openshift compliance guide€¦ · openshift compliance guide release 1.0 beta red hat national...
TRANSCRIPT
OpenShift Compliance GuideRelease 1.0 beta
Red Hat National Security Programs Team
Jul 15, 2020
Contents
1 The OpenShift Compliance Guide 31.1 Deprecation Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.3 Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.4 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.5 Contributing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Security CONOPS 52.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Security Controls 253.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253.2 AC-1 - Access Control Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263.3 AC-12 - Session Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273.4 AC-14 - Permitted Actions Without Identification Or Authentication . . . . . . . . . . . . . . . . . . 283.5 AC-17 - Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293.6 AC-18 - Wireless Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303.7 AC-18(5) - Wireless Access | Antennas / Transmission Power Levels . . . . . . . . . . . . . . . . . 303.8 AC-19 - Access Control For Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313.9 AC-19(5) - Access Control For Mobile Devices | Full Device / Container-based Encryption . . . . . 323.10 AC-2 - Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323.11 AC-2(1) - Account Management | Automated System Account Management . . . . . . . . . . . . . 363.12 AC-2(11) - Account Management | Usage Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . 373.13 AC-2(2) - Account Management | Removal Of Temporary / Emergency Accounts . . . . . . . . . . . 383.14 AC-2(3) - Account Management | Disable Inactive Accounts . . . . . . . . . . . . . . . . . . . . . . 383.15 AC-20 - Use Of External Information Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393.16 AC-21 - Information Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403.17 AC-22 - Publicly Accessible Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403.18 AC-3 - Access Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423.19 AC-4 - Information Flow Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423.20 AC-6(3) - Least Privilege | Network Access To Privileged Commands . . . . . . . . . . . . . . . . . 433.21 AC-7 - Unsuccessful Logon Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433.22 AC-8 - System Use Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443.23 AP-1 - Authority To Collect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473.24 AP-2 - Purpose Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473.25 AR-1 - Governance And Privacy Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
i
3.26 AR-2 - Privacy Impact And Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503.27 AR-3 - Privacy Requirements For Contractors And Service Providers . . . . . . . . . . . . . . . . . 513.28 AR-4 - Privacy Monitoring And Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523.29 AR-5 - Privacy Awareness And Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533.30 AR-6 - Privacy Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543.31 AR-7 - Privacy-enhanced System Design And Development . . . . . . . . . . . . . . . . . . . . . . 553.32 AR-8 - Accounting Of Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553.33 AT-1 - Security Awareness And Training Policy And Procedures . . . . . . . . . . . . . . . . . . . . 573.34 AT-2 - Security Awareness Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583.35 AT-3 - Role-based Security Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593.36 AT-4 - Security Training Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603.37 AU-1 - Audit And Accountability Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . 613.38 AU-11 - Audit Record Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623.39 AU-12 - Audit Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633.40 AU-2 - Audit Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643.41 AU-3 - Content Of Audit Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663.42 AU-3(2) - Content Of Audit Records | Centralized Management Of Planned Audit Record Content . . 663.43 AU-4 - Audit Storage Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673.44 AU-5 - Response To Audit Processing Failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673.45 AU-5(2) - Response To Audit Processing Failures | Real-time Alerts . . . . . . . . . . . . . . . . . . 683.46 AU-6 - Audit Review, Analysis, And Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693.47 AU-6(5) - Audit Review, Analysis, And Reporting | Integration / Scanning And Monitoring Capabilities 703.48 AU-6(6) - Audit Review, Analysis, And Reporting | Correlation With Physical Monitoring . . . . . . 703.49 AU-7 - Audit Reduction And Report Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713.50 AU-7(1) - Audit Reduction And Report Generation | Automatic Processing . . . . . . . . . . . . . . 723.51 AU-8 - Time Stamps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723.52 AU-9 - Protection Of Audit Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 733.53 AU-9(2) - Protection Of Audit Information | Audit Backup On Separate Physical Systems / Components 733.54 AU-9(3) - Protection Of Audit Information | Cryptographic Protection . . . . . . . . . . . . . . . . . 743.55 CA-1 - Security Assessment And Authorization Policy And Procedures . . . . . . . . . . . . . . . . 753.56 CA-2 - Security Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763.57 CA-2(2) - Security Assessments | Specialized Assessments . . . . . . . . . . . . . . . . . . . . . . . 783.58 CA-3 - System Interconnections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793.59 CA-5 - Plan Of Action And Milestones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 803.60 CA-6 - Security Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 813.61 CA-7 - Continuous Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 823.62 CA-7(1) - Continuous Monitoring | Independent Assessment . . . . . . . . . . . . . . . . . . . . . . 843.63 CA-8 - Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853.64 CA-9 - Internal System Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 853.65 CM-1 - Configuration Management Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . 863.66 CM-10 - Software Usage Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883.67 CM-11 - User-installed Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 893.68 CM-2 - Baseline Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 903.69 CM-2(2) - Baseline Configuration | Automation Support For Accuracy / Currency . . . . . . . . . . 903.70 CM-2(3) - Baseline Configuration | Retention Of Previous Configurations . . . . . . . . . . . . . . . 913.71 CM-2(7) - Baseline Configuration | Configure Systems, Components, Or Devices For High-risk Areas 913.72 CM-3(1) - Configuration Change Control | Automated Document / Notification / Prohibition Of Changes 923.73 CM-3(2) - Configuration Change Control | Test / Validate / Document Changes . . . . . . . . . . . . 943.74 CM-4 - Security Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 943.75 CM-5(3) - Access Restrictions For Change | Signed Components . . . . . . . . . . . . . . . . . . . 953.76 CM-6 - Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963.77 CM-6(2) - Configuration Settings | Respond To Unauthorized Changes . . . . . . . . . . . . . . . . 973.78 CM-7 - Least Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983.79 CM-7(4) - Least Functionality | Unauthorized Software / Blacklisting . . . . . . . . . . . . . . . . . 99
ii
3.80 CM-8 - Information System Component Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003.81 CM-8(1) - Information System Component Inventory | Updates During Installations / Removals . . . 1023.82 CM-8(4) - Information System Component Inventory | Accountability Information . . . . . . . . . . 1023.83 CM-8(5) - Information System Component Inventory | No Duplicate Accounting Of Components . . 1033.84 CP-1 - Contingency Planning Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 1043.85 CP-10 - Information System Recovery And Reconstitution . . . . . . . . . . . . . . . . . . . . . . . 1053.86 CP-10(2) - Information System Recovery And Reconstitution | Transaction Recovery . . . . . . . . . 1063.87 CP-10(4) - Information System Recovery And Reconstitution | Restore Within Time Period . . . . . 1063.88 CP-2 - Contingency Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1073.89 CP-2(1) - Contingency Plan | Coordinate With Related Plans . . . . . . . . . . . . . . . . . . . . . . 1103.90 CP-2(2) - Contingency Plan | Capacity Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1113.91 CP-2(3) - Contingency Plan | Resume Essential Missions / Business Functions . . . . . . . . . . . . 1113.92 CP-2(4) - Contingency Plan | Resume All Missions / Business Functions . . . . . . . . . . . . . . . 1123.93 CP-2(5) - Contingency Plan | Continue Essential Missions / Business Functions . . . . . . . . . . . . 1133.94 CP-2(8) - Contingency Plan | Identify Critical Assets . . . . . . . . . . . . . . . . . . . . . . . . . . 1133.95 CP-3 - Contingency Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1143.96 CP-3(1) - Contingency Training | Simulated Events . . . . . . . . . . . . . . . . . . . . . . . . . . . 1153.97 CP-4 - Contingency Plan Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1153.98 CP-4(1) - Contingency Plan Testing | Coordinate With Related Plans . . . . . . . . . . . . . . . . . 1173.99 CP-4(2) - Contingency Plan Testing | Alternate Processing Site . . . . . . . . . . . . . . . . . . . . 1173.100 CP-6 - Alternate Storage Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1183.101 CP-6(1) - Alternate Storage Site | Separation From Primary Site . . . . . . . . . . . . . . . . . . . . 1193.102 CP-6(2) - Alternate Storage Site | Recovery Time / Point Objectives . . . . . . . . . . . . . . . . . . 1193.103 CP-6(3) - Alternate Storage Site | Accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1203.104 CP-7 - Alternate Processing Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1213.105 CP-7(1) - Alternate Processing Site | Separation From Primary Site . . . . . . . . . . . . . . . . . . 1223.106 CP-7(2) - Alternate Processing Site | Accessibility . . . . . . . . . . . . . . . . . . . . . . . . . . . 1223.107 CP-7(3) - Alternate Processing Site | Priority Of Service . . . . . . . . . . . . . . . . . . . . . . . . 1233.108 CP-7(4) - Alternate Processing Site | Preparation For Use . . . . . . . . . . . . . . . . . . . . . . . 1243.109 CP-8 - Telecommunications Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1243.110 CP-8(1) - Telecommunications Services | Priority Of Service Provisions . . . . . . . . . . . . . . . . 1253.111 CP-8(2) - Telecommunications Services | Single Points Of Failure . . . . . . . . . . . . . . . . . . . 1263.112 CP-8(3) - Telecommunications Services | Separation Of Primary / Alternate Providers . . . . . . . . 1263.113 CP-8(4) - Telecommunications Services | Provider Contingency Plan . . . . . . . . . . . . . . . . . 1273.114 CP-9 - Information System Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1283.115 CP-9(1) - Information System Backup | Testing For Reliability / Integrity . . . . . . . . . . . . . . . 1293.116 CP-9(2) - Information System Backup | Test Restoration Using Sampling . . . . . . . . . . . . . . . 1303.117 CP-9(3) - Information System Backup | Separate Storage For Critical Information . . . . . . . . . . 1313.118 DI-1 - Data Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1313.119 DI-1(1) - Data Quality | Validate Pii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1333.120 DI-1(2) - Data Quality | Re-validate Pii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1333.121 DI-2 - Data Integrity And Data Integrity Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1343.122 DI-2(1) - Data Integrity And Data Integrity Board | Publish Agreements On Website . . . . . . . . . 1353.123 DM-1 - Minimization Of Personally Identifiable Information . . . . . . . . . . . . . . . . . . . . . . 1353.124 DM-1(1) - Minimization Of Personally Identifiable Information | Locate / Remove / Redact /
Anonymize Pii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1373.125 DM-2 - Data Retention And Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1373.126 DM-2(1) - Data Retention And Disposal | System Configuration . . . . . . . . . . . . . . . . . . . . 1393.127 DM-3 - Minimization Of Pii Used In Testing, Training, And Research . . . . . . . . . . . . . . . . . 1393.128 DM-3(1) - Minimization Of Pii Used In Testing, Training, And Research | Risk Minimization Tech-
niques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1403.129 IA-1 - Identification And Authentication Policy And Procedures . . . . . . . . . . . . . . . . . . . . 1413.130 IA-2 - Identification And Authentication (organizational Users) . . . . . . . . . . . . . . . . . . . . 1423.131 IA-2(1) - Identification And Authentication | Network Access To Privileged Accounts . . . . . . . . 143
iii
3.132 IA-2(12) - Identification And Authentication | Acceptance Of Piv Credentials . . . . . . . . . . . . . 1433.133 IA-2(3) - Identification And Authentication | Local Access To Privileged Accounts . . . . . . . . . . 1443.134 IA-4 - Identifier Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1443.135 IA-5 - Authenticator Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1463.136 IA-5(1) - Authenticator Management | Password-based Authentication . . . . . . . . . . . . . . . . 1493.137 IA-5(11) - Authenticator Management | Hardware Token-based Authentication . . . . . . . . . . . . 1513.138 IA-5(2) - Authenticator Management | Pki-based Authentication . . . . . . . . . . . . . . . . . . . . 1523.139 IA-5(3) - Authenticator Management | In-person Or Trusted Third-party Registration . . . . . . . . . 1533.140 IA-6 - Authenticator Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1533.141 IA-7 - Cryptographic Module Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1543.142 IA-8 - Identification And Authentication (non-organizational Users) . . . . . . . . . . . . . . . . . . 1553.143 IA-8(1) - Identification And Authentication | Acceptance Of Piv Credentials From Other Agencies . . 1553.144 IA-8(2) - Identification And Authentication | Acceptance Of Third-party Credentials . . . . . . . . . 1563.145 IA-8(3) - Identification And Authentication | Use Of Ficam-approved Products . . . . . . . . . . . . 1563.146 IA-8(4) - Identification And Authentication | Use Of Ficam-issued Profiles . . . . . . . . . . . . . . 1573.147 IP-1 - Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1583.148 IP-1(1) - Consent | Mechanisms Supporting Itemized Or Tiered Consent . . . . . . . . . . . . . . . . 1593.149 IP-2 - Individual Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1603.150 IP-3 - Redress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1613.151 IP-4 - Complaint Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1623.152 IP-4(1) - Complaint Management | Response Times . . . . . . . . . . . . . . . . . . . . . . . . . . 1633.153 IR-1 - Incident Response Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1633.154 IR-2 - Incident Response Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1653.155 IR-2(1) - Incident Response Training | Simulated Events . . . . . . . . . . . . . . . . . . . . . . . . 1663.156 IR-2(2) - Incident Response Training | Automated Training Environments . . . . . . . . . . . . . . . 1663.157 IR-3(2) - Incident Response Testing | Coordination With Related Plans . . . . . . . . . . . . . . . . 1673.158 IR-4 - Incident Handling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1673.159 IR-4(1) - Incident Handling | Automated Incident Handling Processes . . . . . . . . . . . . . . . . . 1693.160 IR-5 - Incidentmonitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1693.161 IR-5(1) - Incident Monitoring | Automated Tracking / Data Collection / Analysis . . . . . . . . . . . 1703.162 IR-6 - Incident Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1703.163 IR-6(1) - Incident Reporting | Automated Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . 1713.164 IR-7 - Incident Response Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1723.165 IR-7(1) - Incident Response Assistance | Automation Support For Availability Of Information / Support1723.166 IR-8 - Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1733.167 MA-1 - System Maintenance Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 1773.168 MA-2 - Controlled Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1783.169 MA-2(2) - Controlled Maintenance | Automated Maintenance Activities . . . . . . . . . . . . . . . . 1803.170 MA-3(1) - Maintenance Tools | Inspect Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1813.171 MA-4 - Nonlocal Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1813.172 MA-4(2) - Nonlocal Maintenance | Document Nonlocal Maintenance . . . . . . . . . . . . . . . . . 1833.173 MA-5 - Maintenance Personnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1843.174 MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access . . . . . . . . . . . . . 1853.175 MA-6 - Timely Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1863.176 MP-1 - Media Protection Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1863.177 MP-2 - Media Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1883.178 MP-3 - Media Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1883.179 MP-4 - Media Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1893.180 MP-5 - Media Transport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1903.181 MP-5(4) - Media Transport | Cryptographic Protection . . . . . . . . . . . . . . . . . . . . . . . . . 1913.182 MP-6 - Media Sanitization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1923.183 MP-6(1) - Media Sanitization | Review / Approve / Track / Document / Verify . . . . . . . . . . . . . 1933.184 MP-6(2) - Media Sanitization | Equipment Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 1933.185 MP-6(3) - Media Sanitization | Nondestructive Techniques . . . . . . . . . . . . . . . . . . . . . . . 194
iv
3.186 MP-7 - Media Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1953.187 PE-1 - Physical And Environmental Protection Policy And Procedures . . . . . . . . . . . . . . . . 1953.188 PE-10 - Emergency Shutoff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1973.189 PE-11 - Emergency Power . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1983.190 PE-11(1) - Emergency Power | Long-term Alternate Power Supply - Minimal Operational Capability 1983.191 PE-12 - Emergency Lighting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1993.192 PE-13 - Fire Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1993.193 PE-13(1) - Fire Protection | Detection Devices / Systems . . . . . . . . . . . . . . . . . . . . . . . . 2003.194 PE-13(2) - Fire Protection | Suppression Devices / Systems . . . . . . . . . . . . . . . . . . . . . . . 2003.195 PE-13(3) - Fire Protection | Automatic Fire Suppression . . . . . . . . . . . . . . . . . . . . . . . . 2013.196 PE-14 - Temperature And Humidity Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2023.197 PE-15 - Water Damage Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2023.198 PE-15(1) - Water Damage Protection | Automation Support . . . . . . . . . . . . . . . . . . . . . . 2033.199 PE-16 - Delivery And Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2033.200 PE-17 - Alternate Work Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2043.201 PE-18 - Location Of Information System Components . . . . . . . . . . . . . . . . . . . . . . . . . 2053.202 PE-2 - Physical Access Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2063.203 PE-3 - Physical Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2073.204 PE-4 - Access Control For Transmission Medium . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2103.205 PE-5 - Access Control For Output Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2103.206 PE-6 - Monitoring Physical Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2113.207 PE-6(1) - Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment . . . . . . . . . . 2123.208 PE-6(4) - Monitoring Physical Access | Monitoring Physical Access To Information Systems . . . . . 2123.209 PE-8 - Visitor Access Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2133.210 PE-8(1) - Visitor Access Records | Automated Records Maintenance / Review . . . . . . . . . . . . 2143.211 PE-9 - Power Equipment And Cabling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2143.212 PL-1 - Security Planning Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2153.213 PL-2 - System Security Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2163.214 PL-2(3) - System Security Plan | Plan / Coordinate With Other Organizational Entities . . . . . . . . 2203.215 PL-4 - Rules Of Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2203.216 PL-4(1) - Rules Of Behavior | Social Media And Networking Restrictions . . . . . . . . . . . . . . . 2223.217 PS-1 - Personnel Security Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2223.218 PS-2 - Position Risk Designation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2243.219 PS-3 - Personnel Screening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2253.220 PS-4 - Personnel Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2263.221 PS-4(2) - Personnel Termination | Automated Notification . . . . . . . . . . . . . . . . . . . . . . . 2273.222 PS-5 - Personnel Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2283.223 PS-6 - Access Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2293.224 PS-7 - Third-party Personnel Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2303.225 PS-8 - Personnel Sanctions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2323.226 RA-1 - Risk Assessment Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2333.227 RA-2 - Security Categorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2343.228 RA-3 - Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2363.229 RA-5 - Vulnerability Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2373.230 SA-1 - System And Services Acquisition Policy And Procedures . . . . . . . . . . . . . . . . . . . . 2403.231 SA-11 - Developer Security Testing And Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 2413.232 SA-16 - Developer-provided Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2433.233 SA-17 - Developer Security Architecture And Design . . . . . . . . . . . . . . . . . . . . . . . . . 2433.234 SA-2 - Allocation Of Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2443.235 SA-3 - System Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2463.236 SA-4 - Acquisition Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2473.237 SA-4(1) - Acquisition Process | Functional Properties Of Security Controls . . . . . . . . . . . . . . 2493.238 SA-4(10) - Acquisition Process | Use Of Approved Piv Products . . . . . . . . . . . . . . . . . . . . 2503.239 SA-4(2) - Acquisition Process | Design / Implementation Information For Security Controls . . . . . 250
v
3.240 SA-5 - Information System Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2513.241 SA-9 - External Information System Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2543.242 SC-1 - System And Communications Protection Policy And Procedures . . . . . . . . . . . . . . . . 2553.243 SC-10 - Network Disconnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2563.244 SC-12 - Cryptographic Key Establishment And Management . . . . . . . . . . . . . . . . . . . . . 2573.245 SC-12(1) - Cryptographic Key Establishment And Management | Availability . . . . . . . . . . . . . 2573.246 SC-13 - Cryptographic Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2583.247 SC-15 - Collaborative Computing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2593.248 SC-2 - Application Partitioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2593.249 SC-20 - Secure Name / Address Resolution Service (authoritative Source) . . . . . . . . . . . . . . . 2603.250 SC-21 - Secure Name / Address Resolution Service (recursive Or Caching Resolver) . . . . . . . . . 2613.251 SC-22 - Architecture And Provisioning For Name / Address Resolution Service . . . . . . . . . . . . 2613.252 SC-24 - Fail In Known State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2623.253 SC-3 - Security Function Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2633.254 SC-39 - Process Isolation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2633.255 SC-4 - Information In Shared Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2643.256 SC-42 - Sensor Capability And Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2643.257 SC-42(3) - Sensor Capability And Data | Prohibit Use Of Devices . . . . . . . . . . . . . . . . . . . 2653.258 SC-5 - Denial Of Service Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2653.259 SC-7 - Boundary Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2663.260 SC-7(18) - Boundary Protection | Fail Secure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2673.261 SC-7(21) - Boundary Protection | Isolation Of Information System Components . . . . . . . . . . . . 2683.262 SE-1 - Inventory Of Personally Identifiable Information . . . . . . . . . . . . . . . . . . . . . . . . 2683.263 SE-2 - Privacy Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2693.264 SI-1 - System And Information Integrity Policy And Procedures . . . . . . . . . . . . . . . . . . . . 2703.265 SI-12 - Information Handling And Retention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2723.266 SI-16 - Memory Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2723.267 SI-2 - Flaw Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2733.268 SI-3 - Malicious Code Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2743.269 SI-4 - Information System Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2763.270 SI-4(2) - Information System Monitoring | Automated Tools For Real-time Analysis . . . . . . . . . 2783.271 SI-5 - Security Alerts, Advisories, And Directives . . . . . . . . . . . . . . . . . . . . . . . . . . . 2793.272 SI-5(1) - Security Alerts, Advisories, And Directives | Automated Alerts And Advisories . . . . . . . 2803.273 SI-6 - Security Function Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2813.274 SI-7 - Software, Firmware, And Information Integrity . . . . . . . . . . . . . . . . . . . . . . . . . 2823.275 SI-7(1) - Software, Firmware, And Information Integrity | Integrity Checks . . . . . . . . . . . . . . 2833.276 SI-7(2) - Software, Firmware, And Information Integrity | Automated Notifications Of Integrity Vio-
lations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2843.277 SI-7(5) - Software, Firmware, And Information Integrity | Automated Response To Integrity Violations 2843.278 SI-7(7) - Software, Firmware, And Information Integrity | Integration Of Detection And Response . . 2853.279 SI-8 - Spam Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2853.280 SI-8(1) - Spam Protection | Central Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2863.281 SI-8(2) - Spam Protection | Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2873.282 TR-1 - Privacy Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2873.283 TR-1(1) - Privacy Notice | Real-time Or Layered Notice . . . . . . . . . . . . . . . . . . . . . . . . 2893.284 TR-2 - System Of Records Notices And Privacy Act Statements . . . . . . . . . . . . . . . . . . . . 2893.285 TR-2(1) - System Of Records Notices And Privacy Act Statements | Public Website Publication . . . 2913.286 TR-3 - Dissemination Of Privacy Program Information . . . . . . . . . . . . . . . . . . . . . . . . . 2913.287 UL-1 - Internal Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2923.288 UL-2 - Information Sharing With Third Parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
4 Customer Responsibility Matrix 2954.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2954.2 CM-8(4) - Information System Component Inventory | Accountability Information . . . . . . . . . . 295
vi
4.3 CP-10(2) - Information System Recovery And Reconstitution | Transaction Recovery . . . . . . . . . 2964.4 DI-1 - Data Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2974.5 DI-1(1) - Data Quality | Validate Pii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2984.6 DI-1(2) - Data Quality | Re-validate Pii . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2994.7 DI-2 - Data Integrity And Data Integrity Board . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2994.8 DM-1 - Minimization Of Personally Identifiable Information . . . . . . . . . . . . . . . . . . . . . . 3004.9 DM-2 - Data Retention And Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3014.10 DM-2(1) - Data Retention And Disposal | System Configuration . . . . . . . . . . . . . . . . . . . . 3034.11 DM-3 - Minimization Of Pii Used In Testing, Training, And Research . . . . . . . . . . . . . . . . . 3034.12 IP-1 - Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3044.13 IP-1(1) - Consent | Mechanisms Supporting Itemized Or Tiered Consent . . . . . . . . . . . . . . . . 3064.14 IP-2 - Individual Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3064.15 IP-3 - Redress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3084.16 IP-4 - Complaint Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3094.17 IP-4(1) - Complaint Management | Response Times . . . . . . . . . . . . . . . . . . . . . . . . . . 3094.18 MA-1 - System Maintenance Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 3104.19 PL-2 - System Security Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3114.20 RA-1 - Risk Assessment Policy And Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3154.21 RA-3 - Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3164.22 SA-11 - Developer Security Testing And Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 3184.23 SA-3 - System Development Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3204.24 SA-4(1) - Acquisition Process | Functional Properties Of Security Controls . . . . . . . . . . . . . . 3214.25 SA-4(2) - Acquisition Process | Design / Implementation Information For Security Controls . . . . . 3224.26 SE-1 - Inventory Of Personally Identifiable Information . . . . . . . . . . . . . . . . . . . . . . . . 3224.27 SI-1 - System And Information Integrity Policy And Procedures . . . . . . . . . . . . . . . . . . . . 3234.28 TR-1 - Privacy Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3254.29 TR-1(1) - Privacy Notice | Real-time Or Layered Notice . . . . . . . . . . . . . . . . . . . . . . . . 3264.30 TR-2 - System Of Records Notices And Privacy Act Statements . . . . . . . . . . . . . . . . . . . . 3274.31 TR-2(1) - System Of Records Notices And Privacy Act Statements | Public Website Publication . . . 3284.32 TR-3 - Dissemination Of Privacy Program Information . . . . . . . . . . . . . . . . . . . . . . . . . 3284.33 UL-1 - Internal Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3294.34 UL-2 - Information Sharing With Third Parties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
5 Ansible 3335.1 Reference Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3335.2 Manual Workarounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
6 Frequently Asked Questions 3396.1 Is this guide complete? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3396.2 Has OpenShift been accredited anywhere? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3396.3 How can I help? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3396.4 X is wrong, what’s up? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3396.5 Who can I talk to about this? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
7 Indices and tables 341
vii
viii
OpenShift Compliance Guide, Release 1.0 beta
Contents:
Contents 1
OpenShift Compliance Guide, Release 1.0 beta
2 Contents
CHAPTER 1
The OpenShift Compliance Guide
1.1 Deprecation Notice
This project is deprecated. Please see ATO Pathways.
1.2 About
OpenShift is a container management platform based on Docker containers and the Kubernetes container cluster man-ager. OpenShift adds developer and operational centric tools to enable rapid application development, easy deploymentand scaling, and long-term lifecycle maintenance for small and large teams and applications.
Built atop Red Hat Enterprise Linux (RHEL), OpenShift is very secure. For users who must comply with the FederalInformation Security Management Act (FISMA), there is additional configuration burden.
This guide can help you secure your OpenShift cluster to comply with the FISMA moderate confidentiality, integrity,and availability requirements.
While the configurations and Security Control Traceability Matrix (SCTM) documented in this guide could be imple-mented in any environment, the reference architecture is Amazon Web Services.
1.3 Table of Contents
1. Security CONOPS
2. Security Controls
3. Customer Responsibility Matrix
4. Ansible
3
OpenShift Compliance Guide, Release 1.0 beta
1.4 Frequently Asked Questions
Have questions? Visit our Frequently Asked Questions.
1.5 Contributing
Security is an ongoing effort, and we appreciate any feedback or recommendations that you may have. Please use thisproject’s GitHub page to submit issues or pull requests.
1.5.1 Authors
• Nick Sabine
• Ken Evensen
• Mark Shoger
• Mike Epley
• Durell Willoughby
• Tiffany Gray
• Matt Bagnara
• Jason Callaway
4 Chapter 1. The OpenShift Compliance Guide
CHAPTER 2
Security CONOPS
2.1 Introduction
The Security Concept of Operations (CONOPS) details, at various levels of abstraction, a deployment of Red Hat’sOpenShift Container Platform (OCP) deployed on Amazon Web Services (AWS). The NIST Definition of CloudComputing (NIST 800-145) succinctly describes different cloud service models and the attributes of a cloud platform.The architecture described herein follows the definitions found in the NIST 800-145. For example, Red Hat’s OCP isa Platform as a Service (PaaS) under NIST 800-145. Similarly, AWS is an Infrastructure as a Service (IaaS) per theNIST definition.
2.1.1 Security Standards
The Fedral Information Security Modernization Act (FISMA), originally enacted in 2002, directs United States Fed-eral Agencies to develop and implement programs to implement information and information systems security. Thisreference architecture aims to describe an OCP deployment on AWS as FISMA high: high confidentiality, high in-tegrity, high availability.
In order to demonstrate FISMA high, this architecture is traced to NIST 800-53 Security and Privacy Controls forFederal Information Systems and Organizations. The NIST 800-53 provides a catalog of controls accross multiplecategories. Many controls relate to organizational processes. These controls will be mapped as appropriate. Thecontrols that are technical in nature are addressed by this architecture.
2.2 Architecture
This architecture is divided into architectural views loosely mapped to the NIST 800-145 Definition of Cloud Comput-ing. The nature of cloud computing affords the adoption of a Landlord/Tenant model. This model allows the Landlordto take responsibility for a set of controls under NIST 800-53, relieving the tenant of the need to address those controls.The following table lists lists the relationship of Landlord to Tenant in this reference architecture.
5
OpenShift Compliance Guide, Release 1.0 beta
Landlord TenantAWS OCPOCP Applications
As stated prviously, the IaaS in this architecture is AWS. Red Hat’s OCP is the PaaS. Tenant applications are deployedin containers, managed by OCP.
2.2.1 Infrastructure View
The infrastructure view describes the OCP components at the infrastructure level. These components are necessary toserve OCP in AWS and achieving FISMA high.
IaaS Definition - NIST 800-145
The capability provided to the consumer is to provision processing, storage, networks, and other fun-damental computing resources where the consumer is able to deploy and run arbitrary software, whichcan include operating systems and applications. The consumer does not manage or control the underly-ing cloud infrastructure but has control over operating systems, storage, and deployed applications; andpossibly limited control of select networking components (e.g., host firewalls).
Description
AWS provides this capability. Amazon provides the underlying hardware infastructure that supports the self-serviceprovisioning into the cloud of what has traditionaly been based in hardware. This includes, but is not limited tocompute, storage, and networking services.
Stakeholders
Cluster Administrators require AWS console access and the ability to deploy and/or configure the following AWScomponents.
• VPC
• Elastic IP
• Elastic Cloud Compute (EC2)
• VPC Peering
• Route Tables
Application Developers do not have a role at the infrastructure level.
Application Consumers do not have a role at the infrastructure level.
6 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
Diagram
The following diagram illustrates the high level deployment of OCP in AWS and the necessary AWS components to
support OCP.
Components
The following table describes each AWS component and relates it to the implementation in the OCP reference archi-tecture.
2.2. Architecture 7
OpenShift Compliance Guide, Release 1.0 beta
AWSCompo-nent
Description OCP Component
VPC A logically isolated section of AWS in which resources are connected via avirtual networking environment.
Red Hat VPC1..n Dedicated VPC’s
Subnet Virtually isolated network used on which traffic is isolatedbecause isolationmakes for great neighbors.
Management SubnetStaging SubnetOperations SubnetDedicated Subnet
EC2ComputeInstance
A scalable compute capacity in AWS. Compute instances are instantiatedfrom cloud images with pre-installed operating systems, for example RedHat Enterprise Linux.
All OCP Platformcomponents.
Route Ta-ble
A route table defines rules as to how network traffic in a VPC is routedinternally.
Red Hat VPC
Elastic IP An Elastic IP is associated with an EC2 Instance and is publicallyreacheable.
Staging HA ProxyStaging Authentica-tionStaging App. TrafficBastionAnsible Tower
VPCPeering
A VPC peering connection is a networking connection between two VPCsthat enables traffic to be routed between them using private IP addresses.
Between the Red HatVPC and any Dedi-cated VPC
ElasticLoadBalancer
An ELB automatically distributes traffic among EC2 instances. Operations APIOperations Applica-tionDedicated APIDedicated Application
Network Architecture
The network views below assume that OCP is deployed on to an air-gapped network that is unable to route to theInternet.
The Staging Subnet provides an isolated area for platform administrators to apply regular patches and test configura-tion changes before applying these to the operations cluster. One cluster of OCP is deployed in this VPC.
The Operations Subnet contains a single deployment of OpenShift where tenants will deploy applications. OCPNodes will be labled and functionally grouped to support development, test, and production deployments of an appli-cation. This is described in detail in the Platform View.
The Management Subnet contains the Trusted Container Repository as well as the Package Repository. A routetable allows the Managent Subnet to communicate to the Staging Subnet, Operations Subnet. The Staging Subnetand Operations Subnet are not permitted to communicate with each other. A VPC peering connection allows theManagement Subnet in the Red Hat VPC to communicate with any Dedicated VPC’s.
Dedicated VPC’s are VPC’s that are deployed to support specific isolation needs of a particular tenant. These may becreated and destroyed per organizational needs.
The bastion host allows OCP Administrators and only OCP Administrators the ability to access the underlying hostsin each VPC.
Application Developers interact with OCP via a command line interface (CLI) and web user interface (WebUI). Anapplication router, internal to OCP, handles application traffic. Therefore certain ports in a security group must be
8 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
exposed on the Red Hat VPC to allow ths traffic. The same is true of any Dedicated VPC’s. The following tabledetails this information.
VPC Port VPC/Subnet Exposed Component443/TCP Red Hat/Operations ELB - API Traffic
ELB - Application TrafficRed Hat/Staging Elastic IP - API HA Proxy
Elastic IP - Application TrafficRed Hat/Management Elastic IP - Ansible TowerDedicated/Dedicated ELB - API Traffic
ELB - Application Traffic4444/TCP Red Hat/Operations ELB - API Traffic - Authentication
Red Hat/Staging Elastic IP - API Traffic - AuthenticationDedicated/Dedicated ELB - API Traffic - Authentication
22/TCP Red Hat/Management Elastic IP - SSH Bastion
Communications internal to the nodes occur in the network address space defined by VPC subnets.
2.2.2 Platform View
The platform view describes the OCP architecture at the platform level. This view abstracts out the AWS componentsand focuses primarily on the functional components of OCP.
PaaS Definition - NIST 800-145
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created oracquired applications created using programming languages, libraries, services, and tools supported bythe provider. The consumer does not manage or control the underlying cloud infrastructure including net-work, servers, operating systems, or storage, but has control over the deployed applications and possiblyconfiguration settings for the application-hosting environment.
Description
The OpenShift Container Platform provides application developer’s the ability to rappidly deploy applications in avariety of application frameworks.
Stakeholders
Cluster Administrators are responsible for the operations and proper function of the platform. They have the abilityto affect OCP security policies surrounding developer interaction and container function.
Application Developers have access to the OCP WebUI and CLI to deploy applications.
Application Users do not have a role at the platform level.
2.2. Architecture 9
OpenShift Compliance Guide, Release 1.0 beta
Roles
Name DescriptionCluster Administrator Full administrative control over the OpenShift clusterCluster Auditor Read-only access to all objects on the clusterProject Administrator Full administrative access to a projectProject Auditor Read-only access to a projectApplication Devel-oper
Full access to build, deploy and terminate applications. Cannot modify access to theproject.
Diagram
The following diagram details the minimum highly-available configuration of OCP to meet FISMA high at the platformlevel.
10 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
2.2. Architecture 11
OpenShift Compliance Guide, Release 1.0 beta
Components
Com-po-nent
Description
Mas-ter
The OCP Master provides the API and WebUI entry points for Application Developers and OCP admin-istrators. The OCP Master is also responsible for scheduling containers on each node.
ETCD The ETCD servers are key-value stores used for maintaining information about the state of the OCPcluster.
Appli-cationNode
The Application Nodes handle executing application containers.
Infras-truc-tureNode
In an OCP cluster, a containerized HA proxy routes application traffic. A containerized integrated con-tainer registry in OCP is a mechanism in the automated build and deployment flow. Both the applicationrouter and integrated container registry and only these components run on the Infrastructure Node.
Network Architecture
The network architecture in the platform view is broken into two parts. The first is the internal networking frombetween the EC2 instances supporting the platorm. The second is the software defined networking layer enablingmulti-tenant deployment of container based applications.
The following diagram illustrates the internetworking of the platform components of OCP.
12 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
The following table describes the port information of the internal platform components.
2.2. Architecture 13
OpenShift Compliance Guide, Release 1.0 beta
From To Port NotesAppli-cationTrafficELB
OCPInfras-tructureNode
443/TCP
API Traf-fic ELB
HA andAuthen-ticationProxy
8443/TCP
HA andAuthen-ticationProxy
OCPMaster
8443/TCP
OCPMaster
OCPMasterand Loop
8053/TCPRequired for DNS resolution of clustered services.
OCPMaster
OCPMasterand Loop
8053/UDPRequired for DNS resolution of clustered services.
OCPMaster
OCPMaster
2379/TCPUsed for standalone etcd (clustered) to accept changes in state.
OCPMaster
OCPMaster
2380/TCPetcd requires this port be open between masters for leader election and peeringconnections when using standalone etcd (clustered).
OCPMaster
OCPNode
4789/UDPRequired for SDN communication between pods on separate hosts.
OCPMaster
OCPNode
10250/TCPThe master proxies to node hosts via the Kubelet for oc commands.
OCPNode
OCPMaster
4789/UDPRequired for SDN communication between pods on separate hosts.
OCPNode
OCPMaster
8053/TCPRequired for DNS resolution of clustered services.
OCPNode
OCPMaster
8053/UDPRequired for DNS resolution of clustered services.
OCPNode
OCPMaster
8443/TCP
All PackageReposi-tory
443/TCP
OCPNode
TrustedContainerReposi-tory
443/TCP
Bastion All 22/TCP SSHAnsibleTower
All 22/TCP SSH used during Ansible Plays
OCPNode
GlusterNode
49152-49251/TCP
For client communication with Red Hat Gluster Storage 2.1 and for brick pro-cesses depending on the availability of the ports. The total number of portsrequired to be open depends on the total number of bricks exported on the ma-chine.
GlusterNode
GlusterNode
24007/TCPFor glusterd (for management).
14 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
In order to achieve network traffic isolation between containers owned by different tenants running on the same node,the traffic must be encapsulated. This capability is provided by OpenVSwitch which encapsulates the OSI L2 trafficfrom the containers in the L3 traffic between the nodes. The packets are then tagged by an 24 bit value known asa VXLan Network Identifier (VNID). A VNID corresponds to a project space in OCP and is transparent to both theApplication Developer and Application User. In order to utilize this option the redhat/openshift-ovs-multitenantmust be selected during the installation.
The L3 traffic between nodes is sent as UDP packets to port 4789.
More information on the software defined network in OCP can be found in the online documentation.
Platform Security - Platform Users
Regardless of the user role, all users are subject to authorization policies managed in the OCP cluster. Authorizationpolcies dictate what a user can and cannot do. Policies are enforce at the project (local) level, and separately at thecluster level.
The following table describes the elements comprising an authorization role.
Rules Sets of permitted verbs on a set of objects. For example, whether something can create pods.Roles Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same
time.Bind-ings
Associations between users and/or groups with a role.
Platform Security - Container Security
Container security occurs at multiple levels. At the platform level, OCP applies security context constraints (SCC’s)to manage what a container can and cannot do. OCP provides a number of SCC’s out of the box. The default SCC ishighly restrictive to unprivileged containers.
Unprivileged containers are containers deployed in a tenant application. Specific action is required on the part of theCluster Administrator to allow an Application Developer the ability to deploy a container with escallated privileges.
A notable attribute of SCC’s is the user ID enforcement. When a container executes, the entry process runs in thecontainer as a specified user ID. The restricted SCC forces the container to be run as a very high UID. This prevents acontainer from being deployed where the internal user ID is set to 0 (root).
Storage Architecture
Managing storage is a distinct problem from managing compute resources. OpenShift Container Platform leveragesthe Kubernetes persistent volume (PV) framework to allow administrators to provision persistent storage for a cluster.Using persistent volume claims (PVCs), developers can request PV resources without having specific knowledge ofthe underlying storage infrastructure.
In this reference architecture, storage services are provided through a managed storage tier, implemented by Red HatGluster Storage (Gluster). Gluster provides a fault-tolerant and highly available network storage resource, efficientlyrationed to tenant applications as PVs. Since the storage interface to developers is managed by the Kubernetes PVCresource, the details of the underlying storage implementation are abstracted.
PVCs are specific to a project and are created and used by developers as a means to use a PV. PV resources on theirown are not scoped to any single project; they can be shared across the entire OpenShift Container Platform cluster andclaimed from any project. After a PV has been bound to a PVC, however, that PV cannot then be bound to additionalPVCs. This has the effect of scoping a bound PV to a single namespace (that of the binding project).
2.2. Architecture 15
OpenShift Compliance Guide, Release 1.0 beta
The Gluster storage services are provided through a dedicated cluster of AWS instances within the scope of the plat-form VPC. Administrators allocate storage resources, creating a pool of available PVs in standard sizes, and monitorthe capacity of the underlying storage resources. As PVs are released, administrators ensure the deletion and reclama-tion of storage resources, returning capacity to the pool of available PVs.
Platform Security - Storage Security
Gluster complies with data protection requirements through secure configuration of the storage resources and transportprotocols. At rest, data is protected by LUKS encryption of the of the AWS EBS devices. This ensures that access toEBS volumes or snapshots by unauthorized mechanisms are unable to extract any usable information from the storagetier. Configuration of LUKS encryption in Red Hat Enterprise Linux 7 is configured according to the Encryptionchapter of the RHEL 7 Security Guide.
During transit, information is protected through configuration of SSL connections, and enforcement of mutually au-thenticated TLS connections. For more information, refer to Configuring Network Encryption in Red Hat GlusterStorage.
Diagram
The following diagram depicts the mapping of storage devices to application resources within OCP. The LUKS en-cryption is enabled at the EBS device, ensuring that all data is encrypted prior to writing to disk. This architecture isdesigned to be compatible with the OCP and Kubernetes roadmaps, specifically with reference to upcoming dynamicprovisioning features.
16 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
In this view, the synchronous replication is shown between availability zones of the IaaS tier. This ensures highavailability and integrity of data stored within the platform.
2.2. Architecture 17
OpenShift Compliance Guide, Release 1.0 beta
2.2.3 Application View
Definition
The application view describes the OCP architecture at the application level. This view focuses on the services andinterfaces available to project tenants within the platform.
Description
Actors
Application Developers
OCP Administrators are responsible for the creation of tenant projects and assignment of proper roles of projectadministrators.
Project Administrators are responsible for assignment of proper roles within the scope of a single tenant project.They have the ability to affect security policies surrounding developer interaction and container function, includingthe ability to grant privileges to administer, edit, or view project level resources.
Application Developers have access to the OCP WebUI and CLI to create, build, deploy, and delete applicationswithin the scope of a project, subject to the roles and privileges assigned by the Project Administrators.
Application Users do not have a role at the application level.
18 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
Application Security - Sensitive Configuration Data
There is often a need to provide sensitive data for the proper configuration of the application or service component.For instance, it may be necessary to provide encryption keys, passwords, configuration files, private source repositorycredentials, and other data considered sensitive. This data often varies between environments, such as database pass-words or SSL server certificates. Secrets provide a mechanism to decouple sensitive content from the pods that useit, removing the necessity of storing this data on the filesystem or within the container image itself. This mechanismpromotes best practices for abstracting environment-specific configuration data away from the build process, as wellas provides an encrypted storage mechanism. For more information on this topic, refer to the Secrets documentation.
Diagram
The following diagram details the conceptual use of project resources to build and deploy applications within a project.
2.2. Architecture 19
OpenShift Compliance Guide, Release 1.0 beta
Components
Com-po-nentDev Application Developers interact with the platform by creating project resource definitions, and by pushing
application code revisions to the enterprise hosted git service.AppCode
The source code artifacts implementing the business logic of an application service or component.
git The source code configuration management system. For this architecture, the git service is assumed to beprovided externally, as a corporate or project team resource.
BuildCon-fig
A build configuration describes a single build definition and a set of triggers for when a new build should becreated. For in depth description of builds and OCP build configurations, refer to the Build documentation
In-te-gratedReg-istry
The OCP integrated registry is a controlled container image registry for storing OCP container images andcompleted application builds. For more information regarding the integrated registry, refer to the ImageRegistry documentation.
BuilderIm-age
A builder image is a pre-defined container image that stores the build process for compilation and assemblyof application source code. It houses the compiler binaries required for interpretation of source code, andthe tools necessary for building application images.
builder The builder is a container derived from the builder image. It produces an application image using the definedbuild process using the compiler binaries.
AppIm-age
An Application Image is produced as a result of the application build process. It is composed of a certifiedbase image, application server components, required configurations, and finally, the compiled applicationsource code.
De-ploy-mentCon-fig
The deployment config defines the requirements and configuration of resources necessary for operations ofthe application component. For more information regarding the deployment config, refer to the Deploymentdocumentation.
De-ployer
The deployer is container responsible for setting up the operational environment of the application container.
Pod OpenShift Container Platform leverages the Kubernetes concept of a pod, which is one or more containersdeployed together on one host, and the smallest compute unit that can be defined, deployed, and managed.For more information regarding Pods, refer to the Pod documentation
AppCon-tainer
The application container is the running instance of an application image, as defined by the deploymentconfiguration.
etcd EtcD is the key-value database for OCP state and configuration information.Se-crets
Secrets provide a mechanism to hold information such as encryption keys, passwords, config files, privatesource repository credentials, and other data considered sensitive. Secrets decouple sensitive content fromthe pods that use it and can be mounted into containers using a volume plug-in or used by the system toperform actions on behalf of a pod. For more information regarding Secrets, refer to the Secrets documen-tation.
Per-sis-tentVol-ume
A Persistent Volume is a storage resource in OCP. Storage is provisioned by the cluster administrators bycreating PersistentVolume objects from the storage infrastructure system. Application Developers utilizePersistent Volumes by creating a Persistent Volume Claim within the scope of the project. For more infor-mation regarding persistent storage, refer to the Storage documentation.
LogAg-gre-ga-tion
In OCP, Log Aggregation is implemented as the integrated deployment of Elastic Search, FluentD, andKibana (EFK). This stack aggregates logs for a range of OCP services, including project resources deployedon the platform. Application developers can view the logs of the projects for which they have view access.The EFK stack aggregates logs from hosts and applications, whether coming from multiple containers oreven deleted pods. For more information regarding log aggregation in OCP, refer to the Aggregate Loggingdocumentation.
Repli-ca-tionCon-troller
A replication controller ensures that a specified number of replicas of a pod are running at all times. If podsexit or are deleted, the replication controller acts to instantiate more up to the defined number. Likewise, ifthere are more running than desired, it deletes as many as necessary to match the defined amount. For moreinformation regarding replication controllers, refer to the Replication Controller documentation.
Ser-vices
A service serves as an internal load balancer. It identifies a set of replicated pods in order to proxy theconnections it receives to them. Backing pods can be added to or removed from a service arbitrarily whilethe service remains consistently available, enabling anything that depends on the service to refer to it at aconsistent internal address. For more information regarding services, refer to the Services documentation.
Routes An OpenShift Container Platform route exposes a service at a host name, like www.example.com, so thatexternal clients can reach it by name. For more information regarding routes, refer to the Routes documen-tation.
Router Routers enable routes created by developers to be used by external clients. A router uses the service selectorto find the service and the endpoints backing the service. When both router and service provide loadbalancing, OCP uses the router load balancing. A routers detects relevant changes in the IP addresses ofits services, and adapts its configuration accordingly. For more information regarding routers, refer to theRouters documentation.
User In this context, a user is the entity attempting to access the application deployed within the platform. Theyare assigned no special roles or permissions within the platform, and only have access to the resourcesexposed via routes by the application developers.
20 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
2.2.4 Container View
Definition
A container in the context of an information system is an operating system level virtualization method, provided bykernel constructs, for isolating prcesses using a single kernel.
Due to the value of containers to the information technology field, the definition for both the container image specifi-cation and runtime are managed by a community of interested parties: Open Container Initiative (OCI). The technicaldefinition is divided into an Image Specification (image-spec) and Runtime Specification (runtime-spec).
Description
The container view describes the constructs used in OCIF and runc process isolation. This view addresses a singlecontainer regardless of being run in the OCP cluster.
Actors
Platform Administrators are responsible for two specific container processes in the OCP cluster. The first is anintegrated container registry. The second is an application traffic HAProxy router, running in a container. Whilethese nominally operate without intervention, their continued operation falls under the responsibility of the PlatformAdministrators.
Application Developers do not necessarily need to be aware of the container construct in OCP. An ApplicationDeveloper can deploy a containerized application inside OCP simply by providing OCP a source code repository. Atthis point OCP automatically builds the source into and deploys a containerized application.
Container Filesystem
A single container as it exists on the host’s filesystem is actually a multi-layer filesystem: UnionFS. Each containerimage consists of a Kernel library layer, bootfs, and Base Image. Additional layers may contain application librariesand binaries. Once this container image is built, it is immutable. This has implications:
1. Any patches to a lower layer of the container (e.g. the base image) require the container to be rebuild from thatlevel up.
2. Without an externally mounted persistent storage share, any data written to the container’s file system is lostwhen that container is destroyed.
The following graphic presents a simplified view of a layered container image.
2.2. Architecture 21
OpenShift Compliance Guide, Release 1.0 beta
External storage can be provided to the container and mounted as a file system in the container for data persistence.The platform layer abstracts the Persistent Volume from the container. The container has no knowledge of the natureof the underlying storage share; only that it has a file system to which it can write.
Kernel Components
A container is constructed using Linux kernel mechanisms, some of which have existed for over 10 years. Thefollowing table describes these kernel mechanisms and their role in isolating processes.
Compo-nent
Purpose
SELinux SELinux, a core component of Red Hat Enterprise Linux, labels processes and filesystems, enforcingmandatory access control. Each containerized process receives a unique SELinux category.
CGroups CGroups provide resource constraints preventing run-away processes.KernelNames-paces
Namespaces allow resources to have identical names in the context of that resource, but unique namesfrom perspective of the host. For example, the PID namespace allows for PID 0 in each container, butbe PID N on the host.
KernelCapabil-ities
Capabilities are process permission controls that group system calls in different categories. By default,all capabilities are removed for unprivileged containers.
Secomp Secure computing assists with creating sandboxes by defining which system calls should be blocked.
22 Chapter 2. Security CONOPS
OpenShift Compliance Guide, Release 1.0 beta
SELinux
The criticality of protecting the platform in a multi-tenant environment cannot be understated. As a result, the pro-tection offered by SELinux Multi-Category Security (MCS) as an integral component of the layered security modelwithin the Red Hat Enterprise Linux Docker Security Policy is indispensable. RHEL’s Container MCS policy is de-rived and extended from sVirt, the SELinux policy for isolating virtual machine hypervisor processes. sVirt policy hasbeen developed, refined, and continuously tested since 2009, and offers a mature and validated model for infrastructureprotection. It is the gold standard of preventing a compromised process from gaining additional privileges or access tocomponents of the system that have not been specifically allowed by policy.
In a SELinux-labeled file or process, there multiple fields that affect how the policy is evaluated. Most critical forinterpretation of the container MCS policy are the type and category fields. In the case of a container process, the typewill be svirt_lxc_net_t. This indicates that the process will only be allowed to invoke system actions that have beenexplicitly whitelisted in the policy. On the other hand, the category fields will be uniquely assigned for each process.This ensures that container processes on the same physical system are not permitted to interact at the system level, andthat tenants in the multi-tenant system are unable to access or affect other tenants.
2.2. Architecture 23
OpenShift Compliance Guide, Release 1.0 beta
24 Chapter 2. Security CONOPS
CHAPTER 3
Security Controls
3.1 Overview
These security controls comply with FISMA Low, Moderate, and High requirements as defined by NIST SP800-53r4.
Each control indicates the role responsible for implementing that control. The defined roles are based on those identi-fied in the FedRAMP SSP Template, but have been modified to make sense in the context of Security CONOPS.
Role Description NumberRespon-sible
Organiza-tion
A control that is satisfied by the hosting organization. This includes enterprise servicessuch as LDAP, the Audit and Logging solution, etc.
423
IaaS A control that is satisfied by the Organization’s Infrastructure as a Service implemen-tation. In the Security CONOPS reference architecture, this is AWS, or the Landlord’sLandlord.
11
Open-ShiftLandlord
Container Platform’s implementation. This includes tools such as Ansible Tower andOpenSCAP.
187
Open-ShiftTenant
Controls that need to be implemented by the programs hosted on the OpenShift Con-tainer Platform. These controls are listed in the Customer Responsibility Matrix.
73
Totaluniquecontrols
All unique technical controls tracked by this guide. 658
3.1.1 Procedural Generation
This chapter is automatically generated from the master_sctm.xlsx spreadsheet on this project’s GitHub. Do not editit directly. If you’d like to change how this chapter is rendered, refer to the following:
25
OpenShift Compliance Guide, Release 1.0 beta
File Descriptionmas-ter_sctm_parser.py
Python program that parses the master_sctm.xlsx spreadsheet using the openpyxl module. Whe editingthis sheet do not change the existing column headers. Column order does not matter. New columnscan be added. Only visible rows are processed, so auto-filters can be used to modify which controls arerendered.
secu-rity_control.j2
Jinja2 template that is used to render this chapter.
crm.j2 Jinja2 template that is used to generate the Customer Responsibility Matrix.
3.2 AC-1 - Access Control Policy And Procedures
Requirement ACCESS CONTROL POLICY AND PROCEDURES Control: The organization: a. De-velops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.An access control policy that addresses purpose, scope, roles, responsibilities, management commit-ment, coordination among organizational entities, and compliance; and 2. Procedures to facilitatethe implementation of the access control policy and associated access controls; and b. Reviews andupdates the current: 1. Access control policy [Assignment: organization-defined frequency]; and 2.Access control procedures [Assignment: organization-defined frequency].
3.2.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.2.2 AC-1 What is the solution and how is it implemented?
Part a
Requirement ACCESS CONTROL POLICY AND PROCEDURES Control: The organization: a. De-velops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.An access control policy that addresses purpose, scope, roles, responsibilities, management commit-ment, coordination among organizational entities, and compliance; and
Role Organization
Status Inherited
Details Developed and maintained by the Organization. OCP framework admistrators with the policy aspublished.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the access control policy and associated accesscontrols; and
Role Organization
26 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details Developed and maintained by the Organization. OCP framework admistrators with the policy aspublished.
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Access control policy [Assignment: organization-definedfrequency]; and
Role Organization
Status Inherited
Details Developed and maintained by the Organization. OCP framework admistrators with the policy aspublished.
References SP 800-12; SP 800-100;
Part d
Requirement
2. Access control procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Developed and maintained by the Organization. OCP framework admistrators with the policy aspublished.
References SP 800-12; SP 800-100;
3.3 AC-12 - Session Termination
Requirement SESSION TERMINATION Control: The information system automatically terminates auser session after [Assignment: organization-defined conditions or trigger events requiring sessiondisconnect].
3.3.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.3. AC-12 - Session Termination 27
OpenShift Compliance Guide, Release 1.0 beta
3.3.2 AC-12 What is the solution and how is it implemented?
Part a
Requirement SESSION TERMINATION Control: The information system automatically terminates auser session after [Assignment: organization-defined conditions or trigger events requiring sessiondisconnect].
Role OpenShift Landlord
Status Planned
Details Access to the OpenShift API endpoints is granted via token that can only be acquired by a userwith an X.509 certificate who’s DN is in the proper OU. The tokens expire at the organizationallydefined interval.
3.4 AC-14 - Permitted Actions Without Identification Or Authentica-tion
Requirement PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION Con-trol: The organization: a. Identifies [Assignment: organization-defined user actions] that can beperformed on the information system without identification or authentication consistent with orga-nizational missions/business functions; and b. Documents and provides supporting rationale in thesecurity plan for the information system, user actions not requiring identification or authentication.
3.4.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.4.2 AC-14 What is the solution and how is it implemented?
Part a
Requirement PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION Con-trol: The organization: a. Identifies [Assignment: organization-defined user actions] that can beperformed on the information system without identification or authentication consistent with orga-nizational missions/business functions; and
Role Organization, OpenShift Landlord
Status Implemented
Details All actions (OpenShift user & admins) require prior authentication and authorization
Part b
Requirement
28 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
b. Documents and provides supporting rationale in the security plan for the information system,user actions not requiring identification or authentication.
Role Organization, OpenShift Landlord
Status Implemented
Details See AC-14a
3.5 AC-17 - Remote Access
Requirement REMOTE ACCESS Control: The organization: a. Establishes and documents usage re-strictions, configuration/connection requirements, and implementation guidance for each type ofremote access allowed; and b. Authorizes remote access to the information system prior to allowingsuch connections.
3.5.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.5.2 AC-17 What is the solution and how is it implemented?
Part a
Requirement REMOTE ACCESS Control: The organization: a. Establishes and documents usage re-strictions, configuration/connection requirements, and implementation guidance for each type ofremote access allowed; and
Role Organization
Status Inherited
Details Inherited from organizational policies.
References SP 800-46; SP 800-77; SP 800-113; SP 800-114; SP 800-121;
Part b
Requirement
b. Authorizes remote access to the information system prior to allowing such connections.
Role Organization
Status Inherited
Details All users must be authorized via organizational request which requires staff approval for accessto the system.
References SP 800-46; SP 800-77; SP 800-113; SP 800-114; SP 800-121;
3.5. AC-17 - Remote Access 29
OpenShift Compliance Guide, Release 1.0 beta
3.6 AC-18 - Wireless Access
Requirement WIRELESS ACCESS Control: The organization: a. Establishes usage restrictions, con-figuration/connection requirements, and implementation guidance for wireless access; and b. Au-thorizes wireless access to the information system prior to allowing such connections.
3.6.1 Control Summary Information
Role OpenShift Landlord
Status Not implemented
Origin OpenShift Landlord SSP
3.6.2 AC-18 What is the solution and how is it implemented?
Part a
Requirement WIRELESS ACCESS Control: The organization: a. Establishes usage restrictions, con-figuration/connection requirements, and implementation guidance for wireless access; and
Role OpenShift Landlord
Status Not implemented
Details Tailored out - there are no wireless components to the system.
References SP 800-48; SP 800-94; SP 800-97;
Part b
Requirement
b. Authorizes wireless access to the information system prior to allowing such connections.
Role OpenShift Landlord
Status Not implemented
Details See AC-18a
References SP 800-48; SP 800-94; SP 800-97;
3.7 AC-18(5) - Wireless Access | Antennas / Transmission Power Lev-els
Requirement WIRELESS ACCESS | ANTENNAS / TRANSMISSION POWER LEVELS The organi-zation selects radio antennas and calibrates transmission power levels to reduce the probability thatusable signals can be received outside of organization-controlled boundaries.
30 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.7.1 Control Summary Information
Role OpenShift Landlord
Status Not implemented
Origin OpenShift Landlord SSP
3.7.2 AC-18(5) What is the solution and how is it implemented?
Part a
Requirement WIRELESS ACCESS | ANTENNAS / TRANSMISSION POWER LEVELS The organi-zation selects radio antennas and calibrates transmission power levels to reduce the probability thatusable signals can be received outside of organization-controlled boundaries.
Role OpenShift Landlord
Status Not implemented
Details See AC-18a
3.8 AC-19 - Access Control For Mobile Devices
Requirement ACCESS CONTROL FOR MOBILE DEVICES Control: The organization: a. Establishesusage restrictions, configuration requirements, connection requirements, and implementation guid-ance for organization-controlled mobile devices; and b. Authorizes the connection of mobile devicesto organizational information systems.
3.8.1 Control Summary Information
Role OpenShift Landlord
Status Not implemented
Origin OpenShift Landlord SSP
3.8.2 AC-19 What is the solution and how is it implemented?
Part a
Requirement ACCESS CONTROL FOR MOBILE DEVICES Control: The organization: a. Estab-lishes usage restrictions, configuration requirements, connection requirements, and implementationguidance for organization-controlled mobile devices; and
Role OpenShift Landlord
Status Not implemented
Details Tailored out - there are no Mobile components to the system.
References OMB M-06-16; SP 800-114; SP 800-124; SP 800-164;
3.8. AC-19 - Access Control For Mobile Devices 31
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Authorizes the connection of mobile devices to organizational information systems.
Role OpenShift Landlord
Status Not implemented
Details Reference AC-19a
References OMB M-06-16; SP 800-114; SP 800-124; SP 800-164;
3.9 AC-19(5) - Access Control For Mobile Devices | Full Device /Container-based Encryption
Requirement ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION The organization employs [Selection: full-device encryption; containerencryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
3.9.1 Control Summary Information
Role OpenShift Landlord
Status Not implemented
Origin OpenShift Landlord SSP
3.9.2 AC-19(5) What is the solution and how is it implemented?
Part a
Requirement ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION The organization employs [Selection: full-device encryption; containerencryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].
Role OpenShift Landlord
Status Not implemented
Details Reference AC-19a
3.10 AC-2 - Account Management
Requirement ACCOUNT MANAGEMENT Control: The organization: a. Identifies and selects the fol-lowing types of information system accounts to support organizational missions/business functions:[Assignment: organization-defined information system account types]; b. Assigns account man-agers for information system accounts; c. Establishes conditions for group and role membership;d. Specifies authorized users of the information system, group and role membership, and access
32 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
authorizations (i.e., privileges) and other attributes (as required) for each account; e. Requires ap-provals by [Assignment: organization-defined personnel or roles] for requests to create informationsystem accounts; f. Creates, enables, modifies, disables, and removes information system accountsin accordance with [Assignment: organization-defined procedures or conditions]; g. Monitors theuse of, information system accounts; h. Notifies account managers: 1. When accounts are no longerrequired; 2. When users are terminated or transferred; and 3. When individual information systemusage or need-to-know changes; i. Authorizes access to the information system based on: 1. Avalid access authorization; 2. Intended system usage; and 3. Other attributes as required by theorganization or associated missions/business functions; j. Reviews accounts for compliance with ac-count management requirements [Assignment: organization-defined frequency]; and k. Establishesa process for reissuing shared/group account credentials (if deployed) when individuals are removedfrom the group.
3.10.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.10.2 AC-2 What is the solution and how is it implemented?
Part a
Requirement ACCOUNT MANAGEMENT Control: The organization: a. Identifies and selects the fol-lowing types of information system accounts to support organizational missions/business functions:[Assignment: organization-defined information system account types];
Role Organization
Status Inherited
Details Developed and maintained by the Organization. OCP framework admistrators with the policy aspublished.
Part b
Requirement
b. Assigns account managers for information system accounts;
Role Organization
Status Inherited
Details Developed and maintained by the Organization. OCP framework admistrators with the policy aspublished.
Part c
Requirement
c. Establishes conditions for group and role membership;
Role Organization
3.10. AC-2 - Account Management 33
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details Developed and maintained by the Organization. OCP framework admistrators with the policy aspublished.
Part d
Requirement
d. Specifies authorized users of the information system, group and role membership, and accessauthorizations (i.e., privileges) and other attributes (as required) for each account;
Role Organization, OpenShift Landlord
Status Implemented
Details Users - delegated to enterprise Admins - user credentials deployed via Ansible Tower
Part e
Requirement
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests tocreate information system accounts;
Role IaaS
Status Inherited
Details Inherited from IaaS user policy.
Part f
Requirement
f. Creates, enables, modifies, disables, and removes information system accounts in accordancewith [Assignment: organization-defined procedures or conditions];
Role IaaS
Status Inherited
Details Inherited from IaaS user policy.
Part g
Requirement
g. Monitors the use of, information system accounts;
Role Organization, IaaS
Status Inherited
Details Inherited from organization desktop policy and IaaS user policy.
34 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part h
Requirement
h. Notifies account managers: 1. When accounts are no longer required;
Role Organization
Status Inherited
Details Inherited from organizational policy and user directory. OpenShift authenticates against X.509certificates, and is configured to check the corporate OCSP responder.
Part i
Requirement
2. When users are terminated or transferred; and
Role Organization
Status Inherited
Details Inherited from organizational policy and user directory. OpenShift authenticates against X.509certificates, and is configured to check the corporate OCSP responder.
Part j
Requirement
3. When individual information system usage or need-to-know changes;
Role Organization, OpenShift Landlord
Status Implemented
Details Access to OpenShift is controled by the user’s X.509 DN being in an Organizational Unit in theuser directory. If the user no longer requires access, the organization removes the user’s DN fromthe OU. Cluster admin access is managed by SSH keys via Ansible Tower and can be easily removedfrom all systems when employees leave or when directed to do so by the COR.
Part k
Requirement
i. Authorizes access to the information system based on: 1. A valid access authorization;
Role Organization, OpenShift Landlord
Status Implemented
Details Inherited from organizational policy and user directory. OpenShift authenticates against X.509certificates, and is configured to check the corporate OCSP responder.
3.10. AC-2 - Account Management 35
OpenShift Compliance Guide, Release 1.0 beta
Part l
Requirement
2. Intended system usage; and
Role Organization, OpenShift Landlord
Status Implemented
Details Inherited from organizational policy and user directory. OpenShift authenticates against X.509certificates, and is configured to check the corporate OCSP responder.
Part m
Requirement
3. Other attributes as required by the organization or associated missions/business functions;
Role Organization, OpenShift Landlord
Status Implemented
Details Inherited from organizational policy and user directory. OpenShift authenticates against X.509certificates, and is configured to check the corporate OCSP responder.
Part n
Requirement
j. Reviews accounts for compliance with account management requirements [Assignment:organization-defined frequency]; and
Role Organization, OpenShift Landlord
Status Implemented
Details Users - inherited from to organization user directory Admins - continuous CM by Ansible Tower
Part o
Requirement
k. Establishes a process for reissuing shared/group account credentials (if deployed) when indi-viduals are removed from the group.
Role OpenShift Landlord
Status Not implemented
Details No shared credentials
3.11 AC-2(1) - Account Management | Automated System AccountManagement
Requirement ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENTThe organization employs automated mechanisms to support the management of information systemaccounts.
36 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.11.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.11.2 AC-2(1) What is the solution and how is it implemented?
Part a
Requirement ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENTThe organization employs automated mechanisms to support the management of information systemaccounts.
Role Organization, OpenShift Landlord
Status Implemented
Details Users - delegated to enterprise Admins - user credentials deployed via puppet/ansible
3.12 AC-2(11) - Account Management | Usage Conditions
Requirement ACCOUNT MANAGEMENT | USAGE CONDITIONS The information system en-forces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment:organization-defined information system accounts].
3.12.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.12.2 AC-2(11) What is the solution and how is it implemented?
Part a
Requirement ACCOUNT MANAGEMENT | USAGE CONDITIONS The information system en-forces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment:organization-defined information system accounts].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.12. AC-2(11) - Account Management | Usage Conditions 37
OpenShift Compliance Guide, Release 1.0 beta
3.13 AC-2(2) - Account Management | Removal Of Temporary / Emer-gency Accounts
Requirement ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY AC-COUNTS The information system automatically [Selection: removes; disables] temporary andemergency accounts after [Assignment: organization-defined time period for each type of account].
3.13.1 Control Summary Information
Role OpenShift Landlord
Status Not implemented
Origin OpenShift Landlord SSP
3.13.2 AC-2(2) What is the solution and how is it implemented?
Part a
Requirement ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY AC-COUNTS The information system automatically [Selection: removes; disables] temporary andemergency accounts after [Assignment: organization-defined time period for each type of account].
Role OpenShift Landlord
Status Not implemented
Details No emergency accounts
3.14 AC-2(3) - Account Management | Disable Inactive Accounts
Requirement ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS The information sys-tem automatically disables inactive accounts after [Assignment: organization-defined time period].
3.14.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.14.2 AC-2(3) What is the solution and how is it implemented?
Part a
Requirement ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS The information sys-tem automatically disables inactive accounts after [Assignment: organization-defined time period].
Role Organization, OpenShift Landlord
Status Implemented
38 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details Users - delegated to enterprise Admins - not subject to automatic disabling, accounts which areno longer necessary will be detected during review detailed in AC-2j
3.15 AC-20 - Use Of External Information Systems
Requirement USE OF EXTERNAL INFORMATION SYSTEMS Control: The organization establishesterms and conditions, consistent with any trust relationships established with other organizationsowning, operating, and/or maintaining external information systems, allowing authorized individu-als to: a. Access the information system from external information systems; and b. Process, store,or transmit organization-controlled information using external information systems.
3.15.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from a pre-existing ATO
3.15.2 AC-20 What is the solution and how is it implemented?
Part a
Requirement USE OF EXTERNAL INFORMATION SYSTEMS Control: The organization establishesterms and conditions, consistent with any trust relationships established with other organizationsowning, operating, and/or maintaining external information systems, allowing authorized individu-als to: a. Access the information system from external information systems; and
Role Organization
Status Inherited
Details undefined
References FIPS Pub 199;
Part b
Requirement
b. Process, store, or transmit organization-controlled information using external information sys-tems.
Role Organization
Status Inherited
Details undefined
References FIPS Pub 199;
3.15. AC-20 - Use Of External Information Systems 39
OpenShift Compliance Guide, Release 1.0 beta
3.16 AC-21 - Information Sharing
Requirement INFORMATION SHARING Control: The organization: a. Facilitates information shar-ing by enabling authorized users to determine whether access authorizations assigned to the sharingpartner match the access restrictions on the information for [Assignment: organization-defined in-formation sharing circumstances where user discretion is required]; and b. Employs [Assignment:organization-defined automated mechanisms or manual processes] to assist users in making infor-mation sharing/collaboration decisions.
3.16.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from a pre-existing ATO
3.16.2 AC-21 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SHARING Control: The organization: a. Facilitates information shar-ing by enabling authorized users to determine whether access authorizations assigned to the sharingpartner match the access restrictions on the information for [Assignment: organization-defined in-formation sharing circumstances where user discretion is required]; and
Role Organization
Status Inherited
Details undefined
Part b
Requirement
b. Employs [Assignment: organization-defined automated mechanisms or manual processes] toassist users in making information sharing/collaboration decisions.
Role Organization
Status Inherited
Details undefined
3.17 AC-22 - Publicly Accessible Content
Requirement PUBLICLY ACCESSIBLE CONTENT Control: The organization: a. Designates indi-viduals authorized to post information onto a publicly accessible information system; b. Trainsauthorized individuals to ensure that publicly accessible information does not contain nonpublicinformation; c. Reviews the proposed content of information prior to posting onto the publicly ac-cessible information system to ensure that nonpublic information is not included; and d. Reviewsthe content on the publicly accessible information system for nonpublic information [Assignment:organization-defined frequency] and removes such information, if discovered.
40 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.17.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from a pre-existing ATO
3.17.2 AC-22 What is the solution and how is it implemented?
Part a
Requirement PUBLICLY ACCESSIBLE CONTENT Control: The organization: a. Designates individ-uals authorized to post information onto a publicly accessible information system;
Role Organization
Status Inherited
Details Not responsible
Part b
Requirement
b. Trains authorized individuals to ensure that publicly accessible information does not containnonpublic information;
Role Organization
Status Inherited
Details Not responsible
Part c
Requirement
c. Reviews the proposed content of information prior to posting onto the publicly accessible in-formation system to ensure that nonpublic information is not included; and
Role Organization
Status Inherited
Details Not responsible
Part d
Requirement
d. Reviews the content on the publicly accessible information system for nonpublic information[Assignment: organization-defined frequency] and removes such information, if discovered.
Role Organization
Status Inherited
Details Not responsible
3.17. AC-22 - Publicly Accessible Content 41
OpenShift Compliance Guide, Release 1.0 beta
3.18 AC-3 - Access Enforcement
Requirement ACCESS ENFORCEMENT Control: The information system enforces approved autho-rizations for logical access to information and system resources in accordance with applicable accesscontrol policies.
3.18.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.18.2 AC-3 What is the solution and how is it implemented?
Part a
Requirement ACCESS ENFORCEMENT Control: The information system enforces approved autho-rizations for logical access to information and system resources in accordance with applicable accesscontrol policies.
Role Organization, OpenShift Landlord
Status Implemented
Details Users - Access control capabilities implemented through OpenShift tenant applications. Admin-istrators - access control to virtual machines implemented via ssh with key deployment controlledvia Ansible Tower.
3.19 AC-4 - Information Flow Enforcement
Requirement INFORMATION FLOW ENFORCEMENT Control: The information system enforces ap-proved authorizations for controlling the flow of information within the system and between inter-connected systems based on [Assignment: organization-defined information flow control policies].
3.19.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.19.2 AC-4 What is the solution and how is it implemented?
Part a
Requirement INFORMATION FLOW ENFORCEMENT Control: The information system enforces ap-proved authorizations for controlling the flow of information within the system and between inter-connected systems based on [Assignment: organization-defined information flow control policies].
42 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Landlord
Status Implemented
Details All OpenShift infrastructure resources (ie: user database, message bus, Ansible Tower) arehoused within a VPC which can only be externally accessed through a tightly controlled bastionhost which will be configured to be compliant with organization specified controls.
References Web: ucdmo.gov;
3.20 AC-6(3) - Least Privilege | Network Access To Privileged Com-mands
Requirement LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS The or-ganization authorizes network access to [Assignment: organization-defined privileged commands]only for [Assignment: organization-defined compelling operational needs] and documents the ratio-nale for such access in the security plan for the information system.
3.20.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.20.2 AC-6(3) What is the solution and how is it implemented?
Part a
Requirement LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS The or-ganization authorizes network access to [Assignment: organization-defined privileged commands]only for [Assignment: organization-defined compelling operational needs] and documents the ratio-nale for such access in the security plan for the information system.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.21 AC-7 - Unsuccessful Logon Attempts
Requirement UNSUCCESSFUL LOGON ATTEMPTS Control: The information system: a. Enforcesa limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a userduring a [Assignment: organization-defined time period]; and b. Automatically [Selection: locks theaccount/node for an [Assignment: organization-defined time period]; locks the account/node untilreleased by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded.
3.20. AC-6(3) - Least Privilege | Network Access To Privileged Commands 43
OpenShift Compliance Guide, Release 1.0 beta
3.21.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.21.2 AC-7 What is the solution and how is it implemented?
Part a
Requirement UNSUCCESSFUL LOGON ATTEMPTS Control: The information system: a. Enforcesa limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a userduring a [Assignment: organization-defined time period]; and
Role OpenShift Landlord
Status Implemented
Details Logins are done via PKI certificates and/or SSH keys. Invalid logins consist of the user not beingauthorized to login to the target gear, system or console and result in a rejected connection attempt.All rejected attempts are logged for review and provided to the continuous monitoring branch forreview.
Part b
Requirement
b. Automatically [Selection: locks the account/node for an [Assignment: organization-definedtime period]; locks the account/node until released by an administrator; delays next logonprompt according to [Assignment: organization-defined delay algorithm]] when the maximumnumber of unsuccessful attempts is exceeded.
Role OpenShift Landlord
Status Implemented
Details See AC-7a
3.22 AC-8 - System Use Notification
Requirement SYSTEM USE NOTIFICATION Control: The information system: a. Displays to users[Assignment: organization-defined system use notification message or banner] before granting ac-cess to the system that provides privacy and security notices consistent with applicable federal laws,Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Usersare accessing a U.S. Government information system; 2. Information system usage may be moni-tored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibitedand subject to criminal and civil penalties; and 4. Use of the information system indicates con-sent to monitoring and recording; b. Retains the notification message or banner on the screen untilusers acknowledge the usage conditions and take explicit actions to log on to or further access theinformation system; and c. For publicly accessible systems: 1. Displays system use information [As-signment: organization-defined conditions], before granting further access; 2. Displays references,if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for
44 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
such systems that generally prohibit those activities; and 3. Includes a description of the authorizeduses of the system.
3.22.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.22.2 AC-8 What is the solution and how is it implemented?
Part a
Requirement SYSTEM USE NOTIFICATION Control: The information system: a. Displays to users[Assignment: organization-defined system use notification message or banner] before granting ac-cess to the system that provides privacy and security notices consistent with applicable federal laws,Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Usersare accessing a U.S. Government information system;
Role Organization, OpenShift Landlord
Status Implemented
Details For non-priviliged access the user has already acknowledged the required banner upon loginto the organization’s workstation. A non-priviliged user cannot escalate priviliges in the WebGUIcontext. For administrators or priviliged access, only SSH login is supported and a banner will bepresented in compliance with organizational policy.
Part b
Requirement
2. Information system usage may be monitored, recorded, and subject to audit;
Role Organization, OpenShift Landlord
Status Implemented
Details see AC-8a
Part c
Requirement
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penal-ties; and
Role Organization, OpenShift Landlord
Status Implemented
Details see AC-8a
3.22. AC-8 - System Use Notification 45
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
4. Use of the information system indicates consent to monitoring and recording;
Role Organization, OpenShift Landlord
Status Implemented
Details see AC-8a
Part e
Requirement
b. Retains the notification message or banner on the screen until users acknowledge the usageconditions and take explicit actions to log on to or further access the information system; and
Role Organization, OpenShift Landlord
Status Implemented
Details see AC-8a
Part f
Requirement
c. For publicly accessible systems: 1. Displays system use information [Assignment:organization-defined conditions], before granting further access;
Role Organization, OpenShift Landlord
Status Implemented
Details see AC-8a
Part g
Requirement
2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacyaccommodations for such systems that generally prohibit those activities; and
Role Organization, OpenShift Landlord
Status Implemented
Details see AC-8a
Part h
Requirement
3. Includes a description of the authorized uses of the system.
Role Organization, OpenShift Landlord
Status Implemented
46 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details see AC-8a
3.23 AP-1 - Authority To Collect
Requirement AUTHORITY TO COLLECT Control: The organization determines and documents thelegal authority that permits the collection, use, maintenance, and sharing of personally identifiableinformation (PII), either generally or in support of a specific program or information system need.
3.23.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.23.2 AP-1 What is the solution and how is it implemented?
Part a
Requirement AUTHORITY TO COLLECT Control: The organization determines and documents thelegal authority that permits the collection, use, maintenance, and sharing of personally identifiableinformation (PII), either generally or in support of a specific program or information system need.
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a (e); Section 208(c), E-Government Act of 2002(P.L. 107-347); OMB Circular A-130, Appendix I;
3.24 AP-2 - Purpose Specification
Requirement PURPOSE SPECIFICATION Control: The organization describes the purpose(s) forwhich personally identifiable information (PII) is collected, used, maintained, and shared in its pri-vacy notices.
3.24.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.23. AP-1 - Authority To Collect 47
OpenShift Compliance Guide, Release 1.0 beta
3.24.2 AP-2 What is the solution and how is it implemented?
Part a
Requirement PURPOSE SPECIFICATION Control: The organization describes the purpose(s) forwhich personally identifiable information (PII) is collected, used, maintained, and shared in its pri-vacy notices.
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3)(A)-(B); Sections 208(b), (c), E-GovernmentAct of 2002 (P.L. 107-347);
3.25 AR-1 - Governance And Privacy Program
Requirement GOVERNANCE AND PRIVACY PROGRAM Control: The organization: a. Appoints aSenior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for develop-ing, implementing, and maintaining an organization-wide governance and privacy program to ensurecompliance with all applicable laws and regulations regarding the collection, use, maintenance, shar-ing, and disposal of personally identifiable information (PII) by programs and information systems;b. Monitors federal privacy laws and policy for changes that affect the privacy program; c. Allocates[Assignment: organization-defined allocation of budget and staffing] sufficient resources to imple-ment and operate the organization-wide privacy program; d. Develops a strategic organizationalprivacy plan for implementing applicable privacy controls, policies, and procedures; e. Develops,disseminates, and implements operational privacy policies and procedures that govern the appropri-ate privacy and security controls for programs, information systems, or technologies involving PII;and f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency,at least biennially].
3.25.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.25.2 AR-1 What is the solution and how is it implemented?
Part a
Requirement GOVERNANCE AND PRIVACY PROGRAM Control: The organization: a. Appoints aSenior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) accountable for develop-ing, implementing, and maintaining an organization-wide governance and privacy program to ensurecompliance with all applicable laws and regulations regarding the collection, use, maintenance, shar-ing, and disposal of personally identifiable information (PII) by programs and information systems;
Role Organization
Status Inherited
48 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a; E-Government Act of 2002 (P.L. 107-347); Fed-eral Information Security Management Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22;OMB M-05-08; OMB M-07-16; OMB Circular A-130; Federal Enterprise Architecture Securityand Privacy Profile;
Part b
Requirement
b. Monitors federal privacy laws and policy for changes that affect the privacy program;
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a; E-Government Act of 2002 (P.L. 107-347); Fed-eral Information Security Management Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22;OMB M-05-08; OMB M-07-16; OMB Circular A-130; Federal Enterprise Architecture Securityand Privacy Profile;
Part c
Requirement
c. Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient re-sources to implement and operate the organization-wide privacy program;
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a; E-Government Act of 2002 (P.L. 107-347); Fed-eral Information Security Management Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22;OMB M-05-08; OMB M-07-16; OMB Circular A-130; Federal Enterprise Architecture Securityand Privacy Profile;
Part d
Requirement
d. Develops a strategic organizational privacy plan for implementing applicable privacy controls,policies, and procedures;
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a; E-Government Act of 2002 (P.L. 107-347); Fed-eral Information Security Management Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22;OMB M-05-08; OMB M-07-16; OMB Circular A-130; Federal Enterprise Architecture Securityand Privacy Profile;
3.25. AR-1 - Governance And Privacy Program 49
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
e. Develops, disseminates, and implements operational privacy policies and procedures that gov-ern the appropriate privacy and security controls for programs, information systems, or tech-nologies involving PII; and
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a; E-Government Act of 2002 (P.L. 107-347); Fed-eral Information Security Management Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22;OMB M-05-08; OMB M-07-16; OMB Circular A-130; Federal Enterprise Architecture Securityand Privacy Profile;
Part f
Requirement
f. Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency,at least biennially].
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a; E-Government Act of 2002 (P.L. 107-347); Fed-eral Information Security Management Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22;OMB M-05-08; OMB M-07-16; OMB Circular A-130; Federal Enterprise Architecture Securityand Privacy Profile;
3.26 AR-2 - Privacy Impact And Risk Assessment
Requirement PRIVACY IMPACT AND RISK ASSESSMENT Control: The organization: a. Docu-ments and implements a privacy risk management process that assesses privacy risk to individualsresulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifi-able information (PII); and b. Conducts Privacy Impact Assessments (PIAs) for information systems,programs, or other activities that pose a privacy risk in accordance with applicable law, OMB policy,or any existing organizational policies and procedures.
3.26.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
50 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.26.2 AR-2 What is the solution and how is it implemented?
Part a
Requirement PRIVACY IMPACT AND RISK ASSESSMENT Control: The organization: a. Docu-ments and implements a privacy risk management process that assesses privacy risk to individualsresulting from the collection, sharing, storing, transmitting, use, and disposal of personally identifi-able information (PII); and
Role Organization
Status Inherited
Details Inherited from organizational policies.
References Section 208, E-Government Act of 2002 (P.L. 107-347); Federal Information Security Man-agement Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22; OMB M-05-08; OMB M-10-23;
Part b
Requirement
b. Conducts Privacy Impact Assessments (PIAs) for information systems, programs, or other ac-tivities that pose a privacy risk in accordance with applicable law, OMB policy, or any existingorganizational policies and procedures.
Role Organization
Status Inherited
Details Inherited from organizational policies.
References Section 208, E-Government Act of 2002 (P.L. 107-347); Federal Information Security Man-agement Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-03-22; OMB M-05-08; OMB M-10-23;
3.27 AR-3 - Privacy Requirements For Contractors And ServiceProviders
Requirement PRIVACY REQUIREMENTS FOR CONTRACTORS AND SERVICE PROVIDERSControl: The organization: a. Establishes privacy roles, responsibilities, and access requirementsfor contractors and service providers; and b. Includes privacy requirements in contracts and otheracquisition-related documents.
3.27.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.27. AR-3 - Privacy Requirements For Contractors And Service Providers 51
OpenShift Compliance Guide, Release 1.0 beta
3.27.2 AR-3 What is the solution and how is it implemented?
Part a
Requirement PRIVACY REQUIREMENTS FOR CONTRACTORS AND SERVICE PROVIDERSControl: The organization: a. Establishes privacy roles, responsibilities, and access requirementsfor contractors and service providers; and
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a(m); Federal Acquisition Regulation, 48 C.F.R.Part 24; OMB Circular A-130;
Part b
Requirement
b. Includes privacy requirements in contracts and other acquisition-related documents.
Role Organization
Status Inherited
Details Inherited from organizational policies.
References The Privacy Act of 1974, 5 U.S.C. § 552a(m); Federal Acquisition Regulation, 48 C.F.R.Part 24; OMB Circular A-130;
3.28 AR-4 - Privacy Monitoring And Auditing
Requirement PRIVACY MONITORING AND AUDITING Control: The organization monitors andaudits privacy controls and internal privacy policy [Assignment: organization-defined frequency] toensure effective implementation.
3.28.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.28.2 AR-4 What is the solution and how is it implemented?
Part a
Requirement PRIVACY MONITORING AND AUDITING Control: The organization monitors andaudits privacy controls and internal privacy policy [Assignment: organization-defined frequency] toensure effective implementation.
Role Organization, OpenShift Landlord
52 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Implemented
Details Partly inherited; information system auditing satisfied by OpenSCAP scans and Ansible config-uration/compliance management.
References The Privacy Act of 1974, 5 U.S.C. § 552a; Federal Information Security Management Act(FISMA) of 2002, 44 U.S.C. § 3541; Section 208, E-Government Act of 2002 (P.L. 107-347); OMBM-03-22; OMB M-05-08; OMB M-06-16; OMB M-07-16; OMB Circular A-130;
3.29 AR-5 - Privacy Awareness And Training
Requirement PRIVACY AWARENESS AND TRAINING Control: The organization: a. Develops,implements, and updates a comprehensive training and awareness strategy aimed at ensuring thatpersonnel understand privacy responsibilities and procedures; b. Administers basic privacy train-ing [Assignment: organization-defined frequency, at least annually] and targeted, role-based privacytraining for personnel having responsibility for personally identifiable information (PII) or for activ-ities that involve PII [Assignment: organization-defined frequency, at least annually]; and c. Ensuresthat personnel certify (manually or electronically) acceptance of responsibilities for privacy require-ments [Assignment: organization-defined frequency, at least annually].
3.29.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.29.2 AR-5 What is the solution and how is it implemented?
Part a
Requirement PRIVACY AWARENESS AND TRAINING Control: The organization: a. Develops,implements, and updates a comprehensive training and awareness strategy aimed at ensuring thatpersonnel understand privacy responsibilities and procedures;
Role Organization, OpenShift Landlord
Status Implemented
Details Partly inherited; role based training provided by training template required prior to access.
References The Privacy Act of 1974, 5 U.S.C. § 552a(e); Section 208, E-Government Act of 2002 (P.L.107-347); OMB M-03-22; OMB M-07-16;
Part b
Requirement
b. Administers basic privacy training [Assignment: organization-defined frequency, at least annu-ally] and targeted, role-based privacy training for personnel having responsibility for person-ally identifiable information (PII) or for activities that involve PII [Assignment: organization-defined frequency, at least annually]; and
Role Organization, OpenShift Landlord
3.29. AR-5 - Privacy Awareness And Training 53
OpenShift Compliance Guide, Release 1.0 beta
Status Implemented
Details See AR-5a
References The Privacy Act of 1974, 5 U.S.C. § 552a(e); Section 208, E-Government Act of 2002 (P.L.107-347); OMB M-03-22; OMB M-07-16;
Part c
Requirement
c. Ensures that personnel certify (manually or electronically) acceptance of responsibilities forprivacy requirements [Assignment: organization-defined frequency, at least annually].
Role Organization
Status Inherited
Details Inherited from organizational policies. Landlord can provide training template but the organiza-tion must provide acceptance and tracking methods.
References The Privacy Act of 1974, 5 U.S.C. § 552a(e); Section 208, E-Government Act of 2002 (P.L.107-347); OMB M-03-22; OMB M-07-16;
3.30 AR-6 - Privacy Reporting
Requirement PRIVACY REPORTING Control: The organization develops, disseminates, and updatesreports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, asappropriate, to demonstrate accountability with specific statutory and regulatory privacy programmandates, and to senior management and other personnel with responsibility for monitoring privacyprogram progress and compliance.
3.30.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.30.2 AR-6 What is the solution and how is it implemented?
Part a
Requirement PRIVACY REPORTING Control: The organization develops, disseminates, and updatesreports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, asappropriate, to demonstrate accountability with specific statutory and regulatory privacy programmandates, and to senior management and other personnel with responsibility for monitoring privacyprogram progress and compliance.
Role Organization
Status Inherited
Details Inherited from organizational policies.
54 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
References The Privacy Act of 1974, 5 U.S.C. § 552a; Section 208, E-Government Act of 2002 (P.L.107-347); Federal Information Security Management Act (FISMA) of 2002, 44 U.S.C. § 3541;Section 803, 9/11 Commission Act, 42 U.S.C. § 2000ee-1; Section 804, 9/11 Commission Act, 42U.S.C. § 2000ee-3; Section 522, Consolidated Appropriations Act of 2005 (P.L. 108-447); OMBM-03-22; OMB Circular A-130;
3.31 AR-7 - Privacy-enhanced System Design And Development
Requirement PRIVACY-ENHANCED SYSTEM DESIGN AND DEVELOPMENT Control: The orga-nization designs information systems to support privacy by automating privacy controls.
3.31.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.31.2 AR-7 What is the solution and how is it implemented?
Part a
Requirement PRIVACY-ENHANCED SYSTEM DESIGN AND DEVELOPMENT Control: The orga-nization designs information systems to support privacy by automating privacy controls.
Role OpenShift Landlord
Status Implemented
Details We will implement related controls with OpenSCAP and Ansible.
References The Privacy Act of 1974, 5 U.S.C. § 552a(e)(10); Sections 208(b) and(c), E-Government Actof 2002 (P.L. 107-347); OMB M-03-22;
3.32 AR-8 - Accounting Of Disclosures
Requirement ACCOUNTING OF DISCLOSURES Control: The organization: a. Keeps an accurateaccounting of disclosures of information held in each system of records under its control, including:(1) Date, nature, and purpose of each disclosure of a record; and (2) Name and address of the personor agency to which the disclosure was made; b. Retains the accounting of disclosures for the lifeof the record or five years after the disclosure is made, whichever is longer; and c. Makes theaccounting of disclosures available to the person named in the record upon request.
3.32.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.31. AR-7 - Privacy-enhanced System Design And Development 55
OpenShift Compliance Guide, Release 1.0 beta
3.32.2 AR-8 What is the solution and how is it implemented?
Part a
Requirement ACCOUNTING OF DISCLOSURES Control: The organization: a. Keeps an accurateaccounting of disclosures of information held in each system of records under its control, including:(1) Date, nature, and purpose of each disclosure of a record; and
Role Organization, OpenShift Landlord
Status Implemented
Details Partly inherited; fulfilled by OpenShift logging subsystem and the submission of those logs toorganizationally required entities and organizational enterprise A&L services.
References The Privacy Act of 1974, 5 U.S.C. § 552a (c)(1), (c)(3), (j), (k);
Part b
Requirement
(2) Name and address of the person or agency to which the disclosure was made;
Role Organization
Status Inherited
Details See AR-8a
References The Privacy Act of 1974, 5 U.S.C. § 552a (c)(1), (c)(3), (j), (k);
Part c
Requirement
b. Retains the accounting of disclosures for the life of the record or five years after the disclosureis made, whichever is longer; and
Role Organization
Status Inherited
Details See AR-8a
References The Privacy Act of 1974, 5 U.S.C. § 552a (c)(1), (c)(3), (j), (k);
Part d
Requirement
c. Makes the accounting of disclosures available to the person named in the record upon request.
Role Organization
Status Inherited
Details See AR-8a
References The Privacy Act of 1974, 5 U.S.C. § 552a (c)(1), (c)(3), (j), (k);
56 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.33 AT-1 - Security Awareness And Training Policy And Procedures
Requirement SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. A security awareness and training policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and 2. Procedures to facilitate the implementation of the security awareness and trainingpolicy and associated security awareness and training controls; and b. Reviews and updates thecurrent: 1. Security awareness and training policy [Assignment: organization-defined frequency];and 2. Security awareness and training procedures [Assignment: organization-defined frequency].
3.33.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.33.2 AT-1 What is the solution and how is it implemented?
Part a
Requirement SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. A security awareness and training policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-16; SP 800-50; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the security awareness and training policy andassociated security awareness and training controls; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-16; SP 800-50; SP 800-100;
3.33. AT-1 - Security Awareness And Training Policy And Procedures 57
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
b. Reviews and updates the current: 1. Security awareness and training policy [Assignment:organization-defined frequency]; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-16; SP 800-50; SP 800-100;
Part d
Requirement
2. Security awareness and training procedures [Assignment: organization-defined frequency].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-16; SP 800-50; SP 800-100;
3.34 AT-2 - Security Awareness Training
Requirement SECURITY AWARENESS TRAINING Control: The organization provides basic securityawareness training to information system users (including managers, senior executives, and contrac-tors): a. As part of initial training for new users; b. When required by information system changes;and c. [Assignment: organization-defined frequency] thereafter.
3.34.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.34.2 AT-2 What is the solution and how is it implemented?
Part a
Requirement SECURITY AWARENESS TRAINING Control: The organization provides basic securityawareness training to information system users (including managers, senior executives, and contrac-tors): a. As part of initial training for new users;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
58 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
References C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); EO 13587; SP 800-50;
Part b
Requirement
b. When required by information system changes; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); EO 13587; SP 800-50;
Part c
Requirement
c. [Assignment: organization-defined frequency] thereafter.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); EO 13587; SP 800-50;
3.35 AT-3 - Role-based Security Training
Requirement ROLE-BASED SECURITY TRAINING Control: The organization provides role-basedsecurity training to personnel with assigned security roles and responsibilities: a. Before authorizingaccess to the information system or performing assigned duties; b. When required by informationsystem changes; and c. [Assignment: organization-defined frequency] thereafter.
3.35.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.35.2 AT-3 What is the solution and how is it implemented?
Part a
Requirement ROLE-BASED SECURITY TRAINING Control: The organization provides role-basedsecurity training to personnel with assigned security roles and responsibilities: a. Before authorizingaccess to the information system or performing assigned duties;
Role OpenShift Landlord
Status Planned
3.35. AT-3 - Role-based Security Training 59
OpenShift Compliance Guide, Release 1.0 beta
Details NEED TO ADDRESS
References C.F.R. Part Subpart C (C.F.R. 930.301); SP 800-16; SP 800-50;
Part b
Requirement
b. When required by information system changes; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References C.F.R. Part Subpart C (C.F.R. 930.301); SP 800-16; SP 800-50;
Part c
Requirement
c. [Assignment: organization-defined frequency] thereafter.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References C.F.R. Part Subpart C (C.F.R. 930.301); SP 800-16; SP 800-50;
3.36 AT-4 - Security Training Records
Requirement SECURITY TRAINING RECORDS Control: The organization: a. Documents and mon-itors individual information system security training activities including basic security awarenesstraining and specific information system security training; and b. Retains individual training recordsfor [Assignment: organization-defined time period].
3.36.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.36.2 AT-4 What is the solution and how is it implemented?
Part a
Requirement SECURITY TRAINING RECORDS Control: The organization: a. Documents and mon-itors individual information system security training activities including basic security awarenesstraining and specific information system security training; and
Role OpenShift Landlord
60 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
b. Retains individual training records for [Assignment: organization-defined time period].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.37 AU-1 - Audit And Accountability Policy And Procedures
Requirement AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES Control: The organi-zation: a. Develops, documents, and disseminates to [Assignment: organization-defined personnelor roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities,management commitment, coordination among organizational entities, and compliance; and 2. Pro-cedures to facilitate the implementation of the audit and accountability policy and associated auditand accountability controls; and b. Reviews and updates the current: 1. Audit and accountabilitypolicy [Assignment: organization-defined frequency]; and 2. Audit and accountability procedures[Assignment: organization-defined frequency].
3.37.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.37.2 AU-1 What is the solution and how is it implemented?
Part a
Requirement AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES Control: The organi-zation: a. Develops, documents, and disseminates to [Assignment: organization-defined personnelor roles]: 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities,management commitment, coordination among organizational entities, and compliance; and
Role Organization
Status Inherited
Details Inherited from organizational audit policies.
References SP 800-12; SP 800-100;
3.37. AU-1 - Audit And Accountability Policy And Procedures 61
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
2. Procedures to facilitate the implementation of the audit and accountability policy and associatedaudit and accountability controls; and
Role Organization
Status Inherited
Details See AU-1a
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Audit and accountability policy [Assignment:organization-defined frequency]; and
Role Organization
Status Inherited
Details See AU-1a
References SP 800-12; SP 800-100;
Part d
Requirement
2. Audit and accountability procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details See AU-1a
References SP 800-12; SP 800-100;
3.38 AU-11 - Audit Record Retention
Requirement AUDIT RECORD RETENTION Control: The organization retains audit records for [As-signment: organization-defined time period consistent with records retention policy] to provide sup-port for after-the-fact investigations of security incidents and to meet regulatory and organizationalinformation retention requirements.
3.38.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
62 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.38.2 AU-11 What is the solution and how is it implemented?
Part a
Requirement AUDIT RECORD RETENTION Control: The organization retains audit records for [As-signment: organization-defined time period consistent with records retention policy] to provide sup-port for after-the-fact investigations of security incidents and to meet regulatory and organizationalinformation retention requirements.
Role Organization
Status Inherited
Details Inherited from organizational A&L service
3.39 AU-12 - Audit Generation
Requirement AUDIT GENERATION Control: The information system: a. Provides audit record gen-eration capability for the auditable events defined in AU-2 a. at [Assignment: organization-definedinformation system components]; b. Allows [Assignment: organization-defined personnel or roles]to select which auditable events are to be audited by specific components of the information system;and c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
3.39.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.39.2 AU-12 What is the solution and how is it implemented?
Part a
Requirement AUDIT GENERATION Control: The information system: a. Provides audit record gen-eration capability for the auditable events defined in AU-2 a. at [Assignment: organization-definedinformation system components];
Role OpenShift Landlord
Status Implemented
Details Generation of audit records for events described in AU-2 is handled by two separate subsystems.Audit records related to administrative actions are generated by auditd and related system tools whilegeneration of user audit events is performed by the OpenShift software.
Part b
Requirement
b. Allows [Assignment: organization-defined personnel or roles] to select which auditable eventsare to be audited by specific components of the information system; and
3.39. AU-12 - Audit Generation 63
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Landlord
Status Implemented
Details delegate - AU4
Part c
Requirement
c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
Role OpenShift Landlord
Status Implemented
Details See response to AU-3
3.40 AU-2 - Audit Events
Requirement AUDIT EVENTS Control: The organization: a. Determines that the information systemis capable of auditing the following events: [Assignment: organization-defined auditable events];b. Coordinates the security audit function with other organizational entities requiring audit-relatedinformation to enhance mutual support and to help guide the selection of auditable events; c. Pro-vides a rationale for why the auditable events are deemed to be adequate to support after-the-factinvestigations of security incidents; and d. Determines that the following events are to be auditedwithin the information system: [Assignment: organization-defined audited events (the subset of theauditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing foreach identified event].
3.40.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.40.2 AU-2 What is the solution and how is it implemented?
Part a
Requirement AUDIT EVENTS Control: The organization: a. Determines that the information systemis capable of auditing the following events: [Assignment: organization-defined auditable events];
Role Organization
Status Inherited
Details Auditable events are split into two compartments based on their source: (1) administrative eventsperformed by system administrators and (2) user events performed by application developers.
A wide variety of administrative events are captured including user logins via ssh and all actionsperformed as a super-user.
64 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
User events include actions taken through the OpenShift API and audited events include: the cre-ation, update and destruction of applications and component gears.
References SP 800-92; Web: csrc.nist.gov/pcig/cig.html, idmanagement.gov;
Part b
Requirement
b. Coordinates the security audit function with other organizational entities requiring audit-relatedinformation to enhance mutual support and to help guide the selection of auditable events;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-92; Web: csrc.nist.gov/pcig/cig.html, idmanagement.gov;
Part c
Requirement
c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
Role Organization
Status Inherited
Details Auditing of administrative events is designed to capture all actions taken by superusers on thesystems housing the OSO environment. This is intended to capture any attempt to modify the oper-ating environment for hosted applications.
Likewise auditing of application developers is designed to capture all “change” events committedthrough the OSO API.
References SP 800-92; Web: csrc.nist.gov/pcig/cig.html, idmanagement.gov;
Part d
Requirement
d. Determines that the following events are to be audited within the information system: [Assign-ment: organization-defined audited events (the subset of the auditable events defined in AU-2a.) along with the frequency of (or situation requiring) auditing for each identified event].
Role Organization
Status Inherited
Details Auditable events documented in section AU-2a are captured in near-real-time and shared withappropriate stakeholders.
References SP 800-92; Web: csrc.nist.gov/pcig/cig.html, idmanagement.gov;
3.40. AU-2 - Audit Events 65
OpenShift Compliance Guide, Release 1.0 beta
3.41 AU-3 - Content Of Audit Records
Requirement CONTENT OF AUDIT RECORDS Control: The information system generates auditrecords containing information that establishes what type of event occurred, when the event oc-curred, where the event occurred, the source of the event, the outcome of the event, and the identityof any individuals or subjects associated with the event.
3.41.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.41.2 AU-3 What is the solution and how is it implemented?
Part a
Requirement CONTENT OF AUDIT RECORDS Control: The information system generates auditrecords containing information that establishes what type of event occurred, when the event oc-curred, where the event occurred, the source of the event, the outcome of the event, and the identityof any individuals or subjects associated with the event.
Role OpenShift Landlord
Status Implemented
Details Audit records collected for both administrative and user events follow standard, accepted formats.
In the case of administrative events we utilize auditd and capture information as documentedin https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html.
In the case of user events the data formats and standards provided by relevant stakeholders arefollowed.
3.42 AU-3(2) - Content Of Audit Records | Centralized ManagementOf Planned Audit Record Content
Requirement CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNEDAUDIT RECORD CONTENT The information system provides centralized management and con-figuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
3.42.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
66 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.42.2 AU-3(2) What is the solution and how is it implemented?
Part a
Requirement CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNEDAUDIT RECORD CONTENT The information system provides centralized management and con-figuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.43 AU-4 - Audit Storage Capacity
Requirement AUDIT STORAGE CAPACITY Control: The organization allocates audit record storagecapacity in accordance with [Assignment: organization-defined audit record storage requirements].
3.43.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.43.2 AU-4 What is the solution and how is it implemented?
Part a
Requirement AUDIT STORAGE CAPACITY Control: The organization allocates audit record storagecapacity in accordance with [Assignment: organization-defined audit record storage requirements].
Role OpenShift Landlord
Status Implemented
Details Implemented by auditing subsystem and stored on system storage for the organizationally man-dated length of time.
3.44 AU-5 - Response To Audit Processing Failures
Requirement RESPONSE TO AUDIT PROCESSING FAILURES Control: The information system: a.Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processingfailure; and b. Takes the following additional actions: [Assignment: organization-defined actions tobe taken (e.g., shut down information system, overwrite oldest audit records, stop generating auditrecords)].
3.43. AU-4 - Audit Storage Capacity 67
OpenShift Compliance Guide, Release 1.0 beta
3.44.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.44.2 AU-5 What is the solution and how is it implemented?
Part a
Requirement RESPONSE TO AUDIT PROCESSING FAILURES Control: The information system: a.Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processingfailure; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
b. Takes the following additional actions: [Assignment: organization-defined actions to be taken(e.g., shut down information system, overwrite oldest audit records, stop generating auditrecords)].
Role OpenShift Landlord
Status Implemented
Details The system will archive the current log entries to alternate storage to create adequte storage forcurrent logs.
3.45 AU-5(2) - Response To Audit Processing Failures | Real-timeAlerts
Requirement RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS The infor-mation system provides an alert in [Assignment: organization-defined real-time period] to [As-signment: organization-defined personnel, roles, and/or locations] when the following audit failureevents occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
3.45.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
68 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.45.2 AU-5(2) What is the solution and how is it implemented?
Part a
Requirement RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS The infor-mation system provides an alert in [Assignment: organization-defined real-time period] to [As-signment: organization-defined personnel, roles, and/or locations] when the following audit failureevents occur: [Assignment: organization-defined audit failure events requiring real-time alerts].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.46 AU-6 - Audit Review, Analysis, And Reporting
Requirement AUDIT REVIEW, ANALYSIS, AND REPORTING Control: The organization: a. Re-views and analyzes information system audit records [Assignment: organization-defined frequency]for indications of [Assignment: organization-defined inappropriate or unusual activity]; and b. Re-ports findings to [Assignment: organization-defined personnel or roles].
3.46.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.46.2 AU-6 What is the solution and how is it implemented?
Part a
Requirement AUDIT REVIEW, ANALYSIS, AND REPORTING Control: The organization: a. Re-views and analyzes information system audit records [Assignment: organization-defined frequency]for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
b. Reports findings to [Assignment: organization-defined personnel or roles].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.46. AU-6 - Audit Review, Analysis, And Reporting 69
OpenShift Compliance Guide, Release 1.0 beta
3.47 AU-6(5) - Audit Review, Analysis, And Reporting | Integration /Scanning And Monitoring Capabilities
Requirement AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNINGAND MONITORING CAPABILITIES The organization integrates analysis of audit records withanalysis of [Selection (one or more): vulnerability scanning information; performance data; informa-tion system monitoring information; [Assignment: organization-defined data/information collectedfrom other sources]] to further enhance the ability to identify inappropriate or unusual activity.
3.47.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.47.2 AU-6(5) What is the solution and how is it implemented?
Part a
Requirement AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNINGAND MONITORING CAPABILITIES The organization integrates analysis of audit records withanalysis of [Selection (one or more): vulnerability scanning information; performance data; informa-tion system monitoring information; [Assignment: organization-defined data/information collectedfrom other sources]] to further enhance the ability to identify inappropriate or unusual activity.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.48 AU-6(6) - Audit Review, Analysis, And Reporting | CorrelationWith Physical Monitoring
Requirement AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSI-CAL MONITORING The organization correlates information from audit records with informationobtained from monitoring physical access to further enhance the ability to identify suspicious, inap-propriate, unusual, or malevolent activity.
3.48.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
70 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.48.2 AU-6(6) What is the solution and how is it implemented?
Part a
Requirement AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSI-CAL MONITORING The organization correlates information from audit records with informationobtained from monitoring physical access to further enhance the ability to identify suspicious, inap-propriate, unusual, or malevolent activity.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.49 AU-7 - Audit Reduction And Report Generation
Requirement AUDIT REDUCTION AND REPORT GENERATION Control: The information systemprovides an audit reduction and report generation capability that: a. Supports on-demand auditreview, analysis, and reporting requirements and after-the-fact investigations of security incidents;and b. Does not alter the original content or time ordering of audit records.
3.49.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.49.2 AU-7 What is the solution and how is it implemented?
Part a
Requirement AUDIT REDUCTION AND REPORT GENERATION Control: The information systemprovides an audit reduction and report generation capability that: a. Supports on-demand auditreview, analysis, and reporting requirements and after-the-fact investigations of security incidents;and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
b. Does not alter the original content or time ordering of audit records.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.49. AU-7 - Audit Reduction And Report Generation 71
OpenShift Compliance Guide, Release 1.0 beta
3.50 AU-7(1) - Audit Reduction And Report Generation | AutomaticProcessing
Requirement AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSINGThe information system provides the capability to process audit records for events of interest basedon [Assignment: organization-defined audit fields within audit records].
3.50.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.50.2 AU-7(1) What is the solution and how is it implemented?
Part a
Requirement AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSINGThe information system provides the capability to process audit records for events of interest basedon [Assignment: organization-defined audit fields within audit records].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.51 AU-8 - Time Stamps
Requirement TIME STAMPS Control: The information system: a. Uses internal system clocks to gen-erate time stamps for audit records; and b. Records time stamps for audit records that can be mappedto Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment:organization-defined granularity of time measurement].
3.51.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.51.2 AU-8 What is the solution and how is it implemented?
Part a
Requirement TIME STAMPS Control: The information system: a. Uses internal system clocks togenerate time stamps for audit records; and
72 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Landlord
Status Implemented
Details Both administrative and user audit events are timestamped based on the internal clock of themachine from which they were generated.
Part b
Requirement
b. Records time stamps for audit records that can be mapped to Coordinated Universal Time(UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granu-larity of time measurement].
Role OpenShift Landlord
Status Implemented
Details Timestamps are accurate to the millisecond and time zone information is recorded to supportconversion to UTC/GMT.
3.52 AU-9 - Protection Of Audit Information
Requirement PROTECTION OF AUDIT INFORMATION Control: The information system protectsaudit information and audit tools from unauthorized access, modification, and deletion.
3.52.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.52.2 AU-9 What is the solution and how is it implemented?
Part a
Requirement PROTECTION OF AUDIT INFORMATION Control: The information system protectsaudit information and audit tools from unauthorized access, modification, and deletion.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.53 AU-9(2) - Protection Of Audit Information | Audit Backup On Sep-arate Physical Systems / Components
Requirement PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYS-ICAL SYSTEMS / COMPONENTS The information system backs up audit records [Assignment:
3.52. AU-9 - Protection Of Audit Information 73
OpenShift Compliance Guide, Release 1.0 beta
organization-defined frequency] onto a physically different system or system component than thesystem or component being audited.
3.53.1 Control Summary Information
Role Organization
Status Implemented
Origin Inherited from pre-existing ATO
3.53.2 AU-9(2) What is the solution and how is it implemented?
Part a
Requirement PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYS-ICAL SYSTEMS / COMPONENTS The information system backs up audit records [Assignment:organization-defined frequency] onto a physically different system or system component than thesystem or component being audited.
Role Organization
Status Implemented
Details undefined
3.54 AU-9(3) - Protection Of Audit Information | Cryptographic Pro-tection
Requirement PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION Theinformation system implements cryptographic mechanisms to protect the integrity of audit informa-tion and audit tools.
3.54.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.54.2 AU-9(3) What is the solution and how is it implemented?
Part a
Requirement PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION Theinformation system implements cryptographic mechanisms to protect the integrity of audit informa-tion and audit tools.
Role OpenShift Landlord
Status Planned
74 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details NEED TO ADDRESS
3.55 CA-1 - Security Assessment And Authorization Policy And Pro-cedures
Requirement SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURESControl: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses pur-pose, scope, roles, responsibilities, management commitment, coordination among organizationalentities, and compliance; and 2. Procedures to facilitate the implementation of the security assess-ment and authorization policy and associated security assessment and authorization controls; andb. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment:organization-defined frequency]; and 2. Security assessment and authorization procedures [Assign-ment: organization-defined frequency].
3.55.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.55.2 CA-1 What is the solution and how is it implemented?
Part a
Requirement SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURESControl: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security assessment and authorization policy that addresses pur-pose, scope, roles, responsibilities, management commitment, coordination among organizationalentities, and compliance; and
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References SP 800-12; SP 800-37; SP 800-53A; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the security assessment and authorization policyand associated security assessment and authorization controls; and
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References SP 800-12; SP 800-37; SP 800-53A; SP 800-100;
3.55. CA-1 - Security Assessment And Authorization Policy And Procedures 75
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
b. Reviews and updates the current: 1. Security assessment and authorization policy [Assignment:organization-defined frequency]; and
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References SP 800-12; SP 800-37; SP 800-53A; SP 800-100;
Part d
Requirement
2. Security assessment and authorization procedures [Assignment: organization-defined fre-quency].
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References SP 800-12; SP 800-37; SP 800-53A; SP 800-100;
3.56 CA-2 - Security Assessments
Requirement SECURITY ASSESSMENTS Control: The organization: a. Develops a security assess-ment plan that describes the scope of the assessment including: 1. Security controls and controlenhancements under assessment; 2. Assessment procedures to be used to determine security controleffectiveness; and 3. Assessment environment, assessment team, and assessment roles and respon-sibilities; b. Assesses the security controls in the information system and its environment of oper-ation [Assignment: organization-defined frequency] to determine the extent to which the controlsare implemented correctly, operating as intended, and producing the desired outcome with respectto meeting established security requirements; c. Produces a security assessment report that docu-ments the results of the assessment; and d. Provides the results of the security control assessment to[Assignment: organization-defined individuals or roles].
3.56.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.56.2 CA-2 What is the solution and how is it implemented?
76 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement SECURITY ASSESSMENTS Control: The organization: a. Develops a security assess-ment plan that describes the scope of the assessment including: 1. Security controls and controlenhancements under assessment;
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References EO 13587; FIPS Pub 199; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137;
Part b
Requirement
2. Assessment procedures to be used to determine security control effectiveness; and
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References EO 13587; FIPS Pub 199; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137;
Part c
Requirement
3. Assessment environment, assessment team, and assessment roles and responsibilities;
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References EO 13587; FIPS Pub 199; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137;
Part d
Requirement
b. Assesses the security controls in the information system and its environment of operation [As-signment: organization-defined frequency] to determine the extent to which the controls areimplemented correctly, operating as intended, and producing the desired outcome with respectto meeting established security requirements;
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References EO 13587; FIPS Pub 199; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137;
3.56. CA-2 - Security Assessments 77
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
c. Produces a security assessment report that documents the results of the assessment; and
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References EO 13587; FIPS Pub 199; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137;
Part f
Requirement
d. Provides the results of the security control assessment to [Assignment: organization-definedindividuals or roles].
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References EO 13587; FIPS Pub 199; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137;
3.57 CA-2(2) - Security Assessments | Specialized Assessments
Requirement SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS The organization in-cludes as part of security control assessments, [Assignment: organization-defined frequency], [Se-lection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerabilityscanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment:organization-defined other forms of security assessment]].
3.57.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.57.2 CA-2(2) What is the solution and how is it implemented?
Part a
Requirement SECURITY ASSESSMENTS | SPECIALIZED ASSESSMENTS The organization in-cludes as part of security control assessments, [Assignment: organization-defined frequency], [Se-lection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerabilityscanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment:organization-defined other forms of security assessment]].
Role Organization
78 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details The framework will comply with the recommendations of the assessment by addressing thePoAMs created as a result of the assessment.
3.58 CA-3 - System Interconnections
Requirement SYSTEM INTERCONNECTIONS Control: The organization: a. Authorizes connectionsfrom the information system to other information systems through the use of Interconnection Se-curity Agreements; b. Documents, for each interconnection, the interface characteristics, securityrequirements, and the nature of the information communicated; and c. Reviews and updates Inter-connection Security Agreements [Assignment: organization-defined frequency].
3.58.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.58.2 CA-3 What is the solution and how is it implemented?
Part a
Requirement SYSTEM INTERCONNECTIONS Control: The organization: a. Authorizes connectionsfrom the information system to other information systems through the use of Interconnection Secu-rity Agreements;
Role OpenShift Landlord
Status Implemented
Details Interconnection Security Agreements (ISAs) are documented in the System Security Plan (SSP)for the OpenShift system and are updated as required or as changes, additions or deletions occur tothe ISAs.
References FIPS Pub 199; SP 800-47;
Part b
Requirement
b. Documents, for each interconnection, the interface characteristics, security requirements, andthe nature of the information communicated; and
Role OpenShift Landlord
Status Implemented
Details See CA-3a
References FIPS Pub 199; SP 800-47;
3.58. CA-3 - System Interconnections 79
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-definedfrequency].
Role OpenShift Landlord
Status Implemented
Details See CA-3a
References FIPS Pub 199; SP 800-47;
3.59 CA-5 - Plan Of Action And Milestones
Requirement PLAN OF ACTION AND MILESTONES Control: The organization: a. Develops a planof action and milestones for the information system to document the organization’s planned remedialactions to correct weaknesses or deficiencies noted during the assessment of the security controls andto reduce or eliminate known vulnerabilities in the system; and b. Updates existing plan of actionand milestones [Assignment: organization-defined frequency] based on the findings from securitycontrols assessments, security impact analyses, and continuous monitoring activities.
3.59.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.59.2 CA-5 What is the solution and how is it implemented?
Part a
Requirement PLAN OF ACTION AND MILESTONES Control: The organization: a. Develops a planof action and milestones for the information system to document the organization’s planned remedialactions to correct weaknesses or deficiencies noted during the assessment of the security controlsand to reduce or eliminate known vulnerabilities in the system; and
Role OpenShift Landlord
Status Planned
Details Upon delivery of the report from the security assessor(s), a POA&M document will be createdand each item will be addressed with the: a) deficiency b) party responsible for remediation c) theestimated time to remediation and d) the current progress/status of the remediation.
References OMB M-02-01; SP 800-37;
80 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Updates existing plan of action and milestones [Assignment: organization-defined frequency]based on the findings from security controls assessments, security impact analyses, and contin-uous monitoring activities.
Role OpenShift Landlord
Status Planned
Details The POAMs (as described in the response to CA-5a) will be updated as progress is made oron/before predetermined milestone.
References OMB M-02-01; SP 800-37;
3.60 CA-6 - Security Authorization
Requirement SECURITY AUTHORIZATION Control: The organization: a. Assigns a senior-levelexecutive or manager as the authorizing official for the information system; b. Ensures that theauthorizing official authorizes the information system for processing before commencing operations;and c. Updates the security authorization [Assignment: organization-defined frequency].
3.60.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.60.2 CA-6 What is the solution and how is it implemented?
Part a
Requirement SECURITY AUTHORIZATION Control: The organization: a. Assigns a senior-levelexecutive or manager as the authorizing official for the information system;
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References OMB Circular A-130; OMB M-11-33; SP 800-37; SP 800-137;
Part b
Requirement
b. Ensures that the authorizing official authorizes the information system for processing beforecommencing operations; and
Role Organization
Status Inherited
3.60. CA-6 - Security Authorization 81
OpenShift Compliance Guide, Release 1.0 beta
Details Inherited from organizational IA policy.
References OMB Circular A-130; OMB M-11-33; SP 800-37; SP 800-137;
Part c
Requirement
c. Updates the security authorization [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Inherited from organizational IA policy.
References OMB Circular A-130; OMB M-11-33; SP 800-37; SP 800-137;
3.61 CA-7 - Continuous Monitoring
Requirement CONTINUOUS MONITORING Control: The organization develops a continuous mon-itoring strategy and implements a continuous monitoring program that includes: a. Establishmentof [Assignment: organization-defined metrics] to be monitored; b. Establishment of [Assignment:organization-defined frequencies] for monitoring and [Assignment: organization-defined frequen-cies] for assessments supporting such monitoring; c. Ongoing security control assessments in ac-cordance with the organizational continuous monitoring strategy; d. Ongoing security status moni-toring of organization-defined metrics in accordance with the organizational continuous monitoringstrategy; e. Correlation and analysis of security-related information generated by assessments andmonitoring; f. Response actions to address results of the analysis of security-related information;and g. Reporting the security status of organization and the information system to [Assignment:organization-defined personnel or roles] [Assignment: organization-defined frequency].
3.61.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.61.2 CA-7 What is the solution and how is it implemented?
Part a
Requirement CONTINUOUS MONITORING Control: The organization develops a continuous moni-toring strategy and implements a continuous monitoring program that includes: a. Establishment of[Assignment: organization-defined metrics] to be monitored;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References OMB M-11-33; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137; US-CERTTechnical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts;
82 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assign-ment: organization-defined frequencies] for assessments supporting such monitoring;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References OMB M-11-33; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137; US-CERTTechnical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts;
Part c
Requirement
c. Ongoing security control assessments in accordance with the organizational continuous moni-toring strategy;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References OMB M-11-33; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137; US-CERTTechnical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts;
Part d
Requirement
d. Ongoing security status monitoring of organization-defined metrics in accordance with the or-ganizational continuous monitoring strategy;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References OMB M-11-33; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137; US-CERTTechnical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts;
Part e
Requirement
e. Correlation and analysis of security-related information generated by assessments and monitor-ing;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.61. CA-7 - Continuous Monitoring 83
OpenShift Compliance Guide, Release 1.0 beta
References OMB M-11-33; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137; US-CERTTechnical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts;
Part f
Requirement
f. Response actions to address results of the analysis of security-related information; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References OMB M-11-33; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137; US-CERTTechnical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts;
Part g
Requirement
g. Reporting the security status of organization and the information system to [Assignment:organization-defined personnel or roles] [Assignment: organization-defined frequency].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References OMB M-11-33; SP 800-37; SP 800-39; SP 800-53A; SP 800-115; SP 800-137; US-CERTTechnical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts;
3.62 CA-7(1) - Continuous Monitoring | Independent Assessment
Requirement CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT The organization em-ploys assessors or assessment teams with [Assignment: organization-defined level of independence]to monitor the security controls in the information system on an ongoing basis.
3.62.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.62.2 CA-7(1) What is the solution and how is it implemented?
Part a
Requirement CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT The organization em-ploys assessors or assessment teams with [Assignment: organization-defined level of independence]to monitor the security controls in the information system on an ongoing basis.
84 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.63 CA-8 - Penetration Testing
Requirement PENETRATION TESTING Control: The organization conducts penetration testing [As-signment: organization-defined frequency] on [Assignment: organization-defined information sys-tems or system components].
3.63.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.63.2 CA-8 What is the solution and how is it implemented?
Part a
Requirement PENETRATION TESTING Control: The organization conducts penetration testing [As-signment: organization-defined frequency] on [Assignment: organization-defined information sys-tems or system components].
Role Organization
Status Inherited
Details Inherited from organizational IA team
3.64 CA-9 - Internal System Connections
Requirement INTERNAL SYSTEM CONNECTIONS Control: The organization: a. Authorizes inter-nal connections of [Assignment: organization-defined information system components or classesof components] to the information system; and b. Documents, for each internal connection, theinterface characteristics, security requirements, and the nature of the information communicated.
3.64.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.63. CA-8 - Penetration Testing 85
OpenShift Compliance Guide, Release 1.0 beta
3.64.2 CA-9 What is the solution and how is it implemented?
Part a
Requirement INTERNAL SYSTEM CONNECTIONS Control: The organization: a. Authorizes inter-nal connections of [Assignment: organization-defined information system components or classes ofcomponents] to the information system; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
b. Documents, for each internal connection, the interface characteristics, security requirements,and the nature of the information communicated.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.65 CM-1 - Configuration Management Policy And Procedures
Requirement CONFIGURATION MANAGEMENT POLICY AND PROCEDURES Control: The or-ganization: a. Develops, documents, and disseminates to [Assignment: organization-defined person-nel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, respon-sibilities, management commitment, coordination among organizational entities, and compliance;and 2. Procedures to facilitate the implementation of the configuration management policy andassociated configuration management controls; and b. Reviews and updates the current: 1. Con-figuration management policy [Assignment: organization-defined frequency]; and 2. Configurationmanagement procedures [Assignment: organization-defined frequency].
3.65.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.65.2 CM-1 What is the solution and how is it implemented?
Part a
Requirement CONFIGURATION MANAGEMENT POLICY AND PROCEDURES Control: The or-ganization: a. Develops, documents, and disseminates to [Assignment: organization-defined person-nel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, respon-
86 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
sibilities, management commitment, coordination among organizational entities, and compliance;and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the configuration management policy and asso-ciated configuration management controls; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Configuration management policy [Assignment:organization-defined frequency]; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-100;
Part d
Requirement
2. Configuration management procedures [Assignment: organization-defined frequency].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References SP 800-12; SP 800-100;
3.65. CM-1 - Configuration Management Policy And Procedures 87
OpenShift Compliance Guide, Release 1.0 beta
3.66 CM-10 - Software Usage Restrictions
Requirement SOFTWARE USAGE RESTRICTIONS Control: The organization: a. Uses software andassociated documentation in accordance with contract agreements and copyright laws; b. Tracksthe use of software and associated documentation protected by quantity licenses to control copyingand distribution; and c. Controls and documents the use of peer-to-peer file sharing technology toensure that this capability is not used for the unauthorized distribution, display, performance, orreproduction of copyrighted work.
3.66.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.66.2 CM-10 What is the solution and how is it implemented?
Part a
Requirement SOFTWARE USAGE RESTRICTIONS Control: The organization: a. Uses software andassociated documentation in accordance with contract agreements and copyright laws;
Role Organization
Status Inherited
Details undefined
Part b
Requirement
b. Tracks the use of software and associated documentation protected by quantity licenses to con-trol copying and distribution; and
Role Organization
Status Inherited
Details undefined
Part c
Requirement
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this ca-pability is not used for the unauthorized distribution, display, performance, or reproduction ofcopyrighted work.
Role OpenShift Landlord
Status Not implemented
Details OCP does not user peer-to-peer file-sharing technology
88 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.67 CM-11 - User-installed Software
Requirement USER-INSTALLED SOFTWARE Control: The organization: a. Establishes [Assign-ment: organization-defined policies] governing the installation of software by users; b. Enforcessoftware installation policies through [Assignment: organization-defined methods]; and c. Monitorspolicy compliance at [Assignment: organization-defined frequency].
3.67.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.67.2 CM-11 What is the solution and how is it implemented?
Part a
Requirement USER-INSTALLED SOFTWARE Control: The organization: a. Establishes [Assign-ment: organization-defined policies] governing the installation of software by users;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Enforces software installation policies through [Assignment: organization-defined methods];and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part c
Requirement
c. Monitors policy compliance at [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.67. CM-11 - User-installed Software 89
OpenShift Compliance Guide, Release 1.0 beta
3.68 CM-2 - Baseline Configuration
Requirement BASELINE CONFIGURATION Control: The organization develops, documents, andmaintains under configuration control, a current baseline configuration of the information system.
3.68.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.68.2 CM-2 What is the solution and how is it implemented?
Part a
Requirement BASELINE CONFIGURATION Control: The organization develops, documents, andmaintains under configuration control, a current baseline configuration of the information system.
Role OpenShift Landlord
Status Implemented
Details Configuration management enforced through Ansible playbooks.
References SP 800-128;
3.69 CM-2(2) - Baseline Configuration | Automation Support For Ac-curacy / Currency
Requirement BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CUR-RENCY The organization employs automated mechanisms to maintain an up-to-date, complete,accurate, and readily available baseline configuration of the information system.
3.69.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.69.2 CM-2(2) What is the solution and how is it implemented?
Part a
Requirement BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CUR-RENCY The organization employs automated mechanisms to maintain an up-to-date, complete,accurate, and readily available baseline configuration of the information system.
Role OpenShift Landlord
90 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Implemented
Details See CM-2
3.70 CM-2(3) - Baseline Configuration | Retention Of Previous Con-figurations
Requirement BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONSThe organization retains [Assignment: organization-defined previous versions of baseline configu-rations of the information system] to support rollback.
3.70.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.70.2 CM-2(3) What is the solution and how is it implemented?
Part a
Requirement BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONSThe organization retains [Assignment: organization-defined previous versions of baseline configu-rations of the information system] to support rollback.
Role OpenShift Landlord
Status Implemented
Details Ansible playbooks are revision controled through Git.
3.71 CM-2(7) - Baseline Configuration | Configure Systems, Compo-nents, Or Devices For High-risk Areas
Requirement BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DE-VICES FOR HIGH-RISK AREAS The organization: (a) Issues [Assignment: organization-definedinformation systems, system components, or devices] with [Assignment: organization-defined con-figurations] to individuals traveling to locations that the organization deems to be of significant risk;and (b) Applies [Assignment: organization-defined security safeguards] to the devices when theindividuals return.
3.71.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.70. CM-2(3) - Baseline Configuration | Retention Of Previous Configurations 91
OpenShift Compliance Guide, Release 1.0 beta
3.71.2 CM-2(7) What is the solution and how is it implemented?
Part a
Requirement BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DE-VICES FOR HIGH-RISK AREAS The organization: (a) Issues [Assignment: organization-definedinformation systems, system components, or devices] with [Assignment: organization-defined con-figurations] to individuals traveling to locations that the organization deems to be of significant risk;and
Role Organization
Status Inherited
Details Inherited from organizational policy.
Part b
Requirement
(b) Applies [Assignment: organization-defined security safeguards] to the devices when the indi-viduals return.
Role Organization
Status Inherited
Details See CM-2(7)
3.72 CM-3(1) - Configuration Change Control | Automated Document/ Notification / Prohibition Of Changes
Requirement CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICA-TION / PROHIBITION OF CHANGES The organization employs automated mechanisms to: (a)Document proposed changes to the information system; (b) Notify [Assignment: organized-definedapproval authorities] of proposed changes to the information system and request change approval;(c) Highlight proposed changes to the information system that have not been approved or disap-proved by [Assignment: organization-defined time period]; (d) Prohibit changes to the informationsystem until designated approvals are received; (e) Document all changes to the information sys-tem; and (f) Notify [Assignment: organization-defined personnel] when approved changes to theinformation system are completed.
3.72.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
92 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.72.2 CM-3(1) What is the solution and how is it implemented?
Part a
Requirement CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICA-TION / PROHIBITION OF CHANGES The organization employs automated mechanisms to: (a)Document proposed changes to the information system;
Role OpenShift Landlord
Status Implemented
Details Propsed changes to be submitted via the organization’s CRM tool.
Part b
Requirement
(b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the infor-mation system and request change approval;
Role OpenShift Landlord
Status Implemented
Details See CM-3(1)a
Part c
Requirement
(c) Highlight proposed changes to the information system that have not been approved or disap-proved by [Assignment: organization-defined time period];
Role OpenShift Landlord
Status Implemented
Details See CM-3(1)a
Part d
Requirement
(d) Prohibit changes to the information system until designated approvals are received;
Role OpenShift Landlord
Status Implemented
Details By policy and practice, administrators will not implement proposed changes without organiza-tional approval.
Part e
Requirement
(e) Document all changes to the information system; and
3.72. CM-3(1) - Configuration Change Control | Automated Document / Notification / Prohibition OfChanges
93
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Landlord
Status Implemented
Details See CM-3(1)a
Part f
Requirement
(f) Notify [Assignment: organization-defined personnel] when approved changes to the informa-tion system are completed.
Role OpenShift Landlord
Status Implemented
Details See CM-3(1)a
3.73 CM-3(2) - Configuration Change Control | Test / Validate / Docu-ment Changes
Requirement CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENTCHANGES The organization tests, validates, and documents changes to the information systembefore implementing the changes on the operational system.
3.73.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.73.2 CM-3(2) What is the solution and how is it implemented?
Part a
Requirement CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENTCHANGES The organization tests, validates, and documents changes to the information systembefore implementing the changes on the operational system.
Role OpenShift Landlord
Status Implemented
Details See CM-3b
3.74 CM-4 - Security Impact Analysis
Requirement SECURITY IMPACT ANALYSIS Control: The organization analyzes changes to the in-formation system to determine potential security impacts prior to change implementation.
94 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.74.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.74.2 CM-4 What is the solution and how is it implemented?
Part a
Requirement SECURITY IMPACT ANALYSIS Control: The organization analyzes changes to the in-formation system to determine potential security impacts prior to change implementation.
Role OpenShift Landlord
Status Implemented
Details See CM-3(1)a
References SP 800-128;
3.75 CM-5(3) - Access Restrictions For Change | Signed Components
Requirement ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS The informationsystem prevents the installation of [Assignment: organization-defined software and firmware com-ponents] without verification that the component has been digitally signed using a certificate that isrecognized and approved by the organization.
3.75.1 Control Summary Information
Role IaaS
Status Inherited
Origin Inherited from pre-existing ATO
3.75.2 CM-5(3) What is the solution and how is it implemented?
Part a
Requirement ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS The informationsystem prevents the installation of [Assignment: organization-defined software and firmware com-ponents] without verification that the component has been digitally signed using a certificate that isrecognized and approved by the organization.
Role IaaS
Status Inherited
Details Inherited from IaaS - we are unable to impact lower level IaaS systems.
3.75. CM-5(3) - Access Restrictions For Change | Signed Components 95
OpenShift Compliance Guide, Release 1.0 beta
3.76 CM-6 - Configuration Settings
Requirement CONFIGURATION SETTINGS Control: The organization: a. Establishes and docu-ments configuration settings for information technology products employed within the informationsystem using [Assignment: organization-defined security configuration checklists] that reflect themost restrictive mode consistent with operational requirements; b. Implements the configurationsettings; c. Identifies, documents, and approves any deviations from established configuration set-tings for [Assignment: organization-defined information system components] based on [Assign-ment: organization-defined operational requirements]; and d. Monitors and controls changes to theconfiguration settings in accordance with organizational policies and procedures.
3.76.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.76.2 CM-6 What is the solution and how is it implemented?
Part a
Requirement CONFIGURATION SETTINGS Control: The organization: a. Establishes and documentsconfiguration settings for information technology products employed within the information systemusing [Assignment: organization-defined security configuration checklists] that reflect the most re-strictive mode consistent with operational requirements;
Role OpenShift Landlord
Status Implemented
Details Ansible and OpenSCAP enforce continuous security control compliance and auditing.
References OMB M-07-11; OMB M-07-18; OMB M-08-22; SP 800-70; SP 800-128; Web: nvd.nist.gov,checklists.nist.gov, www.nsa.gov;
Part b
Requirement
b. Implements the configuration settings;
Role OpenShift Landlord
Status Implemented
Details See CM-6a
References OMB M-07-11; OMB M-07-18; OMB M-08-22; SP 800-70; SP 800-128; Web: nvd.nist.gov,checklists.nist.gov, www.nsa.gov;
96 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Identifies, documents, and approves any deviations from established configuration settings for[Assignment: organization-defined information system components] based on [Assignment:organization-defined operational requirements]; and
Role OpenShift Landlord
Status Implemented
Details See CM-3(1)a
References OMB M-07-11; OMB M-07-18; OMB M-08-22; SP 800-70; SP 800-128; Web: nvd.nist.gov,checklists.nist.gov, www.nsa.gov;
Part d
Requirement
d. Monitors and controls changes to the configuration settings in accordance with organizationalpolicies and procedures.
Role OpenShift Landlord
Status Implemented
Details See CM-3c
References OMB M-07-11; OMB M-07-18; OMB M-08-22; SP 800-70; SP 800-128; Web: nvd.nist.gov,checklists.nist.gov, www.nsa.gov;
3.77 CM-6(2) - Configuration Settings | Respond To UnauthorizedChanges
Requirement CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES The or-ganization employs [Assignment: organization-defined security safeguards] to respond to unautho-rized changes to [Assignment: organization-defined configuration settings].
3.77.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.77.2 CM-6(2) What is the solution and how is it implemented?
Part a
Requirement CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES The or-ganization employs [Assignment: organization-defined security safeguards] to respond to unautho-rized changes to [Assignment: organization-defined configuration settings].
3.77. CM-6(2) - Configuration Settings | Respond To Unauthorized Changes 97
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Landlord
Status Implemented
Details Ansible Tower with email notification to the administrator users.
3.78 CM-7 - Least Functionality
Requirement LEAST FUNCTIONALITY Control: The organization: a. Configures the informationsystem to provide only essential capabilities; and b. Prohibits or restricts the use of the follow-ing functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited orrestricted functions, ports, protocols, and/or services].
3.78.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.78.2 CM-7 What is the solution and how is it implemented?
Part a
Requirement LEAST FUNCTIONALITY Control: The organization: a. Configures the informationsystem to provide only essential capabilities; and
Role OpenShift Landlord
Status Implemented
Details Dependent on the individual deployment / project / scope of the project.
References DoD Instruction 8551.01;
Part b
Requirement
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [As-signment: organization-defined prohibited or restricted functions, ports, protocols, and/or ser-vices].
Role OpenShift Landlord
Status Implemented
Details OpenShift infrastructure components communicate with each other using ports, which are com-munication endpoints that are identifiable for specific processes or services. Ensure the followingports required by OpenShift are open between hosts, for example if you have a firewall in yourenvironment. Some ports are optional depending on your configuration and usage.
Node to Node - 4789 - Required for SDN communication between pods on separate hosts.
Nodes to Master - 53 - Required for SDN communication between pods on separate hosts. - 4789- Required for SDN communication between pods on separate hosts. - 443 or 8443 - Required for
98 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
node hosts to communicate to the master API, for the node hosts to post back status, to receive tasks,and so on.
Master to Node - 4789 - Required for SDN communication between pods on separate hosts. - 10250- The master proxies to node hosts via the Kubelet for oc commands.
Master to Master - 53 - Provides DNS services. - 2379 - Used for standalone etcd (clustered) toaccept changes in state. - 2380 - etcd requires this port be open between masters for leader electionand peering connections when using standalone etcd (clustered). - 4001 - Used for embedded etcd(non-clustered) to accept changes in state. - 4789 - Required for SDN communication between podson separate hosts.
External to Master - 443 or 8443 - Required for node hosts to communicate to the master API, fornode hosts to post back status, to receive tasks, and so on.
IaaS Deployments - 22 - Required for SSH by the installer or system administrator. - 53 - ForSkyDNS use. Only required to be internally open on master hosts. - 80 or 443 - For HTTP/HTTPSuse for the router. Required to be externally open on node hosts, especially on nodes running therouter. - 1936 - For router statistics use. Required to be open when running the template routerto access statistics, and can be open externally or internally to connections depending on if youwant the statistics to be expressed publicly. - 4001 - For embedded etcd (non-clustered) use. Onlyrequired to be internally open on the master host. 4001 is for server-client connections. - 2379 and2380 - For standalone etcd use. Only required to be internally open on the master host. 2379 is forserver-client connections. 2380 is for server-server connections, and is only required if you haveclustered etcd. - 4789 - For VxLAN use (OpenShift SDN). Required only internally on node hosts.- 8443 - For use by the OpenShift web console, shared with the API server. - 10250 - For use bythe Kubelet. Required to be externally open on nodes. - 24224 - For use by Fluentd. Required to beopen on master hosts for internal connections to node hosts.
References DoD Instruction 8551.01;
3.79 CM-7(4) - Least Functionality | Unauthorized Software / Black-listing
Requirement LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE / BLACKLISTING Theorganization: (a) Identifies [Assignment: organization-defined software programs not authorized toexecute on the information system]; (b) Employs an allow-all, deny-by-exception policy to prohibitthe execution of unauthorized software programs on the information system; and (c) Reviews andupdates the list of unauthorized software programs [Assignment: organization-defined frequency].
3.79.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.79.2 CM-7(4) What is the solution and how is it implemented?
3.79. CM-7(4) - Least Functionality | Unauthorized Software / Blacklisting 99
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE / BLACKLISTING Theorganization: (a) Identifies [Assignment: organization-defined software programs not authorized toexecute on the information system];
Role Organization
Status Inherited
Details undefined
Part b
Requirement
(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized soft-ware programs on the information system; and
Role Organization
Status Inherited
Details undefined
Part c
Requirement
(c) Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details undefined
3.80 CM-8 - Information System Component Inventory
Requirement INFORMATION SYSTEM COMPONENT INVENTORY Control: The organization: a.Develops and documents an inventory of information system components that: 1. Accurately reflectsthe current information system; 2. Includes all components within the authorization boundary of theinformation system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and4. Includes [Assignment: organization-defined information deemed necessary to achieve effectiveinformation system component accountability]; and b. Reviews and updates the information systemcomponent inventory [Assignment: organization-defined frequency].
3.80.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
100 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.80.2 CM-8 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM COMPONENT INVENTORY Control: The organization: a.Develops and documents an inventory of information system components that: 1. Accurately reflectsthe current information system;
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-128;
Part b
Requirement
2. Includes all components within the authorization boundary of the information system;
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-128;
Part c
Requirement
3. Is at the level of granularity deemed necessary for tracking and reporting; and
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-128;
Part d
Requirement
4. Includes [Assignment: organization-defined information deemed necessary to achieve effectiveinformation system component accountability]; and
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-128;
3.80. CM-8 - Information System Component Inventory 101
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-128;
3.81 CM-8(1) - Information System Component Inventory | UpdatesDuring Installations / Removals
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING IN-STALLATIONS / REMOVALS The organization updates the inventory of information system com-ponents as an integral part of component installations, removals, and information system updates.
3.81.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.81.2 CM-8(1) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING IN-STALLATIONS / REMOVALS The organization updates the inventory of information system com-ponents as an integral part of component installations, removals, and information system updates.
Role OpenShift Landlord
Status Implemented
Details undefined
3.82 CM-8(4) - Information System Component Inventory | Account-ability Information
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY IN-FORMATION The organization includes in the information system component inventory infor-mation, a means for identifying by [Selection (one or more): name; position; role], individualsresponsible/accountable for administering those components.
102 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.82.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.82.2 CM-8(4) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY IN-FORMATION The organization includes in the information system component inventory infor-mation, a means for identifying by [Selection (one or more): name; position; role], individualsresponsible/accountable for administering those components.
Role OpenShift Tenant
Status Planned
Details Specified in the individual project / program’s System Security Plan.
3.83 CM-8(5) - Information System Component Inventory | No Dupli-cate Accounting Of Components
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE AC-COUNTING OF COMPONENTS The organization verifies that all components within the autho-rization boundary of the information system are not duplicated in other information system invento-ries.
3.83.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.83.2 CM-8(5) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE AC-COUNTING OF COMPONENTS The organization verifies that all components within the autho-rization boundary of the information system are not duplicated in other information system invento-ries.
Role OpenShift Landlord
Status Implemented
Details undefined
3.83. CM-8(5) - Information System Component Inventory | No Duplicate Accounting OfComponents
103
OpenShift Compliance Guide, Release 1.0 beta
3.84 CP-1 - Contingency Planning Policy And Procedures
Requirement CONTINGENCY PLANNING POLICY AND PROCEDURES Control: The organiza-tion: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel orroles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, man-agement commitment, coordination among organizational entities, and compliance; and 2. Proce-dures to facilitate the implementation of the contingency planning policy and associated contingencyplanning controls; and b. Reviews and updates the current: 1. Contingency planning policy [As-signment: organization-defined frequency]; and 2. Contingency planning procedures [Assignment:organization-defined frequency].
3.84.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.84.2 CP-1 What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLANNING POLICY AND PROCEDURES Control: The organiza-tion: a. Develops, documents, and disseminates to [Assignment: organization-defined personnelor roles]: 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities,management commitment, coordination among organizational entities, and compliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References Federal Continuity Directive 1; SP 800-12; SP 800-34; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the contingency planning policy and associatedcontingency planning controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References Federal Continuity Directive 1; SP 800-12; SP 800-34; SP 800-100;
Part c
Requirement
104 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
b. Reviews and updates the current: 1. Contingency planning policy [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References Federal Continuity Directive 1; SP 800-12; SP 800-34; SP 800-100;
Part d
Requirement
2. Contingency planning procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References Federal Continuity Directive 1; SP 800-12; SP 800-34; SP 800-100;
3.85 CP-10 - Information System Recovery And Reconstitution
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION Control: The orga-nization provides for the recovery and reconstitution of the information system to a known state aftera disruption, compromise, or failure.
3.85.1 Control Summary Information
Role Organization
Status Implemented
Origin Inherited from pre-existing ATO
3.85.2 CP-10 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION Control: The orga-nization provides for the recovery and reconstitution of the information system to a known state aftera disruption, compromise, or failure.
Role Organization
Status Implemented
Details Inherited from the organization’s enterprise backup service
References Federal Continuity Directive 1; SP 800-34;
3.85. CP-10 - Information System Recovery And Reconstitution 105
OpenShift Compliance Guide, Release 1.0 beta
3.86 CP-10(2) - Information System Recovery And Reconstitution |Transaction Recovery
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTIONRECOVERY The information system implements transaction recovery for systems that aretransaction-based.
3.86.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin Tenant SSP
3.86.2 CP-10(2) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTIONRECOVERY The information system implements transaction recovery for systems that aretransaction-based.
Role OpenShift Tenant
Status Planned
Details undefined
3.87 CP-10(4) - Information System Recovery And Reconstitution |Restore Within Time Period
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTOREWITHIN TIME PERIOD The organization provides the capability to restore information systemcomponents within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the com-ponents.
3.87.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
106 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.87.2 CP-10(4) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTOREWITHIN TIME PERIOD The organization provides the capability to restore information systemcomponents within [Assignment: organization-defined restoration time-periods] from configuration-controlled and integrity-protected information representing a known, operational state for the com-ponents.
Role Organization
Status Inherited
Details undefined
3.88 CP-2 - Contingency Plan
Requirement CONTINGENCY PLAN Control: The organization: a. Develops a contingency plan forthe information system that: 1. Identifies essential missions and business functions and associ-ated contingency requirements; 2. Provides recovery objectives, restoration priorities, and metrics;3. Addresses contingency roles, responsibilities, assigned individuals with contact information; 4.Addresses maintaining essential missions and business functions despite an information system dis-ruption, compromise, or failure; 5. Addresses eventual, full information system restoration withoutdeterioration of the security safeguards originally planned and implemented; and 6. Is reviewedand approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies of thecontingency plan to [Assignment: organization-defined key contingency personnel (identified byname and/or by role) and organizational elements]; c. Coordinates contingency planning activitieswith incident handling activities; d. Reviews the contingency plan for the information system [As-signment: organization-defined frequency]; e. Updates the contingency plan to address changes tothe organization, information system, or environment of operation and problems encountered duringcontingency plan implementation, execution, or testing; f. Communicates contingency plan changesto [Assignment: organization-defined key contingency personnel (identified by name and/or by role)and organizational elements]; and g. Protects the contingency plan from unauthorized disclosure andmodification.
3.88.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.88.2 CP-2 What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN Control: The organization: a. Develops a contingency plan forthe information system that: 1. Identifies essential missions and business functions and associatedcontingency requirements;
Role Organization
3.88. CP-2 - Contingency Plan 107
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part b
Requirement
2. Provides recovery objectives, restoration priorities, and metrics;
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part c
Requirement
3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part d
Requirement
4. Addresses maintaining essential missions and business functions despite an information systemdisruption, compromise, or failure;
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part e
Requirement
5. Addresses eventual, full information system restoration without deterioration of the securitysafeguards originally planned and implemented; and
Role Organization
Status Inherited
Details undefined
108 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
References Federal Continuity Directive 1; SP 800-34;
Part f
Requirement
6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part g
Requirement
b. Distributes copies of the contingency plan to [Assignment: organization-defined key contin-gency personnel (identified by name and/or by role) and organizational elements];
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part h
Requirement
c. Coordinates contingency planning activities with incident handling activities;
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part i
Requirement
d. Reviews the contingency plan for the information system [Assignment: organization-definedfrequency];
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
3.88. CP-2 - Contingency Plan 109
OpenShift Compliance Guide, Release 1.0 beta
Part j
Requirement
e. Updates the contingency plan to address changes to the organization, information system, orenvironment of operation and problems encountered during contingency plan implementation,execution, or testing;
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part k
Requirement
f. Communicates contingency plan changes to [Assignment: organization-defined key contin-gency personnel (identified by name and/or by role) and organizational elements]; and
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
Part l
Requirement
g. Protects the contingency plan from unauthorized disclosure and modification.
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-34;
3.89 CP-2(1) - Contingency Plan | Coordinate With Related Plans
Requirement CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS The organizationcoordinates contingency plan development with organizational elements responsible for relatedplans.
3.89.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
110 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.89.2 CP-2(1) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS The organizationcoordinates contingency plan development with organizational elements responsible for relatedplans.
Role Organization
Status Inherited
Details undefined
3.90 CP-2(2) - Contingency Plan | Capacity Planning
Requirement CONTINGENCY PLAN | CAPACITY PLANNING The organization conducts capacityplanning so that necessary capacity for information processing, telecommunications, and environ-mental support exists during contingency operations.
3.90.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.90.2 CP-2(2) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN | CAPACITY PLANNING The organization conducts capacityplanning so that necessary capacity for information processing, telecommunications, and environ-mental support exists during contingency operations.
Role Organization
Status Inherited
Details undefined
3.91 CP-2(3) - Contingency Plan | Resume Essential Missions / Busi-ness Functions
Requirement CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS / BUSINESS FUNC-TIONS The organization plans for the resumption of essential missions and business functionswithin [Assignment: organization-defined time period] of contingency plan activation.
3.90. CP-2(2) - Contingency Plan | Capacity Planning 111
OpenShift Compliance Guide, Release 1.0 beta
3.91.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.91.2 CP-2(3) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS / BUSINESS FUNC-TIONS The organization plans for the resumption of essential missions and business functionswithin [Assignment: organization-defined time period] of contingency plan activation.
Role Organization
Status Inherited
Details undefined
3.92 CP-2(4) - Contingency Plan | Resume All Missions / BusinessFunctions
Requirement CONTINGENCY PLAN | RESUME ALL MISSIONS / BUSINESS FUNCTIONS Theorganization plans for the resumption of all missions and business functions within [Assignment:organization-defined time period] of contingency plan activation.
3.92.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.92.2 CP-2(4) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN | RESUME ALL MISSIONS / BUSINESS FUNCTIONS Theorganization plans for the resumption of all missions and business functions within [Assignment:organization-defined time period] of contingency plan activation.
Role Organization
Status Inherited
Details undefined
112 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.93 CP-2(5) - Contingency Plan | Continue Essential Missions / Busi-ness Functions
Requirement CONTINGENCY PLAN | CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNC-TIONS The organization plans for the continuance of essential missions and business functions withlittle or no loss of operational continuity and sustains that continuity until full information systemrestoration at primary processing and/or storage sites.
3.93.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.93.2 CP-2(5) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN | CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNC-TIONS The organization plans for the continuance of essential missions and business functions withlittle or no loss of operational continuity and sustains that continuity until full information systemrestoration at primary processing and/or storage sites.
Role Organization
Status Inherited
Details undefined
3.94 CP-2(8) - Contingency Plan | Identify Critical Assets
Requirement CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS The organization identifiescritical information system assets supporting essential missions and business functions.
3.94.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.94.2 CP-2(8) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS The organization identifiescritical information system assets supporting essential missions and business functions.
3.93. CP-2(5) - Contingency Plan | Continue Essential Missions / Business Functions 113
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details undefined
3.95 CP-3 - Contingency Training
Requirement CONTINGENCY TRAINING Control: The organization provides contingency training toinformation system users consistent with assigned roles and responsibilities: a. Within [Assignment:organization-defined time period] of assuming a contingency role or responsibility; b. When re-quired by information system changes; and c. [Assignment: organization-defined frequency] there-after.
3.95.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.95.2 CP-3 What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY TRAINING Control: The organization provides contingency training toinformation system users consistent with assigned roles and responsibilities: a. Within [Assignment:organization-defined time period] of assuming a contingency role or responsibility;
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-16; SP 800-50;
Part b
Requirement
b. When required by information system changes; and
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-16; SP 800-50;
114 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. [Assignment: organization-defined frequency] thereafter.
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; SP 800-16; SP 800-50;
3.96 CP-3(1) - Contingency Training | Simulated Events
Requirement CONTINGENCY TRAINING | SIMULATED EVENTS The organization incorporatessimulated events into contingency training to facilitate effective response by personnel in crisis sit-uations.
3.96.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.96.2 CP-3(1) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY TRAINING | SIMULATED EVENTS The organization incorporatessimulated events into contingency training to facilitate effective response by personnel in crisis sit-uations.
Role Organization
Status Inherited
Details undefined
3.97 CP-4 - Contingency Plan Testing
Requirement CONTINGENCY PLAN TESTING Control: The organization: a. Tests the contingencyplan for the information system [Assignment: organization-defined frequency] using [Assignment:organization-defined tests] to determine the effectiveness of the plan and the organizational readinessto execute the plan; b. Reviews the contingency plan test results; and c. Initiates corrective actions,if needed.
3.96. CP-3(1) - Contingency Training | Simulated Events 115
OpenShift Compliance Guide, Release 1.0 beta
3.97.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.97.2 CP-4 What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN TESTING Control: The organization: a. Tests the contingencyplan for the information system [Assignment: organization-defined frequency] using [Assignment:organization-defined tests] to determine the effectiveness of the plan and the organizational readinessto execute the plan;
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; FIPS Pub 199; SP 800-34; SP 800-84;
Part b
Requirement
b. Reviews the contingency plan test results; and
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; FIPS Pub 199; SP 800-34; SP 800-84;
Part c
Requirement
c. Initiates corrective actions, if needed.
Role Organization
Status Inherited
Details undefined
References Federal Continuity Directive 1; FIPS Pub 199; SP 800-34; SP 800-84;
116 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.98 CP-4(1) - Contingency Plan Testing | Coordinate With RelatedPlans
Requirement CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS The or-ganization coordinates contingency plan testing with organizational elements responsible for relatedplans.
3.98.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.98.2 CP-4(1) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS The or-ganization coordinates contingency plan testing with organizational elements responsible for relatedplans.
Role Organization
Status Inherited
Details undefined
3.99 CP-4(2) - Contingency Plan Testing | Alternate Processing Site
Requirement CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE The organiza-tion tests the contingency plan at the alternate processing site: (a) To familiarize contingency per-sonnel with the facility and available resources; and (b) To evaluate the capabilities of the alternateprocessing site to support contingency operations.
3.99.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.99.2 CP-4(2) What is the solution and how is it implemented?
Part a
Requirement CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE The organiza-tion tests the contingency plan at the alternate processing site: (a) To familiarize contingency per-sonnel with the facility and available resources; and
3.98. CP-4(1) - Contingency Plan Testing | Coordinate With Related Plans 117
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details undefined
Part b
Requirement
(b) To evaluate the capabilities of the alternate processing site to support contingency operations.
Role Organization
Status Inherited
Details undefined
3.100 CP-6 - Alternate Storage Site
Requirement ALTERNATE STORAGE SITE Control: The organization: a. Establishes an alternatestorage site including necessary agreements to permit the storage and retrieval of information systembackup information; and b. Ensures that the alternate storage site provides information securitysafeguards equivalent to that of the primary site.
3.100.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.100.2 CP-6 What is the solution and how is it implemented?
Part a
Requirement ALTERNATE STORAGE SITE Control: The organization: a. Establishes an alternatestorage site including necessary agreements to permit the storage and retrieval of information systembackup information; and
Role Organization
Status Inherited
Details undefined
References SP 800-34;
Part b
Requirement
b. Ensures that the alternate storage site provides information security safeguards equivalent tothat of the primary site.
118 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details undefined
References SP 800-34;
3.101 CP-6(1) - Alternate Storage Site | Separation From Primary Site
Requirement ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE The organiza-tion identifies an alternate storage site that is separated from the primary storage site to reducesusceptibility to the same threats. Supplemental Guidance: Threats that affect alternate storage sitesare typically defined in organizational assessments of risk and include, for example, natural dis-asters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizationsdetermine what is considered a sufficient degree of separation between primary and alternate storagesites based on the types of threats that are of concern. For one particular type of threat (i.e., hostilecyber attack), the degree of separation between sites is less relevant. Related control: RA-3.
3.101.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.101.2 CP-6(1) What is the solution and how is it implemented?
Part a
Requirement ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE The organiza-tion identifies an alternate storage site that is separated from the primary storage site to reducesusceptibility to the same threats. Supplemental Guidance: Threats that affect alternate storage sitesare typically defined in organizational assessments of risk and include, for example, natural dis-asters, structural failures, hostile cyber attacks, and errors of omission/commission. Organizationsdetermine what is considered a sufficient degree of separation between primary and alternate storagesites based on the types of threats that are of concern. For one particular type of threat (i.e., hostilecyber attack), the degree of separation between sites is less relevant. Related control: RA-3.
Role Organization
Status Inherited
Details undefined
3.102 CP-6(2) - Alternate Storage Site | Recovery Time / Point Objec-tives
Requirement ALTERNATE STORAGE SITE | RECOVERY TIME / POINT OBJECTIVES The orga-nization configures the alternate storage site to facilitate recovery operations in accordance withrecovery time and recovery point objectives.
3.101. CP-6(1) - Alternate Storage Site | Separation From Primary Site 119
OpenShift Compliance Guide, Release 1.0 beta
3.102.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.102.2 CP-6(2) What is the solution and how is it implemented?
Part a
Requirement ALTERNATE STORAGE SITE | RECOVERY TIME / POINT OBJECTIVES The orga-nization configures the alternate storage site to facilitate recovery operations in accordance withrecovery time and recovery point objectives.
Role Organization
Status Inherited
Details undefined
3.103 CP-6(3) - Alternate Storage Site | Accessibility
Requirement ALTERNATE STORAGE SITE | ACCESSIBILITY The organization identifies potentialaccessibility problems to the alternate storage site in the event of an area-wide disruption or disasterand outlines explicit mitigation actions.
3.103.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.103.2 CP-6(3) What is the solution and how is it implemented?
Part a
Requirement ALTERNATE STORAGE SITE | ACCESSIBILITY The organization identifies potentialaccessibility problems to the alternate storage site in the event of an area-wide disruption or disasterand outlines explicit mitigation actions.
Role Organization
Status Inherited
Details undefined
120 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.104 CP-7 - Alternate Processing Site
Requirement ALTERNATE PROCESSING SITE Control: The organization: a. Establishes an alternateprocessing site including necessary agreements to permit the transfer and resumption of [Assign-ment: organization-defined information system operations] for essential missions/business functionswithin [Assignment: organization-defined time period consistent with recovery time and recoverypoint objectives] when the primary processing capabilities are unavailable; b. Ensures that equip-ment and supplies required to transfer and resume operations are available at the alternate processingsite or contracts are in place to support delivery to the site within the organization-defined time pe-riod for transfer/resumption; and c. Ensures that the alternate processing site provides informationsecurity safeguards equivalent to that of the primary site.
3.104.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.104.2 CP-7 What is the solution and how is it implemented?
Part a
Requirement ALTERNATE PROCESSING SITE Control: The organization: a. Establishes an alternateprocessing site including necessary agreements to permit the transfer and resumption of [Assign-ment: organization-defined information system operations] for essential missions/business functionswithin [Assignment: organization-defined time period consistent with recovery time and recoverypoint objectives] when the primary processing capabilities are unavailable;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-34;
Part b
Requirement
b. Ensures that equipment and supplies required to transfer and resume operations are available atthe alternate processing site or contracts are in place to support delivery to the site within theorganization-defined time period for transfer/resumption; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-34;
3.104. CP-7 - Alternate Processing Site 121
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Ensures that the alternate processing site provides information security safeguards equivalent tothat of the primary site.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-34;
3.105 CP-7(1) - Alternate Processing Site | Separation From PrimarySite
Requirement ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE The orga-nization identifies an alternate processing site that is separated from the primary processing site toreduce susceptibility to the same threats.
3.105.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.105.2 CP-7(1) What is the solution and how is it implemented?
Part a
Requirement ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE The orga-nization identifies an alternate processing site that is separated from the primary processing site toreduce susceptibility to the same threats.
Role Organization
Status Inherited
Details undefined
3.106 CP-7(2) - Alternate Processing Site | Accessibility
Requirement ALTERNATE PROCESSING SITE | ACCESSIBILITY The organization identifies poten-tial accessibility problems to the alternate processing site in the event of an area-wide disruption ordisaster and outlines explicit mitigation actions.
122 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.106.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.106.2 CP-7(2) What is the solution and how is it implemented?
Part a
Requirement ALTERNATE PROCESSING SITE | ACCESSIBILITY The organization identifies poten-tial accessibility problems to the alternate processing site in the event of an area-wide disruption ordisaster and outlines explicit mitigation actions.
Role Organization
Status Inherited
Details undefined
3.107 CP-7(3) - Alternate Processing Site | Priority Of Service
Requirement ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE The organization developsalternate processing site agreements that contain priority-of-service provisions in accordance withorganizational availability requirements (including recovery time objectives).
3.107.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.107.2 CP-7(3) What is the solution and how is it implemented?
Part a
Requirement ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE The organization developsalternate processing site agreements that contain priority-of-service provisions in accordance withorganizational availability requirements (including recovery time objectives).
Role Organization
Status Inherited
Details undefined
3.107. CP-7(3) - Alternate Processing Site | Priority Of Service 123
OpenShift Compliance Guide, Release 1.0 beta
3.108 CP-7(4) - Alternate Processing Site | Preparation For Use
Requirement ALTERNATE PROCESSING SITE | PREPARATION FOR USE The organization pre-pares the alternate processing site so that the site is ready to be used as the operational site supportingessential missions and business functions.
3.108.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.108.2 CP-7(4) What is the solution and how is it implemented?
Part a
Requirement ALTERNATE PROCESSING SITE | PREPARATION FOR USE The organization pre-pares the alternate processing site so that the site is ready to be used as the operational site supportingessential missions and business functions.
Role Organization
Status Inherited
Details undefined
3.109 CP-8 - Telecommunications Services
Requirement TELECOMMUNICATIONS SERVICES Control: The organization establishes alternatetelecommunications services including necessary agreements to permit the resumption of [Assign-ment: organization-defined information system operations] for essential missions and business func-tions within [Assignment: organization-defined time period] when the primary telecommunicationscapabilities are unavailable at either the primary or alternate processing or storage sites.
3.109.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.109.2 CP-8 What is the solution and how is it implemented?
Part a
Requirement TELECOMMUNICATIONS SERVICES Control: The organization establishes alternatetelecommunications services including necessary agreements to permit the resumption of [Assign-ment: organization-defined information system operations] for essential missions and business func-
124 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
tions within [Assignment: organization-defined time period] when the primary telecommunicationscapabilities are unavailable at either the primary or alternate processing or storage sites.
Role Organization
Status Inherited
Details undefined
References SP 800-34; National Communications Systems Directive 3-10; Web: tsp.ncs.gov;
3.110 CP-8(1) - Telecommunications Services | Priority Of ServiceProvisions
Requirement TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS Theorganization: (a) Develops primary and alternate telecommunications service agreements that con-tain priority-of-service provisions in accordance with organizational availability requirements (in-cluding recovery time objectives); and (b) Requests Telecommunications Service Priority for alltelecommunications services used for national security emergency preparedness in the event that theprimary and/or alternate telecommunications services are provided by a common carrier.
3.110.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.110.2 CP-8(1) What is the solution and how is it implemented?
Part a
Requirement TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS Theorganization: (a) Develops primary and alternate telecommunications service agreements that con-tain priority-of-service provisions in accordance with organizational availability requirements (in-cluding recovery time objectives); and
Role Organization
Status Inherited
Details undefined
Part b
Requirement
(b) Requests Telecommunications Service Priority for all telecommunications services used for na-tional security emergency preparedness in the event that the primary and/or alternate telecom-munications services are provided by a common carrier.
Role Organization
Status Inherited
3.110. CP-8(1) - Telecommunications Services | Priority Of Service Provisions 125
OpenShift Compliance Guide, Release 1.0 beta
Details undefined
3.111 CP-8(2) - Telecommunications Services | Single Points Of Fail-ure
Requirement TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE The organiza-tion obtains alternate telecommunications services to reduce the likelihood of sharing a single pointof failure with primary telecommunications services.
3.111.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.111.2 CP-8(2) What is the solution and how is it implemented?
Part a
Requirement TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE The organiza-tion obtains alternate telecommunications services to reduce the likelihood of sharing a single pointof failure with primary telecommunications services.
Role Organization
Status Inherited
Details undefined
3.112 CP-8(3) - Telecommunications Services | Separation Of Primary/ Alternate Providers
Requirement TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATEPROVIDERS The organization obtains alternate telecommunications services from providers thatare separated from primary service providers to reduce susceptibility to the same threats.
3.112.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
126 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.112.2 CP-8(3) What is the solution and how is it implemented?
Part a
Requirement TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATEPROVIDERS The organization obtains alternate telecommunications services from providers thatare separated from primary service providers to reduce susceptibility to the same threats.
Role Organization
Status Inherited
Details undefined
3.113 CP-8(4) - Telecommunications Services | Provider ContingencyPlan
Requirement TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN The or-ganization: (a) Requires primary and alternate telecommunications service providers to have con-tingency plans; (b) Reviews provider contingency plans to ensure that the plans meet organizationalcontingency requirements; and (c) Obtains evidence of contingency testing/training by providers[Assignment: organization-defined frequency].
3.113.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.113.2 CP-8(4) What is the solution and how is it implemented?
Part a
Requirement TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN The or-ganization: (a) Requires primary and alternate telecommunications service providers to have con-tingency plans;
Role Organization
Status Inherited
Details undefined
Part b
Requirement
(b) Reviews provider contingency plans to ensure that the plans meet organizational contingencyrequirements; and
Role Organization
3.113. CP-8(4) - Telecommunications Services | Provider Contingency Plan 127
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details undefined
Part c
Requirement
(c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details undefined
3.114 CP-9 - Information System Backup
Requirement INFORMATION SYSTEM BACKUP Control: The organization: a. Conducts back-ups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; b. Conducts back-ups of system-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; c. Conducts back-ups of information system documentation including security-related documentation [Assignment:organization-defined frequency consistent with recovery time and recovery point objectives]; and d.Protects the confidentiality, integrity, and availability of backup information at storage locations.
3.114.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.114.2 CP-9 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM BACKUP Control: The organization: a. Conducts backupsof user-level information contained in the information system [Assignment: organization-definedfrequency consistent with recovery time and recovery point objectives];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-34;
128 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Conducts backups of system-level information contained in the information system [Assign-ment: organization-defined frequency consistent with recovery time and recovery point objec-tives];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-34;
Part c
Requirement
c. Conducts backups of information system documentation including security-related documenta-tion [Assignment: organization-defined frequency consistent with recovery time and recoverypoint objectives]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-34;
Part d
Requirement
d. Protects the confidentiality, integrity, and availability of backup information at storage locations.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-34;
3.115 CP-9(1) - Information System Backup | Testing For Reliability /Integrity
Requirement INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITYThe organization tests backup information [Assignment: organization-defined frequency] to verifymedia reliability and information integrity.
3.115. CP-9(1) - Information System Backup | Testing For Reliability / Integrity 129
OpenShift Compliance Guide, Release 1.0 beta
3.115.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.115.2 CP-9(1) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITYThe organization tests backup information [Assignment: organization-defined frequency] to verifymedia reliability and information integrity.
Role Organization
Status Inherited
Details undefined
3.116 CP-9(2) - Information System Backup | Test Restoration UsingSampling
Requirement INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING Theorganization uses a sample of backup information in the restoration of selected information systemfunctions as part of contingency plan testing.
3.116.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.116.2 CP-9(2) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING Theorganization uses a sample of backup information in the restoration of selected information systemfunctions as part of contingency plan testing.
Role Organization
Status Inherited
Details undefined
130 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.117 CP-9(3) - Information System Backup | Separate Storage ForCritical Information
Requirement INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFOR-MATION The organization stores backup copies of [Assignment: organization-defined critical infor-mation system software and other security-related information] in a separate facility or in a fire-ratedcontainer that is not collocated with the operational system.
3.117.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.117.2 CP-9(3) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFOR-MATION The organization stores backup copies of [Assignment: organization-defined critical infor-mation system software and other security-related information] in a separate facility or in a fire-ratedcontainer that is not collocated with the operational system.
Role Organization
Status Inherited
Details undefined
3.118 DI-1 - Data Quality
Requirement DATA QUALITY Control: The organization: a. Confirms to the greatest extent practicableupon collection or creation of personally identifiable information (PII), the accuracy, relevance,timeliness, and completeness of that information; b. Collects PII directly from the individual tothe greatest extent practicable; c. Checks for, and corrects as necessary, any inaccurate or outdatedPII used by its programs or systems [Assignment: organization-defined frequency]; and d. Issuesguidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminatedinformation.
3.118.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.117. CP-9(3) - Information System Backup | Separate Storage For Critical Information 131
OpenShift Compliance Guide, Release 1.0 beta
3.118.2 DI-1 What is the solution and how is it implemented?
Part a
Requirement DATA QUALITY Control: The organization: a. Confirms to the greatest extent practicableupon collection or creation of personally identifiable information (PII), the accuracy, relevance,timeliness, and completeness of that information;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
Part b
Requirement
b. Collects PII directly from the individual to the greatest extent practicable;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
Part c
Requirement
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs orsystems [Assignment: organization-defined frequency]; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
132 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of dis-seminated information.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
3.119 DI-1(1) - Data Quality | Validate Pii
Requirement DATA QUALITY | VALIDATE PII The organization requests that the individual or indi-vidual’s authorized representative validate PII during the collection process.
3.119.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.119.2 DI-1(1) What is the solution and how is it implemented?
Part a
Requirement DATA QUALITY | VALIDATE PII The organization requests that the individual or indi-vidual’s authorized representative validate PII during the collection process.
Role OpenShift Tenant
Status Planned
Details undefined
3.120 DI-1(2) - Data Quality | Re-validate Pii
Requirement DATA QUALITY | RE-VALIDATE PII The organization requests that the individual orindividual’s authorized representative revalidate that PII collected is still accurate [Assignment:organization-defined frequency].
3.119. DI-1(1) - Data Quality | Validate Pii 133
OpenShift Compliance Guide, Release 1.0 beta
3.120.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.120.2 DI-1(2) What is the solution and how is it implemented?
Part a
Requirement DATA QUALITY | RE-VALIDATE PII The organization requests that the individual orindividual’s authorized representative revalidate that PII collected is still accurate [Assignment:organization-defined frequency].
Role OpenShift Tenant
Status Planned
Details undefined
3.121 DI-2 - Data Integrity And Data Integrity Board
Requirement DATA INTEGRITY AND DATA INTEGRITY BOARD Control: The organization: a.Documents processes to ensure the integrity of personally identifiable information (PII) throughexisting security controls; and b. Establishes a Data Integrity Board when appropriate to overseeorganizational Computer Matching Agreements123 and to ensure that those agreements complywith the computer matching provisions of the Privacy Act.
3.121.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.121.2 DI-2 What is the solution and how is it implemented?
Part a
Requirement DATA INTEGRITY AND DATA INTEGRITY BOARD Control: The organization: a.Documents processes to ensure the integrity of personally identifiable information (PII) throughexisting security controls; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (a)(8)(A), (o), (p), (u); OMB Circular A-130,Appendix I;
134 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Match-ing Agreements123 and to ensure that those agreements comply with the computer matchingprovisions of the Privacy Act.
Role Organization
Status Inherited
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (a)(8)(A), (o), (p), (u); OMB Circular A-130,Appendix I;
3.122 DI-2(1) - Data Integrity And Data Integrity Board | PublishAgreements On Website
Requirement DATA INTEGRITY AND DATA INTEGRITY BOARD | PUBLISH AGREEMENTS ONWEBSITE The organization publishes Computer Matching Agreements on its public website.
3.122.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.122.2 DI-2(1) What is the solution and how is it implemented?
Part a
Requirement DATA INTEGRITY AND DATA INTEGRITY BOARD | PUBLISH AGREEMENTS ONWEBSITE The organization publishes Computer Matching Agreements on its public website.
Role Organization
Status Inherited
Details undefined
3.123 DM-1 - Minimization Of Personally Identifiable Information
Requirement MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION Control: Theorganization: a. Identifies the minimum personally identifiable information (PII) elements that arerelevant and necessary to accomplish the legally authorized purpose of collection; b. Limits thecollection and retention of PII to the minimum elements identified for the purposes described in thenotice and for which the individual has provided consent; and c. Conducts an initial evaluation of PIIholdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment:organization-defined frequency, at least annually] to ensure that only PII identified in the notice is
3.122. DI-2(1) - Data Integrity And Data Integrity Board | Publish Agreements On Website 135
OpenShift Compliance Guide, Release 1.0 beta
collected and retained, and that the PII continues to be necessary to accomplish the legally authorizedpurpose.
3.123.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.123.2 DM-1 What is the solution and how is it implemented?
Part a
Requirement MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION Control: Theorganization: a. Identifies the minimum personally identifiable information (PII) elements that arerelevant and necessary to accomplish the legally authorized purpose of collection;
Role Organization
Status Inherited
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §552a (e); Section 208(b), E-Government Act of 2002(P.L. 107-347); OMB M-03-22; OMB M-07-16;
Part b
Requirement
b. Limits the collection and retention of PII to the minimum elements identified for the purposesdescribed in the notice and for which the individual has provided consent; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §552a (e); Section 208(b), E-Government Act of 2002(P.L. 107-347); OMB M-03-22; OMB M-07-16;
Part c
Requirement
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regu-larly reviewing those holdings [Assignment: organization-defined frequency, at least annually]to ensure that only PII identified in the notice is collected and retained, and that the PII continuesto be necessary to accomplish the legally authorized purpose.
Role Organization
Status Inherited
Details undefined
136 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
References The Privacy Act of 1974, 5 U.S.C. §552a (e); Section 208(b), E-Government Act of 2002(P.L. 107-347); OMB M-03-22; OMB M-07-16;
3.124 DM-1(1) - Minimization Of Personally Identifiable Information |Locate / Remove / Redact / Anonymize Pii
Requirement MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION | LOCATE /REMOVE / REDACT / ANONYMIZE PII The organization, where feasible and within the lim-its of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity andreducing the risk resulting from disclosure.
3.124.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.124.2 DM-1(1) What is the solution and how is it implemented?
Part a
Requirement MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION | LOCATE /REMOVE / REDACT / ANONYMIZE PII The organization, where feasible and within the lim-its of technology, locates and removes/redacts specified PII and/or uses anonymization and de-identification techniques to permit use of the retained information while reducing its sensitivity andreducing the risk resulting from disclosure.
Role Organization
Status Inherited
Details undefined
3.125 DM-2 - Data Retention And Disposal
Requirement DATA RETENTION AND DISPOSAL Control: The organization: a. Retains each collec-tion of personally identifiable information (PII) for [Assignment: organization-defined time period]to fulfill the purpose(s) identified in the notice or as required by law; b. Disposes of, destroys,erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorizedaccess; and c. Uses [Assignment: organization-defined techniques or methods] to ensure securedeletion or destruction of PII (including originals, copies, and archived records).
3.125.1 Control Summary Information
Role OpenShift Tenant
3.124. DM-1(1) - Minimization Of Personally Identifiable Information | Locate / Remove / Redact /Anonymize Pii
137
OpenShift Compliance Guide, Release 1.0 beta
Status Planned
Origin OpenShift Tenant SSP
3.125.2 DM-2 What is the solution and how is it implemented?
Part a
Requirement DATA RETENTION AND DISPOSAL Control: The organization: a. Retains each collec-tion of personally identifiable information (PII) for [Assignment: organization-defined time period]to fulfill the purpose(s) identified in the notice or as required by law;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(1), (c)(2); Section 208 (e), E-Government Actof 2002 (P.L. 107-347); 44 U.S.C. Chapters 29, 31, 33; OMB M-07-16; OMB Circular A-130; SP800-88;
Part b
Requirement
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage,in accordance with a NARA-approved record retention schedule and in a manner that preventsloss, theft, misuse, or unauthorized access; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(1), (c)(2); Section 208 (e), E-Government Actof 2002 (P.L. 107-347); 44 U.S.C. Chapters 29, 31, 33; OMB M-07-16; OMB Circular A-130; SP800-88;
Part c
Requirement
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion ordestruction of PII (including originals, copies, and archived records).
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(1), (c)(2); Section 208 (e), E-Government Actof 2002 (P.L. 107-347); 44 U.S.C. Chapters 29, 31, 33; OMB M-07-16; OMB Circular A-130; SP800-88;
138 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.126 DM-2(1) - Data Retention And Disposal | System Configuration
Requirement DATA RETENTION AND DISPOSAL | SYSTEM CONFIGURATION The organization,where feasible, configures its information systems to record the date PII is collected, created, orupdated and when PII is to be deleted or archived under an approved record retention schedule.
3.126.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.126.2 DM-2(1) What is the solution and how is it implemented?
Part a
Requirement DATA RETENTION AND DISPOSAL | SYSTEM CONFIGURATION The organization,where feasible, configures its information systems to record the date PII is collected, created, orupdated and when PII is to be deleted or archived under an approved record retention schedule.
Role OpenShift Tenant
Status Planned
Details undefined
3.127 DM-3 - Minimization Of Pii Used In Testing, Training, And Re-search
Requirement MINIMIZATION OF PII USED IN TESTING, TRAINING, AND RESEARCH Control:The organization: a. Develops policies and procedures that minimize the use of personally identifi-able information (PII) for testing, training, and research; and b. Implements controls to protect PIIused for testing, training, and research.
3.127.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.127.2 DM-3 What is the solution and how is it implemented?
Part a
Requirement MINIMIZATION OF PII USED IN TESTING, TRAINING, AND RESEARCH Control:The organization: a. Develops policies and procedures that minimize the use of personally identifi-able information (PII) for testing, training, and research; and
3.126. DM-2(1) - Data Retention And Disposal | System Configuration 139
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details undefined
References SP 800-122
Part b
Requirement
b. Implements controls to protect PII used for testing, training, and research.
Role OpenShift Tenant
Status Planned
Details undefined
References SP 800-122
3.128 DM-3(1) - Minimization Of Pii Used In Testing, Training, AndResearch | Risk Minimization Techniques
Requirement MINIMIZATION OF PII USED IN TESTING, TRAINING, AND RESEARCH | RISKMINIMIZATION TECHNIQUES The organization, where feasible, uses techniques to minimizethe risk to privacy of using PII for research, testing, or training.
3.128.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.128.2 DM-3(1) What is the solution and how is it implemented?
Part a
Requirement MINIMIZATION OF PII USED IN TESTING, TRAINING, AND RESEARCH | RISKMINIMIZATION TECHNIQUES The organization, where feasible, uses techniques to minimizethe risk to privacy of using PII for research, testing, or training.
Role Organization
Status Inherited
Details undefined
140 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.129 IA-1 - Identification And Authentication Policy And Procedures
Requirement IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. An identification and authentication policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and 2. Procedures to facilitate the implementation of the identification and authentica-tion policy and associated identification and authentication controls; and b. Reviews and updates thecurrent: 1. Identification and authentication policy [Assignment: organization-defined frequency];and 2. Identification and authentication procedures [Assignment: organization-defined frequency].
3.129.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.129.2 IA-1 What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. An identification and authentication policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-12; SP 800-63; SP 800-73; SP 800-76; SP 800-78; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the identification and authentication policy andassociated identification and authentication controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-12; SP 800-63; SP 800-73; SP 800-76; SP 800-78; SP 800-100;
3.129. IA-1 - Identification And Authentication Policy And Procedures 141
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
b. Reviews and updates the current: 1. Identification and authentication policy [Assignment:organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-12; SP 800-63; SP 800-73; SP 800-76; SP 800-78; SP 800-100;
Part d
Requirement
2. Identification and authentication procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-12; SP 800-63; SP 800-73; SP 800-76; SP 800-78; SP 800-100;
3.130 IA-2 - Identification And Authentication (organizational Users)
Requirement IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) Control:The information system uniquely identifies and authenticates organizational users (or processes act-ing on behalf of organizational users).
3.130.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.130.2 IA-2 What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS) Control:The information system uniquely identifies and authenticates organizational users (or processes act-ing on behalf of organizational users).
Role Organization
Status Inherited
142 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details OpenShift has the ability to utilize 3rd party authentication sources such as LDAP and ActiveDirectory. These have the ability to fulfill this control, thus if used with OpenShift this control issatisfied.
References HSPD 12; OMB M-04-04; OMB M-06-16; OMB M-11-11; FIPS Pub 201; SP 800-63; SP800-73; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanage-ment.gov;
3.131 IA-2(1) - Identification And Authentication | Network Access ToPrivileged Accounts
Requirement IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVI-LEGED ACCOUNTS The information system implements multifactor authentication for networkaccess to privileged accounts.
3.131.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.131.2 IA-2(1) What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVI-LEGED ACCOUNTS The information system implements multifactor authentication for networkaccess to privileged accounts.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.132 IA-2(12) - Identification And Authentication | Acceptance Of PivCredentials
Requirement IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDEN-TIALS The information system accepts and electronically verifies Personal Identity Verification(PIV) credentials.
3.132.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.131. IA-2(1) - Identification And Authentication | Network Access To Privileged Accounts 143
OpenShift Compliance Guide, Release 1.0 beta
3.132.2 IA-2(12) What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDEN-TIALS The information system accepts and electronically verifies Personal Identity Verification(PIV) credentials.
Role Organization
Status Inherited
Details OpenShift has the ability to utilize 3rd party authentication sources such as LDAP and ActiveDirectory. These have the ability to fulfill this control, thus if used with OpenShift this control issatisfied.
3.133 IA-2(3) - Identification And Authentication | Local Access ToPrivileged Accounts
Requirement IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGEDACCOUNTS The information system implements multifactor authentication for local access to priv-ileged accounts.
3.133.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.133.2 IA-2(3) What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGEDACCOUNTS The information system implements multifactor authentication for local access to priv-ileged accounts.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.134 IA-4 - Identifier Management
Requirement IDENTIFIER MANAGEMENT Control: The organization manages information systemidentifiers by: a. Receiving authorization from [Assignment: organization-defined personnel orroles] to assign an individual, group, role, or device identifier; b. Selecting an identifier that identifiesan individual, group, role, or device; c. Assigning the identifier to the intended individual, group,
144 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
role, or device; d. Preventing reuse of identifiers for [Assignment: organization-defined time period];and e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
3.134.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.134.2 IA-4 What is the solution and how is it implemented?
Part a
Requirement IDENTIFIER MANAGEMENT Control: The organization manages information systemidentifiers by: a. Receiving authorization from [Assignment: organization-defined personnel orroles] to assign an individual, group, role, or device identifier;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78;
Part b
Requirement
b. Selecting an identifier that identifies an individual, group, role, or device;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78;
Part c
Requirement
c. Assigning the identifier to the intended individual, group, role, or device;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78;
3.134. IA-4 - Identifier Management 145
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78;
Part e
Requirement
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78;
3.135 IA-5 - Authenticator Management
Requirement AUTHENTICATOR MANAGEMENT Control: The organization manages informationsystem authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity ofthe individual, group, role, or device receiving the authenticator; b. Establishing initial authenticatorcontent for authenticators defined by the organization; c. Ensuring that authenticators have suffi-cient strength of mechanism for their intended use; d. Establishing and implementing administrativeprocedures for initial authenticator distribution, for lost/compromised or damaged authenticators,and for revoking authenticators; e. Changing default content of authenticators prior to informationsystem installation; f. Establishing minimum and maximum lifetime restrictions and reuse condi-tions for authenticators; g. Changing/refreshing authenticators [Assignment: organization-definedtime period by authenticator type]; h. Protecting authenticator content from unauthorized disclosureand modification; i. Requiring individuals to take, and having devices implement, specific securitysafeguards to protect authenticators; and j. Changing authenticators for group/role accounts whenmembership to those accounts changes.
3.135.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
146 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.135.2 IA-5 What is the solution and how is it implemented?
Part a
Requirement AUTHENTICATOR MANAGEMENT Control: The organization manages informationsystem authenticators by: a. Verifying, as part of the initial authenticator distribution, the identity ofthe individual, group, role, or device receiving the authenticator;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part b
Requirement
b. Establishing initial authenticator content for authenticators defined by the organization;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part c
Requirement
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part d
Requirement
d. Establishing and implementing administrative procedures for initial authenticator distribution,for lost/compromised or damaged authenticators, and for revoking authenticators;
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.135. IA-5 - Authenticator Management 147
OpenShift Compliance Guide, Release 1.0 beta
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part e
Requirement
e. Changing default content of authenticators prior to information system installation;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part f
Requirement
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authentica-tors;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part g
Requirement
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authen-ticator type];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part h
Requirement
h. Protecting authenticator content from unauthorized disclosure and modification;
Role Organization
Status Inherited
Details Dependent on implementing organization.
148 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part i
Requirement
i. Requiring individuals to take, and having devices implement, specific security safeguards toprotect authenticators; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
Part j
Requirement
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; OMB M-11-11; FIPS Pub 201; SP 800-73; SP 800-63; SP 800-76; SP 800-78; FICAM Roadmap and Implementation Guidance; Web: idmanagement.gov;
3.136 IA-5(1) - Authenticator Management | Password-based Authen-tication
Requirement AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION Theinformation system, for password-based authentication: (a) Enforces minimum password complex-ity of [Assignment: organization-defined requirements for case sensitivity, number of characters,mix of upper-case letters, lower-case letters, numbers, and special characters, including minimumrequirements for each type]; (b) Enforces at least the following number of changed characters whennew passwords are created: [Assignment: organization-defined number]; (c) Stores and transmitsonly encrypted representations of passwords; (d) Enforces password minimum and maximum life-time restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime max-imum]; (e) Prohibits password reuse for [Assignment: organization-defined number] generations;and (f) Allows the use of a temporary password for system logons with an immediate change to apermanent password.
3.136.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.136. IA-5(1) - Authenticator Management | Password-based Authentication 149
OpenShift Compliance Guide, Release 1.0 beta
3.136.2 IA-5(1) What is the solution and how is it implemented?
Part a
Requirement AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION Theinformation system, for password-based authentication: (a) Enforces minimum password complex-ity of [Assignment: organization-defined requirements for case sensitivity, number of characters,mix of upper-case letters, lower-case letters, numbers, and special characters, including minimumrequirements for each type];
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
(b) Enforces at least the following number of changed characters when new passwords are created:[Assignment: organization-defined number];
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part c
Requirement
(c) Stores and transmits only encrypted representations of passwords;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part d
Requirement
(d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
150 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
(e) Prohibits password reuse for [Assignment: organization-defined number] generations; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part f
Requirement
(f) Allows the use of a temporary password for system logons with an immediate change to apermanent password.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.137 IA-5(11) - Authenticator Management | Hardware Token-basedAuthentication
Requirement AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICA-TION The information system, for hardware token-based authentication, employs mechanisms thatsatisfy [Assignment: organization-defined token quality requirements].
3.137.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.137.2 IA-5(11) What is the solution and how is it implemented?
Part a
Requirement AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICA-TION The information system, for hardware token-based authentication, employs mechanisms thatsatisfy [Assignment: organization-defined token quality requirements].
Role Organization
Status Inherited
Details undefined
3.137. IA-5(11) - Authenticator Management | Hardware Token-based Authentication 151
OpenShift Compliance Guide, Release 1.0 beta
3.138 IA-5(2) - Authenticator Management | Pki-based Authentication
Requirement AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION The informa-tion system, for PKI-based authentication: (a) Validates certifications by constructing and verifyinga certification path to an accepted trust anchor including checking certificate status information; (b)Enforces authorized access to the corresponding private key; (c) Maps the authenticated identityto the account of the individual or group; and (d) Implements a local cache of revocation data tosupport path discovery and validation in case of inability to access revocation information via thenetwork.
3.138.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.138.2 IA-5(2) What is the solution and how is it implemented?
Part a
Requirement AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION The informa-tion system, for PKI-based authentication: (a) Validates certifications by constructing and verifyinga certification path to an accepted trust anchor including checking certificate status information;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
(b) Enforces authorized access to the corresponding private key;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part c
Requirement
(c) Maps the authenticated identity to the account of the individual or group; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
152 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
(d) Implements a local cache of revocation data to support path discovery and validation in case ofinability to access revocation information via the network.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.139 IA-5(3) - Authenticator Management | In-person Or TrustedThird-party Registration
Requirement AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTYREGISTRATION The organization requires that the registration process to receive [Assignment:organization-defined types of and/or specific authenticators] be conducted [Selection: in person; bya trusted third party] before [Assignment: organization-defined registration authority] with autho-rization by [Assignment: organization-defined personnel or roles].
3.139.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.139.2 IA-5(3) What is the solution and how is it implemented?
Part a
Requirement AUTHENTICATOR MANAGEMENT | IN-PERSON OR TRUSTED THIRD-PARTYREGISTRATION The organization requires that the registration process to receive [Assignment:organization-defined types of and/or specific authenticators] be conducted [Selection: in person; bya trusted third party] before [Assignment: organization-defined registration authority] with autho-rization by [Assignment: organization-defined personnel or roles].
Role Organization
Status Inherited
Details undefined
3.140 IA-6 - Authenticator Feedback
Requirement AUTHENTICATOR FEEDBACK Control: The information system obscures feedback ofauthentication information during the authentication process to protect the information from possibleexploitation/use by unauthorized individuals.
3.139. IA-5(3) - Authenticator Management | In-person Or Trusted Third-party Registration 153
OpenShift Compliance Guide, Release 1.0 beta
3.140.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.140.2 IA-6 What is the solution and how is it implemented?
Part a
Requirement AUTHENTICATOR FEEDBACK Control: The information system obscures feedback ofauthentication information during the authentication process to protect the information from possibleexploitation/use by unauthorized individuals.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.141 IA-7 - Cryptographic Module Authentication
Requirement CRYPTOGRAPHIC MODULE AUTHENTICATION Control: The information systemimplements mechanisms for authentication to a cryptographic module that meet the requirements ofapplicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidancefor such authentication.
3.141.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.141.2 IA-7 What is the solution and how is it implemented?
Part a
Requirement CRYPTOGRAPHIC MODULE AUTHENTICATION Control: The information systemimplements mechanisms for authentication to a cryptographic module that meet the requirements ofapplicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidancefor such authentication.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References FIPS Pub 140; Web: csrc.nist.gov/groups/STM/cmvp/index.html;
154 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.142 IA-8 - Identification And Authentication (non-organizationalUsers)
Requirement IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)Control: The information system uniquely identifies and authenticates non-organizational users (orprocesses acting on behalf of non-organizational users).
3.142.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.142.2 IA-8 What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)Control: The information system uniquely identifies and authenticates non-organizational users (orprocesses acting on behalf of non-organizational users).
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References OMB M-04-04; OMB M-11-11; OMB Memoranda 10-06-2011; FICAM Roadmap and Im-plementation Guidance; FIPS Pub 201; SP 800-63; SP 800-116; National Strategy for Trusted Iden-tities in Cyberspace; Web: idmanagement.gov;
3.143 IA-8(1) - Identification And Authentication | Acceptance Of PivCredentials From Other Agencies
Requirement IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDEN-TIALS FROM OTHER AGENCIES The information system accepts and electronically verifies Per-sonal Identity Verification (PIV) credentials from other federal agencies.
3.143.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.142. IA-8 - Identification And Authentication (non-organizational Users) 155
OpenShift Compliance Guide, Release 1.0 beta
3.143.2 IA-8(1) What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDEN-TIALS FROM OTHER AGENCIES The information system accepts and electronically verifies Per-sonal Identity Verification (PIV) credentials from other federal agencies.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.144 IA-8(2) - Identification And Authentication | Acceptance OfThird-party Credentials
Requirement IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRD-PARTYCREDENTIALS The information system accepts only FICAM-approved third-party credentials.
3.144.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.144.2 IA-8(2) What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF THIRD-PARTYCREDENTIALS The information system accepts only FICAM-approved third-party credentials.
Role Organization
Status Inherited
Details undefined
3.145 IA-8(3) - Identification And Authentication | Use Of Ficam-approved Products
Requirement IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PROD-UCTS The organization employs only FICAM-approved information system components in [As-signment: organization-defined information systems] to accept third-party credentials.
156 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.145.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.145.2 IA-8(3) What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-APPROVED PROD-UCTS The organization employs only FICAM-approved information system components in [As-signment: organization-defined information systems] to accept third-party credentials.
Role Organization
Status Inherited
Details undefined
3.146 IA-8(4) - Identification And Authentication | Use Of Ficam-issued Profiles
Requirement IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILESThe information system conforms to FICAM-issued profiles.
3.146.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.146.2 IA-8(4) What is the solution and how is it implemented?
Part a
Requirement IDENTIFICATION AND AUTHENTICATION | USE OF FICAM-ISSUED PROFILESThe information system conforms to FICAM-issued profiles.
Role Organization
Status Inherited
Details undefined
3.146. IA-8(4) - Identification And Authentication | Use Of Ficam-issued Profiles 157
OpenShift Compliance Guide, Release 1.0 beta
3.147 IP-1 - Consent
Requirement CONSENT Control: The organization: a. Provides means, where feasible and appropriate,for individuals to authorize the collection, use, maintaining, and sharing of personally identifiableinformation (PII) prior to its collection; b. Provides appropriate means for individuals to understandthe consequences of decisions to approve or decline the authorization of the collection, use, dissem-ination, and retention of PII; c. Obtains consent, where feasible and appropriate, from individualsprior to any new uses or disclosure of previously collected PII; and d. Ensures that individuals areaware of and, where feasible, consent to all uses of PII not initially described in the public noticethat was in effect at the time the organization collected the PII.
3.147.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.147.2 IP-1 What is the solution and how is it implemented?
Part a
Requirement CONSENT Control: The organization: a. Provides means, where feasible and appropriate,for individuals to authorize the collection, use, maintaining, and sharing of personally identifiableinformation (PII) prior to its collection;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
Part b
Requirement
b. Provides appropriate means for individuals to understand the consequences of decisions to ap-prove or decline the authorization of the collection, use, dissemination, and retention of PII;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
158 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses ordisclosure of previously collected PII; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
Part d
Requirement
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initiallydescribed in the public notice that was in effect at the time the organization collected the PII.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
3.148 IP-1(1) - Consent | Mechanisms Supporting Itemized Or TieredConsent
Requirement CONSENT | MECHANISMS SUPPORTING ITEMIZED OR TIERED CONSENT Theorganization implements mechanisms to support itemized or tiered consent for specific uses of data.
3.148.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.148.2 IP-1(1) What is the solution and how is it implemented?
Part a
Requirement CONSENT | MECHANISMS SUPPORTING ITEMIZED OR TIERED CONSENT Theorganization implements mechanisms to support itemized or tiered consent for specific uses of data.
Role OpenShift Tenant
Status Planned
3.148. IP-1(1) - Consent | Mechanisms Supporting Itemized Or Tiered Consent 159
OpenShift Compliance Guide, Release 1.0 beta
Details undefined
3.149 IP-2 - Individual Access
Requirement INDIVIDUAL ACCESS Control: The organization: a. Provides individuals the ability tohave access to their personally identifiable information (PII) maintained in its system(s) of records; b.Publishes rules and regulations governing how individuals may request access to records maintainedin a Privacy Act system of records; c. Publishes access procedures in System of Records Notices(SORNs); and d. Adheres to Privacy Act requirements and OMB policies and guidance for theproper processing of Privacy Act requests.
3.149.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.149.2 IP-2 What is the solution and how is it implemented?
Part a
Requirement INDIVIDUAL ACCESS Control: The organization: a. Provides individuals the ability tohave access to their personally identifiable information (PII) maintained in its system(s) of records;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
Part b
Requirement
b. Publishes rules and regulations governing how individuals may request access to records main-tained in a Privacy Act system of records;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
160 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Publishes access procedures in System of Records Notices (SORNs); and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
Part d
Requirement
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processingof Privacy Act requests.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
3.150 IP-3 - Redress
Requirement REDRESS Control: The organization: a. Provides a process for individuals to have inaccu-rate personally identifiable information (PII) maintained by the organization corrected or amended,as appropriate; and b. Establishes a process for disseminating corrections or amendments of thePII to other authorized users of the PII, such as external information-sharing partners and, wherefeasible and appropriate, notifies affected individuals that their information has been corrected oramended.
3.150.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.150.2 IP-3 What is the solution and how is it implemented?
Part a
Requirement REDRESS Control: The organization: a. Provides a process for individuals to have inaccu-rate personally identifiable information (PII) maintained by the organization corrected or amended,as appropriate; and
3.150. IP-3 - Redress 161
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (d), (c)(4); OMB Circular A-130;
Part b
Requirement
b. Establishes a process for disseminating corrections or amendments of the PII to other autho-rized users of the PII, such as external information-sharing partners and, where feasible andappropriate, notifies affected individuals that their information has been corrected or amended.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (d), (c)(4); OMB Circular A-130;
3.151 IP-4 - Complaint Management
Requirement COMPLAINT MANAGEMENT Control: The organization implements a process for re-ceiving and responding to complaints, concerns, or questions from individuals about the organiza-tional privacy practices.
3.151.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.151.2 IP-4 What is the solution and how is it implemented?
Part a
Requirement COMPLAINT MANAGEMENT Control: The organization implements a process for re-ceiving and responding to complaints, concerns, or questions from individuals about the organiza-tional privacy practices.
Role OpenShift Tenant
Status Planned
Details undefined
References OMB Circular A-130; OMB M-07-16; OMB M-08-09;
162 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.152 IP-4(1) - Complaint Management | Response Times
Requirement COMPLAINT MANAGEMENT | RESPONSE TIMES The organization responds to com-plaints, concerns, or questions from individuals within [Assignment: organization-defined time pe-riod].
3.152.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.152.2 IP-4(1) What is the solution and how is it implemented?
Part a
Requirement COMPLAINT MANAGEMENT | RESPONSE TIMES The organization responds to com-plaints, concerns, or questions from individuals within [Assignment: organization-defined time pe-riod].
Role OpenShift Tenant
Status Planned
Details undefined
3.153 IR-1 - Incident Response Policy And Procedures
Requirement INCIDENT RESPONSE POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.An incident response policy that addresses purpose, scope, roles, responsibilities, management com-mitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitatethe implementation of the incident response policy and associated incident response controls; andb. Reviews and updates the current: 1. Incident response policy [Assignment: organization-definedfrequency]; and 2. Incident response procedures [Assignment: organization-defined frequency].
3.153.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.153.2 IR-1 What is the solution and how is it implemented?
3.152. IP-4(1) - Complaint Management | Response Times 163
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement INCIDENT RESPONSE POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. An incident response policy that addresses purpose, scope, roles, responsibilities, managementcommitment, coordination among organizational entities, and compliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-61; SP 800-83; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the incident response policy and associated inci-dent response controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-61; SP 800-83; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Incident response policy [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-61; SP 800-83; SP 800-100;
Part d
Requirement
2. Incident response procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-61; SP 800-83; SP 800-100;
164 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.154 IR-2 - Incident Response Training
Requirement INCIDENT RESPONSE TRAINING Control: The organization provides incident re-sponse training to information system users consistent with assigned roles and responsibilities: a.Within [Assignment: organization-defined time period] of assuming an incident response role orresponsibility; b. When required by information system changes; and c. [Assignment: organization-defined frequency] thereafter.
3.154.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.154.2 IR-2 What is the solution and how is it implemented?
Part a
Requirement INCIDENT RESPONSE TRAINING Control: The organization provides incident re-sponse training to information system users consistent with assigned roles and responsibilities: a.Within [Assignment: organization-defined time period] of assuming an incident response role orresponsibility;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-16; SP 800-50;
Part b
Requirement
b. When required by information system changes; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-16; SP 800-50;
Part c
Requirement
c. [Assignment: organization-defined frequency] thereafter.
Role Organization
Status Inherited
3.154. IR-2 - Incident Response Training 165
OpenShift Compliance Guide, Release 1.0 beta
Details Dependent on implementing organization.
References SP 800-16; SP 800-50;
3.155 IR-2(1) - Incident Response Training | Simulated Events
Requirement INCIDENT RESPONSE TRAINING | SIMULATED EVENTS The organization incorpo-rates simulated events into incident response training to facilitate effective response by personnel incrisis situations.
3.155.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.155.2 IR-2(1) What is the solution and how is it implemented?
Part a
Requirement INCIDENT RESPONSE TRAINING | SIMULATED EVENTS The organization incorpo-rates simulated events into incident response training to facilitate effective response by personnel incrisis situations.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.156 IR-2(2) - Incident Response Training | Automated Training En-vironments
Requirement INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTSThe organization employs automated mechanisms to provide a more thorough and realistic incidentresponse training environment.
3.156.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
166 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.156.2 IR-2(2) What is the solution and how is it implemented?
Part a
Requirement INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTSThe organization employs automated mechanisms to provide a more thorough and realistic incidentresponse training environment.
Role Organization
Status Inherited
Details undefined
3.157 IR-3(2) - Incident Response Testing | Coordination With RelatedPlans
Requirement INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS Theorganization coordinates incident response testing with organizational elements responsible for re-lated plans.
3.157.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.157.2 IR-3(2) What is the solution and how is it implemented?
Part a
Requirement INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS Theorganization coordinates incident response testing with organizational elements responsible for re-lated plans.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.158 IR-4 - Incident Handling
Requirement INCIDENT HANDLING Control: The organization: a. Implements an incident handlingcapability for security incidents that includes preparation, detection and analysis, containment, erad-ication, and recovery; b. Coordinates incident handling activities with contingency planning activ-ities; and c. Incorporates lessons learned from ongoing incident handling activities into incidentresponse procedures, training, and testing/exercises, and implements the resulting changes accord-ingly.
3.157. IR-3(2) - Incident Response Testing | Coordination With Related Plans 167
OpenShift Compliance Guide, Release 1.0 beta
3.158.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.158.2 IR-4 What is the solution and how is it implemented?
Part a
Requirement INCIDENT HANDLING Control: The organization: a. Implements an incident handlingcapability for security incidents that includes preparation, detection and analysis, containment, erad-ication, and recovery;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References EO 13587; SP 800-61;
Part b
Requirement
b. Coordinates incident handling activities with contingency planning activities; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References EO 13587; SP 800-61;
Part c
Requirement
c. Incorporates lessons learned from ongoing incident handling activities into incident responseprocedures, training, and testing/exercises, and implements the resulting changes accordingly.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References EO 13587; SP 800-61;
168 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.159 IR-4(1) - Incident Handling | Automated Incident Handling Pro-cesses
Requirement INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES Theorganization employs automated mechanisms to support the incident handling process.
3.159.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.159.2 IR-4(1) What is the solution and how is it implemented?
Part a
Requirement INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES Theorganization employs automated mechanisms to support the incident handling process.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.160 IR-5 - Incidentmonitoring
Requirement INCIDENTMONITORING Control: The organization tracks and documents informationsystem security incidents.
3.160.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.160.2 IR-5 What is the solution and how is it implemented?
Part a
Requirement INCIDENTMONITORING Control: The organization tracks and documents informationsystem security incidents.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.159. IR-4(1) - Incident Handling | Automated Incident Handling Processes 169
OpenShift Compliance Guide, Release 1.0 beta
References SP 800-61;
3.161 IR-5(1) - Incident Monitoring | Automated Tracking / Data Col-lection / Analysis
Requirement INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION /ANALYSIS The organization employs automated mechanisms to assist in the tracking of securityincidents and in the collection and analysis of incident information.
3.161.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.161.2 IR-5(1) What is the solution and how is it implemented?
Part a
Requirement INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION /ANALYSIS The organization employs automated mechanisms to assist in the tracking of securityincidents and in the collection and analysis of incident information.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.162 IR-6 - Incident Reporting
Requirement INCIDENT REPORTING Control: The organization: a. Requires personnel to reportsuspected security incidents to the organizational incident response capability within [Assignment:organization-defined time period]; and b. Reports security incident information to [Assignment:organization-defined authorities].
3.162.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
170 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.162.2 IR-6 What is the solution and how is it implemented?
Part a
Requirement INCIDENT REPORTING Control: The organization: a. Requires personnel to reportsuspected security incidents to the organizational incident response capability within [Assignment:organization-defined time period]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; Web: www.us-cert.gov;
Part b
Requirement
b. Reports security incident information to [Assignment: organization-defined authorities].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; Web: www.us-cert.gov;
3.163 IR-6(1) - Incident Reporting | Automated Reporting
Requirement INCIDENT REPORTING | AUTOMATED REPORTING The organization employs au-tomated mechanisms to assist in the reporting of security incidents.
3.163.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.163.2 IR-6(1) What is the solution and how is it implemented?
Part a
Requirement INCIDENT REPORTING | AUTOMATED REPORTING The organization employs au-tomated mechanisms to assist in the reporting of security incidents.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.163. IR-6(1) - Incident Reporting | Automated Reporting 171
OpenShift Compliance Guide, Release 1.0 beta
3.164 IR-7 - Incident Response Assistance
Requirement INCIDENT RESPONSE ASSISTANCE Control: The organization provides an incidentresponse support resource, integral to the organizational incident response capability that offersadvice and assistance to users of the information system for the handling and reporting of securityincidents.
3.164.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.164.2 IR-7 What is the solution and how is it implemented?
Part a
Requirement INCIDENT RESPONSE ASSISTANCE Control: The organization provides an incidentresponse support resource, integral to the organizational incident response capability that offersadvice and assistance to users of the information system for the handling and reporting of securityincidents.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.165 IR-7(1) - Incident Response Assistance | Automation SupportFor Availability Of Information / Support
Requirement INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABIL-ITY OF INFORMATION / SUPPORT The organization employs automated mechanisms to increasethe availability of incident response-related information and support.
3.165.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.165.2 IR-7(1) What is the solution and how is it implemented?
172 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABIL-ITY OF INFORMATION / SUPPORT The organization employs automated mechanisms to increasethe availability of incident response-related information and support.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.166 IR-8 - Incident Response Plan
Requirement INCIDENT RESPONSE PLAN Control: The organization: a. Develops an incident re-sponse plan that: 1. Provides the organization with a roadmap for implementing its incident re-sponse capability; 2. Describes the structure and organization of the incident response capability;3. Provides a high-level approach for how the incident response capability fits into the overall or-ganization; 4. Meets the unique requirements of the organization, which relate to mission, size,structure, and functions; 5. Defines reportable incidents; 6. Provides metrics for measuring theincident response capability within the organization; 7. Defines the resources and management sup-port needed to effectively maintain and mature an incident response capability; and 8. Is reviewedand approved by [Assignment: organization-defined personnel or roles]; b. Distributes copies ofthe incident response plan to [Assignment: organization-defined incident response personnel (iden-tified by name and/or by role) and organizational elements]; c. Reviews the incident response plan[Assignment: organization-defined frequency]; d. Updates the incident response plan to addresssystem/organizational changes or problems encountered during plan implementation, execution, ortesting; e. Communicates incident response plan changes to [Assignment: organization-defined in-cident response personnel (identified by name and/or by role) and organizational elements]; and f.Protects the incident response plan from unauthorized disclosure and modification.
3.166.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.166.2 IR-8 What is the solution and how is it implemented?
Part a
Requirement INCIDENT RESPONSE PLAN Control: The organization: a. Develops an incident re-sponse plan that: 1. Provides the organization with a roadmap for implementing its incident responsecapability;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
3.166. IR-8 - Incident Response Plan 173
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
2. Describes the structure and organization of the incident response capability;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part c
Requirement
3. Provides a high-level approach for how the incident response capability fits into the overallorganization;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part d
Requirement
4. Meets the unique requirements of the organization, which relate to mission, size, structure, andfunctions;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part e
Requirement
5. Defines reportable incidents;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
174 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part f
Requirement
6. Provides metrics for measuring the incident response capability within the organization;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part g
Requirement
7. Defines the resources and management support needed to effectively maintain and mature anincident response capability; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part h
Requirement
8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part i
Requirement
b. Distributes copies of the incident response plan to [Assignment: organization-defined incidentresponse personnel (identified by name and/or by role) and organizational elements];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
3.166. IR-8 - Incident Response Plan 175
OpenShift Compliance Guide, Release 1.0 beta
Part j
Requirement
c. Reviews the incident response plan [Assignment: organization-defined frequency];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part k
Requirement
d. Updates the incident response plan to address system/organizational changes or problems en-countered during plan implementation, execution, or testing;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part l
Requirement
e. Communicates incident response plan changes to [Assignment: organization-defined incidentresponse personnel (identified by name and/or by role) and organizational elements]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
Part m
Requirement
f. Protects the incident response plan from unauthorized disclosure and modification.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61;
176 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.167 MA-1 - System Maintenance Policy And Procedures
Requirement SYSTEM MAINTENANCE POLICY AND PROCEDURES Control: The organization:a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, manage-ment commitment, coordination among organizational entities, and compliance; and 2. Proceduresto facilitate the implementation of the system maintenance policy and associated system mainte-nance controls; and b. Reviews and updates the current: 1. System maintenance policy [As-signment: organization-defined frequency]; and 2. System maintenance procedures [Assignment:organization-defined frequency].
3.167.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
3.167.2 MA-1 What is the solution and how is it implemented?
Part a
Requirement SYSTEM MAINTENANCE POLICY AND PROCEDURES Control: The organization:a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, managementcommitment, coordination among organizational entities, and compliance; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the system maintenance policy and associatedsystem maintenance controls; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
3.167. MA-1 - System Maintenance Policy And Procedures 177
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part d
Requirement
2. System maintenance procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.168 MA-2 - Controlled Maintenance
Requirement CONTROLLED MAINTENANCE Control: The organization: a. Schedules, performs,documents, and reviews records of maintenance and repairs on information system components inaccordance with manufacturer or vendor specifications and/or organizational requirements; b. Ap-proves and monitors all maintenance activities, whether performed on site or remotely and whetherthe equipment is serviced on site or removed to another location; c. Requires that [Assignment:organization-defined personnel or roles] explicitly approve the removal of the information systemor system components from organizational facilities for off-site maintenance or repairs; d. Sanitizesequipment to remove all information from associated media prior to removal from organizationalfacilities for off-site maintenance or repairs; e. Checks all potentially impacted security controls toverify that the controls are still functioning properly following maintenance or repair actions; andf. Includes [Assignment: organization-defined maintenance-related information] in organizationalmaintenance records.
3.168.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
178 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.168.2 MA-2 What is the solution and how is it implemented?
Part a
Requirement CONTROLLED MAINTENANCE Control: The organization: a. Schedules, performs,documents, and reviews records of maintenance and repairs on information system components inaccordance with manufacturer or vendor specifications and/or organizational requirements;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Approves and monitors all maintenance activities, whether performed on site or remotely andwhether the equipment is serviced on site or removed to another location;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part c
Requirement
c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the re-moval of the information system or system components from organizational facilities for off-sitemaintenance or repairs;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part d
Requirement
d. Sanitizes equipment to remove all information from associated media prior to removal fromorganizational facilities for off-site maintenance or repairs;
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.168. MA-2 - Controlled Maintenance 179
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
e. Checks all potentially impacted security controls to verify that the controls are still functioningproperly following maintenance or repair actions; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part f
Requirement
f. Includes [Assignment: organization-defined maintenance-related information] in organizationalmaintenance records.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.169 MA-2(2) - Controlled Maintenance | Automated MaintenanceActivities
Requirement CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES Theorganization: (a) Employs automated mechanisms to schedule, conduct, and document maintenanceand repairs; and (b) Produces up-to date, accurate, and complete records of all maintenance andrepair actions requested, scheduled, in process, and completed.
3.169.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.169.2 MA-2(2) What is the solution and how is it implemented?
Part a
Requirement CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES Theorganization: (a) Employs automated mechanisms to schedule, conduct, and document maintenanceand repairs; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
180 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
(b) Produces up-to date, accurate, and complete records of all maintenance and repair actions re-quested, scheduled, in process, and completed.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.170 MA-3(1) - Maintenance Tools | Inspect Tools
Requirement MAINTENANCE TOOLS | INSPECT TOOLS The organization inspects the maintenancetools carried into a facility by maintenance personnel for improper or unauthorized modifications.
3.170.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.170.2 MA-3(1) What is the solution and how is it implemented?
Part a
Requirement MAINTENANCE TOOLS | INSPECT TOOLS The organization inspects the maintenancetools carried into a facility by maintenance personnel for improper or unauthorized modifications.
Role Organization
Status Inherited
Details undefined
3.171 MA-4 - Nonlocal Maintenance
Requirement NONLOCAL MAINTENANCE Control: The organization: a. Approves and monitorsnonlocal maintenance and diagnostic activities; b. Allows the use of nonlocal maintenance and diag-nostic tools only as consistent with organizational policy and documented in the security plan for theinformation system; c. Employs strong authenticators in the establishment of nonlocal maintenanceand diagnostic sessions; d. Maintains records for nonlocal maintenance and diagnostic activities;and e. Terminates session and network connections when nonlocal maintenance is completed.
3.170. MA-3(1) - Maintenance Tools | Inspect Tools 181
OpenShift Compliance Guide, Release 1.0 beta
3.171.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.171.2 MA-4 What is the solution and how is it implemented?
Part a
Requirement NONLOCAL MAINTENANCE Control: The organization: a. Approves and monitorsnonlocal maintenance and diagnostic activities;
Role Organization
Status Inherited
Details undefined
References FIPS Pub 140-2; FIPS Pub 197; FIPS Pub 201; SP 800-63; SP 800-88; CNSS Policy 15;
Part b
Requirement
b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organiza-tional policy and documented in the security plan for the information system;
Role Organization
Status Inherited
Details undefined
References FIPS Pub 140-2; FIPS Pub 197; FIPS Pub 201; SP 800-63; SP 800-88; CNSS Policy 15;
Part c
Requirement
c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnosticsessions;
Role Organization
Status Inherited
Details undefined
References FIPS Pub 140-2; FIPS Pub 197; FIPS Pub 201; SP 800-63; SP 800-88; CNSS Policy 15;
Part d
Requirement
d. Maintains records for nonlocal maintenance and diagnostic activities; and
Role Organization
182 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details undefined
References FIPS Pub 140-2; FIPS Pub 197; FIPS Pub 201; SP 800-63; SP 800-88; CNSS Policy 15;
Part e
Requirement
e. Terminates session and network connections when nonlocal maintenance is completed.
Role Organization
Status Inherited
Details undefined
References FIPS Pub 140-2; FIPS Pub 197; FIPS Pub 201; SP 800-63; SP 800-88; CNSS Policy 15;
3.172 MA-4(2) - Nonlocal Maintenance | Document Nonlocal Mainte-nance
Requirement NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE The or-ganization documents in the security plan for the information system, the policies and proceduresfor the establishment and use of nonlocal maintenance and diagnostic connections.
3.172.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.172.2 MA-4(2) What is the solution and how is it implemented?
Part a
Requirement NONLOCAL MAINTENANCE | DOCUMENT NONLOCAL MAINTENANCE The or-ganization documents in the security plan for the information system, the policies and proceduresfor the establishment and use of nonlocal maintenance and diagnostic connections.
Role Organization
Status Inherited
Details undefined
3.172. MA-4(2) - Nonlocal Maintenance | Document Nonlocal Maintenance 183
OpenShift Compliance Guide, Release 1.0 beta
3.173 MA-5 - Maintenance Personnel
Requirement MAINTENANCE PERSONNEL Control: The organization: a. Establishes a process formaintenance personnel authorization and maintains a list of authorized maintenance organizations orpersonnel; b. Ensures that non-escorted personnel performing maintenance on the information sys-tem have required access authorizations; and c. Designates organizational personnel with requiredaccess authorizations and technical competence to supervise the maintenance activities of personnelwho do not possess the required access authorizations.
3.173.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.173.2 MA-5 What is the solution and how is it implemented?
Part a
Requirement MAINTENANCE PERSONNEL Control: The organization: a. Establishes a process formaintenance personnel authorization and maintains a list of authorized maintenance organizationsor personnel;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Ensures that non-escorted personnel performing maintenance on the information system haverequired access authorizations; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part c
Requirement
c. Designates organizational personnel with required access authorizations and technical com-petence to supervise the maintenance activities of personnel who do not possess the requiredaccess authorizations.
Role Organization
Status Inherited
Details Dependent on implementing organization.
184 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.174 MA-5(1) - Maintenance Personnel | Individuals Without Appro-priate Access
Requirement MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESSThe organization: (a) Implements procedures for the use of maintenance personnel that lack ap-propriate security clearances or are not U.S. citizens, that include the following requirements: (1)Maintenance personnel who do not have needed access authorizations, clearances, or formal accessapprovals are escorted and supervised during the performance of maintenance and diagnostic activ-ities on the information system by approved organizational personnel who are fully cleared, haveappropriate access authorizations, and are technically qualified; (2) Prior to initiating maintenanceor diagnostic activities by personnel who do not have needed access authorizations, clearances orformal access approvals, all volatile information storage components within the information systemare sanitized and all nonvolatile storage media are removed or physically disconnected from thesystem and secured; and (b) Develops and implements alternate security safeguards in the event aninformation system component cannot be sanitized, removed, or disconnected from the system.
3.174.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.174.2 MA-5(1) What is the solution and how is it implemented?
Part a
Requirement MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT APPROPRIATE ACCESSThe organization: (a) Implements procedures for the use of maintenance personnel that lack ap-propriate security clearances or are not U.S. citizens, that include the following requirements: (1)Maintenance personnel who do not have needed access authorizations, clearances, or formal accessapprovals are escorted and supervised during the performance of maintenance and diagnostic activ-ities on the information system by approved organizational personnel who are fully cleared, haveappropriate access authorizations, and are technically qualified;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
(2) Prior to initiating maintenance or diagnostic activities by personnel who do not have neededaccess authorizations, clearances or formal access approvals, all volatile information storagecomponents within the information system are sanitized and all nonvolatile storage media areremoved or physically disconnected from the system and secured; and
Role Organization
Status Inherited
3.174. MA-5(1) - Maintenance Personnel | Individuals Without Appropriate Access 185
OpenShift Compliance Guide, Release 1.0 beta
Details Dependent on implementing organization.
Part c
Requirement
(b) Develops and implements alternate security safeguards in the event an information system com-ponent cannot be sanitized, removed, or disconnected from the system.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.175 MA-6 - Timely Maintenance
Requirement TIMELY MAINTENANCE Control: The organization obtains maintenance supportand/or spare parts for [Assignment: organization-defined information system components] within[Assignment: organization-defined time period] of failure.
3.175.1 Control Summary Information
Role IaaS
Status Implemented
Origin Inherited from pre-existing ATO
3.175.2 MA-6 What is the solution and how is it implemented?
Part a
Requirement TIMELY MAINTENANCE Control: The organization obtains maintenance supportand/or spare parts for [Assignment: organization-defined information system components] within[Assignment: organization-defined time period] of failure.
Role IaaS
Status Implemented
Details Inherited from IaaS.
3.176 MP-1 - Media Protection Policy And Procedures
Requirement MEDIA PROTECTION POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.A media protection policy that addresses purpose, scope, roles, responsibilities, management com-mitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitatethe implementation of the media protection policy and associated media protection controls; and b.Reviews and updates the current: 1. Media protection policy [Assignment: organization-definedfrequency]; and 2. Media protection procedures [Assignment: organization-defined frequency].
186 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.176.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.176.2 MP-1 What is the solution and how is it implemented?
Part a
Requirement MEDIA PROTECTION POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. A media protection policy that addresses purpose, scope, roles, responsibilities, managementcommitment, coordination among organizational entities, and compliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the media protection policy and associated mediaprotection controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Media protection policy [Assignment: organization-definedfrequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.176. MP-1 - Media Protection Policy And Procedures 187
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
2. Media protection procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.177 MP-2 - Media Access
Requirement MEDIA ACCESS Control: The organization restricts access to [Assignment:organization-defined types of digital and/or non-digital media] to [Assignment: organization-definedpersonnel or roles].
3.177.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.177.2 MP-2 What is the solution and how is it implemented?
Part a
Requirement MEDIA ACCESS Control: The organization restricts access to [Assignment:organization-defined types of digital and/or non-digital media] to [Assignment: organization-definedpersonnel or roles].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-111;
3.178 MP-3 - Media Marking
Requirement MEDIA MARKING Control: The organization: a. Marks information system media indi-cating the distribution limitations, handling caveats, and applicable security markings (if any) of theinformation; and b. Exempts [Assignment: organization-defined types of information system me-dia] from marking as long as the media remain within [Assignment: organization-defined controlledareas].
188 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.178.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.178.2 MP-3 What is the solution and how is it implemented?
Part a
Requirement MEDIA MARKING Control: The organization: a. Marks information system media indi-cating the distribution limitations, handling caveats, and applicable security markings (if any) of theinformation; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199;
Part b
Requirement
b. Exempts [Assignment: organization-defined types of information system media] from markingas long as the media remain within [Assignment: organization-defined controlled areas].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199;
3.179 MP-4 - Media Storage
Requirement MEDIA STORAGE Control: The organization: a. Physically controls and securely stores[Assignment: organization-defined types of digital and/or non-digital media] within [Assignment:organization-defined controlled areas]; and b. Protects information system media until the media aredestroyed or sanitized using approved equipment, techniques, and procedures.
3.179.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.179. MP-4 - Media Storage 189
OpenShift Compliance Guide, Release 1.0 beta
3.179.2 MP-4 What is the solution and how is it implemented?
Part a
Requirement MEDIA STORAGE Control: The organization: a. Physically controls and securely stores[Assignment: organization-defined types of digital and/or non-digital media] within [Assignment:organization-defined controlled areas]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-56; SP 800-57; SP 800-111;
Part b
Requirement
b. Protects information system media until the media are destroyed or sanitized using approvedequipment, techniques, and procedures.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-56; SP 800-57; SP 800-111;
3.180 MP-5 - Media Transport
Requirement MEDIA TRANSPORT Control: The organization: a. Protects and controls [Assignment:organization-defined types of information system media] during transport outside of controlled ar-eas using [Assignment: organization-defined security safeguards]; b. Maintains accountability forinformation system media during transport outside of controlled areas; c. Documents activities as-sociated with the transport of information system media; and d. Restricts the activities associatedwith the transport of information system media to authorized personnel.
3.180.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.180.2 MP-5 What is the solution and how is it implemented?
Part a
Requirement MEDIA TRANSPORT Control: The organization: a. Protects and controls [Assignment:organization-defined types of information system media] during transport outside of controlled areasusing [Assignment: organization-defined security safeguards];
190 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-60;
Part b
Requirement
b. Maintains accountability for information system media during transport outside of controlledareas;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-60;
Part c
Requirement
c. Documents activities associated with the transport of information system media; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-60;
Part d
Requirement
d. Restricts the activities associated with the transport of information system media to authorizedpersonnel.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-60;
3.181 MP-5(4) - Media Transport | Cryptographic Protection
Requirement MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION The information system im-plements cryptographic mechanisms to protect the confidentiality and integrity of information storedon digital media during transport outside of controlled areas.
3.181. MP-5(4) - Media Transport | Cryptographic Protection 191
OpenShift Compliance Guide, Release 1.0 beta
3.181.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.181.2 MP-5(4) What is the solution and how is it implemented?
Part a
Requirement MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION The information system im-plements cryptographic mechanisms to protect the confidentiality and integrity of information storedon digital media during transport outside of controlled areas.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.182 MP-6 - Media Sanitization
Requirement MEDIA SANITIZATION Control: The organization: a. Sanitizes [Assignment:organization-defined information system media] prior to disposal, release out of organizational con-trol, or release for reuse using [Assignment: organization-defined sanitization techniques and pro-cedures] in accordance with applicable federal and organizational standards and policies; and b.Employs sanitization mechanisms with the strength and integrity commensurate with the securitycategory or classification of the information.
3.182.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.182.2 MP-6 What is the solution and how is it implemented?
Part a
Requirement MEDIA SANITIZATION Control: The organization: a. Sanitizes [Assignment:organization-defined information system media] prior to disposal, release out of organizational con-trol, or release for reuse using [Assignment: organization-defined sanitization techniques and pro-cedures] in accordance with applicable federal and organizational standards and policies; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-60; SP 800-88; Web: www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml;
192 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Employs sanitization mechanisms with the strength and integrity commensurate with the secu-rity category or classification of the information.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-60; SP 800-88; Web: www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml;
3.183 MP-6(1) - Media Sanitization | Review / Approve / Track / Docu-ment / Verify
Requirement MEDIA SANITIZATION | REVIEW / APPROVE / TRACK / DOCUMENT / VERIFYThe organization reviews, approves, tracks, documents, and verifies media sanitization and disposalactions.
3.183.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.183.2 MP-6(1) What is the solution and how is it implemented?
Part a
Requirement MEDIA SANITIZATION | REVIEW / APPROVE / TRACK / DOCUMENT / VERIFYThe organization reviews, approves, tracks, documents, and verifies media sanitization and disposalactions.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.184 MP-6(2) - Media Sanitization | Equipment Testing
Requirement MEDIA SANITIZATION | EQUIPMENT TESTING The organization tests sanitizationequipment and procedures [Assignment: organization-defined frequency] to verify that the intendedsanitization is being achieved.
3.183. MP-6(1) - Media Sanitization | Review / Approve / Track / Document / Verify 193
OpenShift Compliance Guide, Release 1.0 beta
3.184.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.184.2 MP-6(2) What is the solution and how is it implemented?
Part a
Requirement MEDIA SANITIZATION | EQUIPMENT TESTING The organization tests sanitizationequipment and procedures [Assignment: organization-defined frequency] to verify that the intendedsanitization is being achieved.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.185 MP-6(3) - Media Sanitization | Nondestructive Techniques
Requirement MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES The organization ap-plies nondestructive sanitization techniques to portable storage devices prior to connecting suchdevices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
3.185.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.185.2 MP-6(3) What is the solution and how is it implemented?
Part a
Requirement MEDIA SANITIZATION | NONDESTRUCTIVE TECHNIQUES The organization ap-plies nondestructive sanitization techniques to portable storage devices prior to connecting suchdevices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
Role Organization
Status Inherited
Details Dependent on implementing organization.
194 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.186 MP-7 - Media Use
Requirement MEDIA USE Control: The organization [Selection: restricts; prohibits] the use of [As-signment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined secu-rity safeguards].
3.186.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.186.2 MP-7 What is the solution and how is it implemented?
Part a
Requirement MEDIA USE Control: The organization [Selection: restricts; prohibits] the use of [As-signment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined secu-rity safeguards].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-111;
3.187 PE-1 - Physical And Environmental Protection Policy And Pro-cedures
Requirement PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURESControl: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses pur-pose, scope, roles, responsibilities, management commitment, coordination among organizationalentities, and compliance; and 2. Procedures to facilitate the implementation of the physical andenvironmental protection policy and associated physical and environmental protection controls; andb. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment:organization-defined frequency]; and 2. Physical and environmental protection procedures [Assign-ment: organization-defined frequency].
3.187.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.186. MP-7 - Media Use 195
OpenShift Compliance Guide, Release 1.0 beta
3.187.2 PE-1 What is the solution and how is it implemented?
Part a
Requirement PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURESControl: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A physical and environmental protection policy that addresses pur-pose, scope, roles, responsibilities, management commitment, coordination among organizationalentities, and compliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the physical and environmental protection policyand associated physical and environmental protection controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Physical and environmental protection policy [Assignment:organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part d
Requirement
2. Physical and environmental protection procedures [Assignment: organization-defined fre-quency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
196 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
References SP 800-12; SP 800-100;
3.188 PE-10 - Emergency Shutoff
Requirement EMERGENCY SHUTOFF Control: The organization: a. Provides the capability of shut-ting off power to the information system or individual system components in emergency situations;b. Places emergency shutoff switches or devices in [Assignment: organization-defined location byinformation system or system component] to facilitate safe and easy access for personnel; and c.Protects emergency power shutoff capability from unauthorized activation.
3.188.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.188.2 PE-10 What is the solution and how is it implemented?
Part a
Requirement EMERGENCY SHUTOFF Control: The organization: a. Provides the capability of shut-ting off power to the information system or individual system components in emergency situations;
Role Organization
Status Inherited
Details undefined
Part b
Requirement
b. Places emergency shutoff switches or devices in [Assignment: organization-defined location byinformation system or system component] to facilitate safe and easy access for personnel; and
Role Organization
Status Inherited
Details undefined
Part c
Requirement
c. Protects emergency power shutoff capability from unauthorized activation.
Role Organization
Status Inherited
Details undefined
3.188. PE-10 - Emergency Shutoff 197
OpenShift Compliance Guide, Release 1.0 beta
3.189 PE-11 - Emergency Power
Requirement EMERGENCY POWER Control: The organization provides a short-term uninterruptiblepower supply to facilitate [Selection (one or more): an orderly shutdown of the information system;transition of the information system to long-term alternate power] in the event of a primary powersource loss.
3.189.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.189.2 PE-11 What is the solution and how is it implemented?
Part a
Requirement EMERGENCY POWER Control: The organization provides a short-term uninterruptiblepower supply to facilitate [Selection (one or more): an orderly shutdown of the information system;transition of the information system to long-term alternate power] in the event of a primary powersource loss.
Role Organization
Status Inherited
Details undefined
3.190 PE-11(1) - Emergency Power | Long-term Alternate Power Sup-ply - Minimal Operational Capability
Requirement EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMALOPERATIONAL CAPABILITY The organization provides a long-term alternate power supply forthe information system that is capable of maintaining minimally required operational capability inthe event of an extended loss of the primary power source.
3.190.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.190.2 PE-11(1) What is the solution and how is it implemented?
198 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMALOPERATIONAL CAPABILITY The organization provides a long-term alternate power supply forthe information system that is capable of maintaining minimally required operational capability inthe event of an extended loss of the primary power source.
Role Organization
Status Inherited
Details undefined
3.191 PE-12 - Emergency Lighting
Requirement EMERGENCY LIGHTING Control: The organization employs and maintains automaticemergency lighting for the information system that activates in the event of a power outage or dis-ruption and that covers emergency exits and evacuation routes within the facility.
3.191.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.191.2 PE-12 What is the solution and how is it implemented?
Part a
Requirement EMERGENCY LIGHTING Control: The organization employs and maintains automaticemergency lighting for the information system that activates in the event of a power outage or dis-ruption and that covers emergency exits and evacuation routes within the facility.
Role Organization
Status Inherited
Details undefined
3.192 PE-13 - Fire Protection
Requirement FIRE PROTECTION Control: The organization employs and maintains fire suppressionand detection devices/systems for the information system that are supported by an independent en-ergy source.
3.192.1 Control Summary Information
Role Organization
Status Inherited
3.191. PE-12 - Emergency Lighting 199
OpenShift Compliance Guide, Release 1.0 beta
Origin Inherited from pre-existing ATO
3.192.2 PE-13 What is the solution and how is it implemented?
Part a
Requirement FIRE PROTECTION Control: The organization employs and maintains fire suppressionand detection devices/systems for the information system that are supported by an independent en-ergy source.
Role Organization
Status Inherited
Details undefined
3.193 PE-13(1) - Fire Protection | Detection Devices / Systems
Requirement FIRE PROTECTION | DETECTION DEVICES / SYSTEMS The organization employsfire detection devices/systems for the information system that activate automatically and notify [As-signment: organization-defined personnel or roles] and [Assignment: organization-defined emer-gency responders] in the event of a fire.
3.193.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.193.2 PE-13(1) What is the solution and how is it implemented?
Part a
Requirement FIRE PROTECTION | DETECTION DEVICES / SYSTEMS The organization employsfire detection devices/systems for the information system that activate automatically and notify [As-signment: organization-defined personnel or roles] and [Assignment: organization-defined emer-gency responders] in the event of a fire.
Role Organization
Status Inherited
Details undefined
3.194 PE-13(2) - Fire Protection | Suppression Devices / Systems
Requirement FIRE PROTECTION | SUPPRESSION DEVICES / SYSTEMS The organization em-ploys fire suppression devices/systems for the information system that provide automatic notifi-cation of any activation to Assignment: organization-defined personnel or roles] and [Assignment:organization-defined emergency responders].
200 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.194.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.194.2 PE-13(2) What is the solution and how is it implemented?
Part a
Requirement FIRE PROTECTION | SUPPRESSION DEVICES / SYSTEMS The organization em-ploys fire suppression devices/systems for the information system that provide automatic notifi-cation of any activation to Assignment: organization-defined personnel or roles] and [Assignment:organization-defined emergency responders].
Role Organization
Status Inherited
Details undefined
3.195 PE-13(3) - Fire Protection | Automatic Fire Suppression
Requirement FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION The organization employs anautomatic fire suppression capability for the information system when the facility is not staffed on acontinuous basis.
3.195.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.195.2 PE-13(3) What is the solution and how is it implemented?
Part a
Requirement FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION The organization employs anautomatic fire suppression capability for the information system when the facility is not staffed on acontinuous basis.
Role Organization
Status Inherited
Details undefined
3.195. PE-13(3) - Fire Protection | Automatic Fire Suppression 201
OpenShift Compliance Guide, Release 1.0 beta
3.196 PE-14 - Temperature And Humidity Controls
Requirement TEMPERATURE AND HUMIDITY CONTROLS Control: The organization: a. Main-tains temperature and humidity levels within the facility where the information system resides at[Assignment: organization-defined acceptable levels]; and b. Monitors temperature and humiditylevels [Assignment: organization-defined frequency].
3.196.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.196.2 PE-14 What is the solution and how is it implemented?
Part a
Requirement TEMPERATURE AND HUMIDITY CONTROLS Control: The organization: a. Main-tains temperature and humidity levels within the facility where the information system resides at[Assignment: organization-defined acceptable levels]; and
Role Organization
Status Inherited
Details undefined
Part b
Requirement
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details undefined
3.197 PE-15 - Water Damage Protection
Requirement WATER DAMAGE PROTECTION Control: The organization protects the informationsystem from damage resulting from water leakage by providing master shutoff or isolation valvesthat are accessible, working properly, and known to key personnel.
3.197.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
202 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.197.2 PE-15 What is the solution and how is it implemented?
Part a
Requirement WATER DAMAGE PROTECTION Control: The organization protects the informationsystem from damage resulting from water leakage by providing master shutoff or isolation valvesthat are accessible, working properly, and known to key personnel.
Role Organization
Status Inherited
Details undefined
3.198 PE-15(1) - Water Damage Protection | Automation Support
Requirement WATER DAMAGE PROTECTION | AUTOMATION SUPPORT The organization em-ploys automated mechanisms to detect the presence of water in the vicinity of the information systemand alerts [Assignment: organization-defined personnel or roles].
3.198.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.198.2 PE-15(1) What is the solution and how is it implemented?
Part a
Requirement WATER DAMAGE PROTECTION | AUTOMATION SUPPORT The organization em-ploys automated mechanisms to detect the presence of water in the vicinity of the information systemand alerts [Assignment: organization-defined personnel or roles].
Role Organization
Status Inherited
Details undefined
3.199 PE-16 - Delivery And Removal
Requirement DELIVERY AND REMOVAL Control: The organization authorizes, monitors, and con-trols [Assignment: organization-defined types of information system components] entering and ex-iting the facility and maintains records of those items.
3.198. PE-15(1) - Water Damage Protection | Automation Support 203
OpenShift Compliance Guide, Release 1.0 beta
3.199.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.199.2 PE-16 What is the solution and how is it implemented?
Part a
Requirement DELIVERY AND REMOVAL Control: The organization authorizes, monitors, and con-trols [Assignment: organization-defined types of information system components] entering and ex-iting the facility and maintains records of those items.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.200 PE-17 - Alternate Work Site
Requirement ALTERNATE WORK SITE Control: The organization: a. Employs [Assignment:organization-defined security controls] at alternate work sites; b. Assesses as feasible, the effec-tiveness of security controls at alternate work sites; and c. Provides a means for employees tocommunicate with information security personnel in case of security incidents or problems.
3.200.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.200.2 PE-17 What is the solution and how is it implemented?
Part a
Requirement ALTERNATE WORK SITE Control: The organization: a. Employs [Assignment:organization-defined security controls] at alternate work sites;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-46;
204 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-46;
Part c
Requirement
c. Provides a means for employees to communicate with information security personnel in case ofsecurity incidents or problems.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-46;
3.201 PE-18 - Location Of Information System Components
Requirement LOCATION OF INFORMATION SYSTEM COMPONENTS Control: The organizationpositions information system components within the facility to minimize potential damage from[Assignment: organization-defined physical and environmental hazards] and to minimize the oppor-tunity for unauthorized access.
3.201.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.201.2 PE-18 What is the solution and how is it implemented?
Part a
Requirement LOCATION OF INFORMATION SYSTEM COMPONENTS Control: The organizationpositions information system components within the facility to minimize potential damage from[Assignment: organization-defined physical and environmental hazards] and to minimize the oppor-tunity for unauthorized access.
Role Organization
Status Inherited
3.201. PE-18 - Location Of Information System Components 205
OpenShift Compliance Guide, Release 1.0 beta
Details undefined
3.202 PE-2 - Physical Access Authorizations
Requirement PHYSICAL ACCESS AUTHORIZATIONS Control: The organization: a. Develops, ap-proves, and maintains a list of individuals with authorized access to the facility where the informationsystem resides; b. Issues authorization credentials for facility access; c. Reviews the access list de-tailing authorized facility access by individuals [Assignment: organization-defined frequency]; andd. Removes individuals from the facility access list when access is no longer required.
3.202.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.202.2 PE-2 What is the solution and how is it implemented?
Part a
Requirement PHYSICAL ACCESS AUTHORIZATIONS Control: The organization: a. Develops, ap-proves, and maintains a list of individuals with authorized access to the facility where the informationsystem resides;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Issues authorization credentials for facility access;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part c
Requirement
c. Reviews the access list detailing authorized facility access by individuals [Assignment:organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
206 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
d. Removes individuals from the facility access list when access is no longer required.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.203 PE-3 - Physical Access Control
Requirement PHYSICAL ACCESS CONTROL Control: The organization: a. Enforces physical ac-cess authorizations at [Assignment: organization-defined entry/exit points to the facility where theinformation system resides] by; 1. Verifying individual access authorizations before granting ac-cess to the facility; and 2. Controlling ingress/egress to the facility using [Selection (one or more):[Assignment: organization-defined physical access control systems/devices]; guards]; b. Maintainsphysical access audit logs for [Assignment: organization-defined entry/exit points]; c. Provides[Assignment: organization-defined security safeguards] to control access to areas within the facilityofficially designated as publicly accessible; d. Escorts visitors and monitors visitor activity [Assign-ment: organization-defined circumstances requiring visitor escorts and monitoring]; e. Secures keys,combinations, and other physical access devices; f. Inventories [Assignment: organization-definedphysical access devices] every [Assignment: organization-defined frequency]; and g. Changes com-binations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combi-nations are compromised, or individuals are transferred or terminated.
3.203.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.203.2 PE-3 What is the solution and how is it implemented?
Part a
Requirement PHYSICAL ACCESS CONTROL Control: The organization: a. Enforces physical accessauthorizations at [Assignment: organization-defined entry/exit points to the facility where the infor-mation system resides] by; 1. Verifying individual access authorizations before granting access tothe facility; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
3.203. PE-3 - Physical Access Control 207
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment:organization-defined physical access control systems/devices]; guards];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
Part c
Requirement
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
Part d
Requirement
c. Provides [Assignment: organization-defined security safeguards] to control access to areaswithin the facility officially designated as publicly accessible;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
Part e
Requirement
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstancesrequiring visitor escorts and monitoring];
Role Organization
Status Inherited
208 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
Part f
Requirement
e. Secures keys, combinations, and other physical access devices;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
Part g
Requirement
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment:organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
Part h
Requirement
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or whenkeys are lost, combinations are compromised, or individuals are transferred or terminated.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 201; SP 800-73; SP 800-76; SP 800-78; SP 800-116; ICD 704; ICD 705; DoDI5200.39; Personal Identity Verification (PIV) in Enterprise Physical Access Control System (E-PACS); Web: idmanagement.gov, fips201ep.cio.gov;
3.203. PE-3 - Physical Access Control 209
OpenShift Compliance Guide, Release 1.0 beta
3.204 PE-4 - Access Control For Transmission Medium
Requirement ACCESS CONTROL FOR TRANSMISSION MEDIUM Control: The organization con-trols physical access to [Assignment: organization-defined information system distribution andtransmission lines] within organizational facilities using [Assignment: organization-defined secu-rity safeguards].
3.204.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.204.2 PE-4 What is the solution and how is it implemented?
Part a
Requirement ACCESS CONTROL FOR TRANSMISSION MEDIUM Control: The organization con-trols physical access to [Assignment: organization-defined information system distribution andtransmission lines] within organizational facilities using [Assignment: organization-defined secu-rity safeguards].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References NSTISSI No. 7003;
3.205 PE-5 - Access Control For Output Devices
Requirement ACCESS CONTROL FOR OUTPUT DEVICES Control: The organization controls phys-ical access to information system output devices to prevent unauthorized individuals from obtainingthe output.
3.205.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.205.2 PE-5 What is the solution and how is it implemented?
210 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement ACCESS CONTROL FOR OUTPUT DEVICES Control: The organization controls phys-ical access to information system output devices to prevent unauthorized individuals from obtainingthe output.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.206 PE-6 - Monitoring Physical Access
Requirement MONITORING PHYSICAL ACCESS Control: The organization: a. Monitors physicalaccess to the facility where the information system resides to detect and respond to physical secu-rity incidents; b. Reviews physical access logs [Assignment: organization-defined frequency] andupon occurrence of [Assignment: organization-defined events or potential indications of events];and c. Coordinates results of reviews and investigations with the organizational incident responsecapability.
3.206.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.206.2 PE-6 What is the solution and how is it implemented?
Part a
Requirement MONITORING PHYSICAL ACCESS Control: The organization: a. Monitors physicalaccess to the facility where the information system resides to detect and respond to physical securityincidents;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occur-rence of [Assignment: organization-defined events or potential indications of events]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.206. PE-6 - Monitoring Physical Access 211
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Coordinates results of reviews and investigations with the organizational incident response ca-pability.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.207 PE-6(1) - Monitoring Physical Access | Intrusion Alarms /Surveillance Equipment
Requirement MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCEEQUIPMENT The organization monitors physical intrusion alarms and surveillance equipment.
3.207.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.207.2 PE-6(1) What is the solution and how is it implemented?
Part a
Requirement MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCEEQUIPMENT The organization monitors physical intrusion alarms and surveillance equipment.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.208 PE-6(4) - Monitoring Physical Access | Monitoring Physical Ac-cess To Information Systems
Requirement MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO IN-FORMATION SYSTEMS The organization monitors physical access to the information system inaddition to the physical access monitoring of the facility as [Assignment: organization-defined phys-ical spaces containing one or more components of the information system].
212 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.208.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.208.2 PE-6(4) What is the solution and how is it implemented?
Part a
Requirement MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO IN-FORMATION SYSTEMS The organization monitors physical access to the information system inaddition to the physical access monitoring of the facility as [Assignment: organization-defined phys-ical spaces containing one or more components of the information system].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.209 PE-8 - Visitor Access Records
Requirement VISITOR ACCESS RECORDS Control: The organization: a. Maintains visitor accessrecords to the facility where the information system resides for [Assignment: organization-definedtime period]; and b. Reviews visitor access records [Assignment: organization-defined frequency].
3.209.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.209.2 PE-8 What is the solution and how is it implemented?
Part a
Requirement VISITOR ACCESS RECORDS Control: The organization: a. Maintains visitor accessrecords to the facility where the information system resides for [Assignment: organization-definedtime period]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.209. PE-8 - Visitor Access Records 213
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Reviews visitor access records [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.210 PE-8(1) - Visitor Access Records | Automated Records Mainte-nance / Review
Requirement VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE / RE-VIEW The organization employs automated mechanisms to facilitate the maintenance and reviewof visitor access records.
3.210.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.210.2 PE-8(1) What is the solution and how is it implemented?
Part a
Requirement VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE / RE-VIEW The organization employs automated mechanisms to facilitate the maintenance and reviewof visitor access records.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.211 PE-9 - Power Equipment And Cabling
Requirement POWER EQUIPMENT AND CABLING Control: The organization protects power equip-ment and power cabling for the information system from damage and destruction.
3.211.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
214 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.211.2 PE-9 What is the solution and how is it implemented?
Part a
Requirement POWER EQUIPMENT AND CABLING Control: The organization protects power equip-ment and power cabling for the information system from damage and destruction.
Role Organization
Status Inherited
Details undefined
3.212 PL-1 - Security Planning Policy And Procedures
Requirement SECURITY PLANNING POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.A security planning policy that addresses purpose, scope, roles, responsibilities, management com-mitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitatethe implementation of the security planning policy and associated security planning controls; andb. Reviews and updates the current: 1. Security planning policy [Assignment: organization-definedfrequency]; and 2. Security planning procedures [Assignment: organization-defined frequency].
3.212.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.212.2 PL-1 What is the solution and how is it implemented?
Part a
Requirement SECURITY PLANNING POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. A security planning policy that addresses purpose, scope, roles, responsibilities, managementcommitment, coordination among organizational entities, and compliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-18; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the security planning policy and associated secu-rity planning controls; and
3.212. PL-1 - Security Planning Policy And Procedures 215
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-18; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Security planning policy [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-18; SP 800-100;
Part d
Requirement
2. Security planning procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-18; SP 800-100;
3.213 PL-2 - System Security Plan
Requirement SYSTEM SECURITY PLAN Control: The organization: a. Develops a security plan forthe information system that: 1. Is consistent with the organization’s enterprise architecture; 2. Ex-plicitly defines the authorization boundary for the system; 3. Describes the operational context ofthe information system in terms of missions and business processes; 4. Provides the security cat-egorization of the information system including supporting rationale; 5. Describes the operationalenvironment for the information system and relationships with or connections to other informationsystems; 6. Provides an overview of the security requirements for the system; 7. Identifies anyrelevant overlays, if applicable; 8. Describes the security controls in place or planned for meetingthose requirements including a rationale for the tailoring and supplementation decisions; and 9. Isreviewed and approved by the authorizing official or designated representative prior to plan imple-mentation; b. Distributes copies of the security plan and communicates subsequent changes to theplan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for theinformation system [Assignment: organization-defined frequency]; d. Updates the plan to addresschanges to the information system/environment of operation or problems identified during plan im-plementation or security control assessments; and e. Protects the security plan from unauthorizeddisclosure and modification.
216 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.213.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
3.213.2 PL-2 What is the solution and how is it implemented?
Part a
Requirement SYSTEM SECURITY PLAN Control: The organization: a. Develops a security plan forthe information system that: 1. Is consistent with the organization’s enterprise architecture;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part b
Requirement
2. Explicitly defines the authorization boundary for the system;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part c
Requirement
3. Describes the operational context of the information system in terms of missions and businessprocesses;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part d
Requirement
4. Provides the security categorization of the information system including supporting rationale;
Role OpenShift Tenant
3.213. PL-2 - System Security Plan 217
OpenShift Compliance Guide, Release 1.0 beta
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part e
Requirement
5. Describes the operational environment for the information system and relationships with orconnections to other information systems;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part f
Requirement
6. Provides an overview of the security requirements for the system;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part g
Requirement
7. Identifies any relevant overlays, if applicable;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part h
Requirement
8. Describes the security controls in place or planned for meeting those requirements including arationale for the tailoring and supplementation decisions; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
218 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
References SP 800-18;
Part i
Requirement
9. Is reviewed and approved by the authorizing official or designated representative prior to planimplementation;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part j
Requirement
b. Distributes copies of the security plan and communicates subsequent changes to the plan to[Assignment: organization-defined personnel or roles];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part k
Requirement
c. Reviews the security plan for the information system [Assignment: organization-defined fre-quency];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part l
Requirement
d. Updates the plan to address changes to the information system/environment of operation orproblems identified during plan implementation or security control assessments; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
3.213. PL-2 - System Security Plan 219
OpenShift Compliance Guide, Release 1.0 beta
Part m
Requirement
e. Protects the security plan from unauthorized disclosure and modification.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
3.214 PL-2(3) - System Security Plan | Plan / Coordinate With OtherOrganizational Entities
Requirement SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZA-TIONAL ENTITIES The organization plans and coordinates security-related activities affecting theinformation system with [Assignment: organization-defined individuals or groups] before conduct-ing such activities in order to reduce the impact on other organizational entities.
3.214.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.214.2 PL-2(3) What is the solution and how is it implemented?
Part a
Requirement SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZA-TIONAL ENTITIES The organization plans and coordinates security-related activities affecting theinformation system with [Assignment: organization-defined individuals or groups] before conduct-ing such activities in order to reduce the impact on other organizational entities.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.215 PL-4 - Rules Of Behavior
Requirement RULES OF BEHAVIOR Control: The organization: a. Establishes and makes readilyavailable to individuals requiring access to the information system, the rules that describe their re-sponsibilities and expected behavior with regard to information and information system usage; b.Receives a signed acknowledgment from such individuals, indicating that they have read, under-stand, and agree to abide by the rules of behavior, before authorizing access to information and
220 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
the information system; c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules ofbehavior to read and resign when the rules of behavior are revised/updated.
3.215.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.215.2 PL-4 What is the solution and how is it implemented?
Part a
Requirement RULES OF BEHAVIOR Control: The organization: a. Establishes and makes readilyavailable to individuals requiring access to the information system, the rules that describe theirresponsibilities and expected behavior with regard to information and information system usage;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part b
Requirement
b. Receives a signed acknowledgment from such individuals, indicating that they have read, un-derstand, and agree to abide by the rules of behavior, before authorizing access to informationand the information system;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part c
Requirement
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
3.215. PL-4 - Rules Of Behavior 221
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
d. Requires individuals who have signed a previous version of the rules of behavior to read andresign when the rules of behavior are revised/updated.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
3.216 PL-4(1) - Rules Of Behavior | Social Media And Networking Re-strictions
Requirement RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONSThe organization includes in the rules of behavior, explicit restrictions on the use of social me-dia/networking sites and posting organizational information on public websites.
3.216.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.216.2 PL-4(1) What is the solution and how is it implemented?
Part a
Requirement RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONSThe organization includes in the rules of behavior, explicit restrictions on the use of social me-dia/networking sites and posting organizational information on public websites.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.217 PS-1 - Personnel Security Policy And Procedures
Requirement PERSONNEL SECURITY POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.A personnel security policy that addresses purpose, scope, roles, responsibilities, management com-mitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitatethe implementation of the personnel security policy and associated personnel security controls; andb. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-definedfrequency]; and 2. Personnel security procedures [Assignment: organization-defined frequency].
222 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.217.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.217.2 PS-1 What is the solution and how is it implemented?
Part a
Requirement PERSONNEL SECURITY POLICY AND PROCEDURES Control: The organization: a.Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. A personnel security policy that addresses purpose, scope, roles, responsibilities, managementcommitment, coordination among organizational entities, and compliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the personnel security policy and associated per-sonnel security controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Personnel security policy [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.217. PS-1 - Personnel Security Policy And Procedures 223
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
2. Personnel security procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.218 PS-2 - Position Risk Designation
Requirement POSITION RISK DESIGNATION Control: The organization: a. Assigns a risk desig-nation to all organizational positions; b. Establishes screening criteria for individuals filling thosepositions; and c. Reviews and updates position risk designations [Assignment: organization-definedfrequency].
3.218.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.218.2 PS-2 What is the solution and how is it implemented?
Part a
Requirement POSITION RISK DESIGNATION Control: The organization: a. Assigns a risk designa-tion to all organizational positions;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References 5 C.F.R. 731.106(a);
Part b
Requirement
b. Establishes screening criteria for individuals filling those positions; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References 5 C.F.R. 731.106(a);
224 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Reviews and updates position risk designations [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References 5 C.F.R. 731.106(a);
3.219 PS-3 - Personnel Screening
Requirement PERSONNEL SCREENING Control: The organization: a. Screens individuals prior toauthorizing access to the information system; and b. Rescreens individuals according to [Assign-ment: organization-defined conditions requiring rescreening and, where rescreening is so indicated,the frequency of such rescreening].
3.219.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.219.2 PS-3 What is the solution and how is it implemented?
Part a
Requirement PERSONNEL SCREENING Control: The organization: a. Screens individuals prior toauthorizing access to the information system; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References 5 C.F.R. 731.106; FIPS Pub 199; FIPS Pub 201; SP 800-60; SP 800-73; SP 800-76; SP800-78; ICD 704;
Part b
Requirement
b. Rescreens individuals according to [Assignment: organization-defined conditions requiring re-screening and, where rescreening is so indicated, the frequency of such rescreening].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.219. PS-3 - Personnel Screening 225
OpenShift Compliance Guide, Release 1.0 beta
References 5 C.F.R. 731.106; FIPS Pub 199; FIPS Pub 201; SP 800-60; SP 800-73; SP 800-76; SP800-78; ICD 704;
3.220 PS-4 - Personnel Termination
Requirement PERSONNEL TERMINATION Control: The organization, upon termination of individ-ual employment: a. Disables information system access within [Assignment: organization-definedtime period]; b. Terminates/revokes any authenticators/credentials associated with the individual; c.Conducts exit interviews that include a discussion of [Assignment: organization-defined informationsecurity topics]; d. Retrieves all security-related organizational information system-related property;e. Retains access to organizational information and information systems formerly controlled by ter-minated individual; and f. Notifies [Assignment: organization-defined personnel or roles] within[Assignment: organization-defined time period].
3.220.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.220.2 PS-4 What is the solution and how is it implemented?
Part a
Requirement PERSONNEL TERMINATION Control: The organization, upon termination of individualemployment: a. Disables information system access within [Assignment: organization-defined timeperiod];
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Terminates/revokes any authenticators/credentials associated with the individual;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part c
Requirement
c. Conducts exit interviews that include a discussion of [Assignment: organization-defined infor-mation security topics];
226 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part d
Requirement
d. Retrieves all security-related organizational information system-related property;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part e
Requirement
e. Retains access to organizational information and information systems formerly controlled byterminated individual; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part f
Requirement
f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment:organization-defined time period].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.221 PS-4(2) - Personnel Termination | Automated Notification
Requirement PERSONNEL TERMINATION | AUTOMATED NOTIFICATION The organization em-ploys automated mechanisms to notify [Assignment: organization-defined personnel or roles] upontermination of an individual.
3.221.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.221. PS-4(2) - Personnel Termination | Automated Notification 227
OpenShift Compliance Guide, Release 1.0 beta
3.221.2 PS-4(2) What is the solution and how is it implemented?
Part a
Requirement PERSONNEL TERMINATION | AUTOMATED NOTIFICATION The organization em-ploys automated mechanisms to notify [Assignment: organization-defined personnel or roles] upontermination of an individual.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.222 PS-5 - Personnel Transfer
Requirement PERSONNEL TRANSFER Control: The organization: a. Reviews and confirms on-going operational need for current logical and physical access authorizations to information sys-tems/facilities when individuals are reassigned or transferred to other positions within the organi-zation; b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [As-signment: organization-defined time period following the formal transfer action]; c. Modifies accessauthorization as needed to correspond with any changes in operational need due to reassignment ortransfer; and d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment:organization-defined time period].
3.222.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.222.2 PS-5 What is the solution and how is it implemented?
Part a
Requirement PERSONNEL TRANSFER Control: The organization: a. Reviews and confirms on-going operational need for current logical and physical access authorizations to information sys-tems/facilities when individuals are reassigned or transferred to other positions within the organiza-tion;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Initiates [Assignment: organization-defined transfer or reassignment actions] within [Assign-ment: organization-defined time period following the formal transfer action];
228 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part c
Requirement
c. Modifies access authorization as needed to correspond with any changes in operational needdue to reassignment or transfer; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part d
Requirement
d. Notifies [Assignment: organization-defined personnel or roles] within [Assignment:organization-defined time period].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.223 PS-6 - Access Agreements
Requirement ACCESS AGREEMENTS Control: The organization: a. Develops and documents accessagreements for organizational information systems; b. Reviews and updates the access agreements[Assignment: organization-defined frequency]; and c. Ensures that individuals requiring access toorganizational information and information systems: 1. Sign appropriate access agreements priorto being granted access; and 2. Re-sign access agreements to maintain access to organizationalinformation systems when access agreements have been updated or [Assignment: organization-defined frequency].
3.223.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.223. PS-6 - Access Agreements 229
OpenShift Compliance Guide, Release 1.0 beta
3.223.2 PS-6 What is the solution and how is it implemented?
Part a
Requirement ACCESS AGREEMENTS Control: The organization: a. Develops and documents accessagreements for organizational information systems;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part c
Requirement
c. Ensures that individuals requiring access to organizational information and information sys-tems: 1. Sign appropriate access agreements prior to being granted access; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part d
Requirement
2. Re-sign access agreements to maintain access to organizational information systems when ac-cess agreements have been updated or [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.224 PS-7 - Third-party Personnel Security
Requirement THIRD-PARTY PERSONNEL SECURITY Control: The organization: a. Estab-lishes personnel security requirements including security roles and responsibilities for third-partyproviders; b. Requires third-party providers to comply with personnel security policies and proce-dures established by the organization; c. Documents personnel security requirements; d. Requires
230 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
third-party providers to notify [Assignment: organization-defined personnel or roles] of any person-nel transfers or terminations of third-party personnel who possess organizational credentials and/orbadges, or who have information system privileges within [Assignment: organization-defined timeperiod]; and e. Monitors provider compliance.
3.224.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.224.2 PS-7 What is the solution and how is it implemented?
Part a
Requirement THIRD-PARTY PERSONNEL SECURITY Control: The organization: a. Estab-lishes personnel security requirements including security roles and responsibilities for third-partyproviders;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
Part b
Requirement
b. Requires third-party providers to comply with personnel security policies and procedures es-tablished by the organization;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
Part c
Requirement
c. Documents personnel security requirements;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
3.224. PS-7 - Third-party Personnel Security 231
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles]of any personnel transfers or terminations of third-party personnel who possess organizationalcredentials and/or badges, or who have information system privileges within [Assignment:organization-defined time period]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
Part e
Requirement
e. Monitors provider compliance.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
3.225 PS-8 - Personnel Sanctions
Requirement PERSONNEL SANCTIONS Control: The organization: a. Employs a formal sanctionsprocess for individuals failing to comply with established information security policies and proce-dures; and b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment:organization-defined time period] when a formal employee sanctions process is initiated, identifyingthe individual sanctioned and the reason for the sanction.
3.225.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.225.2 PS-8 What is the solution and how is it implemented?
Part a
Requirement PERSONNEL SANCTIONS Control: The organization: a. Employs a formal sanctionsprocess for individuals failing to comply with established information security policies and proce-dures; and
Role Organization
232 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Notifies [Assignment: organization-defined personnel or roles] within [Assignment:organization-defined time period] when a formal employee sanctions process is initiated, iden-tifying the individual sanctioned and the reason for the sanction.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.226 RA-1 - Risk Assessment Policy And Procedures
Requirement RISK ASSESSMENT POLICY AND PROCEDURES Control: The organization: a. De-velops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. Arisk assessment policy that addresses purpose, scope, roles, responsibilities, management commit-ment, coordination among organizational entities, and compliance; and 2. Procedures to facilitatethe implementation of the risk assessment policy and associated risk assessment controls; and b.Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-definedfrequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
3.226.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
3.226.2 RA-1 What is the solution and how is it implemented?
Part a
Requirement RISK ASSESSMENT POLICY AND PROCEDURES Control: The organization: a. De-velops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.A risk assessment policy that addresses purpose, scope, roles, responsibilities, management com-mitment, coordination among organizational entities, and compliance; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-12; SP 800-30; SP 800-100;
3.226. RA-1 - Risk Assessment Policy And Procedures 233
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
2. Procedures to facilitate the implementation of the risk assessment policy and associated riskassessment controls; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-12; SP 800-30; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-definedfrequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-30; SP 800-100;
Part d
Requirement
2. Risk assessment procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-30; SP 800-100;
3.227 RA-2 - Security Categorization
Requirement SECURITY CATEGORIZATION Control: The organization: a. Categorizes informationand the information system in accordance with applicable federal laws, Executive Orders, directives,policies, regulations, standards, and guidance; b. Documents the security categorization results(including supporting rationale) in the security plan for the information system; and c. Ensuresthat the security categorization decision is reviewed and approved by the authorizing official orauthorizing official designated representative.
234 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.227.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.227.2 RA-2 What is the solution and how is it implemented?
Part a
Requirement SECURITY CATEGORIZATION Control: The organization: a. Categorizes informationand the information system in accordance with applicable federal laws, Executive Orders, directives,policies, regulations, standards, and guidance;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-30; SP 800-39; SP 800-60;
Part b
Requirement
b. Documents the security categorization results (including supporting rationale) in the securityplan for the information system; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-30; SP 800-39; SP 800-60;
Part c
Requirement
c. Ensures that the security categorization decision is reviewed and approved by the authorizingofficial or authorizing official designated representative.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 199; SP 800-30; SP 800-39; SP 800-60;
3.227. RA-2 - Security Categorization 235
OpenShift Compliance Guide, Release 1.0 beta
3.228 RA-3 - Risk Assessment
Requirement RISK ASSESSMENT Control: The organization: a. Conducts an assessment of risk,including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, dis-ruption, modification, or destruction of the information system and the information it processes,stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assess-ment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results[Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assign-ment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment:organization-defined frequency] or whenever there are significant changes to the information sys-tem or environment of operation (including the identification of new threats and vulnerabilities), orother conditions that may impact the security state of the system.
3.228.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
3.228.2 RA-3 What is the solution and how is it implemented?
Part a
Requirement RISK ASSESSMENT Control: The organization: a. Conducts an assessment of risk,including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure,disruption, modification, or destruction of the information system and the information it processes,stores, or transmits;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
Part b
Requirement
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assign-ment: organization-defined document]];
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
236 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Reviews risk assessment results [Assignment: organization-defined frequency];
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
Part d
Requirement
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles];and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
Part e
Requirement
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever thereare significant changes to the information system or environment of operation (including theidentification of new threats and vulnerabilities), or other conditions that may impact the secu-rity state of the system.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
3.229 RA-5 - Vulnerability Scanning
Requirement VULNERABILITY SCANNING Control: The organization: a. Scans for vulnerabili-ties in the information system and hosted applications [Assignment: organization-defined frequencyand/or randomly in accordance with organization-defined process] and when new vulnerabilitiespotentially affecting the system/applications are identified and reported; b. Employs vulnerabilityscanning tools and techniques that facilitate interoperability among tools and automate parts of thevulnerability management process by using standards for: 1. Enumerating platforms, software flaws,and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulner-ability impact; c. Analyzes vulnerability scan reports and results from security control assessments;d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in ac-cordance with an organizational assessment of risk; and e. Shares information obtained from the
3.229. RA-5 - Vulnerability Scanning 237
OpenShift Compliance Guide, Release 1.0 beta
vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems(i.e., systemic weaknesses or deficiencies).
3.229.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.229.2 RA-5 What is the solution and how is it implemented?
Part a
Requirement VULNERABILITY SCANNING Control: The organization: a. Scans for vulnerabilitiesin the information system and hosted applications [Assignment: organization-defined frequencyand/or randomly in accordance with organization-defined process] and when new vulnerabilitiespotentially affecting the system/applications are identified and reported;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-40; SP 800-70; SP 800-115; Web: cwe.mitre.org, nvd.nist.gov;
Part b
Requirement
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among toolsand automate parts of the vulnerability management process by using standards for: 1. Enu-merating platforms, software flaws, and improper configurations;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-40; SP 800-70; SP 800-115; Web: cwe.mitre.org, nvd.nist.gov;
Part c
Requirement
2. Formatting checklists and test procedures; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-40; SP 800-70; SP 800-115; Web: cwe.mitre.org, nvd.nist.gov;
238 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
3. Measuring vulnerability impact;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-40; SP 800-70; SP 800-115; Web: cwe.mitre.org, nvd.nist.gov;
Part e
Requirement
c. Analyzes vulnerability scan reports and results from security control assessments;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-40; SP 800-70; SP 800-115; Web: cwe.mitre.org, nvd.nist.gov;
Part f
Requirement
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in ac-cordance with an organizational assessment of risk; and
Role OpenShift Landlord
Status Planned
Details Documented in the POAM created as a result of vulnerability scanning.
References SP 800-40; SP 800-70; SP 800-115; Web: cwe.mitre.org, nvd.nist.gov;
Part g
Requirement
e. Shares information obtained from the vulnerability scanning process and security control as-sessments with [Assignment: organization-defined personnel or roles] to help eliminate similarvulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-40; SP 800-70; SP 800-115; Web: cwe.mitre.org, nvd.nist.gov;
3.229. RA-5 - Vulnerability Scanning 239
OpenShift Compliance Guide, Release 1.0 beta
3.230 SA-1 - System And Services Acquisition Policy And Proce-dures
Requirement SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES Control: Theorganization: a. Develops, documents, and disseminates to [Assignment: organization-defined per-sonnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles,responsibilities, management commitment, coordination among organizational entities, and com-pliance; and 2. Procedures to facilitate the implementation of the system and services acquisitionpolicy and associated system and services acquisition controls; and b. Reviews and updates the cur-rent: 1. System and services acquisition policy [Assignment: organization-defined frequency]; and2. System and services acquisition procedures [Assignment: organization-defined frequency].
3.230.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.230.2 SA-1 What is the solution and how is it implemented?
Part a
Requirement SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES Control: Theorganization: a. Develops, documents, and disseminates to [Assignment: organization-defined per-sonnel or roles]: 1. A system and services acquisition policy that addresses purpose, scope, roles,responsibilities, management commitment, coordination among organizational entities, and compli-ance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the system and services acquisition policy andassociated system and services acquisition controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
240 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
b. Reviews and updates the current: 1. System and services acquisition policy [Assignment:organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part d
Requirement
2. System and services acquisition procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.231 SA-11 - Developer Security Testing And Evaluation
Requirement DEVELOPER SECURITY TESTING AND EVALUATION Control: The organizationrequires the developer of the information system, system component, or information system serviceto: a. Create and implement a security assessment plan; b. Perform [Selection (one or more): unit;integration; system; regression] testing/evaluation at [Assignment: organization-defined depth andcoverage]; c. Produce evidence of the execution of the security assessment plan and the results ofthe security testing/evaluation; d. Implement a verifiable flaw remediation process; and e. Correctflaws identified during security testing/evaluation.
3.231.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.231.2 SA-11 What is the solution and how is it implemented?
Part a
Requirement DEVELOPER SECURITY TESTING AND EVALUATION Control: The organizationrequires the developer of the information system, system component, or information system serviceto: a. Create and implement a security assessment plan;
Role Organization
3.231. SA-11 - Developer Security Testing And Evaluation 241
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details Documented in the project’s System Test Plan.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
Part b
Requirement
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at[Assignment: organization-defined depth and coverage];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
Part c
Requirement
c. Produce evidence of the execution of the security assessment plan and the results of the securitytesting/evaluation;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
Part d
Requirement
d. Implement a verifiable flaw remediation process; and
Role OpenShift Landlord, OpenShift Tenant
Status Planned
Details Documented in the POAM created as a result of vulnerability scanning.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
Part e
Requirement
e. Correct flaws identified during security testing/evaluation.
Role OpenShift Landlord, OpenShift Tenant
242 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Planned
Details Documented in the POAM created as a result of vulnerability scanning.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
3.232 SA-16 - Developer-provided Training
Requirement DEVELOPER-PROVIDED TRAINING Control: The organization requires the developerof the information system, system component, or information system service to provide [Assign-ment: organization-defined training] on the correct use and operation of the implemented securityfunctions, controls, and/or mechanisms.
3.232.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.232.2 SA-16 What is the solution and how is it implemented?
Part a
Requirement DEVELOPER-PROVIDED TRAINING Control: The organization requires the developerof the information system, system component, or information system service to provide [Assign-ment: organization-defined training] on the correct use and operation of the implemented securityfunctions, controls, and/or mechanisms.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.233 SA-17 - Developer Security Architecture And Design
Requirement DEVELOPER SECURITY ARCHITECTURE AND DESIGN Control: The organizationrequires the developer of the information system, system component, or information system serviceto produce a design specification and security architecture that: a. Is consistent with and supportiveof the organization’s security architecture which is established within and is an integrated part of theorganization’s enterprise architecture; b. Accurately and completely describes the required securityfunctionality, and the allocation of security controls among physical and logical components; andc. Expresses how individual security functions, mechanisms, and services work together to providerequired security capabilities and a unified approach to protection.
3.232. SA-16 - Developer-provided Training 243
OpenShift Compliance Guide, Release 1.0 beta
3.233.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.233.2 SA-17 What is the solution and how is it implemented?
Part a
Requirement DEVELOPER SECURITY ARCHITECTURE AND DESIGN Control: The organizationrequires the developer of the information system, system component, or information system serviceto produce a design specification and security architecture that: a. Is consistent with and supportiveof the organization’s security architecture which is established within and is an integrated part of theorganization’s enterprise architecture;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part b
Requirement
b. Accurately and completely describes the required security functionality, and the allocation ofsecurity controls among physical and logical components; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part c
Requirement
c. Expresses how individual security functions, mechanisms, and services work together to pro-vide required security capabilities and a unified approach to protection.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.234 SA-2 - Allocation Of Resources
Requirement ALLOCATION OF RESOURCES Control: The organization: a. Determines informationsecurity requirements for the information system or information system service in mission/businessprocess planning; b. Determines, documents, and allocates the resources required to protect theinformation system or information system service as part of its capital planning and investment
244 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
control process; and c. Establishes a discrete line item for information security in organizationalprogramming and budgeting documentation.
3.234.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.234.2 SA-2 What is the solution and how is it implemented?
Part a
Requirement ALLOCATION OF RESOURCES Control: The organization: a. Determines informationsecurity requirements for the information system or information system service in mission/businessprocess planning;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-65;
Part b
Requirement
b. Determines, documents, and allocates the resources required to protect the information systemor information system service as part of its capital planning and investment control process; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-65;
Part c
Requirement
c. Establishes a discrete line item for information security in organizational programming andbudgeting documentation.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-65;
3.234. SA-2 - Allocation Of Resources 245
OpenShift Compliance Guide, Release 1.0 beta
3.235 SA-3 - System Development Life Cycle
Requirement SYSTEM DEVELOPMENT LIFE CYCLE Control: The organization: a. Manages theinformation system using [Assignment: organization-defined system development life cycle] thatincorporates information security considerations; b. Defines and documents information securityroles and responsibilities throughout the system development life cycle; c. Identifies individualshaving information security roles and responsibilities; and d. Integrates the organizational informa-tion security risk management process into system development life cycle activities.
3.235.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
3.235.2 SA-3 What is the solution and how is it implemented?
Part a
Requirement SYSTEM DEVELOPMENT LIFE CYCLE Control: The organization: a. Manages theinformation system using [Assignment: organization-defined system development life cycle] thatincorporates information security considerations;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
Part b
Requirement
b. Defines and documents information security roles and responsibilities throughout the systemdevelopment life cycle;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
Part c
Requirement
c. Identifies individuals having information security roles and responsibilities; and
Role OpenShift Tenant
Status Not implemented
246 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
Part d
Requirement
d. Integrates the organizational information security risk management process into system devel-opment life cycle activities.
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
3.236 SA-4 - Acquisition Process
Requirement ACQUISITION PROCESS Control: The organization includes the following require-ments, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the in-formation system, system component, or information system service in accordance with applicablefederal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and orga-nizational mission/business needs: a. Security functional requirements; b. Security strength re-quirements; c. Security assurance requirements; d. Security-related documentation requirements;e. Requirements for protecting security-related documentation; f. Description of the informationsystem development environment and environment in which the system is intended to operate; andg. Acceptance criteria.
3.236.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.236.2 SA-4 What is the solution and how is it implemented?
Part a
Requirement ACQUISITION PROCESS Control: The organization includes the following require-ments, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the in-formation system, system component, or information system service in accordance with applicablefederal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organiza-tional mission/business needs: a. Security functional requirements;
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.236. SA-4 - Acquisition Process 247
OpenShift Compliance Guide, Release 1.0 beta
References HSPD-12; ISO/IEC 15408; FIPS Pub 140-2; FIPS Pub 201; SP 800-23; SP 800-35; SP800-36; SP 800-37; SP 800-64; SP 800-70; SP 800-137; Federal Acquisition Regulation; Web:www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far;
Part b
Requirement
b. Security strength requirements;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References HSPD-12; ISO/IEC 15408; FIPS Pub 140-2; FIPS Pub 201; SP 800-23; SP 800-35; SP800-36; SP 800-37; SP 800-64; SP 800-70; SP 800-137; Federal Acquisition Regulation; Web:www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far;
Part c
Requirement
c. Security assurance requirements;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References HSPD-12; ISO/IEC 15408; FIPS Pub 140-2; FIPS Pub 201; SP 800-23; SP 800-35; SP800-36; SP 800-37; SP 800-64; SP 800-70; SP 800-137; Federal Acquisition Regulation; Web:www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far;
Part d
Requirement
d. Security-related documentation requirements;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References HSPD-12; ISO/IEC 15408; FIPS Pub 140-2; FIPS Pub 201; SP 800-23; SP 800-35; SP800-36; SP 800-37; SP 800-64; SP 800-70; SP 800-137; Federal Acquisition Regulation; Web:www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far;
Part e
Requirement
e. Requirements for protecting security-related documentation;
Role Organization
248 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details Dependent on implementing organization.
References HSPD-12; ISO/IEC 15408; FIPS Pub 140-2; FIPS Pub 201; SP 800-23; SP 800-35; SP800-36; SP 800-37; SP 800-64; SP 800-70; SP 800-137; Federal Acquisition Regulation; Web:www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far;
Part f
Requirement
f. Description of the information system development environment and environment in which thesystem is intended to operate; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References HSPD-12; ISO/IEC 15408; FIPS Pub 140-2; FIPS Pub 201; SP 800-23; SP 800-35; SP800-36; SP 800-37; SP 800-64; SP 800-70; SP 800-137; Federal Acquisition Regulation; Web:www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far;
Part g
Requirement
g. Acceptance criteria.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References HSPD-12; ISO/IEC 15408; FIPS Pub 140-2; FIPS Pub 201; SP 800-23; SP 800-35; SP800-36; SP 800-37; SP 800-64; SP 800-70; SP 800-137; Federal Acquisition Regulation; Web:www.niap-ccevs.org, fips201ep.cio.gov, www.acquisition.gov/far;
3.237 SA-4(1) - Acquisition Process | Functional Properties Of Secu-rity Controls
Requirement ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLSThe organization requires the developer of the information system, system component, or informa-tion system service to provide a description of the functional properties of the security controls tobe employed.
3.237.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
3.237. SA-4(1) - Acquisition Process | Functional Properties Of Security Controls 249
OpenShift Compliance Guide, Release 1.0 beta
3.237.2 SA-4(1) What is the solution and how is it implemented?
Part a
Requirement ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLSThe organization requires the developer of the information system, system component, or informa-tion system service to provide a description of the functional properties of the security controls tobe employed.
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
3.238 SA-4(10) - Acquisition Process | Use Of Approved Piv Products
Requirement ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS The organizationemploys only information technology products on the FIPS 201-approved products list for PersonalIdentity Verification (PIV) capability implemented within organizational information systems.
3.238.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.238.2 SA-4(10) What is the solution and how is it implemented?
Part a
Requirement ACQUISITION PROCESS | USE OF APPROVED PIV PRODUCTS The organizationemploys only information technology products on the FIPS 201-approved products list for PersonalIdentity Verification (PIV) capability implemented within organizational information systems.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.239 SA-4(2) - Acquisition Process | Design / Implementation Infor-mation For Security Controls
Requirement ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SE-CURITY CONTROLS The organization requires the developer of the information system, systemcomponent, or information system service to provide design and implementation information for thesecurity controls to be employed that includes: [Selection (one or more): security-relevant external
250 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
system interfaces; high-level design; low-level design; source code or hardware schematics; [As-signment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
3.239.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
3.239.2 SA-4(2) What is the solution and how is it implemented?
Part a
Requirement ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SE-CURITY CONTROLS The organization requires the developer of the information system, systemcomponent, or information system service to provide design and implementation information for thesecurity controls to be employed that includes: [Selection (one or more): security-relevant externalsystem interfaces; high-level design; low-level design; source code or hardware schematics; [As-signment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
3.240 SA-5 - Information System Documentation
Requirement INFORMATION SYSTEM DOCUMENTATION Control: The organization: a. Obtainsadministrator documentation for the information system, system component, or information systemservice that describes: 1. Secure configuration, installation, and operation of the system, component,or service; 2. Effective use and maintenance of security functions/mechanisms; and 3. Known vul-nerabilities regarding configuration and use of administrative (i.e., privileged) functions; b. Obtainsuser documentation for the information system, system component, or information system servicethat describes: 1. User-accessible security functions/mechanisms and how to effectively use thosesecurity functions/mechanisms; 2. Methods for user interaction, which enables individuals to usethe system, component, or service in a more secure manner; and 3. User responsibilities in maintain-ing the security of the system, component, or service; c. Documents attempts to obtain informationsystem, system component, or information system service documentation when such documentationis either unavailable or nonexistent and [Assignment: organization-defined actions] in response; d.Protects documentation as required, in accordance with the risk management strategy; and e. Dis-tributes documentation to [Assignment: organization-defined personnel or roles].
3.240.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
3.240. SA-5 - Information System Documentation 251
OpenShift Compliance Guide, Release 1.0 beta
Origin OpenShift Landlord SSP
3.240.2 SA-5 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM DOCUMENTATION Control: The organization: a. Obtainsadministrator documentation for the information system, system component, or information systemservice that describes: 1. Secure configuration, installation, and operation of the system, component,or service;
Role OpenShift Landlord
Status Implemented
Details Documentation available from the OSE vendor, Red Hat.
Part b
Requirement
2. Effective use and maintenance of security functions/mechanisms; and
Role OpenShift Landlord
Status Implemented
Details Documentation available from the OSE vendor, Red Hat.
Part c
Requirement
3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) func-tions;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part d
Requirement
b. Obtains user documentation for the information system, system component, or informationsystem service that describes: 1. User-accessible security functions/mechanisms and how toeffectively use those security functions/mechanisms;
Role OpenShift Landlord
Status Implemented
Details Documentation available from the OSE vendor, Red Hat.
252 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
2. Methods for user interaction, which enables individuals to use the system, component, or ser-vice in a more secure manner; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part f
Requirement
3. User responsibilities in maintaining the security of the system, component, or service;
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part g
Requirement
c. Documents attempts to obtain information system, system component, or information systemservice documentation when such documentation is either unavailable or nonexistent and [As-signment: organization-defined actions] in response;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
Part h
Requirement
d. Protects documentation as required, in accordance with the risk management strategy; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part i
Requirement
e. Distributes documentation to [Assignment: organization-defined personnel or roles].
Role Organization
Status Inherited
3.240. SA-5 - Information System Documentation 253
OpenShift Compliance Guide, Release 1.0 beta
Details Dependent on implementing organization.
3.241 SA-9 - External Information System Services
Requirement EXTERNAL INFORMATION SYSTEM SERVICES Control: The organization: a. Re-quires that providers of external information system services comply with organizational informa-tion security requirements and employ [Assignment: organization-defined security controls] in ac-cordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards,and guidance; b. Defines and documents government oversight and user roles and responsibilitieswith regard to external information system services; and c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by externalservice providers on an ongoing basis.
3.241.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.241.2 SA-9 What is the solution and how is it implemented?
Part a
Requirement EXTERNAL INFORMATION SYSTEM SERVICES Control: The organization: a. Re-quires that providers of external information system services comply with organizational informa-tion security requirements and employ [Assignment: organization-defined security controls] in ac-cordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards,and guidance;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
Part b
Requirement
b. Defines and documents government oversight and user roles and responsibilities with regard toexternal information system services; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
254 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitorsecurity control compliance by external service providers on an ongoing basis.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-35;
3.242 SC-1 - System And Communications Protection Policy AndProcedures
Requirement SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURESControl: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses pur-pose, scope, roles, responsibilities, management commitment, coordination among organizationalentities, and compliance; and 2. Procedures to facilitate the implementation of the system and com-munications protection policy and associated system and communications protection controls; andb. Reviews and updates the current: 1. System and communications protection policy [Assign-ment: organization-defined frequency]; and 2. System and communications protection procedures[Assignment: organization-defined frequency].
3.242.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.242.2 SC-1 What is the solution and how is it implemented?
Part a
Requirement SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURESControl: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses pur-pose, scope, roles, responsibilities, management commitment, coordination among organizationalentities, and compliance; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.242. SC-1 - System And Communications Protection Policy And Procedures 255
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
2. Procedures to facilitate the implementation of the system and communications protection policyand associated system and communications protection controls; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. System and communications protection policy [Assign-ment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part d
Requirement
2. System and communications protection procedures [Assignment: organization-defined fre-quency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
3.243 SC-10 - Network Disconnect
Requirement NETWORK DISCONNECT Control: The information system terminates the networkconnection associated with a communications session at the end of the session or after [Assignment:organization-defined time period] of inactivity.
3.243.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
256 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.243.2 SC-10 What is the solution and how is it implemented?
Part a
Requirement NETWORK DISCONNECT Control: The information system terminates the networkconnection associated with a communications session at the end of the session or after [Assignment:organization-defined time period] of inactivity.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.244 SC-12 - Cryptographic Key Establishment And Management
Requirement CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT Control: The or-ganization establishes and manages cryptographic keys for required cryptography employed withinthe information system in accordance with [Assignment: organization-defined requirements for keygeneration, distribution, storage, access, and destruction].
3.244.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.244.2 SC-12 What is the solution and how is it implemented?
Part a
Requirement CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT Control: The or-ganization establishes and manages cryptographic keys for required cryptography employed withinthe information system in accordance with [Assignment: organization-defined requirements for keygeneration, distribution, storage, access, and destruction].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-56; SP 800-57;
3.245 SC-12(1) - Cryptographic Key Establishment And Management| Availability
Requirement CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABIL-ITY The organization maintains availability of information in the event of the loss of cryptographickeys by users.
3.244. SC-12 - Cryptographic Key Establishment And Management 257
OpenShift Compliance Guide, Release 1.0 beta
3.245.1 Control Summary Information
Role Organization, OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.245.2 SC-12(1) What is the solution and how is it implemented?
Part a
Requirement CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT | AVAILABIL-ITY The organization maintains availability of information in the event of the loss of cryptographickeys by users.
Role Organization, OpenShift Landlord
Status Implemented
Details Inherited from the organizational user directory
3.246 SC-13 - Cryptographic Protection
Requirement CRYPTOGRAPHIC PROTECTION Control: The information system implements [As-signment: organization-defined cryptographic uses and type of cryptography required for each use]in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, andstandards.
3.246.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.246.2 SC-13 What is the solution and how is it implemented?
Part a
Requirement CRYPTOGRAPHIC PROTECTION Control: The information system implements [As-signment: organization-defined cryptographic uses and type of cryptography required for each use]in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, andstandards.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References FIPS Pub 140-2; Web: csrc.nist.gov/cryptval, www.cnss.gov;
258 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.247 SC-15 - Collaborative Computing Devices
Requirement COLLABORATIVE COMPUTING DEVICES Control: The information system: a. Pro-hibits remote activation of collaborative computing devices with the following exceptions: [Assign-ment: organization-defined exceptions where remote activation is to be allowed]; and b. Provides anexplicit indication of use to users physically present at the devices.
3.247.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.247.2 SC-15 What is the solution and how is it implemented?
Part a
Requirement COLLABORATIVE COMPUTING DEVICES Control: The information system: a. Pro-hibits remote activation of collaborative computing devices with the following exceptions: [Assign-ment: organization-defined exceptions where remote activation is to be allowed]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
Part b
Requirement
b. Provides an explicit indication of use to users physically present at the devices.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.248 SC-2 - Application Partitioning
Requirement APPLICATION PARTITIONING Control: The information system separates user func-tionality (including user interface services) from information system management functionality.
3.248.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.247. SC-15 - Collaborative Computing Devices 259
OpenShift Compliance Guide, Release 1.0 beta
3.248.2 SC-2 What is the solution and how is it implemented?
Part a
Requirement APPLICATION PARTITIONING Control: The information system separates user func-tionality (including user interface services) from information system management functionality.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.249 SC-20 - Secure Name / Address Resolution Service (authorita-tive Source)
Requirement SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)Control: The information system: a. Provides additional data origin and integrity artifacts alongwith the authoritative name resolution data the system returns in response to external name/addressresolution queries; and b. Provides the means to indicate the security status of child zones and (ifthe child supports secure resolution services) to enable verification of a chain of trust among parentand child domains, when operating as part of a distributed, hierarchical namespace.
3.249.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.249.2 SC-20 What is the solution and how is it implemented?
Part a
Requirement SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)Control: The information system: a. Provides additional data origin and integrity artifacts alongwith the authoritative name resolution data the system returns in response to external name/addressresolution queries; and
Role Organization
Status Inherited
Details undefined
References OMB M-08-23; SP 800-81;
Part b
Requirement
260 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
b. Provides the means to indicate the security status of child zones and (if the child supports secureresolution services) to enable verification of a chain of trust among parent and child domains,when operating as part of a distributed, hierarchical namespace.
Role Organization
Status Inherited
Details undefined
References OMB M-08-23; SP 800-81;
3.250 SC-21 - Secure Name / Address Resolution Service (recursiveOr Caching Resolver)
Requirement SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHINGRESOLVER) Control: The information system requests and performs data origin authenticationand data integrity verification on the name/address resolution responses the system receives fromauthoritative sources.
3.250.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.250.2 SC-21 What is the solution and how is it implemented?
Part a
Requirement SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHINGRESOLVER) Control: The information system requests and performs data origin authenticationand data integrity verification on the name/address resolution responses the system receives fromauthoritative sources.
Role Organization
Status Inherited
Details undefined
References SP 800-81;
3.251 SC-22 - Architecture And Provisioning For Name / AddressResolution Service
Requirement ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTIONSERVICE Control: The information systems that collectively provide name/address resolution ser-vice for an organization are fault-tolerant and implement internal/external role separation.
3.250. SC-21 - Secure Name / Address Resolution Service (recursive Or Caching Resolver) 261
OpenShift Compliance Guide, Release 1.0 beta
3.251.1 Control Summary Information
Role OpenShift Landlord
Status Not implemented
Origin OpenShift Landlord SSP
3.251.2 SC-22 What is the solution and how is it implemented?
Part a
Requirement ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTIONSERVICE Control: The information systems that collectively provide name/address resolution ser-vice for an organization are fault-tolerant and implement internal/external role separation.
Role OpenShift Landlord
Status Not implemented
Details OSE systems are clients of DNS services and do not provide name resolution capabilities.
References SP 800-81;
3.252 SC-24 - Fail In Known State
Requirement FAIL IN KNOWN STATE Control: The information system fails to a [Assignment:organization-defined known-state] for [Assignment: organization-defined types of failures] preserv-ing [Assignment: organization-defined system state information] in failure.
3.252.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.252.2 SC-24 What is the solution and how is it implemented?
Part a
Requirement FAIL IN KNOWN STATE Control: The information system fails to a [Assignment:organization-defined known-state] for [Assignment: organization-defined types of failures] preserv-ing [Assignment: organization-defined system state information] in failure.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
262 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.253 SC-3 - Security Function Isolation
Requirement SECURITY FUNCTION ISOLATION Control: The information system isolates securityfunctions from nonsecurity functions.
3.253.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.253.2 SC-3 What is the solution and how is it implemented?
Part a
Requirement SECURITY FUNCTION ISOLATION Control: The information system isolates securityfunctions from nonsecurity functions.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.254 SC-39 - Process Isolation
Requirement PROCESS ISOLATION Control: The information system maintains a separate executiondomain for each executing process.
3.254.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.254.2 SC-39 What is the solution and how is it implemented?
Part a
Requirement PROCESS ISOLATION Control: The information system maintains a separate executiondomain for each executing process.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.253. SC-3 - Security Function Isolation 263
OpenShift Compliance Guide, Release 1.0 beta
3.255 SC-4 - Information In Shared Resources
Requirement INFORMATION IN SHARED RESOURCES Control: The information system preventsunauthorized and unintended information transfer via shared system resources.
3.255.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.255.2 SC-4 What is the solution and how is it implemented?
Part a
Requirement INFORMATION IN SHARED RESOURCES Control: The information system preventsunauthorized and unintended information transfer via shared system resources.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.256 SC-42 - Sensor Capability And Data
Requirement SENSOR CAPABILITY AND DATA Control: The information system: a. Prohibits theremote activation of environmental sensing capabilities with the following exceptions: [Assignment:organization-defined exceptions where remote activation of sensors is allowed]; and b. Provides anexplicit indication of sensor use to [Assignment: organization-defined class of users].
3.256.1 Control Summary Information
Role IaaS
Status Inherited
Origin Inherited from pre-existing ATO
3.256.2 SC-42 What is the solution and how is it implemented?
Part a
Requirement SENSOR CAPABILITY AND DATA Control: The information system: a. Prohibits theremote activation of environmental sensing capabilities with the following exceptions: [Assignment:organization-defined exceptions where remote activation of sensors is allowed]; and
Role IaaS
Status Inherited
264 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Details Implemented by IaaS provider, OpenShift does not need access to the underlying hardware
Part b
Requirement
b. Provides an explicit indication of sensor use to [Assignment: organization-defined class ofusers].
Role IaaS
Status Inherited
Details Implemented by IaaS provider, OpenShift does not need access to the underlying hardware
3.257 SC-42(3) - Sensor Capability And Data | Prohibit Use Of Devices
Requirement SENSOR CAPABILITY AND DATA | PROHIBIT USE OF DEVICES The organizationprohibits the use of devices possessing [Assignment: organization-defined environmental sensingcapabilities] in [Assignment: organization-defined facilities, areas, or systems].
3.257.1 Control Summary Information
Role IaaS
Status Inherited
Origin Inherited from pre-existing ATO
3.257.2 SC-42(3) What is the solution and how is it implemented?
Part a
Requirement SENSOR CAPABILITY AND DATA | PROHIBIT USE OF DEVICES The organizationprohibits the use of devices possessing [Assignment: organization-defined environmental sensingcapabilities] in [Assignment: organization-defined facilities, areas, or systems].
Role IaaS
Status Inherited
Details Implemented by IaaS provider, OpenShift does not need access to the underlying hardware
3.258 SC-5 - Denial Of Service Protection
Requirement DENIAL OF SERVICE PROTECTION Control: The information system protects againstor limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing[Assignment: organization-defined security safeguards].
3.257. SC-42(3) - Sensor Capability And Data | Prohibit Use Of Devices 265
OpenShift Compliance Guide, Release 1.0 beta
3.258.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.258.2 SC-5 What is the solution and how is it implemented?
Part a
Requirement DENIAL OF SERVICE PROTECTION Control: The information system protects againstor limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing[Assignment: organization-defined security safeguards].
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.259 SC-7 - Boundary Protection
Requirement BOUNDARY PROTECTION Control: The information system: a. Monitors and controlscommunications at the external boundary of the system and at key internal boundaries within thesystem; b. Implements subnetworks for publicly accessible system components that are [Selection:physically; logically] separated from internal organizational networks; and c. Connects to externalnetworks or information systems only through managed interfaces consisting of boundary protectiondevices arranged in accordance with an organizational security architecture.
3.259.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.259.2 SC-7 What is the solution and how is it implemented?
Part a
Requirement BOUNDARY PROTECTION Control: The information system: a. Monitors and controlscommunications at the external boundary of the system and at key internal boundaries within thesystem;
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References FIPS Pub 199; SP 800-41; SP 800-77;
266 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Implements subnetworks for publicly accessible system components that are [Selection: physi-cally; logically] separated from internal organizational networks; and
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References FIPS Pub 199; SP 800-41; SP 800-77;
Part c
Requirement
c. Connects to external networks or information systems only through managed interfaces con-sisting of boundary protection devices arranged in accordance with an organizational securityarchitecture.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
References FIPS Pub 199; SP 800-41; SP 800-77;
3.260 SC-7(18) - Boundary Protection | Fail Secure
Requirement BOUNDARY PROTECTION | FAIL SECURE The information system fails securely inthe event of an operational failure of a boundary protection device.
3.260.1 Control Summary Information
Role OpenShift Landlord
Status Planned
Origin OpenShift Landlord SSP
3.260.2 SC-7(18) What is the solution and how is it implemented?
Part a
Requirement BOUNDARY PROTECTION | FAIL SECURE The information system fails securely inthe event of an operational failure of a boundary protection device.
Role OpenShift Landlord
Status Planned
Details NEED TO ADDRESS
3.260. SC-7(18) - Boundary Protection | Fail Secure 267
OpenShift Compliance Guide, Release 1.0 beta
3.261 SC-7(21) - Boundary Protection | Isolation Of Information Sys-tem Components
Requirement BOUNDARY PROTECTION | ISOLATION OF INFORMATION SYSTEM COMPO-NENTS The organization employs boundary protection mechanisms to separate [Assignment:organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].
3.261.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.261.2 SC-7(21) What is the solution and how is it implemented?
Part a
Requirement BOUNDARY PROTECTION | ISOLATION OF INFORMATION SYSTEM COMPO-NENTS The organization employs boundary protection mechanisms to separate [Assignment:organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.262 SE-1 - Inventory Of Personally Identifiable Information
Requirement INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION Control: The orga-nization: a. Establishes, maintains, and updates [Assignment: organization-defined frequency] aninventory that contains a listing of all programs and information systems identified as collecting,using, maintaining, or sharing personally identifiable information (PII); and b. Provides each updateof the PII inventory to the CIO or information security official [Assignment: organization-definedfrequency] to support the establishment of information security requirements for all new or modifiedinformation systems containing PII.
3.262.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
268 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.262.2 SE-1 What is the solution and how is it implemented?
Part a
Requirement INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION Control: The orga-nization: a. Establishes, maintains, and updates [Assignment: organization-defined frequency] aninventory that contains a listing of all programs and information systems identified as collecting,using, maintaining, or sharing personally identifiable information (PII); and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e) (10); Section 208(b)(2), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB Circular A-130, Appendix I; FIPS Pub 199; SP 800-37;SP 800-122;
Part b
Requirement
b. Provides each update of the PII inventory to the CIO or information security official [Assign-ment: organization-defined frequency] to support the establishment of information security re-quirements for all new or modified information systems containing PII.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e) (10); Section 208(b)(2), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB Circular A-130, Appendix I; FIPS Pub 199; SP 800-37;SP 800-122;
3.263 SE-2 - Privacy Incident Response
Requirement PRIVACY INCIDENT RESPONSE Control: The organization: a. Develops and imple-ments a Privacy Incident Response Plan; and b. Provides an organized and effective response toprivacy incidents in accordance with the organizational Privacy Incident Response Plan.
3.263.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.263. SE-2 - Privacy Incident Response 269
OpenShift Compliance Guide, Release 1.0 beta
3.263.2 SE-2 What is the solution and how is it implemented?
Part a
Requirement PRIVACY INCIDENT RESPONSE Control: The organization: a. Develops and imple-ments a Privacy Incident Response Plan; and
Role Organization
Status Inherited
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e), (i)(1), and (m); Federal Information SecurityManagement Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-06-19; OMB M-07-16; SP 800-37;
Part b
Requirement
b. Provides an organized and effective response to privacy incidents in accordance with the orga-nizational Privacy Incident Response Plan.
Role Organization
Status Inherited
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e), (i)(1), and (m); Federal Information SecurityManagement Act (FISMA) of 2002, 44 U.S.C. § 3541; OMB M-06-19; OMB M-07-16; SP 800-37;
3.264 SI-1 - System And Information Integrity Policy And Procedures
Requirement SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. A system and information integrity policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and 2. Procedures to facilitate the implementation of the system and information in-tegrity policy and associated system and information integrity controls; and b. Reviews and updatesthe current: 1. System and information integrity policy [Assignment: organization-defined fre-quency]; and 2. System and information integrity procedures [Assignment: organization-definedfrequency].
3.264.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
270 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.264.2 SI-1 What is the solution and how is it implemented?
Part a
Requirement SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. A system and information integrity policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the system and information integrity policy andassociated system and information integrity controls; and
Role Shared
Status Shared
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. System and information integrity policy [Assignment:organization-defined frequency]; and
Role Shared
Status Shared
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
Part d
Requirement
2. System and information integrity procedures [Assignment: organization-defined frequency].
Role Shared
Status Shared
3.264. SI-1 - System And Information Integrity Policy And Procedures 271
OpenShift Compliance Guide, Release 1.0 beta
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
3.265 SI-12 - Information Handling And Retention
Requirement INFORMATION HANDLING AND RETENTION Control: The organization handlesand retains information within the information system and information output from the system in ac-cordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards,and operational requirements.
3.265.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.265.2 SI-12 What is the solution and how is it implemented?
Part a
Requirement INFORMATION HANDLING AND RETENTION Control: The organization handlesand retains information within the information system and information output from the system in ac-cordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards,and operational requirements.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.266 SI-16 - Memory Protection
Requirement MEMORY PROTECTION Control: The information system implements [Assignment:organization-defined security safeguards] to protect its memory from unauthorized code execution.
3.266.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
272 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.266.2 SI-16 What is the solution and how is it implemented?
Part a
Requirement MEMORY PROTECTION Control: The information system implements [Assignment:organization-defined security safeguards] to protect its memory from unauthorized code execution.
Role OpenShift Landlord
Status Implemented
Details undefined
3.267 SI-2 - Flaw Remediation
Requirement FLAW REMEDIATION Control: The organization: a. Identifies, reports, and correctsinformation system flaws; b. Tests software and firmware updates related to flaw remediation foreffectiveness and potential side effects before installation; c. Installs security-relevant software andfirmware updates within [Assignment: organization-defined time period] of the release of the up-dates; and d. Incorporates flaw remediation into the organizational configuration management pro-cess.
3.267.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.267.2 SI-2 What is the solution and how is it implemented?
Part a
Requirement FLAW REMEDIATION Control: The organization: a. Identifies, reports, and correctsinformation system flaws;
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-40; SP 800-128;
Part b
Requirement
b. Tests software and firmware updates related to flaw remediation for effectiveness and potentialside effects before installation;
Role OpenShift Landlord
Status Implemented
3.267. SI-2 - Flaw Remediation 273
OpenShift Compliance Guide, Release 1.0 beta
Details undefined
References SP 800-40; SP 800-128;
Part c
Requirement
c. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-40; SP 800-128;
Part d
Requirement
d. Incorporates flaw remediation into the organizational configuration management process.
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-40; SP 800-128;
3.268 SI-3 - Malicious Code Protection
Requirement MALICIOUS CODE PROTECTION Control: The organization: a. Employs maliciouscode protection mechanisms at information system entry and exit points to detect and eradicate ma-licious code; b. Updates malicious code protection mechanisms whenever new releases are availablein accordance with organizational configuration management policy and procedures; c. Configuresmalicious code protection mechanisms to: 1. Perform periodic scans of the information system[Assignment: organization-defined frequency] and real-time scans of files from external sources at[Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened,or executed in accordance with organizational security policy; and 2. [Selection (one or more): blockmalicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and d. Addresses the receipt of falsepositives during malicious code detection and eradication and the resulting potential impact on theavailability of the information system.
3.268.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
274 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.268.2 SI-3 What is the solution and how is it implemented?
Part a
Requirement MALICIOUS CODE PROTECTION Control: The organization: a. Employs maliciouscode protection mechanisms at information system entry and exit points to detect and eradicatemalicious code;
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-83;
Part b
Requirement
b. Updates malicious code protection mechanisms whenever new releases are available in accor-dance with organizational configuration management policy and procedures;
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-83;
Part c
Requirement
c. Configures malicious code protection mechanisms to: 1. Perform periodic scans of the infor-mation system [Assignment: organization-defined frequency] and real-time scans of files fromexternal sources at [Selection (one or more); endpoint; network entry/exit points] as the filesare downloaded, opened, or executed in accordance with organizational security policy; and
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-83;
Part d
Requirement
2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to admin-istrator; [Assignment: organization-defined action]] in response to malicious code detection;and
Role OpenShift Landlord
Status Implemented
Details undefined
3.268. SI-3 - Malicious Code Protection 275
OpenShift Compliance Guide, Release 1.0 beta
References SP 800-83;
Part e
Requirement
d. Addresses the receipt of false positives during malicious code detection and eradication and theresulting potential impact on the availability of the information system.
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-83;
3.269 SI-4 - Information System Monitoring
Requirement INFORMATION SYSTEM MONITORING Control: The organization: a. Monitors theinformation system to detect: 1. Attacks and indicators of potential attacks in accordance with[Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network,and remote connections; b. Identifies unauthorized use of the information system through [Assign-ment: organization-defined techniques and methods]; c. Deploys monitoring devices: (i) strategi-cally within the information system to collect organization-determined essential information; and(ii) at ad hoc locations within the system to track specific types of transactions of interest to theorganization; d. Protects information obtained from intrusion-monitoring tools from unauthorizedaccess, modification, and deletion; e. Heightens the level of information system monitoring activitywhenever there is an indication of increased risk to organizational operations and assets, individuals,other organizations, or the Nation based on law enforcement information, intelligence information,or other credible sources of information; f. Obtains legal opinion with regard to information sys-tem monitoring activities in accordance with applicable federal laws, Executive Orders, directives,policies, or regulations; and g. Provides [Assignment: organization-defined information systemmonitoring information] to [Assignment: organization-defined personnel or roles] [Selection (oneor more): as needed; [Assignment: organization-defined frequency]].
3.269.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.269.2 SI-4 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM MONITORING Control: The organization: a. Monitors theinformation system to detect: 1. Attacks and indicators of potential attacks in accordance with[Assignment: organization-defined monitoring objectives]; and
Role Organization
276 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
Part b
Requirement
2. Unauthorized local, network, and remote connections;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
Part c
Requirement
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
Part d
Requirement
c. Deploys monitoring devices: (i) strategically within the information system to collectorganization-determined essential information; and (ii) at ad hoc locations within the systemto track specific types of transactions of interest to the organization;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
Part e
Requirement
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, mod-ification, and deletion;
Role Organization
Status Inherited
3.269. SI-4 - Information System Monitoring 277
OpenShift Compliance Guide, Release 1.0 beta
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
Part f
Requirement
e. Heightens the level of information system monitoring activity whenever there is an indicationof increased risk to organizational operations and assets, individuals, other organizations, orthe Nation based on law enforcement information, intelligence information, or other crediblesources of information;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
Part g
Requirement
f. Obtains legal opinion with regard to information system monitoring activities in accordancewith applicable federal laws, Executive Orders, directives, policies, or regulations; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
Part h
Requirement
g. Provides [Assignment: organization-defined information system monitoring information] to[Assignment: organization-defined personnel or roles] [Selection (one or more): as needed;[Assignment: organization-defined frequency]].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-61; SP 800-83; SP 800-92; SP 800-94; SP 800-137;
3.270 SI-4(2) - Information System Monitoring | Automated Tools ForReal-time Analysis
Requirement INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIMEANALYSIS The organization employs automated tools to support near real-time analysis of events.
278 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.270.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
3.270.2 SI-4(2) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIMEANALYSIS The organization employs automated tools to support near real-time analysis of events.
Role Organization
Status Inherited
Details Dependent on implementing organization.
3.271 SI-5 - Security Alerts, Advisories, And Directives
Requirement SECURITY ALERTS, ADVISORIES, AND DIRECTIVES Control: The organization:a. Receives information system security alerts, advisories, and directives from [Assignment:organization-defined external organizations] on an ongoing basis; b. Generates internal securityalerts, advisories, and directives as deemed necessary; c. Disseminates security alerts, advisories,and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles];[Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and d. Implements security directives in accordance with estab-lished time frames, or notifies the issuing organization of the degree of noncompliance.
3.271.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.271.2 SI-5 What is the solution and how is it implemented?
Part a
Requirement SECURITY ALERTS, ADVISORIES, AND DIRECTIVES Control: The organization:a. Receives information system security alerts, advisories, and directives from [Assignment:organization-defined external organizations] on an ongoing basis;
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-40;
3.271. SI-5 - Security Alerts, Advisories, And Directives 279
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Generates internal security alerts, advisories, and directives as deemed necessary;
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-40;
Part c
Requirement
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assign-ment: organization-defined personnel or roles]; [Assignment: organization-defined elementswithin the organization]; [Assignment: organization-defined external organizations]]; and
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-40;
Part d
Requirement
d. Implements security directives in accordance with established time frames, or notifies the issu-ing organization of the degree of noncompliance.
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-40;
3.272 SI-5(1) - Security Alerts, Advisories, And Directives | Auto-mated Alerts And Advisories
Requirement SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTSAND ADVISORIES The organization employs automated mechanisms to make security alert andadvisory information available throughout the organization.
3.272.1 Control Summary Information
Role Organization
Status Inherited
280 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Origin Inherited from pre-existing ATO
3.272.2 SI-5(1) What is the solution and how is it implemented?
Part a
Requirement SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTSAND ADVISORIES The organization employs automated mechanisms to make security alert andadvisory information available throughout the organization.
Role Organization
Status Inherited
Details undefined
3.273 SI-6 - Security Function Verification
Requirement SECURITY FUNCTION VERIFICATION Control: The information system: a. Verifiesthe correct operation of [Assignment: organization-defined security functions]; b. Performs thisverification [Selection (one or more): [Assignment: organization-defined system transitional states];upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests;and d. [Selection (one or more): shuts the information system down; restarts the information system;[Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
3.273.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.273.2 SI-6 What is the solution and how is it implemented?
Part a
Requirement SECURITY FUNCTION VERIFICATION Control: The information system: a. Verifiesthe correct operation of [Assignment: organization-defined security functions];
Role OpenShift Landlord
Status Implemented
Details Implemented with Ansible Tower CM and OpenSCAP scans
Part b
Requirement
3.273. SI-6 - Security Function Verification 281
OpenShift Compliance Guide, Release 1.0 beta
b. Performs this verification [Selection (one or more): [Assignment: organization-defined sys-tem transitional states]; upon command by user with appropriate privilege; [Assignment:organization-defined frequency]];
Role OpenShift Landlord
Status Implemented
Details undefined
Part c
Requirement
c. Notifies [Assignment: organization-defined personnel or roles] of failed security verificationtests; and
Role OpenShift Landlord
Status Implemented
Details undefined
Part d
Requirement
d. [Selection (one or more): shuts the information system down; restarts the information system;[Assignment: organization-defined alternative action(s)]] when anomalies are discovered.
Role OpenShift Landlord
Status Implemented
Details undefined
3.274 SI-7 - Software, Firmware, And Information Integrity
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY Control: The orga-nization employs integrity verification tools to detect unauthorized changes to [Assignment:organization-defined software, firmware, and information].
3.274.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
282 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.274.2 SI-7 What is the solution and how is it implemented?
Part a
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY Control: The orga-nization employs integrity verification tools to detect unauthorized changes to [Assignment:organization-defined software, firmware, and information].
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-147; SP 800-155;
3.275 SI-7(1) - Software, Firmware, And Information Integrity | In-tegrity Checks
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITYCHECKS The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment:organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
3.275.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.275.2 SI-7(1) What is the solution and how is it implemented?
Part a
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITYCHECKS The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment:organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].
Role OpenShift Landlord
Status Implemented
Details undefined
3.275. SI-7(1) - Software, Firmware, And Information Integrity | Integrity Checks 283
OpenShift Compliance Guide, Release 1.0 beta
3.276 SI-7(2) - Software, Firmware, And Information Integrity | Auto-mated Notifications Of Integrity Violations
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NO-TIFICATIONS OF INTEGRITY VIOLATIONS The organization employs automated tools thatprovide notification to [Assignment: organization-defined personnel or roles] upon discovering dis-crepancies during integrity verification.
3.276.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.276.2 SI-7(2) What is the solution and how is it implemented?
Part a
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NO-TIFICATIONS OF INTEGRITY VIOLATIONS The organization employs automated tools thatprovide notification to [Assignment: organization-defined personnel or roles] upon discovering dis-crepancies during integrity verification.
Role OpenShift Landlord
Status Implemented
Details undefined
3.277 SI-7(5) - Software, Firmware, And Information Integrity | Auto-mated Response To Integrity Violations
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RE-SPONSE TO INTEGRITY VIOLATIONS The information system automatically [Selection (one ormore): shuts the information system down; restarts the information system; implements [Assign-ment: organization-defined security safeguards]] when integrity violations are discovered.
3.277.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
284 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.277.2 SI-7(5) What is the solution and how is it implemented?
Part a
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RE-SPONSE TO INTEGRITY VIOLATIONS The information system automatically [Selection (one ormore): shuts the information system down; restarts the information system; implements [Assign-ment: organization-defined security safeguards]] when integrity violations are discovered.
Role OpenShift Landlord
Status Implemented
Details undefined
3.278 SI-7(7) - Software, Firmware, And Information Integrity | Inte-gration Of Detection And Response
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OFDETECTION AND RESPONSE The organization incorporates the detection of unauthorized [As-signment: organization-defined security-relevant changes to the information system] into the orga-nizational incident response capability.
3.278.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.278.2 SI-7(7) What is the solution and how is it implemented?
Part a
Requirement SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OFDETECTION AND RESPONSE The organization incorporates the detection of unauthorized [As-signment: organization-defined security-relevant changes to the information system] into the orga-nizational incident response capability.
Role OpenShift Landlord
Status Implemented
Details undefined
3.279 SI-8 - Spam Protection
Requirement SPAM PROTECTION Control: The organization: a. Employs spam protection mecha-nisms at information system entry and exit points to detect and take action on unsolicited messages;and b. Updates spam protection mechanisms when new releases are available in accordance withorganizational configuration management policy and procedures.
3.278. SI-7(7) - Software, Firmware, And Information Integrity | Integration Of Detection AndResponse
285
OpenShift Compliance Guide, Release 1.0 beta
3.279.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.279.2 SI-8 What is the solution and how is it implemented?
Part a
Requirement SPAM PROTECTION Control: The organization: a. Employs spam protection mecha-nisms at information system entry and exit points to detect and take action on unsolicited messages;and
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-45;
Part b
Requirement
b. Updates spam protection mechanisms when new releases are available in accordance with or-ganizational configuration management policy and procedures.
Role OpenShift Landlord
Status Implemented
Details undefined
References SP 800-45;
3.280 SI-8(1) - Spam Protection | Central Management
Requirement SPAM PROTECTION | CENTRAL MANAGEMENT The organization centrally managesspam protection mechanisms.
3.280.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
286 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.280.2 SI-8(1) What is the solution and how is it implemented?
Part a
Requirement SPAM PROTECTION | CENTRAL MANAGEMENT The organization centrally managesspam protection mechanisms.
Role OpenShift Landlord
Status Implemented
Details undefined
3.281 SI-8(2) - Spam Protection | Automatic Updates
Requirement SPAM PROTECTION | AUTOMATIC UPDATES The information system automaticallyupdates spam protection mechanisms.
3.281.1 Control Summary Information
Role OpenShift Landlord
Status Implemented
Origin OpenShift Landlord SSP
3.281.2 SI-8(2) What is the solution and how is it implemented?
Part a
Requirement SPAM PROTECTION | AUTOMATIC UPDATES The information system automaticallyupdates spam protection mechanisms.
Role OpenShift Landlord
Status Implemented
Details undefined
3.282 TR-1 - Privacy Notice
Requirement PRIVACY NOTICE Control: The organization: a. Provides effective notice to the pub-lic and to individuals regarding: (i) its activities that impact privacy, including its collection, use,sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii)authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the orga-nization uses PII and the consequences of exercising or not exercising those choices; and (iv) theability to access and have PII amended or corrected if necessary; b. Describes: (i) the PII the orga-nization collects and the purpose(s) for which it collects that information; (ii) how the organizationuses PII internally; (iii) whether the organization shares PII with external entities, the categories ofthose entities, and the purposes for such sharing; (iv) whether individuals have the ability to consentto specific uses or sharing of PII and how to exercise any such consent; (v) how individuals mayobtain access to PII; and (vi) how the PII will be protected; and c. Revises its public notices to
3.281. SI-8(2) - Spam Protection | Automatic Updates 287
OpenShift Compliance Guide, Release 1.0 beta
reflect changes in practice or policy that affect PII or changes in its activities that impact privacy,before or as soon as practicable after the change.
3.282.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.282.2 TR-1 What is the solution and how is it implemented?
Part a
Requirement PRIVACY NOTICE Control: The organization: a. Provides effective notice to the pub-lic and to individuals regarding: (i) its activities that impact privacy, including its collection, use,sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii)authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the orga-nization uses PII and the consequences of exercising or not exercising those choices; and (iv) theability to access and have PII amended or corrected if necessary;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3), (e)(4); Section 208(b), E-GovernmentAct of 2002 (P.L. 107-347); OMB M-03-22; OMB M-07-16; OMB M-10-22; OMB M-10-23; ISEPrivacy Guidelines;
Part b
Requirement
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects thatinformation; (ii) how the organization uses PII internally; (iii) whether the organization sharesPII with external entities, the categories of those entities, and the purposes for such sharing;(iv) whether individuals have the ability to consent to specific uses or sharing of PII and how toexercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PIIwill be protected; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3), (e)(4); Section 208(b), E-GovernmentAct of 2002 (P.L. 107-347); OMB M-03-22; OMB M-07-16; OMB M-10-22; OMB M-10-23; ISEPrivacy Guidelines;
288 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in itsactivities that impact privacy, before or as soon as practicable after the change.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3), (e)(4); Section 208(b), E-GovernmentAct of 2002 (P.L. 107-347); OMB M-03-22; OMB M-07-16; OMB M-10-22; OMB M-10-23; ISEPrivacy Guidelines;
3.283 TR-1(1) - Privacy Notice | Real-time Or Layered Notice
Requirement PRIVACY NOTICE | REAL-TIME OR LAYERED NOTICE The organization providesreal-time and/or layered notice when it collects PII.
3.283.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.283.2 TR-1(1) What is the solution and how is it implemented?
Part a
Requirement PRIVACY NOTICE | REAL-TIME OR LAYERED NOTICE The organization providesreal-time and/or layered notice when it collects PII.
Role OpenShift Tenant
Status Planned
Details undefined
3.284 TR-2 - System Of Records Notices And Privacy Act Statements
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS Control: Theorganization: a. Publishes System of Records Notices (SORNs) in the Federal Register, subjectto required oversight processes, for systems containing personally identifiable information (PII); b.Keeps SORNs current; and c. Includes Privacy Act Statements on its forms that collect PII, or onseparate forms that can be retained by individuals, to provide additional formal notice to individualsfrom whom the information is being collected.
3.283. TR-1(1) - Privacy Notice | Real-time Or Layered Notice 289
OpenShift Compliance Guide, Release 1.0 beta
3.284.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.284.2 TR-2 What is the solution and how is it implemented?
Part a
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS Control: Theorganization: a. Publishes System of Records Notices (SORNs) in the Federal Register, subject torequired oversight processes, for systems containing personally identifiable information (PII);
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3); OMB Circular A-130;
Part b
Requirement
b. Keeps SORNs current; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3); OMB Circular A-130;
Part c
Requirement
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that canbe retained by individuals, to provide additional formal notice to individuals from whom theinformation is being collected.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3); OMB Circular A-130;
290 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.285 TR-2(1) - System Of Records Notices And Privacy Act State-ments | Public Website Publication
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS | PUBLICWEBSITE PUBLICATION The organization publishes SORNs on its public website.
3.285.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.285.2 TR-2(1) What is the solution and how is it implemented?
Part a
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS | PUBLICWEBSITE PUBLICATION The organization publishes SORNs on its public website.
Role OpenShift Tenant
Status Planned
Details undefined
3.286 TR-3 - Dissemination Of Privacy Program Information
Requirement DISSEMINATION OF PRIVACY PROGRAM INFORMATION Control: The organiza-tion: a. Ensures that the public has access to information about its privacy activities and is ableto communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO);and b. Ensures that its privacy practices are publicly available through organizational websites orotherwise.
3.286.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.286.2 TR-3 What is the solution and how is it implemented?
Part a
Requirement DISSEMINATION OF PRIVACY PROGRAM INFORMATION Control: The organiza-tion: a. Ensures that the public has access to information about its privacy activities and is able tocommunicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
3.285. TR-2(1) - System Of Records Notices And Privacy Act Statements | Public WebsitePublication
291
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a; Section 208, E-Government Act of 2002 (P.L.107-347); OMB M-03-22; OMB M-10-23;
Part b
Requirement
b. Ensures that its privacy practices are publicly available through organizational websites or oth-erwise.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a; Section 208, E-Government Act of 2002 (P.L.107-347); OMB M-03-22; OMB M-10-23;
3.287 UL-1 - Internal Use
Requirement INTERNAL USE Control: The organization uses personally identifiable information (PII)internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
3.287.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.287.2 UL-1 What is the solution and how is it implemented?
Part a
Requirement INTERNAL USE Control: The organization uses personally identifiable information (PII)internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b)(1);
292 Chapter 3. Security Controls
OpenShift Compliance Guide, Release 1.0 beta
3.288 UL-2 - Information Sharing With Third Parties
Requirement INFORMATION SHARING WITH THIRD PARTIES Control: The organization: a.Shares personally identifiable information (PII) externally, only for the authorized purposes iden-tified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible withthose purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda ofAgreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with thirdparties that specifically describe the PII covered and specifically enumerate the purposes for whichthe PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII withthird parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates anyproposed new instances of sharing PII with third parties to assess whether the sharing is authorizedand whether additional or new public notice is required.
3.288.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
3.288.2 UL-2 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SHARING WITH THIRD PARTIES Control: The organization: a.Shares personally identifiable information (PII) externally, only for the authorized purposes iden-tified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible withthose purposes;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
Part b
Requirement
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Let-ters of Intent, Computer Matching Agreements, or similar agreements, with third parties thatspecifically describe the PII covered and specifically enumerate the purposes for which the PIImay be used;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
3.288. UL-2 - Information Sharing With Third Parties 293
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and onthe consequences of unauthorized use or sharing of PII; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
Part d
Requirement
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether thesharing is authorized and whether additional or new public notice is required.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
294 Chapter 3. Security Controls
CHAPTER 4
Customer Responsibility Matrix
4.1 Overview
The following controls have been down-selected from the complete list in Security Controls.
4.1.1 Procedural Generation
Like the last chapter, this chapter is automatically generated from the master_sctm.xlsx spreadsheet on this project’sGitHub. Do not edit it directly. If you’d like to change how this chapter is rendered, refer to the following:
File Descriptionmas-ter_sctm_parser.py
Python program that parses the master_sctm.xlsx spreadsheet using the openpyxl module. Whe editingthis sheet do not change the existing column headers. Column order does not matter. New columnscan be added. Only visible rows are processed, so auto-filters can be used to modify which controls arerendered.
secu-rity_control.j2
Jinja2 template that is used to render this chapter.
crm.j2 Jinja2 template that is used to generate the Customer Responsibility Matrix.
4.2 CM-8(4) - Information System Component Inventory | Account-ability Information
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY IN-FORMATION The organization includes in the information system component inventory infor-mation, a means for identifying by [Selection (one or more): name; position; role], individualsresponsible/accountable for administering those components.
295
OpenShift Compliance Guide, Release 1.0 beta
4.2.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.2.2 CM-8(4) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY IN-FORMATION The organization includes in the information system component inventory infor-mation, a means for identifying by [Selection (one or more): name; position; role], individualsresponsible/accountable for administering those components.
Role OpenShift Tenant
Status Planned
Details Specified in the individual project / program’s System Security Plan.
4.3 CP-10(2) - Information System Recovery And Reconstitution |Transaction Recovery
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTIONRECOVERY The information system implements transaction recovery for systems that aretransaction-based.
4.3.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin Tenant SSP
4.3.2 CP-10(2) What is the solution and how is it implemented?
Part a
Requirement INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTIONRECOVERY The information system implements transaction recovery for systems that aretransaction-based.
Role OpenShift Tenant
Status Planned
Details undefined
296 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
4.4 DI-1 - Data Quality
Requirement DATA QUALITY Control: The organization: a. Confirms to the greatest extent practicableupon collection or creation of personally identifiable information (PII), the accuracy, relevance,timeliness, and completeness of that information; b. Collects PII directly from the individual tothe greatest extent practicable; c. Checks for, and corrects as necessary, any inaccurate or outdatedPII used by its programs or systems [Assignment: organization-defined frequency]; and d. Issuesguidelines ensuring and maximizing the quality, utility, objectivity, and integrity of disseminatedinformation.
4.4.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.4.2 DI-1 What is the solution and how is it implemented?
Part a
Requirement DATA QUALITY Control: The organization: a. Confirms to the greatest extent practicableupon collection or creation of personally identifiable information (PII), the accuracy, relevance,timeliness, and completeness of that information;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
Part b
Requirement
b. Collects PII directly from the individual to the greatest extent practicable;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
4.4. DI-1 - Data Quality 297
OpenShift Compliance Guide, Release 1.0 beta
Part c
Requirement
c. Checks for, and corrects as necessary, any inaccurate or outdated PII used by its programs orsystems [Assignment: organization-defined frequency]; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
Part d
Requirement
d. Issues guidelines ensuring and maximizing the quality, utility, objectivity, and integrity of dis-seminated information.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (c) and (e); Treasury and General GovernmentAppropriations Act for Fiscal Year 2001 (P.L. 106-554), app C § 515, 114 Stat. 2763A-153-4;Paperwork Reduction Act, 44 U.S.C. § 3501; OMB Guidelines for Ensuring and Maximizing theQuality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies (Octo-ber 2001); OMB M-07-16;
4.5 DI-1(1) - Data Quality | Validate Pii
Requirement DATA QUALITY | VALIDATE PII The organization requests that the individual or indi-vidual’s authorized representative validate PII during the collection process.
4.5.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.5.2 DI-1(1) What is the solution and how is it implemented?
298 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement DATA QUALITY | VALIDATE PII The organization requests that the individual or indi-vidual’s authorized representative validate PII during the collection process.
Role OpenShift Tenant
Status Planned
Details undefined
4.6 DI-1(2) - Data Quality | Re-validate Pii
Requirement DATA QUALITY | RE-VALIDATE PII The organization requests that the individual orindividual’s authorized representative revalidate that PII collected is still accurate [Assignment:organization-defined frequency].
4.6.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.6.2 DI-1(2) What is the solution and how is it implemented?
Part a
Requirement DATA QUALITY | RE-VALIDATE PII The organization requests that the individual orindividual’s authorized representative revalidate that PII collected is still accurate [Assignment:organization-defined frequency].
Role OpenShift Tenant
Status Planned
Details undefined
4.7 DI-2 - Data Integrity And Data Integrity Board
Requirement DATA INTEGRITY AND DATA INTEGRITY BOARD Control: The organization: a.Documents processes to ensure the integrity of personally identifiable information (PII) throughexisting security controls; and b. Establishes a Data Integrity Board when appropriate to overseeorganizational Computer Matching Agreements123 and to ensure that those agreements complywith the computer matching provisions of the Privacy Act.
4.7.1 Control Summary Information
Role OpenShift Tenant
Status Planned
4.6. DI-1(2) - Data Quality | Re-validate Pii 299
OpenShift Compliance Guide, Release 1.0 beta
Origin OpenShift Tenant SSP
4.7.2 DI-2 What is the solution and how is it implemented?
Part a
Requirement DATA INTEGRITY AND DATA INTEGRITY BOARD Control: The organization: a.Documents processes to ensure the integrity of personally identifiable information (PII) throughexisting security controls; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (a)(8)(A), (o), (p), (u); OMB Circular A-130,Appendix I;
Part b
Requirement
b. Establishes a Data Integrity Board when appropriate to oversee organizational Computer Match-ing Agreements123 and to ensure that those agreements comply with the computer matchingprovisions of the Privacy Act.
Role Organization
Status Inherited
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (a)(8)(A), (o), (p), (u); OMB Circular A-130,Appendix I;
4.8 DM-1 - Minimization Of Personally Identifiable Information
Requirement MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION Control: Theorganization: a. Identifies the minimum personally identifiable information (PII) elements that arerelevant and necessary to accomplish the legally authorized purpose of collection; b. Limits thecollection and retention of PII to the minimum elements identified for the purposes described in thenotice and for which the individual has provided consent; and c. Conducts an initial evaluation of PIIholdings and establishes and follows a schedule for regularly reviewing those holdings [Assignment:organization-defined frequency, at least annually] to ensure that only PII identified in the notice iscollected and retained, and that the PII continues to be necessary to accomplish the legally authorizedpurpose.
4.8.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
300 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
4.8.2 DM-1 What is the solution and how is it implemented?
Part a
Requirement MINIMIZATION OF PERSONALLY IDENTIFIABLE INFORMATION Control: Theorganization: a. Identifies the minimum personally identifiable information (PII) elements that arerelevant and necessary to accomplish the legally authorized purpose of collection;
Role Organization
Status Inherited
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §552a (e); Section 208(b), E-Government Act of 2002(P.L. 107-347); OMB M-03-22; OMB M-07-16;
Part b
Requirement
b. Limits the collection and retention of PII to the minimum elements identified for the purposesdescribed in the notice and for which the individual has provided consent; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §552a (e); Section 208(b), E-Government Act of 2002(P.L. 107-347); OMB M-03-22; OMB M-07-16;
Part c
Requirement
c. Conducts an initial evaluation of PII holdings and establishes and follows a schedule for regu-larly reviewing those holdings [Assignment: organization-defined frequency, at least annually]to ensure that only PII identified in the notice is collected and retained, and that the PII continuesto be necessary to accomplish the legally authorized purpose.
Role Organization
Status Inherited
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §552a (e); Section 208(b), E-Government Act of 2002(P.L. 107-347); OMB M-03-22; OMB M-07-16;
4.9 DM-2 - Data Retention And Disposal
Requirement DATA RETENTION AND DISPOSAL Control: The organization: a. Retains each collec-tion of personally identifiable information (PII) for [Assignment: organization-defined time period]to fulfill the purpose(s) identified in the notice or as required by law; b. Disposes of, destroys,erases, and/or anonymizes the PII, regardless of the method of storage, in accordance with a NARA-approved record retention schedule and in a manner that prevents loss, theft, misuse, or unauthorized
4.9. DM-2 - Data Retention And Disposal 301
OpenShift Compliance Guide, Release 1.0 beta
access; and c. Uses [Assignment: organization-defined techniques or methods] to ensure securedeletion or destruction of PII (including originals, copies, and archived records).
4.9.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.9.2 DM-2 What is the solution and how is it implemented?
Part a
Requirement DATA RETENTION AND DISPOSAL Control: The organization: a. Retains each collec-tion of personally identifiable information (PII) for [Assignment: organization-defined time period]to fulfill the purpose(s) identified in the notice or as required by law;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(1), (c)(2); Section 208 (e), E-Government Actof 2002 (P.L. 107-347); 44 U.S.C. Chapters 29, 31, 33; OMB M-07-16; OMB Circular A-130; SP800-88;
Part b
Requirement
b. Disposes of, destroys, erases, and/or anonymizes the PII, regardless of the method of storage,in accordance with a NARA-approved record retention schedule and in a manner that preventsloss, theft, misuse, or unauthorized access; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(1), (c)(2); Section 208 (e), E-Government Actof 2002 (P.L. 107-347); 44 U.S.C. Chapters 29, 31, 33; OMB M-07-16; OMB Circular A-130; SP800-88;
Part c
Requirement
c. Uses [Assignment: organization-defined techniques or methods] to ensure secure deletion ordestruction of PII (including originals, copies, and archived records).
Role OpenShift Tenant
Status Planned
302 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(1), (c)(2); Section 208 (e), E-Government Actof 2002 (P.L. 107-347); 44 U.S.C. Chapters 29, 31, 33; OMB M-07-16; OMB Circular A-130; SP800-88;
4.10 DM-2(1) - Data Retention And Disposal | System Configuration
Requirement DATA RETENTION AND DISPOSAL | SYSTEM CONFIGURATION The organization,where feasible, configures its information systems to record the date PII is collected, created, orupdated and when PII is to be deleted or archived under an approved record retention schedule.
4.10.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.10.2 DM-2(1) What is the solution and how is it implemented?
Part a
Requirement DATA RETENTION AND DISPOSAL | SYSTEM CONFIGURATION The organization,where feasible, configures its information systems to record the date PII is collected, created, orupdated and when PII is to be deleted or archived under an approved record retention schedule.
Role OpenShift Tenant
Status Planned
Details undefined
4.11 DM-3 - Minimization Of Pii Used In Testing, Training, And Re-search
Requirement MINIMIZATION OF PII USED IN TESTING, TRAINING, AND RESEARCH Control:The organization: a. Develops policies and procedures that minimize the use of personally identifi-able information (PII) for testing, training, and research; and b. Implements controls to protect PIIused for testing, training, and research.
4.11.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
4.10. DM-2(1) - Data Retention And Disposal | System Configuration 303
OpenShift Compliance Guide, Release 1.0 beta
4.11.2 DM-3 What is the solution and how is it implemented?
Part a
Requirement MINIMIZATION OF PII USED IN TESTING, TRAINING, AND RESEARCH Control:The organization: a. Develops policies and procedures that minimize the use of personally identifi-able information (PII) for testing, training, and research; and
Role Organization
Status Inherited
Details undefined
References SP 800-122
Part b
Requirement
b. Implements controls to protect PII used for testing, training, and research.
Role OpenShift Tenant
Status Planned
Details undefined
References SP 800-122
4.12 IP-1 - Consent
Requirement CONSENT Control: The organization: a. Provides means, where feasible and appropriate,for individuals to authorize the collection, use, maintaining, and sharing of personally identifiableinformation (PII) prior to its collection; b. Provides appropriate means for individuals to understandthe consequences of decisions to approve or decline the authorization of the collection, use, dissem-ination, and retention of PII; c. Obtains consent, where feasible and appropriate, from individualsprior to any new uses or disclosure of previously collected PII; and d. Ensures that individuals areaware of and, where feasible, consent to all uses of PII not initially described in the public noticethat was in effect at the time the organization collected the PII.
4.12.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.12.2 IP-1 What is the solution and how is it implemented?
304 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Part a
Requirement CONSENT Control: The organization: a. Provides means, where feasible and appropriate,for individuals to authorize the collection, use, maintaining, and sharing of personally identifiableinformation (PII) prior to its collection;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
Part b
Requirement
b. Provides appropriate means for individuals to understand the consequences of decisions to ap-prove or decline the authorization of the collection, use, dissemination, and retention of PII;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
Part c
Requirement
c. Obtains consent, where feasible and appropriate, from individuals prior to any new uses ordisclosure of previously collected PII; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
Part d
Requirement
d. Ensures that individuals are aware of and, where feasible, consent to all uses of PII not initiallydescribed in the public notice that was in effect at the time the organization collected the PII.
Role OpenShift Tenant
Status Planned
Details undefined
4.12. IP-1 - Consent 305
OpenShift Compliance Guide, Release 1.0 beta
References The Privacy Act of 1974, 5 U.S.C. § 552a (b), (e)(3); Section 208(c), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB M-10-22;
4.13 IP-1(1) - Consent | Mechanisms Supporting Itemized Or TieredConsent
Requirement CONSENT | MECHANISMS SUPPORTING ITEMIZED OR TIERED CONSENT Theorganization implements mechanisms to support itemized or tiered consent for specific uses of data.
4.13.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.13.2 IP-1(1) What is the solution and how is it implemented?
Part a
Requirement CONSENT | MECHANISMS SUPPORTING ITEMIZED OR TIERED CONSENT Theorganization implements mechanisms to support itemized or tiered consent for specific uses of data.
Role OpenShift Tenant
Status Planned
Details undefined
4.14 IP-2 - Individual Access
Requirement INDIVIDUAL ACCESS Control: The organization: a. Provides individuals the ability tohave access to their personally identifiable information (PII) maintained in its system(s) of records; b.Publishes rules and regulations governing how individuals may request access to records maintainedin a Privacy Act system of records; c. Publishes access procedures in System of Records Notices(SORNs); and d. Adheres to Privacy Act requirements and OMB policies and guidance for theproper processing of Privacy Act requests.
4.14.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
306 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
4.14.2 IP-2 What is the solution and how is it implemented?
Part a
Requirement INDIVIDUAL ACCESS Control: The organization: a. Provides individuals the ability tohave access to their personally identifiable information (PII) maintained in its system(s) of records;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
Part b
Requirement
b. Publishes rules and regulations governing how individuals may request access to records main-tained in a Privacy Act system of records;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
Part c
Requirement
c. Publishes access procedures in System of Records Notices (SORNs); and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
Part d
Requirement
d. Adheres to Privacy Act requirements and OMB policies and guidance for the proper processingof Privacy Act requests.
Role OpenShift Tenant
Status Planned
Details undefined
4.14. IP-2 - Individual Access 307
OpenShift Compliance Guide, Release 1.0 beta
References The Privacy Act of 1974, 5 U.S.C. §§ 552a (c)(3), (d)(5), (e) (4), (j), (k), (t); OMB CircularA-130;
4.15 IP-3 - Redress
Requirement REDRESS Control: The organization: a. Provides a process for individuals to have inaccu-rate personally identifiable information (PII) maintained by the organization corrected or amended,as appropriate; and b. Establishes a process for disseminating corrections or amendments of thePII to other authorized users of the PII, such as external information-sharing partners and, wherefeasible and appropriate, notifies affected individuals that their information has been corrected oramended.
4.15.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.15.2 IP-3 What is the solution and how is it implemented?
Part a
Requirement REDRESS Control: The organization: a. Provides a process for individuals to have inaccu-rate personally identifiable information (PII) maintained by the organization corrected or amended,as appropriate; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (d), (c)(4); OMB Circular A-130;
Part b
Requirement
b. Establishes a process for disseminating corrections or amendments of the PII to other autho-rized users of the PII, such as external information-sharing partners and, where feasible andappropriate, notifies affected individuals that their information has been corrected or amended.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (d), (c)(4); OMB Circular A-130;
308 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
4.16 IP-4 - Complaint Management
Requirement COMPLAINT MANAGEMENT Control: The organization implements a process for re-ceiving and responding to complaints, concerns, or questions from individuals about the organiza-tional privacy practices.
4.16.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.16.2 IP-4 What is the solution and how is it implemented?
Part a
Requirement COMPLAINT MANAGEMENT Control: The organization implements a process for re-ceiving and responding to complaints, concerns, or questions from individuals about the organiza-tional privacy practices.
Role OpenShift Tenant
Status Planned
Details undefined
References OMB Circular A-130; OMB M-07-16; OMB M-08-09;
4.17 IP-4(1) - Complaint Management | Response Times
Requirement COMPLAINT MANAGEMENT | RESPONSE TIMES The organization responds to com-plaints, concerns, or questions from individuals within [Assignment: organization-defined time pe-riod].
4.17.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.17.2 IP-4(1) What is the solution and how is it implemented?
Part a
Requirement COMPLAINT MANAGEMENT | RESPONSE TIMES The organization responds to com-plaints, concerns, or questions from individuals within [Assignment: organization-defined time pe-riod].
4.16. IP-4 - Complaint Management 309
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Tenant
Status Planned
Details undefined
4.18 MA-1 - System Maintenance Policy And Procedures
Requirement SYSTEM MAINTENANCE POLICY AND PROCEDURES Control: The organization:a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, manage-ment commitment, coordination among organizational entities, and compliance; and 2. Proceduresto facilitate the implementation of the system maintenance policy and associated system mainte-nance controls; and b. Reviews and updates the current: 1. System maintenance policy [As-signment: organization-defined frequency]; and 2. System maintenance procedures [Assignment:organization-defined frequency].
4.18.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
4.18.2 MA-1 What is the solution and how is it implemented?
Part a
Requirement SYSTEM MAINTENANCE POLICY AND PROCEDURES Control: The organization:a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, managementcommitment, coordination among organizational entities, and compliance; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the system maintenance policy and associatedsystem maintenance controls; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
310 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. System maintenance policy [Assignment: organization-defined frequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
Part d
Requirement
2. System maintenance procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-100;
4.19 PL-2 - System Security Plan
Requirement SYSTEM SECURITY PLAN Control: The organization: a. Develops a security plan forthe information system that: 1. Is consistent with the organization’s enterprise architecture; 2. Ex-plicitly defines the authorization boundary for the system; 3. Describes the operational context ofthe information system in terms of missions and business processes; 4. Provides the security cat-egorization of the information system including supporting rationale; 5. Describes the operationalenvironment for the information system and relationships with or connections to other informationsystems; 6. Provides an overview of the security requirements for the system; 7. Identifies anyrelevant overlays, if applicable; 8. Describes the security controls in place or planned for meetingthose requirements including a rationale for the tailoring and supplementation decisions; and 9. Isreviewed and approved by the authorizing official or designated representative prior to plan imple-mentation; b. Distributes copies of the security plan and communicates subsequent changes to theplan to [Assignment: organization-defined personnel or roles]; c. Reviews the security plan for theinformation system [Assignment: organization-defined frequency]; d. Updates the plan to addresschanges to the information system/environment of operation or problems identified during plan im-plementation or security control assessments; and e. Protects the security plan from unauthorizeddisclosure and modification.
4.19.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
4.19. PL-2 - System Security Plan 311
OpenShift Compliance Guide, Release 1.0 beta
Origin Tenant SSP
4.19.2 PL-2 What is the solution and how is it implemented?
Part a
Requirement SYSTEM SECURITY PLAN Control: The organization: a. Develops a security plan forthe information system that: 1. Is consistent with the organization’s enterprise architecture;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part b
Requirement
2. Explicitly defines the authorization boundary for the system;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part c
Requirement
3. Describes the operational context of the information system in terms of missions and businessprocesses;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part d
Requirement
4. Provides the security categorization of the information system including supporting rationale;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
312 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
5. Describes the operational environment for the information system and relationships with orconnections to other information systems;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part f
Requirement
6. Provides an overview of the security requirements for the system;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part g
Requirement
7. Identifies any relevant overlays, if applicable;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
Part h
Requirement
8. Describes the security controls in place or planned for meeting those requirements including arationale for the tailoring and supplementation decisions; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-18;
4.19. PL-2 - System Security Plan 313
OpenShift Compliance Guide, Release 1.0 beta
Part i
Requirement
9. Is reviewed and approved by the authorizing official or designated representative prior to planimplementation;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part j
Requirement
b. Distributes copies of the security plan and communicates subsequent changes to the plan to[Assignment: organization-defined personnel or roles];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part k
Requirement
c. Reviews the security plan for the information system [Assignment: organization-defined fre-quency];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
Part l
Requirement
d. Updates the plan to address changes to the information system/environment of operation orproblems identified during plan implementation or security control assessments; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
314 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Part m
Requirement
e. Protects the security plan from unauthorized disclosure and modification.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-18;
4.20 RA-1 - Risk Assessment Policy And Procedures
Requirement RISK ASSESSMENT POLICY AND PROCEDURES Control: The organization: a. De-velops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. Arisk assessment policy that addresses purpose, scope, roles, responsibilities, management commit-ment, coordination among organizational entities, and compliance; and 2. Procedures to facilitatethe implementation of the risk assessment policy and associated risk assessment controls; and b.Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-definedfrequency]; and 2. Risk assessment procedures [Assignment: organization-defined frequency].
4.20.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
4.20.2 RA-1 What is the solution and how is it implemented?
Part a
Requirement RISK ASSESSMENT POLICY AND PROCEDURES Control: The organization: a. De-velops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1.A risk assessment policy that addresses purpose, scope, roles, responsibilities, management com-mitment, coordination among organizational entities, and compliance; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-12; SP 800-30; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the risk assessment policy and associated riskassessment controls; and
4.20. RA-1 - Risk Assessment Policy And Procedures 315
OpenShift Compliance Guide, Release 1.0 beta
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-12; SP 800-30; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. Risk assessment policy [Assignment: organization-definedfrequency]; and
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-30; SP 800-100;
Part d
Requirement
2. Risk assessment procedures [Assignment: organization-defined frequency].
Role Organization
Status Inherited
Details Dependent on implementing organization.
References SP 800-12; SP 800-30; SP 800-100;
4.21 RA-3 - Risk Assessment
Requirement RISK ASSESSMENT Control: The organization: a. Conducts an assessment of risk,including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, dis-ruption, modification, or destruction of the information system and the information it processes,stores, or transmits; b. Documents risk assessment results in [Selection: security plan; risk assess-ment report; [Assignment: organization-defined document]]; c. Reviews risk assessment results[Assignment: organization-defined frequency]; d. Disseminates risk assessment results to [Assign-ment: organization-defined personnel or roles]; and e. Updates the risk assessment [Assignment:organization-defined frequency] or whenever there are significant changes to the information sys-tem or environment of operation (including the identification of new threats and vulnerabilities), orother conditions that may impact the security state of the system.
4.21.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
316 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
4.21.2 RA-3 What is the solution and how is it implemented?
Part a
Requirement RISK ASSESSMENT Control: The organization: a. Conducts an assessment of risk,including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure,disruption, modification, or destruction of the information system and the information it processes,stores, or transmits;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
Part b
Requirement
b. Documents risk assessment results in [Selection: security plan; risk assessment report; [Assign-ment: organization-defined document]];
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
Part c
Requirement
c. Reviews risk assessment results [Assignment: organization-defined frequency];
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
Part d
Requirement
d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles];and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
4.21. RA-3 - Risk Assessment 317
OpenShift Compliance Guide, Release 1.0 beta
Part e
Requirement
e. Updates the risk assessment [Assignment: organization-defined frequency] or whenever thereare significant changes to the information system or environment of operation (including theidentification of new threats and vulnerabilities), or other conditions that may impact the secu-rity state of the system.
Role Organization
Status Inherited
Details Dependent on implementing organization.
References OMB M-04-04; SP 800-30; SP 800-39; Web: idmanagement.gov;
4.22 SA-11 - Developer Security Testing And Evaluation
Requirement DEVELOPER SECURITY TESTING AND EVALUATION Control: The organizationrequires the developer of the information system, system component, or information system serviceto: a. Create and implement a security assessment plan; b. Perform [Selection (one or more): unit;integration; system; regression] testing/evaluation at [Assignment: organization-defined depth andcoverage]; c. Produce evidence of the execution of the security assessment plan and the results ofthe security testing/evaluation; d. Implement a verifiable flaw remediation process; and e. Correctflaws identified during security testing/evaluation.
4.22.1 Control Summary Information
Role Organization
Status Inherited
Origin Inherited from pre-existing ATO
4.22.2 SA-11 What is the solution and how is it implemented?
Part a
Requirement DEVELOPER SECURITY TESTING AND EVALUATION Control: The organizationrequires the developer of the information system, system component, or information system serviceto: a. Create and implement a security assessment plan;
Role Organization
Status Inherited
Details Documented in the project’s System Test Plan.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
318 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Part b
Requirement
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at[Assignment: organization-defined depth and coverage];
Role Organization
Status Inherited
Details Dependent on implementing organization.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
Part c
Requirement
c. Produce evidence of the execution of the security assessment plan and the results of the securitytesting/evaluation;
Role Organization
Status Inherited
Details Dependent on implementing organization.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
Part d
Requirement
d. Implement a verifiable flaw remediation process; and
Role OpenShift Landlord, OpenShift Tenant
Status Planned
Details Documented in the POAM created as a result of vulnerability scanning.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
Part e
Requirement
e. Correct flaws identified during security testing/evaluation.
Role OpenShift Landlord, OpenShift Tenant
Status Planned
Details Documented in the POAM created as a result of vulnerability scanning.
References ISO/IEC 15408; SP 800-53A; Web: nvd.nist.gov, cwe.mitre.org, cve.mitre.org,capec.mitre.org;
4.22. SA-11 - Developer Security Testing And Evaluation 319
OpenShift Compliance Guide, Release 1.0 beta
4.23 SA-3 - System Development Life Cycle
Requirement SYSTEM DEVELOPMENT LIFE CYCLE Control: The organization: a. Manages theinformation system using [Assignment: organization-defined system development life cycle] thatincorporates information security considerations; b. Defines and documents information securityroles and responsibilities throughout the system development life cycle; c. Identifies individualshaving information security roles and responsibilities; and d. Integrates the organizational informa-tion security risk management process into system development life cycle activities.
4.23.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
4.23.2 SA-3 What is the solution and how is it implemented?
Part a
Requirement SYSTEM DEVELOPMENT LIFE CYCLE Control: The organization: a. Manages theinformation system using [Assignment: organization-defined system development life cycle] thatincorporates information security considerations;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
Part b
Requirement
b. Defines and documents information security roles and responsibilities throughout the systemdevelopment life cycle;
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
Part c
Requirement
c. Identifies individuals having information security roles and responsibilities; and
Role OpenShift Tenant
Status Not implemented
320 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
Part d
Requirement
d. Integrates the organizational information security risk management process into system devel-opment life cycle activities.
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Security Plan.
References SP 800-37; SP 800-64;
4.24 SA-4(1) - Acquisition Process | Functional Properties Of Secu-rity Controls
Requirement ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLSThe organization requires the developer of the information system, system component, or informa-tion system service to provide a description of the functional properties of the security controls tobe employed.
4.24.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
4.24.2 SA-4(1) What is the solution and how is it implemented?
Part a
Requirement ACQUISITION PROCESS | FUNCTIONAL PROPERTIES OF SECURITY CONTROLSThe organization requires the developer of the information system, system component, or informa-tion system service to provide a description of the functional properties of the security controls tobe employed.
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
4.24. SA-4(1) - Acquisition Process | Functional Properties Of Security Controls 321
OpenShift Compliance Guide, Release 1.0 beta
4.25 SA-4(2) - Acquisition Process | Design / Implementation Infor-mation For Security Controls
Requirement ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SE-CURITY CONTROLS The organization requires the developer of the information system, systemcomponent, or information system service to provide design and implementation information for thesecurity controls to be employed that includes: [Selection (one or more): security-relevant externalsystem interfaces; high-level design; low-level design; source code or hardware schematics; [As-signment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
4.25.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
4.25.2 SA-4(2) What is the solution and how is it implemented?
Part a
Requirement ACQUISITION PROCESS | DESIGN / IMPLEMENTATION INFORMATION FOR SE-CURITY CONTROLS The organization requires the developer of the information system, systemcomponent, or information system service to provide design and implementation information for thesecurity controls to be employed that includes: [Selection (one or more): security-relevant externalsystem interfaces; high-level design; low-level design; source code or hardware schematics; [As-signment: organization-defined design/implementation information]] at [Assignment: organization-defined level of detail].
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
4.26 SE-1 - Inventory Of Personally Identifiable Information
Requirement INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION Control: The orga-nization: a. Establishes, maintains, and updates [Assignment: organization-defined frequency] aninventory that contains a listing of all programs and information systems identified as collecting,using, maintaining, or sharing personally identifiable information (PII); and b. Provides each updateof the PII inventory to the CIO or information security official [Assignment: organization-definedfrequency] to support the establishment of information security requirements for all new or modifiedinformation systems containing PII.
4.26.1 Control Summary Information
Role OpenShift Tenant
322 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Status Planned
Origin OpenShift Tenant SSP
4.26.2 SE-1 What is the solution and how is it implemented?
Part a
Requirement INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION Control: The orga-nization: a. Establishes, maintains, and updates [Assignment: organization-defined frequency] aninventory that contains a listing of all programs and information systems identified as collecting,using, maintaining, or sharing personally identifiable information (PII); and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e) (10); Section 208(b)(2), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB Circular A-130, Appendix I; FIPS Pub 199; SP 800-37;SP 800-122;
Part b
Requirement
b. Provides each update of the PII inventory to the CIO or information security official [Assign-ment: organization-defined frequency] to support the establishment of information security re-quirements for all new or modified information systems containing PII.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e) (10); Section 208(b)(2), E-Government Act of2002 (P.L. 107-347); OMB M-03-22; OMB Circular A-130, Appendix I; FIPS Pub 199; SP 800-37;SP 800-122;
4.27 SI-1 - System And Information Integrity Policy And Procedures
Requirement SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. A system and information integrity policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and 2. Procedures to facilitate the implementation of the system and information in-tegrity policy and associated system and information integrity controls; and b. Reviews and updatesthe current: 1. System and information integrity policy [Assignment: organization-defined fre-quency]; and 2. System and information integrity procedures [Assignment: organization-definedfrequency].
4.27. SI-1 - System And Information Integrity Policy And Procedures 323
OpenShift Compliance Guide, Release 1.0 beta
4.27.1 Control Summary Information
Role OpenShift Tenant
Status Not implemented
Origin Tenant SSP
4.27.2 SI-1 What is the solution and how is it implemented?
Part a
Requirement SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES Control:The organization: a. Develops, documents, and disseminates to [Assignment: organization-definedpersonnel or roles]: 1. A system and information integrity policy that addresses purpose, scope,roles, responsibilities, management commitment, coordination among organizational entities, andcompliance; and
Role OpenShift Tenant
Status Not implemented
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
Part b
Requirement
2. Procedures to facilitate the implementation of the system and information integrity policy andassociated system and information integrity controls; and
Role Shared
Status Shared
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
Part c
Requirement
b. Reviews and updates the current: 1. System and information integrity policy [Assignment:organization-defined frequency]; and
Role Shared
Status Shared
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
324 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
Part d
Requirement
2. System and information integrity procedures [Assignment: organization-defined frequency].
Role Shared
Status Shared
Details Documented in the individual project / program’s System Design Specification document andSystem Security Plan.
References SP 800-12; SP 800-100;
4.28 TR-1 - Privacy Notice
Requirement PRIVACY NOTICE Control: The organization: a. Provides effective notice to the pub-lic and to individuals regarding: (i) its activities that impact privacy, including its collection, use,sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii)authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the orga-nization uses PII and the consequences of exercising or not exercising those choices; and (iv) theability to access and have PII amended or corrected if necessary; b. Describes: (i) the PII the orga-nization collects and the purpose(s) for which it collects that information; (ii) how the organizationuses PII internally; (iii) whether the organization shares PII with external entities, the categories ofthose entities, and the purposes for such sharing; (iv) whether individuals have the ability to consentto specific uses or sharing of PII and how to exercise any such consent; (v) how individuals mayobtain access to PII; and (vi) how the PII will be protected; and c. Revises its public notices toreflect changes in practice or policy that affect PII or changes in its activities that impact privacy,before or as soon as practicable after the change.
4.28.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.28.2 TR-1 What is the solution and how is it implemented?
Part a
Requirement PRIVACY NOTICE Control: The organization: a. Provides effective notice to the pub-lic and to individuals regarding: (i) its activities that impact privacy, including its collection, use,sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII); (ii)authority for collecting PII; (iii) the choices, if any, individuals may have regarding how the orga-nization uses PII and the consequences of exercising or not exercising those choices; and (iv) theability to access and have PII amended or corrected if necessary;
Role OpenShift Tenant
Status Planned
Details undefined
4.28. TR-1 - Privacy Notice 325
OpenShift Compliance Guide, Release 1.0 beta
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3), (e)(4); Section 208(b), E-GovernmentAct of 2002 (P.L. 107-347); OMB M-03-22; OMB M-07-16; OMB M-10-22; OMB M-10-23; ISEPrivacy Guidelines;
Part b
Requirement
b. Describes: (i) the PII the organization collects and the purpose(s) for which it collects thatinformation; (ii) how the organization uses PII internally; (iii) whether the organization sharesPII with external entities, the categories of those entities, and the purposes for such sharing;(iv) whether individuals have the ability to consent to specific uses or sharing of PII and how toexercise any such consent; (v) how individuals may obtain access to PII; and (vi) how the PIIwill be protected; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3), (e)(4); Section 208(b), E-GovernmentAct of 2002 (P.L. 107-347); OMB M-03-22; OMB M-07-16; OMB M-10-22; OMB M-10-23; ISEPrivacy Guidelines;
Part c
Requirement
c. Revises its public notices to reflect changes in practice or policy that affect PII or changes in itsactivities that impact privacy, before or as soon as practicable after the change.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3), (e)(4); Section 208(b), E-GovernmentAct of 2002 (P.L. 107-347); OMB M-03-22; OMB M-07-16; OMB M-10-22; OMB M-10-23; ISEPrivacy Guidelines;
4.29 TR-1(1) - Privacy Notice | Real-time Or Layered Notice
Requirement PRIVACY NOTICE | REAL-TIME OR LAYERED NOTICE The organization providesreal-time and/or layered notice when it collects PII.
4.29.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
326 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
4.29.2 TR-1(1) What is the solution and how is it implemented?
Part a
Requirement PRIVACY NOTICE | REAL-TIME OR LAYERED NOTICE The organization providesreal-time and/or layered notice when it collects PII.
Role OpenShift Tenant
Status Planned
Details undefined
4.30 TR-2 - System Of Records Notices And Privacy Act Statements
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS Control: Theorganization: a. Publishes System of Records Notices (SORNs) in the Federal Register, subjectto required oversight processes, for systems containing personally identifiable information (PII); b.Keeps SORNs current; and c. Includes Privacy Act Statements on its forms that collect PII, or onseparate forms that can be retained by individuals, to provide additional formal notice to individualsfrom whom the information is being collected.
4.30.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.30.2 TR-2 What is the solution and how is it implemented?
Part a
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS Control: Theorganization: a. Publishes System of Records Notices (SORNs) in the Federal Register, subject torequired oversight processes, for systems containing personally identifiable information (PII);
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3); OMB Circular A-130;
Part b
Requirement
b. Keeps SORNs current; and
Role OpenShift Tenant
Status Planned
4.30. TR-2 - System Of Records Notices And Privacy Act Statements 327
OpenShift Compliance Guide, Release 1.0 beta
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3); OMB Circular A-130;
Part c
Requirement
c. Includes Privacy Act Statements on its forms that collect PII, or on separate forms that canbe retained by individuals, to provide additional formal notice to individuals from whom theinformation is being collected.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (e)(3); OMB Circular A-130;
4.31 TR-2(1) - System Of Records Notices And Privacy Act State-ments | Public Website Publication
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS | PUBLICWEBSITE PUBLICATION The organization publishes SORNs on its public website.
4.31.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.31.2 TR-2(1) What is the solution and how is it implemented?
Part a
Requirement SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS | PUBLICWEBSITE PUBLICATION The organization publishes SORNs on its public website.
Role OpenShift Tenant
Status Planned
Details undefined
4.32 TR-3 - Dissemination Of Privacy Program Information
Requirement DISSEMINATION OF PRIVACY PROGRAM INFORMATION Control: The organiza-tion: a. Ensures that the public has access to information about its privacy activities and is ableto communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO);
328 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
and b. Ensures that its privacy practices are publicly available through organizational websites orotherwise.
4.32.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.32.2 TR-3 What is the solution and how is it implemented?
Part a
Requirement DISSEMINATION OF PRIVACY PROGRAM INFORMATION Control: The organiza-tion: a. Ensures that the public has access to information about its privacy activities and is able tocommunicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO); and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a; Section 208, E-Government Act of 2002 (P.L.107-347); OMB M-03-22; OMB M-10-23;
Part b
Requirement
b. Ensures that its privacy practices are publicly available through organizational websites or oth-erwise.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a; Section 208, E-Government Act of 2002 (P.L.107-347); OMB M-03-22; OMB M-10-23;
4.33 UL-1 - Internal Use
Requirement INTERNAL USE Control: The organization uses personally identifiable information (PII)internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
4.33.1 Control Summary Information
Role OpenShift Tenant
Status Planned
4.33. UL-1 - Internal Use 329
OpenShift Compliance Guide, Release 1.0 beta
Origin OpenShift Tenant SSP
4.33.2 UL-1 What is the solution and how is it implemented?
Part a
Requirement INTERNAL USE Control: The organization uses personally identifiable information (PII)internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (b)(1);
4.34 UL-2 - Information Sharing With Third Parties
Requirement INFORMATION SHARING WITH THIRD PARTIES Control: The organization: a.Shares personally identifiable information (PII) externally, only for the authorized purposes iden-tified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible withthose purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda ofAgreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with thirdparties that specifically describe the PII covered and specifically enumerate the purposes for whichthe PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII withthird parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates anyproposed new instances of sharing PII with third parties to assess whether the sharing is authorizedand whether additional or new public notice is required.
4.34.1 Control Summary Information
Role OpenShift Tenant
Status Planned
Origin OpenShift Tenant SSP
4.34.2 UL-2 What is the solution and how is it implemented?
Part a
Requirement INFORMATION SHARING WITH THIRD PARTIES Control: The organization: a.Shares personally identifiable information (PII) externally, only for the authorized purposes iden-tified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible withthose purposes;
Role OpenShift Tenant
Status Planned
Details undefined
330 Chapter 4. Customer Responsibility Matrix
OpenShift Compliance Guide, Release 1.0 beta
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
Part b
Requirement
b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Let-ters of Intent, Computer Matching Agreements, or similar agreements, with third parties thatspecifically describe the PII covered and specifically enumerate the purposes for which the PIImay be used;
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
Part c
Requirement
c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and onthe consequences of unauthorized use or sharing of PII; and
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
Part d
Requirement
d. Evaluates any proposed new instances of sharing PII with third parties to assess whether thesharing is authorized and whether additional or new public notice is required.
Role OpenShift Tenant
Status Planned
Details undefined
References The Privacy Act of 1974, 5 U.S.C. § 552a (a)(7), (b), (c), (e)(3)(C), (o); ISE Privacy Guide-lines;
4.34. UL-2 - Information Sharing With Third Parties 331
OpenShift Compliance Guide, Release 1.0 beta
332 Chapter 4. Customer Responsibility Matrix
CHAPTER 5
Ansible
This chapter describes how OCP 3.3 can be deployed according to the FISMA High security controls listed in thisguide. Further, the deployed reference architecture is air-gapped in a private AWS VPC with not direct access to theInternet.
5.1 Reference Architecture
The Security CONOPS chapter describes the OpenShift FISMA High reference architecture. That architecture can beimplemented in AWS with the openshift-disconnected project.
openshift-disconnected is implemented with Ansible. It can be deployed automatically, kept compliant with its CMbaseline, and audited with OpenSCAP. The AWS VPC layout replicates an air-gapped deployment that is unable toaccess the Internet. This requires many services that are typically taken for granted like DNS to be deployed into theprivate VPC.
openshift-disconnected automatically deploys all of the required services to run OCP 3.3 in the private VPC. Manyof the functions implemented by openshift-disconnected are pluggable and can be added to your Ansible project withAnsible Galaxy from the RHTPS organization.
Some of the most reusable roles are:
Role Description800-53 Implements RHEL FISMA compliance and scans the resultant configuration with OpenSCAP.bind Deploys DNS services into the private VPCprivate-aws Sets up the public and private VPCs and deploys the EC2 instances.registry Sets up a private docker registry and populates it with all of the images required by OpenShift.yum Sets up a yum server with all of the RPM content required for the OpenShift deployment.
For instructions on how to use the openshift-disconnected project, refer to the README.
333
OpenShift Compliance Guide, Release 1.0 beta
5.2 Manual Workarounds
Some aspects of the reference architecture expressed in the Security CONOPS have not yet been implemented in theopenshift-disconnected project. Those missing components are being tracked in the Issues page for that repo. As awork around, manual implementation instructions are below.
5.2.1 User Authentication
Cluster Admins and Application developers gain access to OCP through a WebUI or CLI. In order to authenticate withthe CLI, the user must first log in to the WebUI and obtain a CLI token. The following details how to enable PKIauthentication in the WebUI.
Request Header Authentication
The request header authentication passes the authentication request to another Apache process. If that process suc-cessfully authenticates (and authorizes if desired) the user, then it passes the username back to the OpenShift masterin an HTTP header.
This Apache process may be run on the OpenShift master or separate host. This example assumes the Apache processis on a separate host.
1. OpenShift Master – master.example.com
2. Apache proxy for authentication – proxy.example.com
OpenShift Master – Creating Certificates
OpenShift manages its own certificates to encrypt inter-nodal communication. This is beneficial in another way. Wedon’t want someone to spoof our proxy and authenticate by passing in a remote header from some random host.Therefore, we will create a certificate for the Apache proxy using the CA on the OpenShift master.
SSH to the OpenShift master and elevate your privileges to root.
# oadm ca create-signer-cert \--cert='/etc/origin/master/proxyca.crt' \--key='/etc/origin/master/proxyca.key' \--name='openshift-proxy-signer@1432232228' \--serial='/etc/origin/master/proxyca.serial.txt'
# oadm create-api-client-config \--certificate-authority='/etc/origin/master/proxyca.crt' \--client-dir='/etc/origin/master/proxy' \--signer-cert='/etc/origin/master/proxyca.crt' \--signer-key='/etc/origin/master/proxyca.key' \--signer-serial='/etc/origin/master/proxyca.serial.txt' \--user='system:proxy'
# pushd /etc/origin/master# cp ca.crt /root/authproxyca.crt# cat proxy/system\:proxy.crt \proxy/system\:proxy.key > \/root/authproxy.crt# popd
334 Chapter 5. Ansible
OpenShift Compliance Guide, Release 1.0 beta
Using your favorite file transfer method, copy the authproxy.crt and authproxyca.crt from the OpenShift Master to theApache proxy host.
Apache Proxy
SSH into the Apache Proxy and install some basic packages as root.
# yum install -y httpd mod_ssl mod_session apr-util-openssl
Also, as root, create a new Apache configuration file with the following content in /etc/httpd/conf.d/
# vi /etc/httpd/conf.d/ose-proxy.conf
LoadModule session_module modules/mod_session.soLoadModule request_module modules/mod_request.so
# Nothing needs to be served over HTTP. This virtual host simply redirects to# HTTPS.<VirtualHost *:80>DocumentRoot /var/www/htmlRewriteEngine OnRewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]</VirtualHost>
<VirtualHost *:443># This needs to match the certificates you generated. See the CN and X509v3# Subject Alternative Name in the output of:# openssl x509 -text -in /etc/pki/tls/certs/localhost.crtServerName proxy.example.com
DocumentRoot /var/www/htmlSSLEngine onSSLCertificateFile /etc/pki/tls/certs/localhost.crtSSLCertificateKeyFile /etc/tls/private/localhost.key
#This is the CA against which your user’s certificates will be checked.SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLProtocol ALL -SSLv2 -SSLv3SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!→˓SSLV2:!eNULLSSLUserName SSL_CLIENT_S_DN_CNSSLOptions +StdEnvVars +ExportCertData#For PKISSLVerifyClient require
SSLProxyEngine on
#These were created per the instructions in the OSE installation docsSSLProxyCACertificateFile /etc/pki/CA/certs/authproxyca.crtSSLProxyMachineCertificateFile /etc/pki/tls/certs/authproxy.crt
ErrorLog logs/ssl_error_logTransferLog logs/ssl_access_logLogLevel debugCustomLog logs/ssl_request_log \“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”
(continues on next page)
5.2. Manual Workarounds 335
OpenShift Compliance Guide, Release 1.0 beta
(continued from previous page)
# Send all requests to the consoleRewriteEngine OnRewriteRule ^/console(.*)$ https://%{HTTP_HOST}:8443/console$1 [R,L]
# In order to using the challenging-proxy an X-Csrf-Token must be present.RewriteCond %{REQUEST_URI} ^/challenging-proxyRewriteCond %{HTTP:X-Csrf-Token} ^$ [NC]RewriteRule ^.* - [F,L]
<Location /challenging-proxy/oauth/authorize># Insert your backend server name/ip here.AuthName openshiftProxyPass https://master.example.com:8443/oauth/authorize</Location>
<Location /login-proxy/oauth/authorize># Insert your backend server name/ip here.AuthName openshiftProxyPass https://master.example.com:8443/oauth/authorize</Location>
<ProxyMatch /oauth/authorize>#This require directive is very importantrequire valid-userRequestHeader set X-Remote-User %{SSL_CLIENT_S_DN_CN}s</ProxyMatch>
</VirtualHost>RequestHeader unset X-Remote-User
Please note the SSLCACertificateFile directive. This is the CA against which the clients (your users) will be validated.Out of the box, the specified file won’t work. Please replace this will the valid CA file or chain.
OpenShift Master - Auth Configuration
Now that we have Apache configured, we need to configure the authentication provider for the OpenShift Master. SSHinto the OpenShift Master and elevate your privileges to root. Then edit the Master’s configuration file.
# vi /etc/origin/master/master-config.yaml
Now, in the oathConfig section, enter the following
oauthConfig:...identityProviders:- name: requestheaderchallenge: truelogin: trueprovider:apiVersion: v1kind: RequestHeaderIdentityProviderchallengeURL: "https://proxy.example.com/challenging-proxy/oauth/authorize?$
→˓{query}"loginURL: "https://proxy.example.com/login-proxy/oauth/authorize?${query}"clientCA: /etc/origin/master/proxyca.crt
(continues on next page)
336 Chapter 5. Ansible
OpenShift Compliance Guide, Release 1.0 beta
(continued from previous page)
headers:- X-Remote-User
YAML is delimited by spaces. Please ensure you have the correct spacing.
Once you have saved the file, go ahead and restart your master.
# systemctl restart atomic-openshift-master.service
Now navigate to your OpenShift master in a web browser. If you have a valid client certificate, you should just beauthenticated.
5.2. Manual Workarounds 337
OpenShift Compliance Guide, Release 1.0 beta
338 Chapter 5. Ansible
CHAPTER 6
Frequently Asked Questions
6.1 Is this guide complete?
No. As of version 1.0 beta it is still under construction. There are several efforts under way to accredit OpenShift atFISMA High. During that process this guide will be updated, probably a lot.
6.2 Has OpenShift been accredited anywhere?
Yes, at variants of FISMA Moderate in several places in the US Department of Defense.
6.3 How can I help?
If you’d like to get involved, fork the project and send us pull requests.
If you’re not sure where to start, or if you’ve found a mistake or problem, take a look at the project Issues page for thisversion (1.0beta).
6.4 X is wrong, what’s up?
Found a mistake? Great! Open an Issue.
6.5 Who can I talk to about this?
Jason Callaway would be happy to talk your ear off about this. Or you could talk to your Red Hat account team.
339
OpenShift Compliance Guide, Release 1.0 beta
340 Chapter 6. Frequently Asked Questions
CHAPTER 7
Indices and tables
• genindex
• modindex
• search
341