. (State if there are no additional roles)
15 |       * Ensure that the security awareness and training policies are disseminated
16 |       * Define frequency at which to review and update the security awareness and training policies (Annually).
17 | 
18 |       *Acceptance Criteria / Evidence:*
19 |       * List of personnel to whom security awareness and training policies and procedures are to be disseminated
20 |       * Security awareness and training policies and procedures
21 |       * Security awareness and training policies and procedures update page
22 |       * Security awareness and training policies and procedures audit trail of reviews and updates
23 | 
24 |       *Links:*
25 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AT-1
26 | 
27 |     labels:
28 |       - AT
29 |       - AT-1
30 |       - security
31 |       - training
32 |       - awareness
33 | 
34 |   - title: As the CISO, I need to ensure that that an effective security awareness and training program is in place.
35 | 
36 |     body: |
37 | 
38 |       *Why:*
39 |       Our security protocol is only as strong as the weakest link, and oftentimes the most effective security strategy begins with ensuring that all personnel are aware of the importance of taking IT security seriously.
40 | 
41 | 
42 |       *How:* 
43 |       * Create a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
44 |       * Define the frequency with which the security training policy will be reviewed and updated.
45 |       * Provide basic security awareness training to all IT system users:
46 |         * As part of the initial training for new users
47 |         * After IT system changes
48 |         * In regular frequencies
49 |       * Trainings can include:
50 |         * Displaying posters
51 |         * Offering supplies inscribed with security reminders
52 |         * Sending emails from senior officials
53 |         * Displaying login screen messages
54 |         * Holding training and security awareness events
55 |       * Conduct role-based training for users with additional privileges before authorizing additional access and in regular frequencies.
56 | 
57 | 
58 |       *Acceptance Criteria / Evidence:*
59 |       * Security awareness and training policy
60 |       * Security training event curriculum
61 |       * Additional security-related posters, supplies, and messages
62 | 
63 | 
64 |       *Links:*
65 |       * https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf
66 |       * http://iacis.org/iis/2010/410-416_LV2010_1363.pdf
67 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AT-2
68 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AT-3
69 | 
70 |     labels:
71 |       - AT
72 |       - AT-2
73 |       - AT-3
74 |       - training
75 |       - awareness
76 |       - security
77 | 
78 | questions: []


--------------------------------------------------------------------------------
/au_low_impact_pri1.md:
--------------------------------------------------------------------------------
  1 | # NIST 800-53 AU Low Impact Priority 1
  2 | 
  3 | This file is generated by a script. To modify, update source file [./au_low_impact_pri1.yaml](./au_low_impact_pri1.yaml).
  4 | 
  5 | ## As the CIO, I want to document and communicate our organization's approach and priorities for having a reliable audit trail of transactions in our IT systems.
  6 | 
  7 | *Why:*
  8 | Logging various transactions in our IT systems is how we can later audit activity for things that went wrong and for malicious actions. Without audit trail we won't have a record of interactions with the system.
  9 | 
 10 | *How:* 
 11 | * Define roles in addition to ISSO or ISSM that the audit and accountability policy is to be disseminated to. (State if there are no additional roles)
 12 | * Define roles in addition to ISSO or ISSM that the audit and accountability procedures are to be disseminated to. (State if there are no additional roles)
 13 | * Ensure that the audit accountability policy and procedures are disseminated
 14 | * Define frequency at which to review and update the audit and accountability policy and procedures (Annually).
 15 | * Maintain audit trail of reviews and updates.
 16 | 
 17 | *Acceptance Criteria / Evidence:*
 18 | * List of personnel to whom accountability policy and procedures are to be disseminated
 19 | * Audit and accountability policy
 20 | * Audit and accountability policy version update page
 21 | * Audit and accountability policy audit trail of reviews and updates
 22 | 
 23 | *Links:*
 24 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-1
 25 | 
 26 | *Labels:*
 27 | * AU
 28 | * AU-1
 29 | * security
 30 | * compliance
 31 | ## As the CISO, I need to know that our there is a reliable systems for collecting audit trail information, and I need to periodically review these audit trails to ensure that the systems are working properly.
 32 | 
 33 | *Why:*
 34 | In the event of a security incidents, we need to be able to investigate the source and potential scope of the breach.
 35 | 
 36 | *How:* 
 37 | * Work across organizations to develop a list of audit events.  Examples include:
 38 |   * Password changes
 39 |   * Successful and unsuccessful login attempts
 40 |   * Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information
 41 |   * Administrative privilege usage or other system level access
 42 |   * Starting and ending time for user access to the system
 43 |   * Concurrent logins from different workstations
 44 |   * Account creations, modifications, disabling, and terminations
 45 |   * Kernel module load, unload, and restart
 46 |   * Third-party credential usage
 47 | * Define the frequency of (or situation requiring) auditing for each audit event.
 48 | * Develop a rationale for why the list of audit events is deemed to be adequate to support after-the-fact investigations of security incidents.
 49 | 
 50 | 
 51 | *Acceptance Criteria / Evidence:*
 52 | * List of audit events
 53 | * Frequency that each event will be audited to ensure data is being properly collected
 54 | * Rationale for why the list of audit events is complete
 55 | 
 56 | 
 57 | *Links:*
 58 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-2
 59 | 
 60 | *Labels:*
 61 | * AU
 62 | * AU-2
 63 | * security
 64 | * compliance
 65 | ## As the CISO, I need to know that our audit records are complete.
 66 | 
 67 | *Why:*
 68 | If our audit records do not contain all of the necessary content, we will not be able to properly investigate a potential breach.
 69 | 
 70 | *How:* 
 71 | * Review each audit trail record to ensure that it contains all necessary information.
 72 | 
 73 | *Acceptance Criteria / Evidence:*
 74 | * What type of event occurred
 75 | * When the event occurred
 76 | * Where the event occurred
 77 | * The source of the event
 78 | * The outcome of the event
 79 | * The identity of any individuals or subjects associated with the event
 80 | 
 81 | *Links:*
 82 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-3
 83 | 
 84 | *Labels:*
 85 | * AU
 86 | * AU-3
 87 | * security
 88 | * compliance
 89 | ## As the CIO, I want there to be sufficient server storage for audit records.
 90 | 
 91 | *Why:*
 92 | We don’t want to lose critical audit records because storage capacity was exceeded.
 93 | 
 94 | *How:* 
 95 | * Check organization Audit Policy for time range of audit records to be saved (e.g., 6 month, 1 year, etc.)
 96 | * Estimate the storage required for the information system to store the required time period of logs
 97 | * Allocate the storage for the logs. One strategy is to copy audit records from system to secondary storage system to avoid loss of critical information
 98 | * Set up a notification when maximum storage is approached (e.g., 80%)
 99 | 
100 | *Acceptance Criteria / Evidence:*
101 | * Copy of section of audit policy specifying audit retention requirements
102 | * Copy of section of STIG or SRG that indicates audit retention requirements
103 | * Demonstration of allocated storage (screenshot, service documentation, or configuration code
104 | * Demonstration of notification as max storage approached (screenshot or inspection)
105 | 
106 | *Links:*
107 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-4
108 | * http://800-53.govready.com/control?id=AU-4
109 | 
110 | *Labels:*
111 | * AU
112 | * AU-4
113 | * security
114 | * compliance
115 | ## As the CIO, I need my team alerted whenever the information system's logging subsystem fails so steps can be taken to avoid further loss of audit data.
116 | 
117 | *Why*
118 | We don’t want to lose critical audit records because of errors in the auditing system.
119 | 
120 | 
121 | *How*
122 | * Set up monitoring to detect issues with the audit system. Examples:
123 |   * Pingdom
124 |   * Amazon CloudWatch
125 |   * New Relic
126 | * A custom script monitoring updated timestamps
127 | * Decide who should receive alerts.
128 | * Determine an effective test frequency and alert method (text, email, Slack).
129 | * Check the audit system monitors every two months to ensure they are working properly.
130 | 
131 | *Acceptance Criteria / Evidence*
132 | * List of the people and method to alert when there are issues with the audit system.
133 | 
134 | *Links*
135 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-5
136 | 
137 | *Labels:*
138 | * AU
139 | * AU-5
140 | * security
141 | * compliance
142 | ## As the CISO, I need to review all log files regularly bi-weekly for unusual activities.
143 | 
144 | *Why:*
145 | We don’t want to lose critical audit records because of errors in the auditing system.
146 | 
147 | *How:* 
148 | * Determine what the important log files are (webserver error log, webserver access log, database access log, system error log) and where on the server they are located.
149 | * Decide which patterns we should be looking for: errors, suspicious access records, database access from an unexpected IP range.
150 | * Approve the workflow (who to contact and how to contact them) for reporting any abnormalities.
151 | 
152 | *Acceptance Criteria / Evidence:*
153 | * Copy of document listing log files and their locations.
154 | * List of known vulnerability patterns we looking for.
155 | * Document outlining workflow for reporting unusual activity.
156 | 
157 | *Links:*
158 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-6
159 | 
160 | *Labels:*
161 | * AU
162 | * AU-6
163 | * security
164 | * compliance
165 | ## As the CISO, I want transactions in logs to clearly use a UTC timestamps so data can be synchronized with less processing.
166 | *Why*
167 | Reports need to be timestamped with an universally understood format to assist in analysis of events and system/data recovery.
168 | When different logs use different timezones and/or non-standard formats, it is harder to collate and compare events across different logs.
169 | 
170 | *How*
171 | * Create organization standard for transaction record timestamp granularity of least 1 second
172 | * Create record timestamping mechanism that timestamps transactions with defined granularity in UTC or GMT
173 | * Timestamp with a system’s clock
174 | 
175 | *Acceptance Criteria / Evidence*
176 | * Excerpt from STIG or SRG in use that defines timestamp granularity standard
177 | * Show example of logged events are being timestamped or configuration that forces timestamps
178 | 
179 | *Links*
180 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-8
181 | 
182 | *Labels:*
183 | * AU
184 | * AU-8
185 | * security
186 | * compliance
187 | ## As the CISO, I want to prevent unauthorized access to logs and audit reports and the systems that create them.
188 | 
189 | *Why:*
190 | Audit information can contain system information that would be dangerous in the wrong hands.  By the same token, the systems that create reports could be manipulated by an unauthorized party to provide misleading information.
191 | 
192 | *How:* 
193 | * Determine list of privileged users that will have access to log generation, reduction reports and report-creating systems
194 | * Ensure log-related information are read-only and write-only to authorized users
195 | * Ensure report creation systems have permissions and or log-in credentials that bar access to unauthorized users
196 | 
197 | *Acceptance Criteria / Evidence:*
198 | * Provide list of privileged users with access to log generation, reduction reports and report-creating systems
199 | 
200 | *Links:*
201 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-9
202 | 
203 | *Labels:*
204 | * AU
205 | * AU-9
206 | * security
207 | * compliance
208 | ## As the developer, I want the components of the system to generate required logs with required content.
209 | 
210 | *Why:*
211 | The organization needs certain information for audit purposes
212 | 
213 | *How:* 
214 | * Check AU-2 for a list of auditable events and figure out which components provide the logs for those events
215 | * Work with security and business to confirm events and components
216 | * Check AU-3 for necessary log content and modify log templates and content accordingly
217 | 
218 | *Acceptance Criteria / Evidence:*
219 | * URL to audit and accountability policy
220 | * List of system components that generate logs and log retention
221 | * Excerpt from STIG or SRG in use that automatically sets or specifies log settings
222 | 
223 | *Links:*
224 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-12
225 | 
226 | *Labels:*
227 | * AU
228 | * AU-12
229 | * security
230 | * compliance
231 | 


--------------------------------------------------------------------------------
/au_low_impact_pri1.yaml:
--------------------------------------------------------------------------------
  1 | id: au_low_impact_pri1
  2 | name: NIST 800-53 AU Low Impact Priority 1
  3 | milestone: Audit and Accountability
  4 | issues:
  5 |   - title: As the CIO, I want to document and communicate our organization's approach and priorities for having a reliable audit trail of transactions in our IT systems.
  6 | 
  7 |     body: |
  8 | 
  9 |       *Why:*
 10 |       Logging various transactions in our IT systems is how we can later audit activity for things that went wrong and for malicious actions. Without audit trail we won't have a record of interactions with the system.
 11 | 
 12 |       *How:* 
 13 |       * Define roles in addition to ISSO or ISSM that the audit and accountability policy is to be disseminated to. (State if there are no additional roles)
 14 |       * Define roles in addition to ISSO or ISSM that the audit and accountability procedures are to be disseminated to. (State if there are no additional roles)
 15 |       * Ensure that the audit accountability policy and procedures are disseminated
 16 |       * Define frequency at which to review and update the audit and accountability policy and procedures (Annually).
 17 |       * Maintain audit trail of reviews and updates.
 18 | 
 19 |       *Acceptance Criteria / Evidence:*
 20 |       * List of personnel to whom accountability policy and procedures are to be disseminated
 21 |       * Audit and accountability policy
 22 |       * Audit and accountability policy version update page
 23 |       * Audit and accountability policy audit trail of reviews and updates
 24 | 
 25 |       *Links:*
 26 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-1
 27 | 
 28 |     labels:
 29 |       - AU
 30 |       - AU-1
 31 |       - security
 32 |       - compliance
 33 | 
 34 |   - title: As the CISO, I need to know that our there is a reliable systems for collecting audit trail information, and I need to periodically review these audit trails to ensure that the systems are working properly.
 35 | 
 36 |     body: |
 37 | 
 38 |       *Why:*
 39 |       In the event of a security incidents, we need to be able to investigate the source and potential scope of the breach.
 40 | 
 41 |       *How:* 
 42 |       * Work across organizations to develop a list of audit events.  Examples include:
 43 |         * Password changes
 44 |         * Successful and unsuccessful login attempts
 45 |         * Successful and unsuccessful attempts to access, modify, or delete privileges, security objects, security levels, or categories of information
 46 |         * Administrative privilege usage or other system level access
 47 |         * Starting and ending time for user access to the system
 48 |         * Concurrent logins from different workstations
 49 |         * Account creations, modifications, disabling, and terminations
 50 |         * Kernel module load, unload, and restart
 51 |         * Third-party credential usage
 52 |       * Define the frequency of (or situation requiring) auditing for each audit event.
 53 |       * Develop a rationale for why the list of audit events is deemed to be adequate to support after-the-fact investigations of security incidents.
 54 | 
 55 | 
 56 |       *Acceptance Criteria / Evidence:*
 57 |       * List of audit events
 58 |       * Frequency that each event will be audited to ensure data is being properly collected
 59 |       * Rationale for why the list of audit events is complete
 60 | 
 61 | 
 62 |       *Links:*
 63 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-2
 64 | 
 65 |     labels:
 66 |       - AU
 67 |       - AU-2
 68 |       - security
 69 |       - compliance
 70 | 
 71 |   - title: As the CISO, I need to know that our audit records are complete.
 72 | 
 73 |     body: |
 74 | 
 75 |       *Why:*
 76 |       If our audit records do not contain all of the necessary content, we will not be able to properly investigate a potential breach.
 77 | 
 78 |       *How:* 
 79 |       * Review each audit trail record to ensure that it contains all necessary information.
 80 | 
 81 |       *Acceptance Criteria / Evidence:*
 82 |       * What type of event occurred
 83 |       * When the event occurred
 84 |       * Where the event occurred
 85 |       * The source of the event
 86 |       * The outcome of the event
 87 |       * The identity of any individuals or subjects associated with the event
 88 | 
 89 |       *Links:*
 90 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-3
 91 | 
 92 |     labels:
 93 |       - AU
 94 |       - AU-3
 95 |       - security
 96 |       - compliance
 97 | 
 98 |   - title: As the CIO, I want there to be sufficient server storage for audit records.
 99 | 
100 |     body: |
101 | 
102 |       *Why:*
103 |       We don’t want to lose critical audit records because storage capacity was exceeded.
104 | 
105 |       *How:* 
106 |       * Check organization Audit Policy for time range of audit records to be saved (e.g., 6 month, 1 year, etc.)
107 |       * Estimate the storage required for the information system to store the required time period of logs
108 |       * Allocate the storage for the logs. One strategy is to copy audit records from system to secondary storage system to avoid loss of critical information
109 |       * Set up a notification when maximum storage is approached (e.g., 80%)
110 | 
111 |       *Acceptance Criteria / Evidence:*
112 |       * Copy of section of audit policy specifying audit retention requirements
113 |       * Copy of section of STIG or SRG that indicates audit retention requirements
114 |       * Demonstration of allocated storage (screenshot, service documentation, or configuration code
115 |       * Demonstration of notification as max storage approached (screenshot or inspection)
116 | 
117 |       *Links:*
118 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-4
119 |       * http://800-53.govready.com/control?id=AU-4
120 | 
121 |     labels:
122 |       - AU
123 |       - AU-4
124 |       - security
125 |       - compliance
126 | 
127 |   - title: As the CIO, I need my team alerted whenever the information system's logging subsystem fails so steps can be taken to avoid further loss of audit data.
128 |     body: |
129 | 
130 |       *Why*
131 |       We don’t want to lose critical audit records because of errors in the auditing system.
132 | 
133 | 
134 |       *How*
135 |       * Set up monitoring to detect issues with the audit system. Examples:
136 |         * Pingdom
137 |         * Amazon CloudWatch
138 |         * New Relic
139 |       * A custom script monitoring updated timestamps
140 |       * Decide who should receive alerts.
141 |       * Determine an effective test frequency and alert method (text, email, Slack).
142 |       * Check the audit system monitors every two months to ensure they are working properly.
143 | 
144 |       *Acceptance Criteria / Evidence*
145 |       * List of the people and method to alert when there are issues with the audit system.
146 | 
147 |       *Links*
148 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-5
149 | 
150 |     labels:
151 |       - AU
152 |       - AU-5
153 |       - security
154 |       - compliance
155 | 
156 |   - title: As the CISO, I need to review all log files regularly bi-weekly for unusual activities.
157 | 
158 |     body: |
159 | 
160 |       *Why:*
161 |       We don’t want to lose critical audit records because of errors in the auditing system.
162 | 
163 |       *How:* 
164 |       * Determine what the important log files are (webserver error log, webserver access log, database access log, system error log) and where on the server they are located.
165 |       * Decide which patterns we should be looking for: errors, suspicious access records, database access from an unexpected IP range.
166 |       * Approve the workflow (who to contact and how to contact them) for reporting any abnormalities.
167 | 
168 |       *Acceptance Criteria / Evidence:*
169 |       * Copy of document listing log files and their locations.
170 |       * List of known vulnerability patterns we looking for.
171 |       * Document outlining workflow for reporting unusual activity.
172 | 
173 |       *Links:*
174 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-6
175 | 
176 |     labels:
177 |       - AU
178 |       - AU-6
179 |       - security
180 |       - compliance
181 | 
182 |   - title: As the CISO, I want transactions in logs to clearly use a UTC timestamps so data can be synchronized with less processing.
183 | 
184 |     body: |
185 |       *Why*
186 |       Reports need to be timestamped with an universally understood format to assist in analysis of events and system/data recovery.
187 |       When different logs use different timezones and/or non-standard formats, it is harder to collate and compare events across different logs.
188 | 
189 |       *How*
190 |       * Create organization standard for transaction record timestamp granularity of least 1 second
191 |       * Create record timestamping mechanism that timestamps transactions with defined granularity in UTC or GMT
192 |       * Timestamp with a system’s clock
193 | 
194 |       *Acceptance Criteria / Evidence*
195 |       * Excerpt from STIG or SRG in use that defines timestamp granularity standard
196 |       * Show example of logged events are being timestamped or configuration that forces timestamps
197 | 
198 |       *Links*
199 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-8
200 | 
201 |     labels:
202 |       - AU
203 |       - AU-8
204 |       - security
205 |       - compliance
206 | 
207 |   - title: As the CISO, I want to prevent unauthorized access to logs and audit reports and the systems that create them.
208 | 
209 |     body: |
210 | 
211 |       *Why:*
212 |       Audit information can contain system information that would be dangerous in the wrong hands.  By the same token, the systems that create reports could be manipulated by an unauthorized party to provide misleading information.
213 | 
214 |       *How:* 
215 |       * Determine list of privileged users that will have access to log generation, reduction reports and report-creating systems
216 |       * Ensure log-related information are read-only and write-only to authorized users
217 |       * Ensure report creation systems have permissions and or log-in credentials that bar access to unauthorized users
218 | 
219 |       *Acceptance Criteria / Evidence:*
220 |       * Provide list of privileged users with access to log generation, reduction reports and report-creating systems
221 | 
222 |       *Links:*
223 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-9
224 | 
225 |     labels:
226 |       - AU
227 |       - AU-9
228 |       - security
229 |       - compliance
230 | 
231 |   - title: As the developer, I want the components of the system to generate required logs with required content.
232 | 
233 |     body: |
234 | 
235 |       *Why:*
236 |       The organization needs certain information for audit purposes
237 | 
238 |       *How:* 
239 |       * Check AU-2 for a list of auditable events and figure out which components provide the logs for those events
240 |       * Work with security and business to confirm events and components
241 |       * Check AU-3 for necessary log content and modify log templates and content accordingly
242 | 
243 |       *Acceptance Criteria / Evidence:*
244 |       * URL to audit and accountability policy
245 |       * List of system components that generate logs and log retention
246 |       * Excerpt from STIG or SRG in use that automatically sets or specifies log settings
247 | 
248 |       *Links:*
249 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-12
250 | 
251 |     labels:
252 |       - AU
253 |       - AU-12
254 |       - security
255 |       - compliance
256 | 


--------------------------------------------------------------------------------
/au_low_impact_pri3.md:
--------------------------------------------------------------------------------
 1 | # NIST 800-53 AU Low Impact Priority 3
 2 | 
 3 | This file is generated by a script. To modify, update source file [./au_low_impact_pri3.yaml](./au_low_impact_pri3.yaml).
 4 | 
 5 | ## As the CISO, I want to retain log files long enough to investigate security incidents that happened weeks or months ago.
 6 | 
 7 | *Why*
 8 | We may not learn of a penetration or security incident when it happens. Also, there may be regulatory requirements for retaining audit records.
 9 | 
10 | *How*
11 | Determine the official retention periods for different types of audit records (e.g., check organization policy and pertinent regulations)
12 | Make sure system is configured to either not delete log files too soon, or logs are transferred to a service or separate storage for retention
13 | 
14 | *Acceptance Criteria / Evidence*
15 | * Excerpt of audit and accountability policy specifying retention periods of audit logs
16 | * Copy of an after action report which includes audit log information
17 | * Excerpt from STIG or SRG in use that automatically sets or specifies audit retention periods
18 | 
19 | *Links*
20 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-11
21 | 
22 | *Labels:*
23 | * AU
24 | * AU-11
25 | * security
26 | * compliance
27 | 


--------------------------------------------------------------------------------
/au_low_impact_pri3.yaml:
--------------------------------------------------------------------------------
 1 | id: au_low_impact_pri3
 2 | name: NIST 800-53 AU Low Impact Priority 3
 3 | milestone: Audit and Accountability
 4 | issues:
 5 |   - title: As the CISO, I want to retain log files long enough to investigate security incidents that happened weeks or months ago.
 6 | 
 7 |     body: |
 8 | 
 9 |       *Why*
10 |       We may not learn of a penetration or security incident when it happens. Also, there may be regulatory requirements for retaining audit records.
11 | 
12 |       *How*
13 |       Determine the official retention periods for different types of audit records (e.g., check organization policy and pertinent regulations)
14 |       Make sure system is configured to either not delete log files too soon, or logs are transferred to a service or separate storage for retention
15 | 
16 |       *Acceptance Criteria / Evidence*
17 |       * Excerpt of audit and accountability policy specifying retention periods of audit logs
18 |       * Copy of an after action report which includes audit log information
19 |       * Excerpt from STIG or SRG in use that automatically sets or specifies audit retention periods
20 | 
21 |       *Links*
22 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-11
23 | 
24 |     labels:
25 |       - AU
26 |       - AU-11
27 |       - security
28 |       - compliance
29 | 
30 | 


--------------------------------------------------------------------------------
/cm_low_impact_pri1.md:
--------------------------------------------------------------------------------
  1 | # NIST 800-53 CM Low Impact Priority 1
  2 | 
  3 | This file is generated by a script. To modify, update source file [./cm_low_impact_pri1.yaml](./cm_low_impact_pri1.yaml).
  4 | 
  5 | ## As the CIO, I want to document and communicate our configuration management policy.
  6 | 
  7 | *Why:*
  8 | How we configure our systems oftentimes determines how secure the system will be. Ensuring that we have a well-constructed, properly disseminated configuration management policy will help ensure that are systems are built and maintained securely.
  9 | 
 10 | *How:* 
 11 | * Define roles in addition to ISSO or ISSM that the configuration management policy is to be disseminated to. (State if there are no additional roles)
 12 | * Define roles in addition to ISSO or ISSM that the configuration management procedures are to be disseminated to. (State if there are no additional roles)
 13 | * Ensure that the configuration management policy and procedures are disseminated
 14 | * Define frequency at which to review and update the configuration management policy and procedures (Annually).
 15 | * Maintain audit trail of reviews and updates.
 16 | 
 17 | *Acceptance Criteria / Evidence:*
 18 | * List of personnel to whom configuration management policy and procedures are to be disseminated
 19 | * Access control policy
 20 | * Access control policy version update page
 21 | * Access control policy audit trail of reviews and updates
 22 | 
 23 | *Links:*
 24 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-1
 25 | 
 26 | *Labels:*
 27 | * CM
 28 | * CM-1
 29 | * security
 30 | * configuration
 31 | ## As the CISO, I want to ensure that our IT system configuration settings are the most restrictive possible that meets our functionality requirements.
 32 | 
 33 | *Why:*
 34 | Establishing and maintaining a standard set of locked-down configurations is the most effective way to avoid security breaches.  Documenting the configuration settings is essential for personnel changes and can help us spot overlooked issues.  Sharing the documentation further helps us catch security holes.
 35 | 
 36 | *How:* 
 37 | * Develop and formally review a baseline configuration that can serve as a basis for future builds (CM-2).
 38 | * Establish and document the configuration used for all products used by the IT system. This configuration should provide only essential capabilities, and should restrict access to unused functions, ports and protocols (CM-7).
 39 | * Identify and document deviations from the established configuration settings.
 40 | * Monitor and control changes to the configuration settings.
 41 | 
 42 | *Acceptance Criteria / Evidence:*
 43 | * Baseline configuration
 44 | * Configuration documentation for all products used by the IT system, including:
 45 |   * Standard software packages installed on workstations, notebooks, mobile devices, and servers
 46 |   * Current version numbers and patch information for the OS and applications
 47 |   * Configuration settings/parameters
 48 |   * Network arrangement
 49 | * Deviations from the established configuration settings
 50 | * Frequency with which the configuration settings will be reviewed.
 51 | 
 52 | *Links:*
 53 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2
 54 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6
 55 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-7
 56 | 
 57 | *Labels:*
 58 | * CM
 59 | * CM-2
 60 | * CM-6
 61 | * CM-7
 62 | * security
 63 | * configuration
 64 | * baseline
 65 | ## As the Developer, I need to ensure that I am configuring my systems in a manner that is compliant with my organization's access control policy.
 66 | 
 67 | *Why:*
 68 | The security of my application and related systems is paramount to my project's success.
 69 | 
 70 | *How:* 
 71 |   * Build all systems from my organization's baseline configuration (CM-2).
 72 |   * Document all configuration settings and deviations from the established configuration settings.  The configuration should provide only essential capabilities, and should restrict access to unused functions, ports and protocols (CM-7).
 73 |   * Monitor and control changes to the configuration settings.
 74 |   
 75 | *Acceptance Criteria / Evidence:*
 76 |   * Document the system's security configuration, including: 
 77 |     * Steps to install the application
 78 |     * Steps to run the application
 79 |     * Steps to test the application
 80 |     * The use of the baseline configuration
 81 |     * All deviations from the established configuration settings
 82 | 
 83 | *Links:*
 84 |   * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2
 85 |   * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6
 86 |   * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-7
 87 | 
 88 | *Labels:*
 89 | * CM
 90 | * CM-2
 91 | * CM-6
 92 | * CM-7
 93 | * security
 94 | * configuration
 95 | * baseline
 96 | * developer
 97 | ## As the CISO, I want to maintain a centralized inventory of IT system components such as hardware, software licenses, and their respective owners.
 98 | 
 99 | *Why:*
100 | Maintaining an inventory helps ensure that components are up-to-date and helps in addressing security vulnerability alerts.
101 | 
102 | *How:* 
103 | * Determine the necessary information to collect.
104 | * Collect an initial inventory of IT system components.
105 | * Review the inventory in a predetermined frequency.
106 | 
107 | *Acceptance Criteria / Evidence:*
108 | * Inventory specifications. Examples:
109 |   * Manufacturer
110 |   * Device type
111 |   * Model
112 |   * Serial number 
113 |   * Physical location
114 |   * Personnel responsible
115 | * Frequency that inventory will be reviewed
116 | * Inventory of components, including:
117 |   * Hardware
118 |   * Software license information
119 |   * Software version numbers
120 |   * Machine names and network addresses for networked components or devices
121 | 
122 | *Links:*
123 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-8
124 | 
125 | *Labels:*
126 | * CM
127 | * CM-8
128 | * security
129 | * inventory
130 | ## As the CISO, I need to ensure that we are not opening ourselves up to security vulnerabilities with the software individual personal install on their systems.
131 | 
132 | *Why:*
133 | Oftentimes employees are unaware of the potential security risks of installing third party software packages, or are in such need to a specific feature that they quickly install a package without properly evaluating its security ramifications.  
134 | 
135 | *How:* 
136 | * Establish permitted and prohibited actions regarding software installation. Permitted actions may include:
137 |   * Updates and security patches to existing software
138 |   * Downloading applications from organization-approved app stores
139 | Example prohibited actions:
140 |   * Software with unknown or suspect pedigrees
141 |   * Software that organizations consider potentially malicious.
142 | * Enforce the software installation policies.
143 | * Frequently monitor the policies to ensure compliance.
144 | 
145 | *Acceptance Criteria / Evidence:*
146 | * Software installation policy
147 | * Software policy enforcement plan
148 | * Frequency with with the software policy will be monitored
149 | 
150 | *Links:*
151 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-11
152 | 
153 | *Labels:*
154 | * CM
155 | * CM-11
156 | * security
157 | * software
158 | * policy
159 | ## As an employee, I need to ensure that my personal devices are secure.
160 | 
161 | *Why:*
162 | I need to ensure that it is impossible for outsiders to gain access to sensitive or confidential information on my personal computer or mobile devices, especially in the case that one of these devices is lost.
163 | 
164 | *How:* 
165 | * Follow the organization's guidelines on permitted and prohibited actions regarding software installation.
166 | * Frequently monitor all local devices using organization-approved guidelines and scanners.
167 | 
168 | *Acceptance Criteria / Evidence:*
169 | * Properly configure all computers and devices
170 | * Log of security scanners running on all devices
171 | 
172 | *Links:*
173 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-11
174 | 
175 | *Labels:*
176 | * CM
177 | * CM-11
178 | * security
179 | * software
180 | * policy
181 | * developer
182 | 


--------------------------------------------------------------------------------
/cm_low_impact_pri1.yaml:
--------------------------------------------------------------------------------
  1 | id: cm_low_impact_pri1
  2 | name: NIST 800-53 CM Low Impact Priority 1
  3 | milestone: Configuration Management
  4 | issues:
  5 | 
  6 |   - title: As the CIO, I want to document and communicate our configuration management policy.
  7 | 
  8 |     body: |
  9 | 
 10 |       *Why:*
 11 |       How we configure our systems oftentimes determines how secure the system will be. Ensuring that we have a well-constructed, properly disseminated configuration management policy will help ensure that are systems are built and maintained securely.
 12 | 
 13 |       *How:* 
 14 |       * Define roles in addition to ISSO or ISSM that the configuration management policy is to be disseminated to. (State if there are no additional roles)
 15 |       * Define roles in addition to ISSO or ISSM that the configuration management procedures are to be disseminated to. (State if there are no additional roles)
 16 |       * Ensure that the configuration management policy and procedures are disseminated
 17 |       * Define frequency at which to review and update the configuration management policy and procedures (Annually).
 18 |       * Maintain audit trail of reviews and updates.
 19 | 
 20 |       *Acceptance Criteria / Evidence:*
 21 |       * List of personnel to whom configuration management policy and procedures are to be disseminated
 22 |       * Access control policy
 23 |       * Access control policy version update page
 24 |       * Access control policy audit trail of reviews and updates
 25 | 
 26 |       *Links:*
 27 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-1
 28 | 
 29 |     labels:
 30 |       - CM
 31 |       - CM-1
 32 |       - security
 33 |       - configuration
 34 | 
 35 |   - title: As the CISO, I want to ensure that our IT system configuration settings are the most restrictive possible that meets our functionality requirements.
 36 | 
 37 |     body: |
 38 | 
 39 |       *Why:*
 40 |       Establishing and maintaining a standard set of locked-down configurations is the most effective way to avoid security breaches.  Documenting the configuration settings is essential for personnel changes and can help us spot overlooked issues.  Sharing the documentation further helps us catch security holes.
 41 | 
 42 |       *How:* 
 43 |       * Develop and formally review a baseline configuration that can serve as a basis for future builds (CM-2).
 44 |       * Establish and document the configuration used for all products used by the IT system. This configuration should provide only essential capabilities, and should restrict access to unused functions, ports and protocols (CM-7).
 45 |       * Identify and document deviations from the established configuration settings.
 46 |       * Monitor and control changes to the configuration settings.
 47 | 
 48 |       *Acceptance Criteria / Evidence:*
 49 |       * Baseline configuration
 50 |       * Configuration documentation for all products used by the IT system, including:
 51 |         * Standard software packages installed on workstations, notebooks, mobile devices, and servers
 52 |         * Current version numbers and patch information for the OS and applications
 53 |         * Configuration settings/parameters
 54 |         * Network arrangement
 55 |       * Deviations from the established configuration settings
 56 |       * Frequency with which the configuration settings will be reviewed.
 57 | 
 58 |       *Links:*
 59 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2
 60 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6
 61 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-7
 62 | 
 63 |     labels:
 64 |       - CM
 65 |       - CM-2
 66 |       - CM-6
 67 |       - CM-7
 68 |       - security
 69 |       - configuration
 70 |       - baseline
 71 | 
 72 |   - title: As the Developer, I need to ensure that I am configuring my systems in a manner that is compliant with my organization's access control policy. 
 73 | 
 74 |     body: |
 75 | 
 76 |       *Why:*
 77 |       The security of my application and related systems is paramount to my project's success.
 78 | 
 79 |       *How:* 
 80 |         * Build all systems from my organization's baseline configuration (CM-2).
 81 |         * Document all configuration settings and deviations from the established configuration settings.  The configuration should provide only essential capabilities, and should restrict access to unused functions, ports and protocols (CM-7).
 82 |         * Monitor and control changes to the configuration settings.
 83 |         
 84 |       *Acceptance Criteria / Evidence:*
 85 |         * Document the system's security configuration, including: 
 86 |           * Steps to install the application
 87 |           * Steps to run the application
 88 |           * Steps to test the application
 89 |           * The use of the baseline configuration
 90 |           * All deviations from the established configuration settings
 91 | 
 92 |       *Links:*
 93 |         * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-2
 94 |         * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-6
 95 |         * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-7
 96 | 
 97 |     labels:
 98 |       - CM
 99 |       - CM-2
100 |       - CM-6
101 |       - CM-7
102 |       - security
103 |       - configuration
104 |       - baseline
105 |       - developer
106 | 
107 |   - title: As the CISO, I want to maintain a centralized inventory of IT system components such as hardware, software licenses, and their respective owners.
108 | 
109 |     body: |
110 | 
111 |       *Why:*
112 |       Maintaining an inventory helps ensure that components are up-to-date and helps in addressing security vulnerability alerts.
113 | 
114 |       *How:* 
115 |       * Determine the necessary information to collect.
116 |       * Collect an initial inventory of IT system components.
117 |       * Review the inventory in a predetermined frequency.
118 | 
119 |       *Acceptance Criteria / Evidence:*
120 |       * Inventory specifications. Examples:
121 |         * Manufacturer
122 |         * Device type
123 |         * Model
124 |         * Serial number 
125 |         * Physical location
126 |         * Personnel responsible
127 |       * Frequency that inventory will be reviewed
128 |       * Inventory of components, including:
129 |         * Hardware
130 |         * Software license information
131 |         * Software version numbers
132 |         * Machine names and network addresses for networked components or devices
133 | 
134 |       *Links:*
135 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-8
136 | 
137 |     labels:
138 |       - CM
139 |       - CM-8
140 |       - security
141 |       - inventory
142 | 
143 |   - title: As the CISO, I need to ensure that we are not opening ourselves up to security vulnerabilities with the software individual personal install on their systems.
144 | 
145 |     body: |
146 | 
147 |       *Why:*
148 |       Oftentimes employees are unaware of the potential security risks of installing third party software packages, or are in such need to a specific feature that they quickly install a package without properly evaluating its security ramifications.  
149 | 
150 |       *How:* 
151 |       * Establish permitted and prohibited actions regarding software installation. Permitted actions may include:
152 |         * Updates and security patches to existing software
153 |         * Downloading applications from organization-approved app stores
154 |       Example prohibited actions:
155 |         * Software with unknown or suspect pedigrees
156 |         * Software that organizations consider potentially malicious.
157 |       * Enforce the software installation policies.
158 |       * Frequently monitor the policies to ensure compliance.
159 | 
160 |       *Acceptance Criteria / Evidence:*
161 |       * Software installation policy
162 |       * Software policy enforcement plan
163 |       * Frequency with with the software policy will be monitored
164 | 
165 |       *Links:*
166 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-11
167 | 
168 |     labels:
169 |       - CM
170 |       - CM-11
171 |       - security
172 |       - software
173 |       - policy
174 | 
175 |   - title: As an employee, I need to ensure that my personal devices are secure.
176 | 
177 |     body: |
178 | 
179 |       *Why:*
180 |       I need to ensure that it is impossible for outsiders to gain access to sensitive or confidential information on my personal computer or mobile devices, especially in the case that one of these devices is lost.
181 | 
182 |       *How:* 
183 |       * Follow the organization's guidelines on permitted and prohibited actions regarding software installation.
184 |       * Frequently monitor all local devices using organization-approved guidelines and scanners.
185 | 
186 |       *Acceptance Criteria / Evidence:*
187 |       * Properly configure all computers and devices
188 |       * Log of security scanners running on all devices
189 | 
190 |       *Links:*
191 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CM-11
192 | 
193 |     labels:
194 |       - CM
195 |       - CM-11
196 |       - security
197 |       - software
198 |       - policy
199 |       - developer
200 | questions: []
201 | 
202 | 
203 | 


--------------------------------------------------------------------------------
/cp_low_impact_pri1.md:
--------------------------------------------------------------------------------
  1 | # NIST 800-53 CP Low Impact Priority 1
  2 | 
  3 | This file is generated by a script. To modify, update source file [./cp_low_impact_pri1.yaml](./cp_low_impact_pri1.yaml).
  4 | 
  5 | ## As the CIO, I want to document and communicate our organization's approach to contingency planning and process for our IT systems.
  6 | 
  7 | *Why:*
  8 | Plans for system compromise or failure is the first bastion of defense against catastrophe in IT systems. 
  9 | 
 10 | *How:* 
 11 | * Define roles in addition to ISSO or ISSM that the contingency planning policy is to be disseminated to. (State if there are no additional roles)
 12 | * Define roles in addition to ISSO or ISSM that the contingency planningprocedures are to be disseminated to. (State if there are no additional roles)
 13 | * Ensure that the contingency planning policy and procedures are disseminated
 14 | * Define frequency at which to review and update the contingency planning policy and procedures (Annually).
 15 | * Maintain audit trail of reviews and updates.
 16 | 
 17 | *Acceptance Criteria / Evidence:*
 18 | * List of personnel to whom contingency planning policy and procedures are to be disseminated
 19 | * Contingency planning policy
 20 | * Contingency planning policy version update page
 21 | * Contingency planning policy audit trail of reviews and updates
 22 | 
 23 | 
 24 | *Links:*
 25 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-1
 26 | 
 27 | *Labels:*
 28 | * CP
 29 | * CP-1
 30 | * security
 31 | * compliance
 32 | ## As the CIO, I want to ensure each IT system is covered by a contingency plan.
 33 | 
 34 | *Why:*
 35 | Having a robust contingency plan in the event of system compromise or failure helps ensure limited damage to, or suspension of, organizational processes.  
 36 | 
 37 | *How:* 
 38 | * Define essential missions and functions for each IT system
 39 | * Identify recovery objectives, restoration priorities, and metrics for each IT system
 40 | * Define and assign roles and responsibilities, with contact information, for each IT system
 41 | * Identify strategies for how each IT system’s core mission may be continued in the case of compromise or failure.  For example:
 42 |   * orderly/graceful degradation
 43 |   * information system shutdown
 44 |   * fallback to a manual mode
 45 |   * alternate information flows
 46 |   * operating in modes reserved for when systems are under attack
 47 | * Catalog a path from incident to the full restoration of functionality for each IT system, whilst maintaining planned safeguards
 48 | * Distribute copies of the relevant contingency policy to those responsible for its implementation and oversight
 49 | * Coordinate the implementation of the policy by those handling incident response
 50 | * Review each IT system’s contingency plan at a defined frequency, and update the policy if required by new information or organizational goals 
 51 | * Alert stakeholders of IT system contingency policy changes
 52 | * Protect the contingency plan from unauthorized changes or access
 53 | 
 54 | *Acceptance Criteria / Evidence:*
 55 | * Contingency plan for each IT system that:
 56 |   * Lists essential missions and functions
 57 |   * Lists recovery objectives and priorities
 58 |   * Contains roles and responsibilities that are assigned with contact information
 59 |   * Lists strategies for the continued running or functionality under duress
 60 |   * Lists steps for the full restoration of functionality
 61 | * Logs of the contingency plan distribution to IT system stakeholders
 62 | * Defined frequency for review of IT system contingency plan
 63 | * Logs of the review of IT system contingency plan
 64 | * Logs of communication for IT system contingency plan updates
 65 | * Documented approach for the protection of contingency plan from unauthorized access
 66 | 
 67 | *Links:*
 68 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-2
 69 | 
 70 | *Labels:*
 71 | * CP
 72 | * CP-2
 73 | * security
 74 | * compliance
 75 | ## As developer, I want to stay appraised of the contingency plan for an IT system I work on.
 76 | 
 77 | *Why:*
 78 | Contingency plans for IT system compromise or failure only are effective so far as they can be implemented, and as such, each stakeholder should be aware of the tasks they are responsible for.  
 79 | 
 80 | *How:* 
 81 | * Know is responsible for the restoration of IT system components in case of incident
 82 | * Stay apprised of updates to the contingency plan for a IT system I work on
 83 | * Keep relevant individual updated with contact information changes and personal availability
 84 | 
 85 | *Links:*
 86 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-2
 87 | 
 88 | *Labels:*
 89 | * CP
 90 | * CP-2
 91 | * security
 92 | * compliance
 93 | * developer
 94 | ## As the CIO, I want to ensure backups of IT user-level and system-level data are being being created and stored for each IT system.
 95 | 
 96 | *Why:*
 97 | Proper backup policy is a core component of contingency response, and the only real guard against data loss.
 98 | 
 99 | *How:* 
100 | * Develop system, and frequency, for the routine backup of system-level information for each IT system.  May include:
101 |   * System-state information
102 |   * Operating system and application software
103 |   * Licenses
104 | * Develop system, and frequency, for the routine backup of user-level information for each IT system.  Includes:
105 |   * Any critical information not covered by system level backups
106 | * Develop system, and frequency, for the routine backup of technical documentation for each IT system
107 | * Employ measures for the confidentiality, integrity, and availability of backup information. For example:
108 |   * Digital signatures
109 |   * Cryptographic hashes
110 | 
111 | *Acceptance Criteria / Evidence:*
112 | * Backup policy and frequency for each IT system
113 | * Documented security approach for backup information in storage
114 | 
115 | *Links:*
116 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-9
117 | 
118 | *Labels:*
119 | * CP
120 | * CP-9
121 | * security
122 | * compliance
123 | ## As a developer, I want to monitor that IT system backups are being created without issue.
124 | 
125 | *Why:*
126 | Proper backup policy is a core component of contingency response, and the only real guard against data loss.
127 | 
128 | *How:* 
129 | * Monitor system logs for errors that indicate system backups are failing or incomplete
130 | * Alert appropriate individuals of changes in an IT system or application that may require additional information backups
131 | 
132 | *Links:*
133 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-9
134 | 
135 | *Labels:*
136 | * CP
137 | * CP-9
138 | * security
139 | * compliance
140 | * developer
141 | ## As the CIO, I want to ensure IT systems are recovered are reconstituted to a known state after a disruption, compromise, or failure
142 | 
143 | *Why:*
144 | IT system resiliency is only as effective as the recovery process implementation after an incident.
145 | 
146 | *How:* 
147 | * After an IT system incident, recover an IT system to core missions/business functions.  May include:
148 |   * Contacting stakeholders
149 |   * Taking systems offline and restarting them
150 |   * Analyzing logs for the system
151 |   * Restoring backups
152 | * Following IT system recovery, reconstitute the IT system.  This may include:
153 |   * Deactivation of any interim information system capabilities from recovery
154 |   * Assessments of fully restored information system capabilities
155 |   * Reestablishment of continuous monitoring activities
156 |   * Potential information system reauthorizations
157 | * Investigate strategies to prepare the IT system against future disruptions, compromises, or failures
158 | 
159 | *Acceptance Criteria / Evidence:*
160 | * Logs of system incident communication
161 | * Documented reconstitution activities
162 | * List of strategies for future IT system hardening
163 | 
164 | *Links:*
165 | https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-10
166 | 
167 | *Labels:*
168 | * CP
169 | * CP-10
170 | * security
171 | * compliance
172 | 


--------------------------------------------------------------------------------
/cp_low_impact_pri1.yaml:
--------------------------------------------------------------------------------
  1 | id: cp_low_impact_pri1
  2 | name: NIST 800-53 CP Low Impact Priority 1
  3 | milestone: Contingency Planning Policy and Procedures
  4 | issues:
  5 | 
  6 |   - title: As the CIO, I want to document and communicate our organization's approach to contingency planning and process for our IT systems.
  7 | 
  8 |     body: |
  9 | 
 10 |       *Why:*
 11 |       Plans for system compromise or failure is the first bastion of defense against catastrophe in IT systems. 
 12 | 
 13 |       *How:* 
 14 |       * Define roles in addition to ISSO or ISSM that the contingency planning policy is to be disseminated to. (State if there are no additional roles)
 15 |       * Define roles in addition to ISSO or ISSM that the contingency planningprocedures are to be disseminated to. (State if there are no additional roles)
 16 |       * Ensure that the contingency planning policy and procedures are disseminated
 17 |       * Define frequency at which to review and update the contingency planning policy and procedures (Annually).
 18 |       * Maintain audit trail of reviews and updates.
 19 | 
 20 |       *Acceptance Criteria / Evidence:*
 21 |       * List of personnel to whom contingency planning policy and procedures are to be disseminated
 22 |       * Contingency planning policy
 23 |       * Contingency planning policy version update page
 24 |       * Contingency planning policy audit trail of reviews and updates
 25 | 
 26 | 
 27 |       *Links:*
 28 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-1
 29 | 
 30 |     labels:
 31 |       - CP
 32 |       - CP-1
 33 |       - security
 34 |       - compliance
 35 | 
 36 |   - title: As the CIO, I want to ensure each IT system is covered by a contingency plan.
 37 | 
 38 |     body: |
 39 | 
 40 |       *Why:*
 41 |       Having a robust contingency plan in the event of system compromise or failure helps ensure limited damage to, or suspension of, organizational processes.  
 42 | 
 43 |       *How:* 
 44 |       * Define essential missions and functions for each IT system
 45 |       * Identify recovery objectives, restoration priorities, and metrics for each IT system
 46 |       * Define and assign roles and responsibilities, with contact information, for each IT system
 47 |       * Identify strategies for how each IT system’s core mission may be continued in the case of compromise or failure.  For example:
 48 |         * orderly/graceful degradation
 49 |         * information system shutdown
 50 |         * fallback to a manual mode
 51 |         * alternate information flows
 52 |         * operating in modes reserved for when systems are under attack
 53 |       * Catalog a path from incident to the full restoration of functionality for each IT system, whilst maintaining planned safeguards
 54 |       * Distribute copies of the relevant contingency policy to those responsible for its implementation and oversight
 55 |       * Coordinate the implementation of the policy by those handling incident response
 56 |       * Review each IT system’s contingency plan at a defined frequency, and update the policy if required by new information or organizational goals 
 57 |       * Alert stakeholders of IT system contingency policy changes
 58 |       * Protect the contingency plan from unauthorized changes or access
 59 | 
 60 |       *Acceptance Criteria / Evidence:*
 61 |       * Contingency plan for each IT system that:
 62 |         * Lists essential missions and functions
 63 |         * Lists recovery objectives and priorities
 64 |         * Contains roles and responsibilities that are assigned with contact information
 65 |         * Lists strategies for the continued running or functionality under duress
 66 |         * Lists steps for the full restoration of functionality
 67 |       * Logs of the contingency plan distribution to IT system stakeholders
 68 |       * Defined frequency for review of IT system contingency plan
 69 |       * Logs of the review of IT system contingency plan
 70 |       * Logs of communication for IT system contingency plan updates
 71 |       * Documented approach for the protection of contingency plan from unauthorized access
 72 | 
 73 |       *Links:*
 74 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-2
 75 | 
 76 |     labels:
 77 |       - CP
 78 |       - CP-2
 79 |       - security
 80 |       - compliance
 81 | 
 82 |   - title: As developer, I want to stay appraised of the contingency plan for an IT system I work on.
 83 | 
 84 |     body: |
 85 | 
 86 |       *Why:*
 87 |       Contingency plans for IT system compromise or failure only are effective so far as they can be implemented, and as such, each stakeholder should be aware of the tasks they are responsible for.  
 88 | 
 89 |       *How:* 
 90 |       * Know is responsible for the restoration of IT system components in case of incident
 91 |       * Stay apprised of updates to the contingency plan for a IT system I work on
 92 |       * Keep relevant individual updated with contact information changes and personal availability
 93 | 
 94 |       *Links:*
 95 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-2
 96 | 
 97 |     labels:
 98 |       - CP
 99 |       - CP-2
100 |       - security
101 |       - compliance
102 |       - developer
103 | 
104 |   - title: As the CIO, I want to ensure backups of IT user-level and system-level data are being being created and stored for each IT system.
105 | 
106 |     body: |
107 | 
108 |       *Why:*
109 |       Proper backup policy is a core component of contingency response, and the only real guard against data loss.
110 | 
111 |       *How:* 
112 |       * Develop system, and frequency, for the routine backup of system-level information for each IT system.  May include:
113 |         * System-state information
114 |         * Operating system and application software
115 |         * Licenses
116 |       * Develop system, and frequency, for the routine backup of user-level information for each IT system.  Includes:
117 |         * Any critical information not covered by system level backups
118 |       * Develop system, and frequency, for the routine backup of technical documentation for each IT system
119 |       * Employ measures for the confidentiality, integrity, and availability of backup information. For example:
120 |         * Digital signatures
121 |         * Cryptographic hashes
122 | 
123 |       *Acceptance Criteria / Evidence:*
124 |       * Backup policy and frequency for each IT system
125 |       * Documented security approach for backup information in storage
126 | 
127 |       *Links:*
128 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-9
129 | 
130 |     labels:
131 |       - CP
132 |       - CP-9
133 |       - security
134 |       - compliance
135 | 
136 |   - title: As a developer, I want to monitor that IT system backups are being created without issue.
137 | 
138 |     body: |
139 | 
140 |       *Why:*
141 |       Proper backup policy is a core component of contingency response, and the only real guard against data loss.
142 | 
143 |       *How:* 
144 |       * Monitor system logs for errors that indicate system backups are failing or incomplete
145 |       * Alert appropriate individuals of changes in an IT system or application that may require additional information backups
146 | 
147 |       *Links:*
148 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-9
149 | 
150 |     labels:
151 |       - CP
152 |       - CP-9
153 |       - security
154 |       - compliance
155 |       - developer
156 | 
157 |   - title: As the CIO, I want to ensure IT systems are recovered are reconstituted to a known state after a disruption, compromise, or failure
158 | 
159 |     body: |
160 | 
161 |       *Why:*
162 |       IT system resiliency is only as effective as the recovery process implementation after an incident.
163 | 
164 |       *How:* 
165 |       * After an IT system incident, recover an IT system to core missions/business functions.  May include:
166 |         * Contacting stakeholders
167 |         * Taking systems offline and restarting them
168 |         * Analyzing logs for the system
169 |         * Restoring backups
170 |       * Following IT system recovery, reconstitute the IT system.  This may include:
171 |         * Deactivation of any interim information system capabilities from recovery
172 |         * Assessments of fully restored information system capabilities
173 |         * Reestablishment of continuous monitoring activities
174 |         * Potential information system reauthorizations
175 |       * Investigate strategies to prepare the IT system against future disruptions, compromises, or failures
176 | 
177 |       *Acceptance Criteria / Evidence:*
178 |       * Logs of system incident communication
179 |       * Documented reconstitution activities
180 |       * List of strategies for future IT system hardening
181 | 
182 |       *Links:*
183 |       https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CP-10
184 | 
185 |     labels:
186 |       - CP
187 |       - CP-10
188 |       - security
189 |       - compliance
190 | 


--------------------------------------------------------------------------------
/ia_low_impact_pri1.md:
--------------------------------------------------------------------------------
  1 | # NIST 800-53 IA Low Impact Priority 1
  2 | 
  3 | This file is generated by a script. To modify, update source file [./ia_low_impact_pri1.yaml](./ia_low_impact_pri1.yaml).
  4 | 
  5 | ## As the CIO, I want to document and communicate our organization's identification and authentication policy.
  6 | 
  7 | *Why:*
  8 | Defining and properly-sharing an identification and authentication policy is essential to ensuring that privileged information remains secure.
  9 | 
 10 | 
 11 | *How:* 
 12 | * Define roles in addition to ISSO or ISSM that the identification and authentication policy is to be disseminated to. (State if there are no additional roles)
 13 | * Ensure that the identification and authentication policy and procedures are disseminated
 14 | * Define frequency at which to review and update the identification and authentication policy and procedures (Annually).
 15 | * Maintain audit trail of reviews and updates.
 16 | 
 17 | 
 18 | *Acceptance Criteria / Evidence:*
 19 | * List of personnel to whom identification and authentication policy and procedures are to be disseminated
 20 | * Authentication policy
 21 | * Authentication policy version update page
 22 | * Authentication policy audit trail of reviews and updates
 23 | 
 24 | 
 25 | *Links:*
 26 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-1
 27 | ## As the CISO, I need to ensure that accounts for all employees, contractors, guest researchers, etc are properly secured.
 28 | 
 29 | *Why:*
 30 | To prevent unwanted access to secure data, we need to ensure that all network and local access to privileged accounts are secure.
 31 | 
 32 | 
 33 | *How:* 
 34 | * Use multifactor authentication for all employee-level accounts.
 35 | * If this is a federal agency, use inter-operable credentials that comply with HSPD-12 and FIPS-201.
 36 | 
 37 | 
 38 | 
 39 | *Acceptance Criteria / Evidence:*
 40 | * Documentation of multifactor authentication system in organization's identification and authentication policy.
 41 | * Proof of HSPD-12 compliance.
 42 | 
 43 | 
 44 | *Links:*
 45 | * [HSPD-12 program](https://cio.gov/protect/identity-management-hspd-12/)
 46 | * [Federal Identity Resources](https://www.idmanagement.gov/IDM/s/)
 47 | * [FIPS-201 WikiPedia article](https://en.wikipedia.org/wiki/FIPS_201)
 48 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-2
 49 | 
 50 | *Labels:*
 51 | * IA
 52 | * IA-2
 53 | * security
 54 | * accounts
 55 | ## As the CISO, I want to ensure that all employee-level account creations and configuration is done according to an approved workflow.
 56 | 
 57 | *Why:*
 58 | To prevent unwanted access to secure data, we need to ensure that all network and local access to privileged accounts are secure.
 59 | 
 60 | *How:* 
 61 | * Define an employee registration process that requires:
 62 |   * Unique personal identifiers that are applied to specific devices or roles
 63 |   * Supervisor authorization
 64 |   * Multiple forms of certification of individual identification be presented to the registration authority
 65 |   * Periodic (monthly) review and disabling of inactive accounts
 66 | * Define an employee registration authority that:
 67 |   * Follows the registration process
 68 |   * Co-ordinates with external organizations for cross-organization management of identifiers
 69 | * Define and enforce a password policy (IA-5):
 70 |   * Minimum password complexity (length, minimum number of upper/lowercase/number/special characters)
 71 |   * Unique passwords with at least x characters changed when new passwords are created
 72 |   * Encrypt all passwords for transmission and storage using a cryptographic module that meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication (IA-7)
 73 |   * Minimum and maximum password lifetime
 74 |   * Use temporary passwords that can be immediately changed to a permanent password for password resets.
 75 | 
 76 | *Acceptance Criteria / Evidence:*
 77 | * Documented registration process are part of the organization's identification and authentication policy.
 78 | * A role within the organization's IT operations that will act as the organization's registration authority.
 79 | * Password policy included in the organization's identification and authentication policy
 80 | 
 81 | *Links:*
 82 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-4
 83 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-6
 84 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-7
 85 | 
 86 | *Labels:*
 87 | * IA
 88 | * IA-4
 89 | * IA-5
 90 | * IA-7
 91 | * security
 92 | * accounts
 93 | ## As the CISO of a federal agency, I need to ensure that all non-employee access follows federal guidelines.
 94 | 
 95 | *Why:*
 96 | All outside access, 3rd party integrations, or API connects to our organization's IT systems need to be secure to ensure the safety of privileged information.
 97 | 
 98 | *How:* 
 99 | * Accept and electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.
100 | * Only use FICAM-approved third-party credentials.
101 | 
102 | 
103 | *Acceptance Criteria / Evidence:*
104 | * Non-employee access guidelines are part of the organization's identification and authentication policy
105 | * Docuentation of all third-party credentials and proof of FICAM approval.
106 | 
107 | *Links:*
108 | * [FICAM Guidance](http://info.idmanagement.gov/2012/04/federation-ficam-and-guidance.html)
109 | * [List of FICAM TFS Approved Identity Services](https://www.idmanagement.gov/IDM/s/article_detail?link=approved-identity-services)
110 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-8
111 | 
112 | *Labels:*
113 | * IA
114 | * IA-8
115 | * federal
116 | * security
117 | * accounts
118 | 


--------------------------------------------------------------------------------
/ia_low_impact_pri1.yaml:
--------------------------------------------------------------------------------
  1 | id: ia_low_impact_pri1
  2 | name: NIST 800-53 IA Low Impact Priority 1
  3 | milestone: identification and authentication policy and Procedures
  4 | issues:
  5 | 
  6 |   - title: As the CIO, I want to document and communicate our organization's identification and authentication policy.
  7 | 
  8 |     body: |
  9 | 
 10 |       *Why:*
 11 |       Defining and properly-sharing an identification and authentication policy is essential to ensuring that privileged information remains secure.
 12 | 
 13 | 
 14 |       *How:* 
 15 |       * Define roles in addition to ISSO or ISSM that the identification and authentication policy is to be disseminated to. (State if there are no additional roles)
 16 |       * Ensure that the identification and authentication policy and procedures are disseminated
 17 |       * Define frequency at which to review and update the identification and authentication policy and procedures (Annually).
 18 |       * Maintain audit trail of reviews and updates.
 19 | 
 20 | 
 21 |       *Acceptance Criteria / Evidence:*
 22 |       * List of personnel to whom identification and authentication policy and procedures are to be disseminated
 23 |       * Authentication policy
 24 |       * Authentication policy version update page
 25 |       * Authentication policy audit trail of reviews and updates
 26 | 
 27 | 
 28 |       *Links:*
 29 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-1
 30 | 
 31 |   - title: As the CISO, I need to ensure that accounts for all employees, contractors, guest researchers, etc are properly secured.
 32 | 
 33 |     body: |
 34 | 
 35 |       *Why:*
 36 |       To prevent unwanted access to secure data, we need to ensure that all network and local access to privileged accounts are secure.
 37 | 
 38 | 
 39 |       *How:* 
 40 |       * Use multifactor authentication for all employee-level accounts.
 41 |       * If this is a federal agency, use inter-operable credentials that comply with HSPD-12 and FIPS-201.
 42 | 
 43 | 
 44 | 
 45 |       *Acceptance Criteria / Evidence:*
 46 |       * Documentation of multifactor authentication system in organization's identification and authentication policy.
 47 |       * Proof of HSPD-12 compliance.
 48 | 
 49 | 
 50 |       *Links:*
 51 |       * [HSPD-12 program](https://cio.gov/protect/identity-management-hspd-12/)
 52 |       * [Federal Identity Resources](https://www.idmanagement.gov/IDM/s/)
 53 |       * [FIPS-201 WikiPedia article](https://en.wikipedia.org/wiki/FIPS_201)
 54 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-2
 55 | 
 56 |     labels:
 57 |       - IA
 58 |       - IA-2
 59 |       - security
 60 |       - accounts
 61 | 
 62 |   - title: As the CISO, I want to ensure that all employee-level account creations and configuration is done according to an approved workflow.
 63 | 
 64 |     body: |
 65 | 
 66 |       *Why:*
 67 |       To prevent unwanted access to secure data, we need to ensure that all network and local access to privileged accounts are secure.
 68 | 
 69 |       *How:* 
 70 |       * Define an employee registration process that requires:
 71 |         * Unique personal identifiers that are applied to specific devices or roles
 72 |         * Supervisor authorization
 73 |         * Multiple forms of certification of individual identification be presented to the registration authority
 74 |         * Periodic (monthly) review and disabling of inactive accounts
 75 |       * Define an employee registration authority that:
 76 |         * Follows the registration process
 77 |         * Co-ordinates with external organizations for cross-organization management of identifiers
 78 |       * Define and enforce a password policy (IA-5):
 79 |         * Minimum password complexity (length, minimum number of upper/lowercase/number/special characters)
 80 |         * Unique passwords with at least x characters changed when new passwords are created
 81 |         * Encrypt all passwords for transmission and storage using a cryptographic module that meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication (IA-7)
 82 |         * Minimum and maximum password lifetime
 83 |         * Use temporary passwords that can be immediately changed to a permanent password for password resets.
 84 | 
 85 |       *Acceptance Criteria / Evidence:*
 86 |       * Documented registration process are part of the organization's identification and authentication policy.
 87 |       * A role within the organization's IT operations that will act as the organization's registration authority.
 88 |       * Password policy included in the organization's identification and authentication policy
 89 | 
 90 |       *Links:*
 91 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-4
 92 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-6
 93 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-7
 94 | 
 95 |     labels:
 96 |       - IA
 97 |       - IA-4
 98 |       - IA-5
 99 |       - IA-7
100 |       - security
101 |       - accounts
102 | 
103 |   - title: As the CISO of a federal agency, I need to ensure that all non-employee access follows federal guidelines.
104 | 
105 |     body: |
106 | 
107 |       *Why:*
108 |       All outside access, 3rd party integrations, or API connects to our organization's IT systems need to be secure to ensure the safety of privileged information.
109 | 
110 |       *How:* 
111 |       * Accept and electronically verify Personal Identity Verification (PIV) credentials from other federal agencies.
112 |       * Only use FICAM-approved third-party credentials.
113 |     
114 | 
115 |       *Acceptance Criteria / Evidence:*
116 |       * Non-employee access guidelines are part of the organization's identification and authentication policy
117 |       * Docuentation of all third-party credentials and proof of FICAM approval.
118 | 
119 |       *Links:*
120 |       * [FICAM Guidance](http://info.idmanagement.gov/2012/04/federation-ficam-and-guidance.html)
121 |       * [List of FICAM TFS Approved Identity Services](https://www.idmanagement.gov/IDM/s/article_detail?link=approved-identity-services)
122 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=IA-8
123 | 
124 |     labels:
125 |       - IA
126 |       - IA-8
127 |       - federal
128 |       - security
129 |       - accounts
130 | 


--------------------------------------------------------------------------------
/makemd.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | # -*- coding: utf-8 -*-
  3 | """Make markdown file versions of issue-pack user story files
  4 | 
  5 | LICENSE
  6 | 
  7 | ComplianceLib SystemCompliance is a class for representing compliance as code for an information system.
  8 | Copyright (C) 2016  GovReady PBC.
  9 | 
 10 | This program is free software: you can redistribute it and/or modify
 11 | it under the terms of the GNU General Public License as published by
 12 | the Free Software Foundation, either version 3 of the License, or
 13 | (at your option) any later version.
 14 | 
 15 | This program is distributed in the hope that it will be useful,
 16 | but WITHOUT ANY WARRANTY; without even the implied warranty of
 17 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 18 | GNU General Public License for more details.
 19 | 
 20 | You should have received a copy of the GNU General Public License
 21 | along with this program.  If not, see <http://www.gnu.org/licenses/>.
 22 | 
 23 | 
 24 | Example python CLI
 25 | ------------------
 26 | 
 27 | python makemd.py
 28 | 
 29 | 
 30 | """
 31 | 
 32 | __author__ = "Greg Elin (gregelin@govready.com)"
 33 | __version__ = "$Revision: 0.1.0 $"
 34 | __date__ = "$Date: 2017/03/14 20:13:00 $"
 35 | __copyright__ = "Copyright (c) 2017 GovReady PBC"
 36 | __license__ = "GNU General Public License v3 (GPLv3)"
 37 | 
 38 | import os
 39 | import json
 40 | import yaml
 41 | import re
 42 | import sys
 43 | import glob
 44 | 
 45 | if sys.version_info >= (3, 0):
 46 |     from urllib.parse import urlparse
 47 |     from urllib.request import urlopen
 48 | if sys.version_info < (3, 0) and sys.version_info >= (2, 5):
 49 |     from urlparse import urlparse
 50 |     from urllib2 import urlopen
 51 | 
 52 | print ("Generating markdown files from source Issue Pack YAML files")
 53 | 
 54 | # read all yaml files
 55 | path = "./"
 56 | 
 57 | # for each yaml file
 58 | for yaml_file in glob.glob( os.path.join(path, '*.yaml') ):
 59 | 
 60 |     # ignore template.yaml
 61 |     if yaml_file == "{}template.yaml".format(path):
 62 |         continue
 63 | 
 64 |     # log file working on
 65 |     print("processing {}".format(yaml_file.strip(".yaml")))
 66 | 
 67 |     # read yaml file
 68 |     yaml_stories = yaml.load(open(yaml_file,"r"))
 69 | 
 70 |     # start document with name of issue pack
 71 |     md_text = "# {}\n\n".format(yaml_stories['name'])
 72 | 
 73 |     # append reminder this file is generated by a script and not to edit
 74 |     md_text += "This file is generated by a script. To modify, update source file [{}]({}).\n\n".format(yaml_file, yaml_file)
 75 | 
 76 |     # for each story in yaml file
 77 |     for issue in yaml_stories['issues']:
 78 | 
 79 |         # append title as markdown to md_text
 80 |         # print(issue['title'][0:30])
 81 |         md_text += "## {}\n".format(issue['title'])
 82 | 
 83 |         # append body as markdown to md_text
 84 |         # print(issue['body'][0:30])
 85 |         md_text += "{}".format(issue['body'].encode('utf-8','ignore'))
 86 | 
 87 |         # append labels
 88 |         if 'labels' in issue:
 89 |             md_text += "\n*Labels:*\n"
 90 |             for label in issue['labels']:
 91 |                 md_text += "* {}\n".format(label.encode('utf-8','ignore'))
 92 | 
 93 |     # write md_text to file
 94 |     with open("{}{}.md".format(path, yaml_file.strip(".yaml")), "w") as md_file:
 95 |         md_file.write(md_text)
 96 | 
 97 | print("Whew! Done")
 98 | 
 99 | 
100 | 
101 | 
102 | 
103 | 


--------------------------------------------------------------------------------
/pl_low_impact_pri1.md:
--------------------------------------------------------------------------------
 1 | # NIST 800-53 PL Low Impact Priority 1
 2 | 
 3 | This file is generated by a script. To modify, update source file [./pl_low_impact_pri1.yaml](./pl_low_impact_pri1.yaml).
 4 | 
 5 | ## As the CIO, I want to document and communicate our organization's security plan and define assessment procedures.
 6 | 
 7 | *Why:*
 8 | We need to ensure that all relevant policies are conversant in our security plan to maintain compliance.
 9 | 
10 | 
11 | *How:* 
12 | * Define roles in addition to ISSO or ISSM that the security plan is to be disseminated to. (State if there are no additional roles)
13 | * Define roles in addition to ISSO or ISSM that the security assessment procedures are to be disseminated to. (State if there are no additional roles)
14 | * Ensure that the security plan and assessment procedures are disseminated.
15 | * Define frequency at which to assess and update the security plan (Annually).
16 | * Maintain audit trail of reviews and updates.
17 | 
18 | 
19 | *Acceptance Criteria / Evidence:*
20 | * List of personnel to whom the security plan is to be disseminated
21 | * Security plan
22 | * Security plan version update page
23 | * Security plan audit trail of reviews and updates
24 | 
25 | 
26 | *Links:*
27 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PL-1
28 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CA-1
29 | 
30 | *Labels:*
31 | * PL
32 | * CA
33 | * PL-1
34 | * CA-1
35 | * security
36 | * planning
37 | * assessment
38 | * dissemination
39 | ## As the CIO, I want to document and communicate our organization's security plan and define assessment procedures.
40 | 
41 | *Why:*
42 | A complete and coherent security plan is essential to share with new employees, outside organizations, or security auditors.
43 | 
44 | 
45 | *How:* 
46 | * Create a security plan that:
47 |   * Is consistent with the organization's enterprise architecture
48 |   * Explicitly defines the authorization boundary for the system
49 |   * Describes the operational context of the system in terms of missions and business processes
50 |   * Provides the security categorization of the system including supporting rationale
51 |   * Describes the operational environment for the system and relationships with or connections to other systems
52 |   * Provides an overview of the security requirements for the system
53 |   * Identifies any relevant overlays, if applicable
54 |   * Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions
55 |   * Uses and documents Interconnection Security Agreements for system interconnections (CA-3)
56 | * Have plan approved by the authorizing official prior to implementation.
57 | * Frequently review security plan, including system interconnections.
58 | 
59 | 
60 | *Acceptance Criteria / Evidence:*
61 | * Security plan
62 | * Security approval documentation
63 | * Secuirty plan audit log
64 | 
65 | 
66 | *Links:*
67 | * [NIST Special Publication 800-18](http://csrc.nist.gov/publications/PubsSPs.html#800-18)
68 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PL-2
69 | * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CA-3
70 | 
71 | *Labels:*
72 | * PL
73 | * CA
74 | * PL-2
75 | * CA-3
76 | * security
77 | * planning
78 | * assessment
79 | 


--------------------------------------------------------------------------------
/pl_low_impact_pri1.yaml:
--------------------------------------------------------------------------------
 1 | id: pl_low_impact_pri1
 2 | name: NIST 800-53 PL Low Impact Priority 1
 3 | milestone: Security Plan, Assessment and Authorization
 4 | issues:
 5 | 
 6 |   - title: As the CIO, I want to document and communicate our organization's security plan and define assessment procedures.
 7 | 
 8 |     body: |
 9 | 
10 |       *Why:*
11 |       We need to ensure that all relevant policies are conversant in our security plan to maintain compliance.
12 | 
13 | 
14 |       *How:* 
15 |       * Define roles in addition to ISSO or ISSM that the security plan is to be disseminated to. (State if there are no additional roles)
16 |       * Define roles in addition to ISSO or ISSM that the security assessment procedures are to be disseminated to. (State if there are no additional roles)
17 |       * Ensure that the security plan and assessment procedures are disseminated.
18 |       * Define frequency at which to assess and update the security plan (Annually).
19 |       * Maintain audit trail of reviews and updates.
20 | 
21 | 
22 |       *Acceptance Criteria / Evidence:*
23 |       * List of personnel to whom the security plan is to be disseminated
24 |       * Security plan
25 |       * Security plan version update page
26 |       * Security plan audit trail of reviews and updates
27 | 
28 | 
29 |       *Links:*
30 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PL-1
31 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CA-1
32 | 
33 | 
34 |     labels:
35 |       - PL
36 |       - CA
37 |       - PL-1
38 |       - CA-1
39 |       - security
40 |       - planning
41 |       - assessment
42 |       - dissemination
43 | 
44 |   - title: As the CIO, I want to document and communicate our organization's security plan and define assessment procedures.
45 | 
46 |     body: |
47 | 
48 |       *Why:*
49 |       A complete and coherent security plan is essential to share with new employees, outside organizations, or security auditors.
50 | 
51 | 
52 |       *How:* 
53 |       * Create a security plan that:
54 |         * Is consistent with the organization's enterprise architecture
55 |         * Explicitly defines the authorization boundary for the system
56 |         * Describes the operational context of the system in terms of missions and business processes
57 |         * Provides the security categorization of the system including supporting rationale
58 |         * Describes the operational environment for the system and relationships with or connections to other systems
59 |         * Provides an overview of the security requirements for the system
60 |         * Identifies any relevant overlays, if applicable
61 |         * Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions
62 |         * Uses and documents Interconnection Security Agreements for system interconnections (CA-3)
63 |       * Have plan approved by the authorizing official prior to implementation.
64 |       * Frequently review security plan, including system interconnections.
65 | 
66 | 
67 |       *Acceptance Criteria / Evidence:*
68 |       * Security plan
69 |       * Security approval documentation
70 |       * Secuirty plan audit log
71 | 
72 | 
73 |       *Links:*
74 |       * [NIST Special Publication 800-18](http://csrc.nist.gov/publications/PubsSPs.html#800-18)
75 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=PL-2
76 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=CA-3
77 | 
78 |     labels:
79 |       - PL
80 |       - CA
81 |       - PL-2
82 |       - CA-3
83 |       - security
84 |       - planning
85 |       - assessment
86 | 
87 | questions: []


--------------------------------------------------------------------------------
/template.yaml:
--------------------------------------------------------------------------------
 1 | id: au_low_impact_pri1
 2 | name: NIST 800-53 AU Low Impact Priority 1
 3 | milestone: Audit and Accountability
 4 | issues:
 5 | 
 6 |   - title: 
 7 | 
 8 |     body: |
 9 | 
10 |       *Why:*
11 | 
12 |       *How:* 
13 |       * 
14 | 
15 | 
16 |       *Acceptance Criteria / Evidence:*
17 |       * 
18 | 
19 | 
20 |       *Links:*
21 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-1
22 | 
23 |     labels:
24 |       - AU
25 |       - AU-3
26 |       - security
27 |       - compliance
28 | 
29 |   - title: 
30 | 
31 |     body: |
32 | 
33 |       *Why:*
34 | 
35 |       *How:* 
36 |       * 
37 | 
38 | 
39 |       *Acceptance Criteria / Evidence:*
40 |       * 
41 | 
42 | 
43 |       *Links:*
44 |       * https://web.nvd.nist.gov/view/800-53/Rev4/control?controlName=AU-1
45 | 
46 |     labels:
47 |       - AU
48 |       - AU-3
49 |       - security
50 |       - compliance
51 | 


--------------------------------------------------------------------------------