fedramp-rev5.yaml

urn: urn:intuitem:risk:library:fedramp-rev5
locale: en
ref_id: GSA-FEDRAMP-rev5
name: GSA FedRAMP Rev5
description: The Federal Risk and Authorization Management Program (FedRAMP) provides
  a standardized approach to security authorizations for Cloud Service Offerings.
copyright: FedRAMP
version: 1
provider: US General Services Administration
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:fedramp-rev5
    ref_id: GSA-FEDRAMP-rev5
    name: GSA FedRAMP rev5
    description: The Federal Risk and Authorization Management Program (FedRAMP) provides
      a standardized approach to security authorizations for Cloud Service Offerings.
    implementation_groups_definition:
    - ref_id: L
      name: Low
      description: "Low Impact is most appropriate for CSOs where the loss of confidentiality,\
        \ integrity, and availability would result in limited adverse effect on an\
        \ agency\u2019s operations, assets, or individuals."
    - ref_id: M
      name: Moderate
      description: "Moderate Impact accounts for the majority of CSOs that receive\
        \ FedRAMP authorization and is most appropriate for CSOs where the loss of\
        \ confidentiality, integrity, and availability would result in serious adverse\
        \ effect on an agency\u2019s operations, assets, or individuals."
    - ref_id: H
      name: High
      description: High Impact data is usually in Law Enforcement and Emergency Services
        systems, Financial systems, Health systems, and any other system where loss
        of confidentiality, integrity, or availability could be expected to have a
        severe or catastrophic adverse effect on organizational operations, organizational
        assets, or individuals.
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      assessable: false
      depth: 1
      name: ACCESS CONTROL
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] access control policy that:\n\
        \ (a) Addresses purpose, scope, roles, responsibilities, management commitment,\
        \ coordination among organizational entities, and compliance; and\n (b) Is\
        \ consistent with applicable laws, executive orders, directives, regulations,\
        \ policies, standards, and guidelines; and\n 2. Procedures to facilitate the\
        \ implementation of the access control policy and the associated access controls;\n\
        \ b. Designate an [Assignment: organization-defined official] to manage the\
        \ development, documentation, and dissemination of the access control policy\
        \ and procedures; and\n c. Review and update the current access control:\n\
        \ 1. Policy [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]; and\n 2. Procedures [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2
      name: Account Management
      description: "a. Define and document the types of accounts allowed and specifically\
        \ prohibited for use within the system;\n b. Assign account managers;\n c.\
        \ Require [Assignment: organization-defined prerequisites and criteria] for\
        \ group and role membership;\n d. Specify:\n 1. Authorized users of the system;\n\
        \ 2. Group and role membership; and\n 3. Access authorizations (i.e., privileges)\
        \ and [Assignment: organization-defined attributes (as required)] for each\
        \ account;\n e. Require approvals by [Assignment: organization-defined personnel\
        \ or roles] for requests to create accounts;\n f. Create, enable, modify,\
        \ disable, and remove accounts in accordance with [Assignment: organization-defined\
        \ policy, procedures, prerequisites, and criteria];\n g. Monitor the use of\
        \ accounts;\n h. Notify account managers and [Assignment: organization-defined\
        \ personnel or roles] within:\n 1. [Assignment: organization-defined time\
        \ period] when accounts are no longer required;\n 2. [Assignment: organization-defined\
        \ time period] when users are terminated or transferred; and\n 3. [Assignment:\
        \ organization-defined time period] when system usage or need-to-know changes\
        \ for an individual;\n i. Authorize access to the system based on:\n 1. A\
        \ valid access authorization;\n 2. Intended system usage; and\n 3. [Assignment:\
        \ organization-defined attributes (as required)];\n j. Review accounts for\
        \ compliance with account management requirements [Assignment: organization-defined\
        \ frequency];\n k. Establish and implement a process for changing shared or\
        \ group account authenticators (if deployed) when individuals are removed\
        \ from the group; and\n l. Align account management processes with personnel\
        \ termination and transfer processes."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (1)
      name: Account Management | Automated System Account Management
      description: 'Support the management of system accounts using [Assignment: organization-defined
        automated mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (2)
      name: Account Management | Automated Temporary and Emergency Account Management
      description: 'Automatically [Selection: remove; disable] temporary and emergency
        accounts after [Assignment: organization-defined time period for each type
        of account].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (3)
      name: Account Management | Disable Accounts
      description: "Disable accounts within [Assignment: organization-defined time\
        \ period] when the accounts: \n (a) Have expired;\n (b) Are no longer associated\
        \ with a user or individual;\n (c) Are in violation of organizational policy;\
        \ or\n (d) Have been inactive for [Assignment: organization-defined time period]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (4)
      name: Account Management | Automated Audit Actions
      description: Automatically audit account creation, modification, enabling, disabling,
        and removal actions.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (5)
      name: Account Management | Inactivity Logout
      description: 'Require that users log out when [Assignment: organization-defined
        time period of expected inactivity or description of when to log out].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(7)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (7)
      name: Account Management | Privileged User Accounts
      description: " (a) Establish and administer privileged user accounts in accordance\
        \ with [Selection: a role-based access scheme; an attribute-based access scheme];\n\
        \ (b) Monitor privileged role or attribute assignments;\n (c) Monitor changes\
        \ to roles or attributes; and\n (d) Revoke access when privileged role or\
        \ attribute assignments are no longer appropriate."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(9)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (9)
      name: Account Management | Restrictions on Use of Shared and Group Accounts
      description: 'Only permit the use of shared and group accounts that meet [Assignment:
        organization-defined conditions for establishing shared and group accounts].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(11)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (11)
      name: Account Management | Usage Conditions
      description: 'Enforce [Assignment: organization-defined circumstances and/or
        usage conditions] for [Assignment: organization-defined system accounts].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(12)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (12)
      name: Account Management | Account Monitoring for Atypical Usage
      description: " (a) Monitor system accounts for [Assignment: organization-defined\
        \ atypical usage]; and\n (b) Report atypical usage of system accounts to [Assignment:\
        \ organization-defined personnel or roles]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-2-(13)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-2 (13)
      name: Account Management | Disable Accounts for High-risk Individuals
      description: 'Disable accounts of individuals within [Assignment: organization-defined
        time period] of discovery of [Assignment: organization-defined significant
        risks].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-3
      name: Access Enforcement
      description: Enforce approved authorizations for logical access to information
        and system resources in accordance with applicable access control policies.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-4
      name: Information Flow Enforcement
      description: 'Enforce approved authorizations for controlling the flow of information
        within the system and between connected systems based on [Assignment: organization-defined
        information flow control policies].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-4-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-4 (4)
      name: Information Flow Enforcement | Flow Control of Encrypted Information
      description: 'Prevent encrypted information from bypassing [Assignment: organization-defined
        information flow control mechanisms] by [Selection (one or more): decrypting
        the information; blocking the flow of the encrypted information; terminating
        communications sessions attempting to pass encrypted information; [Assignment:
        organization-defined procedure or method]].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-4-(21)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-4 (21)
      name: Information Flow Enforcement | Physical or Logical Separation of Information
        Flows
      description: 'Separate information flows logically or physically using [Assignment:
        organization-defined mechanisms and/or techniques] to accomplish [Assignment:
        organization-defined required separations by types of information].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-5
      name: Separation of Duties
      description: "a. Identify and document [Assignment: organization-defined duties\
        \ of individuals requiring separation]; and\n b. Define system access authorizations\
        \ to support separation of duties."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6
      name: Least Privilege
      description: Employ the principle of least privilege, allowing only authorized
        accesses for users (or processes acting on behalf of users) that are necessary
        to accomplish assigned organizational tasks.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (1)
      name: Least Privilege | Authorize Access to Security Functions
      description: "Authorize access for [Assignment: organization-defined individuals\
        \ or roles] to:\n (a) [Assignment: organization-defined security functions\
        \ (deployed in hardware, software, and firmware)]; and\n (b) [Assignment:\
        \ organization-defined security-relevant information]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (2)
      name: Least Privilege | Non-privileged Access for Nonsecurity Functions
      description: 'Require that users of system accounts (or roles) with access to
        [Assignment: organization-defined security functions or security-relevant
        information] use non-privileged accounts or roles, when accessing nonsecurity
        functions.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (3)
      name: Least Privilege | Network Access to Privileged Commands
      description: 'Authorize network access to [Assignment: organization-defined
        privileged commands] only for [Assignment: organization-defined compelling
        operational needs] and document the rationale for such access in the security
        plan for the system.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (5)
      name: Least Privilege | Privileged Accounts
      description: 'Restrict privileged accounts on the system to [Assignment: organization-defined
        personnel or roles].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(7)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (7)
      name: Least Privilege | Review of User Privileges
      description: " (a) Review [Assignment: organization-defined frequency] the privileges\
        \ assigned to [Assignment: organization-defined roles or classes of users]\
        \ to validate the need for such privileges; and\n (b) Reassign or remove privileges,\
        \ if necessary, to correctly reflect organizational mission and business needs."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(8)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (8)
      name: Least Privilege | Privilege Levels for Code Execution
      description: 'Prevent the following software from executing at higher privilege
        levels than users executing the software: [Assignment: organization-defined
        software].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(9)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (9)
      name: Least Privilege | Log Use of Privileged Functions
      description: Log the execution of privileged functions.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-6-(10)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-6 (10)
      name: Least Privilege | Prohibit Non-privileged Users from Executing Privileged
        Functions
      description: Prevent non-privileged users from executing privileged functions.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-7
      name: Unsuccessful Logon Attempts
      description: "a. Enforce a limit of [Assignment: organization-defined number]\
        \ consecutive invalid logon attempts by a user during a [Assignment: organization-defined\
        \ time period]; and\n b. Automatically [Selection (one or more): lock the\
        \ account or node for an [Assignment: organization-defined time period]; lock\
        \ the account or node until released by an administrator; delay next logon\
        \ prompt per [Assignment: organization-defined delay algorithm]; notify system\
        \ administrator; take other [Assignment: organization-defined action]] when\
        \ the maximum number of unsuccessful attempts is exceeded."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-8
      name: System Use Notification
      description: "a. Display [Assignment: organization-defined system use notification\
        \ message or banner] to users before granting access to the system that provides\
        \ privacy and security notices consistent with applicable laws, executive\
        \ orders, directives, regulations, policies, standards, and guidelines and\
        \ state that:\n 1. Users are accessing a U.S. Government system;\n 2. System\
        \ usage may be monitored, recorded, and subject to audit;\n 3. Unauthorized\
        \ use of the system is prohibited and subject to criminal and civil penalties;\
        \ and\n 4. Use of the system indicates consent to monitoring and recording;\n\
        \ b. Retain the notification message or banner on the screen until users acknowledge\
        \ the usage conditions and take explicit actions to log on to or further access\
        \ the system; and\n c. For publicly accessible systems:\n 1. Display system\
        \ use information [Assignment: organization-defined conditions], before granting\
        \ further access to the publicly accessible system;\n 2. Display references,\
        \ if any, to monitoring, recording, or auditing that are consistent with privacy\
        \ accommodations for such systems that generally prohibit those activities;\
        \ and\n 3. Include a description of the authorized uses of the system."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-10
      name: Concurrent Session Control
      description: 'Limit the number of concurrent sessions for each [Assignment:
        organization-defined account and/or account type] to [Assignment: organization-defined
        number].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-11
      name: Device Lock
      description: "a. Prevent further access to the system by [Selection (one or\
        \ more): initiating a device lock after [Assignment: organization-defined\
        \ time period] of inactivity; requiring the user to initiate a device lock\
        \ before leaving the system unattended]; and\n b. Retain the device lock until\
        \ the user reestablishes access using established identification and authentication\
        \ procedures."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-11-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-11 (1)
      name: Device Lock | Pattern-hiding Displays
      description: Conceal, via the device lock, information previously visible on
        the display with a publicly viewable image.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-12
      name: Session Termination
      description: 'Automatically terminate a user session after [Assignment: organization-defined
        conditions or trigger events requiring session disconnect].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-14
      name: Permitted Actions Without Identification or Authentication
      description: "a. Identify [Assignment: organization-defined user actions] that\
        \ can be performed on the system without identification or authentication\
        \ consistent with organizational mission and business functions; and\n b.\
        \ Document and provide supporting rationale in the security plan for the system,\
        \ user actions not requiring identification or authentication."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-17
      name: Remote Access
      description: "a. Establish and document usage restrictions, configuration/connection\
        \ requirements, and implementation guidance for each type of remote access\
        \ allowed; and\n b. Authorize each type of remote access to the system prior\
        \ to allowing such connections."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-17-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-17 (1)
      name: Remote Access | Monitoring and Control
      description: Employ automated mechanisms to monitor and control remote access
        methods.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-17-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-17 (2)
      name: Remote Access | Protection of Confidentiality and Integrity Using Encryption
      description: Implement cryptographic mechanisms to protect the confidentiality
        and integrity of remote access sessions.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-17-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-17 (3)
      name: Remote Access | Managed Access Control Points
      description: Route remote accesses through authorized and managed network access
        control points.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-17-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-17 (4)
      name: Remote Access | Privileged Commands and Access
      description: " (a) Authorize the execution of privileged commands and access\
        \ to security-relevant information via remote access only in a format that\
        \ provides assessable evidence and for the following needs: [Assignment: organization-defined\
        \ needs]; and\n (b) Document the rationale for remote access in the security\
        \ plan for the system."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-18
      name: Wireless Access
      description: "a. Establish configuration requirements, connection requirements,\
        \ and implementation guidance for each type of wireless access; and\n b. Authorize\
        \ each type of wireless access to the system prior to allowing such connections."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-18-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-18 (1)
      name: Wireless Access | Authentication and Encryption
      description: 'Protect wireless access to the system using authentication of
        [Selection (one or more): users; devices] and encryption.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-18-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-18 (3)
      name: Wireless Access | Disable Wireless Networking
      description: Disable, when not intended for use, wireless networking capabilities
        embedded within system components prior to issuance and deployment.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-18-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-18 (4)
      name: Wireless Access | Restrict Configurations by Users
      description: Identify and explicitly authorize users allowed to independently
        configure wireless networking capabilities.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-18-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-18 (5)
      name: Wireless Access | Antennas and Transmission Power Levels
      description: Select radio antennas and calibrate transmission power levels to
        reduce the probability that signals from wireless access points can be received
        outside of organization-controlled boundaries.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-19
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-19
      name: Access Control for Mobile Devices
      description: "a. Establish configuration requirements, connection requirements,\
        \ and implementation guidance for organization-controlled mobile devices,\
        \ to include when such devices are outside of controlled areas; and\n b. Authorize\
        \ the connection of mobile devices to organizational systems."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-19-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-19 (5)
      name: Access Control for Mobile Devices | Full Device or Container-based Encryption
      description: 'Employ [Selection: full-device encryption; container-based encryption]
        to protect the confidentiality and integrity of information on [Assignment:
        organization-defined mobile devices].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-20
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-20
      name: Use of External Systems
      description: "a. [Selection (one or more): Establish [Assignment: organization-defined\
        \ terms and conditions]; Identify [Assignment: organization-defined controls\
        \ asserted to be implemented on external systems]], consistent with the trust\
        \ relationships established with other organizations owning, operating, and/or\
        \ maintaining external systems, allowing authorized individuals to:\n 1. Access\
        \ the system from external systems; and\n 2. Process, store, or transmit organization-controlled\
        \ information using external systems; or\n b. Prohibit the use of [Assignment:\
        \ organizationally-defined types of external systems]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-20-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-20 (1)
      name: Use of External Systems | Limits on Authorized Use
      description: "Permit authorized individuals to use an external system to access\
        \ the system or to process, store, or transmit organization-controlled information\
        \ only after:\n (a) Verification of the implementation of controls on the\
        \ external system as specified in the organization\u2019s security and privacy\
        \ policies and security and privacy plans; or\n (b) Retention of approved\
        \ system connection or processing agreements with the organizational entity\
        \ hosting the external system."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-20-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-20 (2)
      name: "Use of External Systems | Portable Storage Devices \u2014 Restricted\
        \ Use"
      description: 'Restrict the use of organization-controlled portable storage devices
        by authorized individuals on external systems using [Assignment: organization-defined
        restrictions].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-21
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-21
      name: Information Sharing
      description: "a. Enable authorized users to determine whether access authorizations\
        \ assigned to a sharing partner match the information\u2019s access and use\
        \ restrictions for [Assignment: organization-defined information sharing circumstances\
        \ where user discretion is required]; and\n b. Employ [Assignment: organization-defined\
        \ automated mechanisms or manual processes] to assist users in making information\
        \ sharing and collaboration decisions."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ac-22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node2
      ref_id: AC-22
      name: Publicly Accessible Content
      description: "a. Designate individuals authorized to make information publicly\
        \ accessible;\n b. Train authorized individuals to ensure that publicly accessible\
        \ information does not contain nonpublic information;\n c. Review the proposed\
        \ content of information prior to posting onto the publicly accessible system\
        \ to ensure that nonpublic information is not included; and\n d. Review the\
        \ content on the publicly accessible system for nonpublic information [Assignment:\
        \ organization-defined frequency] and remove such information, if discovered."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node53
      assessable: false
      depth: 1
      name: AWARENESS AND TRAINING
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:at-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node53
      ref_id: AT-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] awareness and training policy\
        \ that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the awareness and training policy and the\
        \ associated awareness and training controls;\n b. Designate an [Assignment:\
        \ organization-defined official] to manage the development, documentation,\
        \ and dissemination of the awareness and training policy and procedures; and\n\
        \ c. Review and update the current awareness and training:\n 1. Policy [Assignment:\
        \ organization-defined frequency] and following [Assignment: organization-defined\
        \ events]; and\n 2. Procedures [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:at-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node53
      ref_id: AT-2
      name: Literacy Training and Awareness
      description: "a. Provide security and privacy literacy training to system users\
        \ (including managers, senior executives, and contractors):\n 1. As part of\
        \ initial training for new users and [Assignment: organization-defined frequency]\
        \ thereafter; and\n 2. When required by system changes or following [Assignment:\
        \ organization-defined events];\n b. Employ the following techniques to increase\
        \ the security and privacy awareness of system users [Assignment: organization-defined\
        \ awareness techniques];\n c. Update literacy training and awareness content\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]; and\n d. Incorporate lessons learned from\
        \ internal or external security incidents or breaches into literacy training\
        \ and awareness techniques."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:at-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node53
      ref_id: AT-2 (2)
      name: Literacy Training and Awareness | Insider Threat
      description: Provide literacy training on recognizing and reporting potential
        indicators of insider threat.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:at-2-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node53
      ref_id: AT-2 (3)
      name: Literacy Training and Awareness | Social Engineering and Mining
      description: Provide literacy training on recognizing and reporting potential
        and actual instances of social engineering and social mining.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:at-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node53
      ref_id: AT-3
      name: Role-based Training
      description: "a. Provide role-based security and privacy training to personnel\
        \ with the following roles and responsibilities: [Assignment: organization-defined\
        \ roles and responsibilities]:\n 1. Before authorizing access to the system,\
        \ information, or performing assigned duties, and [Assignment: organization-defined\
        \ frequency] thereafter; and\n 2. When required by system changes;\n b. Update\
        \ role-based training content [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]; and\n c. Incorporate\
        \ lessons learned from internal or external security incidents or breaches\
        \ into role-based training."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:at-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node53
      ref_id: AT-4
      name: Training Records
      description: "a. Document and monitor information security and privacy training\
        \ activities, including security and privacy awareness training and specific\
        \ role-based security and privacy training; and\n b. Retain individual training\
        \ records for [Assignment: organization-defined time period]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      assessable: false
      depth: 1
      name: AUDIT AND ACCOUNTABILITY
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] audit and accountability policy\
        \ that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the audit and accountability policy and\
        \ the associated audit and accountability controls;\n b. Designate an [Assignment:\
        \ organization-defined official] to manage the development, documentation,\
        \ and dissemination of the audit and accountability policy and procedures;\
        \ and\n c. Review and update the current audit and accountability:\n 1. Policy\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]; and\n 2. Procedures [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-2
      name: Event Logging
      description: "a. Identify the types of events that the system is capable of\
        \ logging in support of the audit function: [Assignment: organization-defined\
        \ event types that the system is capable of logging];\n b. Coordinate the\
        \ event logging function with other organizational entities requiring audit-related\
        \ information to guide and inform the selection criteria for events to be\
        \ logged;\n c. Specify the following event types for logging within the system:\
        \ [Assignment: organization-defined event types (subset of the event types\
        \ defined in AU-2a.) along with the frequency of (or situation requiring)\
        \ logging for each identified event type];\n d. Provide a rationale for why\
        \ the event types selected for logging are deemed to be adequate to support\
        \ after-the-fact investigations of incidents; and\n e. Review and update the\
        \ event types selected for logging [Assignment: organization-defined frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-3
      name: Content of Audit Records
      description: "Ensure that audit records contain information that establishes\
        \ the following:\n a. What type of event occurred;\n b. When the event occurred;\n\
        \ c. Where the event occurred;\n d. Source of the event;\n e. Outcome of the\
        \ event; and \n f. Identity of any individuals, subjects, or objects/entities\
        \ associated with the event."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-3-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-3 (1)
      name: Content of Audit Records | Additional Audit Information
      description: 'Generate audit records containing the following additional information:
        [Assignment: organization-defined additional information].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-4
      name: Audit Log Storage Capacity
      description: 'Allocate audit log storage capacity to accommodate [Assignment:
        organization-defined audit log retention requirements].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-5
      name: Response to Audit Logging Process Failures
      description: "a. Alert [Assignment: organization-defined personnel or roles]\
        \ within [Assignment: organization-defined time period] in the event of an\
        \ audit logging process failure; and\n b. Take the following additional actions:\
        \ [Assignment: organization-defined additional actions]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-5-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-5 (1)
      name: Response to Audit Logging Process Failures | Storage Capacity Warning
      description: 'Provide a warning to [Assignment: organization-defined personnel,
        roles, and/or locations] within [Assignment: organization-defined time period]
        when allocated audit log storage volume reaches [Assignment: organization-defined
        percentage] of repository maximum audit log storage capacity.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-5-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-5 (2)
      name: Response to Audit Logging Process Failures | Real-time Alerts
      description: 'Provide an alert within [Assignment: organization-defined real-time
        period] to [Assignment: organization-defined personnel, roles, and/or locations]
        when the following audit failure events occur: [Assignment: organization-defined
        audit logging failure events requiring real-time alerts].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-6
      name: Audit Record Review, Analysis, and Reporting
      description: "a. Review and analyze system audit records [Assignment: organization-defined\
        \ frequency] for indications of [Assignment: organization-defined inappropriate\
        \ or unusual activity] and the potential impact of the inappropriate or unusual\
        \ activity;\n b. Report findings to [Assignment: organization-defined personnel\
        \ or roles]; and\n c. Adjust the level of audit record review, analysis, and\
        \ reporting within the system when there is a change in risk based on law\
        \ enforcement information, intelligence information, or other credible sources\
        \ of information."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-6-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-6 (1)
      name: Audit Record Review, Analysis, and Reporting | Automated Process Integration
      description: 'Integrate audit record review, analysis, and reporting processes
        using [Assignment: organization-defined automated mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-6-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-6 (3)
      name: Audit Record Review, Analysis, and Reporting | Correlate Audit Record
        Repositories
      description: Analyze and correlate audit records across different repositories
        to gain organization-wide situational awareness.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-6-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-6 (4)
      name: Audit Record Review, Analysis, and Reporting | Central Review and Analysis
      description: Provide and implement the capability to centrally review and analyze
        audit records from multiple components within the system.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-6-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-6 (5)
      name: Audit Record Review, Analysis, and Reporting | Integrated Analysis of
        Audit Records
      description: 'Integrate analysis of audit records with analysis of [Selection
        (one or more): vulnerability scanning information; performance data; system
        monitoring information; [Assignment: organization-defined data/information
        collected from other sources]] to further enhance the ability to identify
        inappropriate or unusual activity.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-6-(6)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-6 (6)
      name: Audit Record Review, Analysis, and Reporting | Correlation with Physical
        Monitoring
      description: Correlate information from audit records with information obtained
        from monitoring physical access to further enhance the ability to identify
        suspicious, inappropriate, unusual, or malevolent activity.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-6-(7)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-6 (7)
      name: Audit Record Review, Analysis, and Reporting | Permitted Actions
      description: 'Specify the permitted actions for each [Selection (one or more):
        system process; role; user] associated with the review, analysis, and reporting
        of audit record information.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-7
      name: Audit Record Reduction and Report Generation
      description: "Provide and implement an audit record reduction and report generation\
        \ capability that:\n a. Supports on-demand audit record review, analysis,\
        \ and reporting requirements and after-the-fact investigations of incidents;\
        \ and\n b. Does not alter the original content or time ordering of audit records."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-7-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-7 (1)
      name: Audit Record Reduction and Report Generation | Automatic Processing
      description: 'Provide and implement the capability to process, sort, and search
        audit records for events of interest based on the following content: [Assignment:
        organization-defined fields within audit records].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-8
      name: Time Stamps
      description: "a. Use internal system clocks to generate time stamps for audit\
        \ records; and\n b. Record time stamps for audit records that meet [Assignment:\
        \ organization-defined granularity of time measurement] and that use Coordinated\
        \ Universal Time, have a fixed local time offset from Coordinated Universal\
        \ Time, or that include the local time offset as part of the time stamp."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-9
      name: Protection of Audit Information
      description: "a. Protect audit information and audit logging tools from unauthorized\
        \ access, modification, and deletion; and\n b. Alert [Assignment: organization-defined\
        \ personnel or roles] upon detection of unauthorized access, modification,\
        \ or deletion of audit information."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-9-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-9 (2)
      name: Protection of Audit Information | Store on Separate Physical Systems or
        Components
      description: 'Store audit records [Assignment: organization-defined frequency]
        in a repository that is part of a physically different system or system component
        than the system or component being audited.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-9-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-9 (3)
      name: Protection of Audit Information | Cryptographic Protection
      description: Implement cryptographic mechanisms to protect the integrity of
        audit information and audit tools.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-9-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-9 (4)
      name: Protection of Audit Information | Access by Subset of Privileged Users
      description: 'Authorize access to management of audit logging functionality
        to only [Assignment: organization-defined subset of privileged users or roles].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-10
      name: Non-repudiation
      description: 'Provide irrefutable evidence that an individual (or process acting
        on behalf of an individual) has performed [Assignment: organization-defined
        actions to be covered by non-repudiation].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-11
      name: Audit Record Retention
      description: 'Retain audit records for [Assignment: organization-defined time
        period consistent with records retention policy] to provide support for after-the-fact
        investigations of incidents and to meet regulatory and organizational information
        retention requirements.'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-12
      name: Audit Record Generation
      description: "a. Provide audit record generation capability for the event types\
        \ the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined\
        \ system components];\n b. Allow [Assignment: organization-defined personnel\
        \ or roles] to select the event types that are to be logged by specific components\
        \ of the system; and\n c. Generate audit records for the event types defined\
        \ in AU-2c that include the audit record content defined in AU-3."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-12-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-12 (1)
      name: Audit Record Generation | System-wide and Time-correlated Audit Trail
      description: 'Compile audit records from [Assignment: organization-defined system
        components] into a system-wide (logical or physical) audit trail that is time-correlated
        to within [Assignment: organization-defined level of tolerance for the relationship
        between time stamps of individual records in the audit trail].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:au-12-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node60
      ref_id: AU-12 (3)
      name: Audit Record Generation | Changes by Authorized Individuals
      description: 'Provide and implement the capability for [Assignment: organization-defined
        individuals or roles] to change the logging to be performed on [Assignment:
        organization-defined system components] based on [Assignment: organization-defined
        selectable event criteria] within [Assignment: organization-defined time thresholds].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      assessable: false
      depth: 1
      name: SECURITY ASSESSMENT AND AUTHORIZATION
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] assessment, authorization,\
        \ and monitoring policy that:\n (a) Addresses purpose, scope, roles, responsibilities,\
        \ management commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the assessment, authorization, and monitoring\
        \ policy and the associated assessment, authorization, and monitoring controls;\n\
        \ b. Designate an [Assignment: organization-defined official] to manage the\
        \ development, documentation, and dissemination of the assessment, authorization,\
        \ and monitoring policy and procedures; and\n c. Review and update the current\
        \ assessment, authorization, and monitoring:\n 1. Policy [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]; and\n\
        \ 2. Procedures [Assignment: organization-defined frequency] and following\
        \ [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-2
      name: Control Assessments
      description: "a. Select the appropriate assessor or assessment team for the\
        \ type of assessment to be conducted;\n b. Develop a control assessment plan\
        \ that describes the scope of the assessment including:\n 1. Controls and\
        \ control enhancements under assessment;\n 2. Assessment procedures to be\
        \ used to determine control effectiveness; and\n 3. Assessment environment,\
        \ assessment team, and assessment roles and responsibilities;\n c. Ensure\
        \ the control assessment plan is reviewed and approved by the authorizing\
        \ official or designated representative prior to conducting the assessment;\n\
        \ d. Assess the controls in the system and its environment of operation [Assignment:\
        \ organization-defined frequency] to determine the extent to which the controls\
        \ are implemented correctly, operating as intended, and producing the desired\
        \ outcome with respect to meeting established security and privacy requirements;\n\
        \ e. Produce a control assessment report that document the results of the\
        \ assessment; and\n f. Provide the results of the control assessment to [Assignment:\
        \ organization-defined individuals or roles]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-2-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-2 (1)
      name: Control Assessments | Independent Assessors
      description: Employ independent assessors or assessment teams to conduct control
        assessments.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-2 (2)
      name: Control Assessments | Specialized Assessments
      description: 'Include as part of control assessments, [Assignment: organization-defined
        frequency], [Selection: announced; unannounced], [Selection (one or more):
        in-depth monitoring; security instrumentation; automated security test cases;
        vulnerability scanning; malicious user testing; insider threat assessment;
        performance and load testing; data leakage or data loss assessment; [Assignment:
        organization-defined other forms of assessment]].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-2-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-2 (3)
      name: Control Assessments | Leveraging Results from External Organizations
      description: 'Leverage the results of control assessments performed by [Assignment:
        organization-defined external organization] on [Assignment: organization-defined
        system] when the assessment meets [Assignment: organization-defined requirements].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-3
      name: Information Exchange
      description: "a. Approve and manage the exchange of information between the\
        \ system and other systems using [Selection (one or more): interconnection\
        \ security agreements; information exchange security agreements; memoranda\
        \ of understanding or agreement; service level agreements; user agreements;\
        \ nondisclosure agreements; [Assignment: organization-defined type of agreement]];\n\
        \ b. Document, as part of each exchange agreement, the interface characteristics,\
        \ security and privacy requirements, controls, and responsibilities for each\
        \ system, and the impact level of the information communicated; and\n c. Review\
        \ and update the agreements [Assignment: organization-defined frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-3-(6)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-3 (6)
      name: Information Exchange | Transfer Authorizations
      description: Verify that individuals or systems transferring data between interconnecting
        systems have the requisite authorizations (i.e., write permissions or privileges)
        prior to accepting such data.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-5
      name: Plan of Action and Milestones
      description: "a. Develop a plan of action and milestones for the system to document\
        \ the planned remediation actions of the organization to correct weaknesses\
        \ or deficiencies noted during the assessment of the controls and to reduce\
        \ or eliminate known vulnerabilities in the system; and\n b. Update existing\
        \ plan of action and milestones [Assignment: organization-defined frequency]\
        \ based on the findings from control assessments, independent audits or reviews,\
        \ and continuous monitoring activities."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-6
      name: Authorization
      description: "a. Assign a senior official as the authorizing official for the\
        \ system;\n b. Assign a senior official as the authorizing official for common\
        \ controls available for inheritance by organizational systems;\n c. Ensure\
        \ that the authorizing official for the system, before commencing operations:\n\
        \ 1. Accepts the use of common controls inherited by the system; and\n 2.\
        \ Authorizes the system to operate;\n d. Ensure that the authorizing official\
        \ for common controls authorizes the use of those controls for inheritance\
        \ by organizational systems;\n e. Update the authorizations [Assignment: organization-defined\
        \ frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-7
      name: Continuous Monitoring
      description: "Develop a system-level continuous monitoring strategy and implement\
        \ continuous monitoring in accordance with the organization-level continuous\
        \ monitoring strategy that includes:\n a. Establishing the following system-level\
        \ metrics to be monitored: [Assignment: organization-defined system-level\
        \ metrics];\n b. Establishing [Assignment: organization-defined frequencies]\
        \ for monitoring and [Assignment: organization-defined frequencies] for assessment\
        \ of control effectiveness;\n c. Ongoing control assessments in accordance\
        \ with the continuous monitoring strategy;\n d. Ongoing monitoring of system\
        \ and organization-defined metrics in accordance with the continuous monitoring\
        \ strategy;\n e. Correlation and analysis of information generated by control\
        \ assessments and monitoring;\n f. Response actions to address results of\
        \ the analysis of control assessment and monitoring information; and\n g.\
        \ Reporting the security and privacy status of the system to [Assignment:\
        \ organization-defined personnel or roles] [Assignment: organization-defined\
        \ frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-7-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-7 (1)
      name: Continuous Monitoring | Independent Assessment
      description: Employ independent assessors or assessment teams to monitor the
        controls in the system on an ongoing basis.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-7-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-7 (4)
      name: Continuous Monitoring | Risk Monitoring
      description: "Ensure risk monitoring is an integral part of the continuous monitoring\
        \ strategy that includes the following:\n (a) Effectiveness monitoring;\n\
        \ (b) Compliance monitoring; and\n (c) Change monitoring."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-8
      name: Penetration Testing
      description: 'Conduct penetration testing [Assignment: organization-defined
        frequency] on [Assignment: organization-defined systems or system components].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-8-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-8 (1)
      name: Penetration Testing | Independent Penetration Testing Agent or Team
      description: Employ an independent penetration testing agent or team to perform
        penetration testing on the system or system components.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-8-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-8 (2)
      name: Penetration Testing | Red Team Exercises
      description: 'Employ the following red-team exercises to simulate attempts by
        adversaries to compromise organizational systems in accordance with applicable
        rules of engagement: [Assignment: organization-defined red team exercises].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ca-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node88
      ref_id: CA-9
      name: Internal System Connections
      description: "a. Authorize internal connections of [Assignment: organization-defined\
        \ system components or classes of components] to the system;\n b. Document,\
        \ for each internal connection, the interface characteristics, security and\
        \ privacy requirements, and the nature of the information communicated;\n\
        \ c. Terminate internal system connections after [Assignment: organization-defined\
        \ conditions]; and\n d. Review [Assignment: organization-defined frequency]\
        \ the continued need for each internal connection."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      assessable: false
      depth: 1
      name: CONFIGURATION MANAGEMENT
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] configuration management policy\
        \ that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the configuration management policy and\
        \ the associated configuration management controls;\n b. Designate an [Assignment:\
        \ organization-defined official] to manage the development, documentation,\
        \ and dissemination of the configuration management policy and procedures;\
        \ and\n c. Review and update the current configuration management:\n 1. Policy\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]; and\n 2. Procedures [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-2
      name: Baseline Configuration
      description: "a. Develop, document, and maintain under configuration control,\
        \ a current baseline configuration of the system; and\n b. Review and update\
        \ the baseline configuration of the system:\n 1. [Assignment: organization-defined\
        \ frequency];\n 2. When required due to [Assignment: organization-defined\
        \ circumstances]; and\n 3. When system components are installed or upgraded."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-2 (2)
      name: Baseline Configuration | Automation Support for Accuracy and Currency
      description: 'Maintain the currency, completeness, accuracy, and availability
        of the baseline configuration of the system using [Assignment: organization-defined
        automated mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-2-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-2 (3)
      name: Baseline Configuration | Retention of Previous Configurations
      description: 'Retain [Assignment: organization-defined number] of previous versions
        of baseline configurations of the system to support rollback.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-2-(7)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-2 (7)
      name: Baseline Configuration | Configure Systems and Components for High-risk
        Areas
      description: " (a) Issue [Assignment: organization-defined systems or system\
        \ components] with [Assignment: organization-defined configurations] to individuals\
        \ traveling to locations that the organization deems to be of significant\
        \ risk; and\n (b) Apply the following controls to the systems or components\
        \ when the individuals return from travel: [Assignment: organization-defined\
        \ controls]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-3
      name: Configuration Change Control
      description: "a. Determine and document the types of changes to the system that\
        \ are configuration-controlled;\n b. Review proposed configuration-controlled\
        \ changes to the system and approve or disapprove such changes with explicit\
        \ consideration for security and privacy impact analyses;\n c. Document configuration\
        \ change decisions associated with the system;\n d. Implement approved configuration-controlled\
        \ changes to the system;\n e. Retain records of configuration-controlled changes\
        \ to the system for [Assignment: organization-defined time period];\n f. Monitor\
        \ and review activities associated with configuration-controlled changes to\
        \ the system; and\n g. Coordinate and provide oversight for configuration\
        \ change control activities through [Assignment: organization-defined configuration\
        \ change control element] that convenes [Selection (one or more): [Assignment:\
        \ organization-defined frequency]; when [Assignment: organization-defined\
        \ configuration change conditions]]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-3-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-3 (1)
      name: Configuration Change Control | Automated Documentation, Notification,
        and Prohibition of Changes
      description: "Use [Assignment: organization-defined automated mechanisms] to:\n\
        \ (a) Document proposed changes to the system;\n (b) Notify [Assignment: organization-defined\
        \ approval authorities] of proposed changes to the system and request change\
        \ approval;\n (c) Highlight proposed changes to the system that have not been\
        \ approved or disapproved within [Assignment: organization-defined time period];\n\
        \ (d) Prohibit changes to the system until designated approvals are received;\n\
        \ (e) Document all changes to the system; and\n (f) Notify [Assignment: organization-defined\
        \ personnel] when approved changes to the system are completed."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-3-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-3 (2)
      name: Configuration Change Control | Testing, Validation, and Documentation
        of Changes
      description: Test, validate, and document changes to the system before finalizing
        the implementation of the changes.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-3-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-3 (4)
      name: Configuration Change Control | Security and Privacy Representatives
      description: 'Require [Assignment: organization-defined security and privacy
        representatives] to be members of the [Assignment: organization-defined configuration
        change control element].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-3-(6)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-3 (6)
      name: Configuration Change Control | Cryptography Management
      description: 'Ensure that cryptographic mechanisms used to provide the following
        controls are under configuration management: [Assignment: organization-defined
        controls].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-4
      name: Impact Analyses
      description: Analyze changes to the system to determine potential security and
        privacy impacts prior to change implementation.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-4-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-4 (1)
      name: Impact Analyses | Separate Test Environments
      description: Analyze changes to the system in a separate test environment before
        implementation in an operational environment, looking for security and privacy
        impacts due to flaws, weaknesses, incompatibility, or intentional malice.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-4-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-4 (2)
      name: Impact Analyses | Verification of Controls
      description: After system changes, verify that the impacted controls are implemented
        correctly, operating as intended, and producing the desired outcome with regard
        to meeting the security and privacy requirements for the system.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-5
      name: Access Restrictions for Change
      description: Define, document, approve, and enforce physical and logical access
        restrictions associated with changes to the system.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-5-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-5 (1)
      name: Access Restrictions for Change | Automated Access Enforcement and Audit
        Records
      description: " (a) Enforce access restrictions using [Assignment: organization-defined\
        \ automated mechanisms]; and \n (b) Automatically generate audit records of\
        \ the enforcement actions."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-5-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-5 (5)
      name: Access Restrictions for Change | Privilege Limitation for Production and
        Operation
      description: " (a) Limit privileges to change system components and system-related\
        \ information within a production or operational environment; and\n (b) Review\
        \ and reevaluate privileges [Assignment: organization-defined frequency]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-6
      name: Configuration Settings
      description: "a. Establish and document configuration settings for components\
        \ employed within the system that reflect the most restrictive mode consistent\
        \ with operational requirements using [Assignment: organization-defined common\
        \ secure configurations];\n b. Implement the configuration settings;\n c.\
        \ Identify, document, and approve any deviations from established configuration\
        \ settings for [Assignment: organization-defined system components] based\
        \ on [Assignment: organization-defined operational requirements]; and\n d.\
        \ Monitor and control changes to the configuration settings in accordance\
        \ with organizational policies and procedures."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-6-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-6 (1)
      name: Configuration Settings | Automated Management, Application, and Verification
      description: 'Manage, apply, and verify configuration settings for [Assignment:
        organization-defined system components] using [Assignment: organization-defined
        automated mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-6-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-6 (2)
      name: Configuration Settings | Respond to Unauthorized Changes
      description: 'Take the following actions in response to unauthorized changes
        to [Assignment: organization-defined configuration settings]: [Assignment:
        organization-defined actions].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-7
      name: Least Functionality
      description: "a. Configure the system to provide only [Assignment: organization-defined\
        \ mission essential capabilities]; and\n b. Prohibit or restrict the use of\
        \ the following functions, ports, protocols, software, and/or services: [Assignment:\
        \ organization-defined prohibited or restricted functions, system ports, protocols,\
        \ software, and/or services]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-7-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-7 (1)
      name: Least Functionality | Periodic Review
      description: " (a) Review the system [Assignment: organization-defined frequency]\
        \ to identify unnecessary and/or nonsecure functions, ports, protocols, software,\
        \ and services; and\n (b) Disable or remove [Assignment: organization-defined\
        \ functions, ports, protocols, software, and services within the system deemed\
        \ to be unnecessary and/or nonsecure]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-7-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-7 (2)
      name: Least Functionality | Prevent Program Execution
      description: 'Prevent program execution in accordance with [Selection (one or
        more): [Assignment: organization-defined policies, rules of behavior, and/or
        access agreements regarding software program usage and restrictions]; rules
        authorizing the terms and conditions of software program usage].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-7-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-7 (5)
      name: "Least Functionality | Authorized Software \u2014 Allow-by-exception"
      description: " (a) Identify [Assignment: organization-defined software programs\
        \ authorized to execute on the system];\n (b) Employ a deny-all, permit-by-exception\
        \ policy to allow the execution of authorized software programs on the system;\
        \ and\n (c) Review and update the list of authorized software programs [Assignment:\
        \ organization-defined frequency]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-8
      name: System Component Inventory
      description: "a. Develop and document an inventory of system components that:\n\
        \ 1. Accurately reflects the system;\n 2. Includes all components within the\
        \ system;\n 3. Does not include duplicate accounting of components or components\
        \ assigned to any other system;\n 4. Is at the level of granularity deemed\
        \ necessary for tracking and reporting; and\n 5. Includes the following information\
        \ to achieve system component accountability: [Assignment: organization-defined\
        \ information deemed necessary to achieve effective system component accountability];\
        \ and\n b. Review and update the system component inventory [Assignment: organization-defined\
        \ frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-8-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-8 (1)
      name: System Component Inventory | Updates During Installation and Removal
      description: Update the inventory of system components as part of component
        installations, removals, and system updates.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-8-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-8 (2)
      name: System Component Inventory | Automated Maintenance
      description: 'Maintain the currency, completeness, accuracy, and availability
        of the inventory of system components using [Assignment: organization-defined
        automated mechanisms].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-8-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-8 (3)
      name: System Component Inventory | Automated Unauthorized Component Detection
      description: " (a) Detect the presence of unauthorized hardware, software, and\
        \ firmware components within the system using [Assignment: organization-defined\
        \ automated mechanisms] [Assignment: organization-defined frequency]; and\n\
        \ (b) Take the following actions when unauthorized components are detected:\
        \ [Selection (one or more): disable network access by such components; isolate\
        \ the components; notify [Assignment: organization-defined personnel or roles]]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-8-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-8 (4)
      name: System Component Inventory | Accountability Information
      description: 'Include in the system component inventory information, a means
        for identifying by [Selection (one or more): name; position; role], individuals
        responsible and accountable for administering those components.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-9
      name: Configuration Management Plan
      description: "Develop, document, and implement a configuration management plan\
        \ for the system that:\n a. Addresses roles, responsibilities, and configuration\
        \ management processes and procedures;\n b. Establishes a process for identifying\
        \ configuration items throughout the system development life cycle and for\
        \ managing the configuration of the configuration items;\n c. Defines the\
        \ configuration items for the system and places the configuration items under\
        \ configuration management;\n d. Is reviewed and approved by [Assignment:\
        \ organization-defined personnel or roles]; and\n e. Protects the configuration\
        \ management plan from unauthorized disclosure and modification."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-10
      name: Software Usage Restrictions
      description: "a. Use software and associated documentation in accordance with\
        \ contract agreements and copyright laws;\n b. Track the use of software and\
        \ associated documentation protected by quantity licenses to control copying\
        \ and distribution; and\n c. Control and document the use of peer-to-peer\
        \ file sharing technology to ensure that this capability is not used for the\
        \ unauthorized distribution, display, performance, or reproduction of copyrighted\
        \ work."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-11
      name: User-installed Software
      description: "a. Establish [Assignment: organization-defined policies] governing\
        \ the installation of software by users;\n b. Enforce software installation\
        \ policies through the following methods: [Assignment: organization-defined\
        \ methods]; and\n c. Monitor policy compliance [Assignment: organization-defined\
        \ frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-12
      name: Information Location
      description: "a. Identify and document the location of [Assignment: organization-defined\
        \ information] and the specific system components on which the information\
        \ is processed and stored;\n b. Identify and document the users who have access\
        \ to the system and system components where the information is processed and\
        \ stored; and\n c. Document changes to the location (i.e., system or system\
        \ components) where the information is processed and stored."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-12-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-12 (1)
      name: Information Location | Automated Tools to Support Information Location
      description: 'Use automated tools to identify [Assignment: organization-defined
        information by information type] on [Assignment: organization-defined system
        components] to ensure controls are in place to protect organizational information
        and individual privacy.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cm-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node105
      ref_id: CM-14
      name: Signed Components
      description: 'Prevent the installation of [Assignment: organization-defined
        software and firmware components] without verification that the component
        has been digitally signed using a certificate that is recognized and approved
        by the organization.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      assessable: false
      depth: 1
      name: CONTINGENCY PLANNING
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] contingency planning policy\
        \ that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the contingency planning policy and the\
        \ associated contingency planning controls;\n b. Designate an [Assignment:\
        \ organization-defined official] to manage the development, documentation,\
        \ and dissemination of the contingency planning policy and procedures; and\n\
        \ c. Review and update the current contingency planning:\n 1. Policy [Assignment:\
        \ organization-defined frequency] and following [Assignment: organization-defined\
        \ events]; and\n 2. Procedures [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-2
      name: Contingency Plan
      description: "a. Develop a contingency plan for the system that:\n 1. Identifies\
        \ essential mission and business functions and associated contingency requirements;\n\
        \ 2. Provides recovery objectives, restoration priorities, and metrics;\n\
        \ 3. Addresses contingency roles, responsibilities, assigned individuals with\
        \ contact information;\n 4. Addresses maintaining essential mission and business\
        \ functions despite a system disruption, compromise, or failure; \n 5. Addresses\
        \ eventual, full system restoration without deterioration of the controls\
        \ originally planned and implemented;\n 6. Addresses the sharing of contingency\
        \ information; and\n 7. Is reviewed and approved by [Assignment: organization-defined\
        \ personnel or roles];\n b. Distribute copies of the contingency plan to [Assignment:\
        \ organization-defined key contingency personnel (identified by name and/or\
        \ by role) and organizational elements];\n c. Coordinate contingency planning\
        \ activities with incident handling activities;\n d. Review the contingency\
        \ plan for the system [Assignment: organization-defined frequency];\n e. Update\
        \ the contingency plan to address changes to the organization, system, or\
        \ environment of operation and problems encountered during contingency plan\
        \ implementation, execution, or testing;\n f. Communicate contingency plan\
        \ changes to [Assignment: organization-defined key contingency personnel (identified\
        \ by name and/or by role) and organizational elements];\n g. Incorporate lessons\
        \ learned from contingency plan testing, training, or actual contingency activities\
        \ into contingency testing and training; and\n h. Protect the contingency\
        \ plan from unauthorized disclosure and modification."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-2-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-2 (1)
      name: Contingency Plan | Coordinate with Related Plans
      description: Coordinate contingency plan development with organizational elements
        responsible for related plans.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-2 (2)
      name: Contingency Plan | Capacity Planning
      description: Conduct capacity planning so that necessary capacity for information
        processing, telecommunications, and environmental support exists during contingency
        operations.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-2-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-2 (3)
      name: Contingency Plan | Resume Mission and Business Functions
      description: 'Plan for the resumption of [Selection: all; essential] mission
        and business functions within [Assignment: organization-defined time period]
        of contingency plan activation.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-2-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-2 (5)
      name: Contingency Plan | Continue Mission and Business Functions
      description: 'Plan for the continuance of [Selection: all; essential] mission
        and business functions with minimal or no loss of operational continuity and
        sustains that continuity until full system restoration at primary processing
        and/or storage sites.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-2-(8)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-2 (8)
      name: Contingency Plan | Identify Critical Assets
      description: 'Identify critical system assets supporting [Selection: all; essential]
        mission and business functions.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-3
      name: Contingency Training
      description: "a. Provide contingency training to system users consistent with\
        \ assigned roles and responsibilities: \n 1. Within [Assignment: organization-defined\
        \ time period] of assuming a contingency role or responsibility;\n 2. When\
        \ required by system changes; and\n 3. [Assignment: organization-defined frequency]\
        \ thereafter; and\n b. Review and update contingency training content [Assignment:\
        \ organization-defined frequency] and following [Assignment: organization-defined\
        \ events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-3-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-3 (1)
      name: Contingency Training | Simulated Events
      description: Incorporate simulated events into contingency training to facilitate
        effective response by personnel in crisis situations.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-4
      name: Contingency Plan Testing
      description: "a. Test the contingency plan for the system [Assignment: organization-defined\
        \ frequency] using the following tests to determine the effectiveness of the\
        \ plan and the readiness to execute the plan: [Assignment: organization-defined\
        \ tests].\n b. Review the contingency plan test results; and\n c. Initiate\
        \ corrective actions, if needed."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-4-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-4 (1)
      name: Contingency Plan Testing | Coordinate with Related Plans
      description: Coordinate contingency plan testing with organizational elements
        responsible for related plans.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-4-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-4 (2)
      name: Contingency Plan Testing | Alternate Processing Site
      description: "Test the contingency plan at the alternate processing site:\n\
        \ (a) To familiarize contingency personnel with the facility and available\
        \ resources; and\n (b) To evaluate the capabilities of the alternate processing\
        \ site to support contingency operations."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-6
      name: Alternate Storage Site
      description: "a. Establish an alternate storage site, including necessary agreements\
        \ to permit the storage and retrieval of system backup information; and\n\
        \ b. Ensure that the alternate storage site provides controls equivalent to\
        \ that of the primary site."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-6-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-6 (1)
      name: Alternate Storage Site | Separation from Primary Site
      description: Identify an alternate storage site that is sufficiently separated
        from the primary storage site to reduce susceptibility to the same threats.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-6-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-6 (2)
      name: Alternate Storage Site | Recovery Time and Recovery Point Objectives
      description: Configure the alternate storage site to facilitate recovery operations
        in accordance with recovery time and recovery point objectives.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-6-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-6 (3)
      name: Alternate Storage Site | Accessibility
      description: Identify potential accessibility problems to the alternate storage
        site in the event of an area-wide disruption or disaster and outline explicit
        mitigation actions.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-7
      name: Alternate Processing Site
      description: "a. Establish an alternate processing site, including necessary\
        \ agreements to permit the transfer and resumption of [Assignment: organization-defined\
        \ system operations] for essential mission and business functions within [Assignment:\
        \ organization-defined time period consistent with recovery time and recovery\
        \ point objectives] when the primary processing capabilities are unavailable;\n\
        \ b. Make available at the alternate processing site, the equipment and supplies\
        \ required to transfer and resume operations or put contracts in place to\
        \ support delivery to the site within the organization-defined time period\
        \ for transfer and resumption; and\n c. Provide controls at the alternate\
        \ processing site that are equivalent to those at the primary site."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-7-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-7 (1)
      name: Alternate Processing Site | Separation from Primary Site
      description: Identify an alternate processing site that is sufficiently separated
        from the primary processing site to reduce susceptibility to the same threats.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-7-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-7 (2)
      name: Alternate Processing Site | Accessibility
      description: Identify potential accessibility problems to alternate processing
        sites in the event of an area-wide disruption or disaster and outlines explicit
        mitigation actions.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-7-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-7 (3)
      name: Alternate Processing Site | Priority of Service
      description: Develop alternate processing site agreements that contain priority-of-service
        provisions in accordance with availability requirements (including recovery
        time objectives).
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-7-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-7 (4)
      name: Alternate Processing Site | Preparation for Use
      description: Prepare the alternate processing site so that the site can serve
        as the operational site supporting essential mission and business functions.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-8
      name: Telecommunications Services
      description: 'Establish alternate telecommunications services, including necessary
        agreements to permit the resumption of [Assignment: organization-defined system
        operations] for essential mission and business functions within [Assignment:
        organization-defined time period] when the primary telecommunications capabilities
        are unavailable at either the primary or alternate processing or storage sites.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-8-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-8 (1)
      name: Telecommunications Services | Priority of Service Provisions
      description: " (a) Develop primary and alternate telecommunications service\
        \ agreements that contain priority-of-service provisions in accordance with\
        \ availability requirements (including recovery time objectives); and\n (b)\
        \ Request Telecommunications Service Priority for all telecommunications services\
        \ used for national security emergency preparedness if the primary and/or\
        \ alternate telecommunications services are provided by a common carrier."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-8-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-8 (2)
      name: Telecommunications Services | Single Points of Failure
      description: Obtain alternate telecommunications services to reduce the likelihood
        of sharing a single point of failure with primary telecommunications services.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-8-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-8 (3)
      name: Telecommunications Services | Separation of Primary and Alternate Providers
      description: Obtain alternate telecommunications services from providers that
        are separated from primary service providers to reduce susceptibility to the
        same threats.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-8-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-8 (4)
      name: Telecommunications Services | Provider Contingency Plan
      description: " (a) Require primary and alternate telecommunications service\
        \ providers to have contingency plans;\n (b) Review provider contingency plans\
        \ to ensure that the plans meet organizational contingency requirements; and\n\
        \ (c) Obtain evidence of contingency testing and training by providers [Assignment:\
        \ organization-defined frequency]."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-9
      name: System Backup
      description: "a. Conduct backups of user-level information contained in [Assignment:\
        \ organization-defined system components] [Assignment: organization-defined\
        \ frequency consistent with recovery time and recovery point objectives];\n\
        \ b. Conduct backups of system-level information contained in the system [Assignment:\
        \ organization-defined frequency consistent with recovery time and recovery\
        \ point objectives];\n c. Conduct backups of system documentation, including\
        \ security- and privacy-related documentation [Assignment: organization-defined\
        \ frequency consistent with recovery time and recovery point objectives];\
        \ and \n d. Protect the confidentiality, integrity, and availability of backup\
        \ information."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-9-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-9 (1)
      name: System Backup | Testing for Reliability and Integrity
      description: 'Test backup information [Assignment: organization-defined frequency]
        to verify media reliability and information integrity.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-9-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-9 (2)
      name: System Backup | Test Restoration Using Sampling
      description: Use a sample of backup information in the restoration of selected
        system functions as part of contingency plan testing.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-9-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-9 (3)
      name: System Backup | Separate Storage for Critical Information
      description: 'Store backup copies of [Assignment: organization-defined critical
        system software and other security-related information] in a separate facility
        or in a fire rated container that is not collocated with the operational system.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-9-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-9 (5)
      name: System Backup | Transfer to Alternate Storage Site
      description: 'Transfer system backup information to the alternate storage site
        [Assignment: organization-defined time period and transfer rate consistent
        with the recovery time and recovery point objectives].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-9-(8)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-9 (8)
      name: System Backup | Cryptographic Protection
      description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure
        and modification of [Assignment: organization-defined backup information].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-10
      name: System Recovery and Reconstitution
      description: 'Provide for the recovery and reconstitution of the system to a
        known state within [Assignment: organization-defined time period consistent
        with recovery time and recovery point objectives] after a disruption, compromise,
        or failure.'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-10-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-10 (2)
      name: System Recovery and Reconstitution | Transaction Recovery
      description: Implement transaction recovery for systems that are transaction-based.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:cp-10-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node140
      ref_id: CP-10 (4)
      name: System Recovery and Reconstitution | Restore Within Time Period
      description: 'Provide the capability to restore system components within [Assignment:
        organization-defined restoration time periods] from configuration-controlled
        and integrity-protected information representing a known, operational state
        for the components.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      assessable: false
      depth: 1
      name: IDENTIFICATION AND AUTHENTICATION
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] identification and authentication\
        \ policy that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the identification and authentication policy\
        \ and the associated identification and authentication controls;\n b. Designate\
        \ an [Assignment: organization-defined official] to manage the development,\
        \ documentation, and dissemination of the identification and authentication\
        \ policy and procedures; and\n c. Review and update the current identification\
        \ and authentication:\n 1. Policy [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]; and\n 2. Procedures\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-2
      name: Identification and Authentication (organizational Users)
      description: Uniquely identify and authenticate organizational users and associate
        that unique identification with processes acting on behalf of those users.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-2-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-2 (1)
      name: Identification and Authentication (organizational Users) | Multi-factor
        Authentication to Privileged Accounts
      description: Implement multi-factor authentication for access to privileged
        accounts.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-2 (2)
      name: Identification and Authentication (organizational Users) | Multi-factor
        Authentication to Non-privileged Accounts
      description: Implement multi-factor authentication for access to non-privileged
        accounts.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-2-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-2 (5)
      name: Identification and Authentication (organizational Users) | Individual
        Authentication with Group Authentication
      description: When shared accounts or authenticators are employed, require users
        to be individually authenticated before granting access to the shared accounts
        or resources.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-2-(6)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-2 (6)
      name: "Identification and Authentication (organizational Users) | Access to\
        \ Accounts \u2014separate Device"
      description: "Implement multi-factor authentication for [Selection (one or more):\
        \ local; network; remote] access to [Selection (one or more): privileged accounts;\
        \ non-privileged accounts] such that:\n (a) One of the factors is provided\
        \ by a device separate from the system gaining access; and\n (b) The device\
        \ meets [Assignment: organization-defined strength of mechanism requirements]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-2-(8)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-2 (8)
      name: "Identification and Authentication (organizational Users) | Access to\
        \ Accounts \u2014 Replay Resistant"
      description: 'Implement replay-resistant authentication mechanisms for access
        to [Selection (one or more): privileged accounts; non-privileged accounts].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-2-(12)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-2 (12)
      name: Identification and Authentication (organizational Users) | Acceptance
        of PIV Credentials
      description: Accept and electronically verify Personal Identity Verification-compliant
        credentials.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-3
      name: Device Identification and Authentication
      description: 'Uniquely identify and authenticate [Assignment: organization-defined
        devices and/or types of devices] before establishing a [Selection (one or
        more): local; remote; network] connection.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-4
      name: Identifier Management
      description: "Manage system identifiers by:\n a. Receiving authorization from\
        \ [Assignment: organization-defined personnel or roles] to assign an individual,\
        \ group, role, service, or device identifier;\n b. Selecting an identifier\
        \ that identifies an individual, group, role, service, or device;\n c. Assigning\
        \ the identifier to the intended individual, group, role, service, or device;\
        \ and\n d. Preventing reuse of identifiers for [Assignment: organization-defined\
        \ time period]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-4-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-4 (4)
      name: Identifier Management | Identify User Status
      description: 'Manage individual identifiers by uniquely identifying each individual
        as [Assignment: organization-defined characteristic identifying individual
        status].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-5
      name: Authenticator Management
      description: "Manage system authenticators by:\n a. Verifying, as part of the\
        \ initial authenticator distribution, the identity of the individual, group,\
        \ role, service, or device receiving the authenticator;\n b. Establishing\
        \ initial authenticator content for any authenticators issued by the organization;\n\
        \ c. Ensuring that authenticators have sufficient strength of mechanism for\
        \ their intended use;\n d. Establishing and implementing administrative procedures\
        \ for initial authenticator distribution, for lost or compromised or damaged\
        \ authenticators, and for revoking authenticators;\n e. Changing default authenticators\
        \ prior to first use;\n f. Changing or refreshing authenticators [Assignment:\
        \ organization-defined time period by authenticator type] or when [Assignment:\
        \ organization-defined events] occur;\n g. Protecting authenticator content\
        \ from unauthorized disclosure and modification;\n h. Requiring individuals\
        \ to take, and having devices implement, specific controls to protect authenticators;\
        \ and\n i. Changing authenticators for group or role accounts when membership\
        \ to those accounts changes."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-5-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-5 (1)
      name: Authenticator Management | Password-based Authentication
      description: "For password-based authentication:\n (a) Maintain a list of commonly-used,\
        \ expected, or compromised passwords and update the list [Assignment: organization-defined\
        \ frequency] and when organizational passwords are suspected to have been\
        \ compromised directly or indirectly;\n (b) Verify, when users create or update\
        \ passwords, that the passwords are not found on the list of commonly-used,\
        \ expected, or compromised passwords in IA-5 (1) (a);\n (c) Transmit passwords\
        \ only over cryptographically-protected channels;\n (d) Store passwords using\
        \ an approved salted key derivation function, preferably using a keyed hash;\n\
        \ (e) Require immediate selection of a new password upon account recovery;\n\
        \ (f) Allow user selection of long passwords and passphrases, including spaces\
        \ and all printable characters;\n (g) Employ automated tools to assist the\
        \ user in selecting strong password authenticators; and\n (h) Enforce the\
        \ following composition and complexity rules: [Assignment: organization-defined\
        \ composition and complexity rules]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-5-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-5 (2)
      name: Authenticator Management | Public Key-based Authentication
      description: " (a) For public key-based authentication:\n (1) Enforce authorized\
        \ access to the corresponding private key; and\n (2) Map the authenticated\
        \ identity to the account of the individual or group; and\n (b) When public\
        \ key infrastructure (PKI) is used:\n (1) Validate certificates by constructing\
        \ and verifying a certification path to an accepted trust anchor, including\
        \ checking certificate status information; and\n (2) Implement a local cache\
        \ of revocation data to support path discovery and validation."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-5-(6)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-5 (6)
      name: Authenticator Management | Protection of Authenticators
      description: Protect authenticators commensurate with the security category
        of the information to which use of the authenticator permits access.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-5-(7)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-5 (7)
      name: Authenticator Management | No Embedded Unencrypted Static Authenticators
      description: Ensure that unencrypted static authenticators are not embedded
        in applications or other forms of static storage.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-5-(8)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-5 (8)
      name: Authenticator Management | Multiple System Accounts
      description: 'Implement [Assignment: organization-defined security controls]
        to manage the risk of compromise due to individuals having accounts on multiple
        systems.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-5-(13)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-5 (13)
      name: Authenticator Management | Expiration of Cached Authenticators
      description: 'Prohibit the use of cached authenticators after [Assignment: organization-defined
        time period].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-6
      name: Authentication Feedback
      description: Obscure feedback of authentication information during the authentication
        process to protect the information from possible exploitation and use by unauthorized
        individuals.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-7
      name: Cryptographic Module Authentication
      description: Implement mechanisms for authentication to a cryptographic module
        that meet the requirements of applicable laws, executive orders, directives,
        policies, regulations, standards, and guidelines for such authentication.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-8
      name: Identification and Authentication (non-organizational Users)
      description: Uniquely identify and authenticate non-organizational users or
        processes acting on behalf of non-organizational users.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-8-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-8 (1)
      name: Identification and Authentication (non-organizational Users) | Acceptance
        of PIV Credentials from Other Agencies
      description: Accept and electronically verify Personal Identity Verification-compliant
        credentials from other federal agencies.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-8-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-8 (2)
      name: Identification and Authentication (non-organizational Users) | Acceptance
        of External Authenticators
      description: " (a) Accept only external authenticators that are NIST-compliant;\
        \ and\n (b) Document and maintain a list of accepted external authenticators."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-8-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-8 (4)
      name: Identification and Authentication (non-organizational Users) | Use of
        Defined Profiles
      description: 'Conform to the following profiles for identity management [Assignment:
        organization-defined identity management profiles].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-11
      name: Re-authentication
      description: 'Require users to re-authenticate when [Assignment: organization-defined
        circumstances or situations requiring re-authentication].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-12
      name: Identity Proofing
      description: "a. Identity proof users that require accounts for logical access\
        \ to systems based on appropriate identity assurance level requirements as\
        \ specified in applicable standards and guidelines; \n b. Resolve user identities\
        \ to a unique individual; and\n c. Collect, validate, and verify identity\
        \ evidence."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-12-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-12 (2)
      name: Identity Proofing | Identity Evidence
      description: Require evidence of individual identification be presented to the
        registration authority.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-12-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-12 (3)
      name: Identity Proofing | Identity Evidence Validation and Verification
      description: 'Require that the presented identity evidence be validated and
        verified through [Assignment: organizational defined methods of validation
        and verification].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-12-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-12 (4)
      name: Identity Proofing | In-person Validation and Verification
      description: Require that the validation and verification of identity evidence
        be conducted in person before a designated registration authority.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ia-12-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node176
      ref_id: IA-12 (5)
      name: Identity Proofing | Address Confirmation
      description: 'Require that a [Selection: registration code; notice of proofing]
        be delivered through an out-of-band channel to verify the users address (physical
        or digital) of record.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      assessable: false
      depth: 1
      name: INCIDENT RESPONSE
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] incident response policy that:\n\
        \ (a) Addresses purpose, scope, roles, responsibilities, management commitment,\
        \ coordination among organizational entities, and compliance; and\n (b) Is\
        \ consistent with applicable laws, executive orders, directives, regulations,\
        \ policies, standards, and guidelines; and\n 2. Procedures to facilitate the\
        \ implementation of the incident response policy and the associated incident\
        \ response controls;\n b. Designate an [Assignment: organization-defined official]\
        \ to manage the development, documentation, and dissemination of the incident\
        \ response policy and procedures; and\n c. Review and update the current incident\
        \ response:\n 1. Policy [Assignment: organization-defined frequency] and following\
        \ [Assignment: organization-defined events]; and\n 2. Procedures [Assignment:\
        \ organization-defined frequency] and following [Assignment: organization-defined\
        \ events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-2
      name: Incident Response Training
      description: "a. Provide incident response training to system users consistent\
        \ with assigned roles and responsibilities:\n 1. Within [Assignment: organization-defined\
        \ time period] of assuming an incident response role or responsibility or\
        \ acquiring system access;\n 2. When required by system changes; and\n 3.\
        \ [Assignment: organization-defined frequency] thereafter; and\n b. Review\
        \ and update incident response training content [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-2-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-2 (1)
      name: Incident Response Training | Simulated Events
      description: Incorporate simulated events into incident response training to
        facilitate the required response by personnel in crisis situations.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-2 (2)
      name: Incident Response Training | Automated Training Environments
      description: 'Provide an incident response training environment using [Assignment:
        organization-defined automated mechanisms].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-3
      name: Incident Response Testing
      description: 'Test the effectiveness of the incident response capability for
        the system [Assignment: organization-defined frequency] using the following
        tests: [Assignment: organization-defined tests].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-3-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-3 (2)
      name: Incident Response Testing | Coordination with Related Plans
      description: Coordinate incident response testing with organizational elements
        responsible for related plans.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-4
      name: Incident Handling
      description: "a. Implement an incident handling capability for incidents that\
        \ is consistent with the incident response plan and includes preparation,\
        \ detection and analysis, containment, eradication, and recovery;\n b. Coordinate\
        \ incident handling activities with contingency planning activities;\n c.\
        \ Incorporate lessons learned from ongoing incident handling activities into\
        \ incident response procedures, training, and testing, and implement the resulting\
        \ changes accordingly; and\n d. Ensure the rigor, intensity, scope, and results\
        \ of incident handling activities are comparable and predictable across the\
        \ organization."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-4-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-4 (1)
      name: Incident Handling | Automated Incident Handling Processes
      description: 'Support the incident handling process using [Assignment: organization-defined
        automated mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-4-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-4 (2)
      name: Incident Handling | Dynamic Reconfiguration
      description: 'Include the following types of dynamic reconfiguration for [Assignment:
        organization-defined system components] as part of the incident response capability:
        [Assignment: organization-defined types of dynamic reconfiguration].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-4-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-4 (4)
      name: Incident Handling | Information Correlation
      description: Correlate incident information and individual incident responses
        to achieve an organization-wide perspective on incident awareness and response.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-4-(6)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-4 (6)
      name: Incident Handling | Insider Threats
      description: Implement an incident handling capability for incidents involving
        insider threats.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-4-(11)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-4 (11)
      name: Incident Handling | Integrated Incident Response Team
      description: 'Establish and maintain an integrated incident response team that
        can be deployed to any location identified by the organization in [Assignment:
        organization-defined time period].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-5
      name: Incident Monitoring
      description: Track and document incidents.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-5-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-5 (1)
      name: Incident Monitoring | Automated Tracking, Data Collection, and Analysis
      description: 'Track incidents and collect and analyze incident information using
        [Assignment: organization-defined automated mechanisms].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-6
      name: Incident Reporting
      description: "a. Require personnel to report suspected incidents to the organizational\
        \ incident response capability within [Assignment: organization-defined time\
        \ period]; and\n b. Report incident information to [Assignment: organization-defined\
        \ authorities]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-6-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-6 (1)
      name: Incident Reporting | Automated Reporting
      description: 'Report incidents using [Assignment: organization-defined automated
        mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-6-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-6 (3)
      name: Incident Reporting | Supply Chain Coordination
      description: Provide incident information to the provider of the product or
        service and other organizations involved in the supply chain or supply chain
        governance for systems or system components related to the incident.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-7
      name: Incident Response Assistance
      description: Provide an incident response support resource, integral to the
        organizational incident response capability, that offers advice and assistance
        to users of the system for the handling and reporting of incidents.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-7-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-7 (1)
      name: Incident Response Assistance | Automation Support for Availability of
        Information and Support
      description: 'Increase the availability of incident response information and
        support using [Assignment: organization-defined automated mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-8
      name: Incident Response Plan
      description: "a. Develop an incident response plan that:\n 1. Provides the organization\
        \ with a roadmap for implementing its incident response capability;\n 2. Describes\
        \ the structure and organization of the incident response capability;\n 3.\
        \ Provides a high-level approach for how the incident response capability\
        \ fits into the overall organization;\n 4. Meets the unique requirements of\
        \ the organization, which relate to mission, size, structure, and functions;\n\
        \ 5. Defines reportable incidents;\n 6. Provides metrics for measuring the\
        \ incident response capability within the organization;\n 7. Defines the resources\
        \ and management support needed to effectively maintain and mature an incident\
        \ response capability;\n 8. Addresses the sharing of incident information;\n\
        \ 9. Is reviewed and approved by [Assignment: organization-defined personnel\
        \ or roles] [Assignment: organization-defined frequency]; and\n 10. Explicitly\
        \ designates responsibility for incident response to [Assignment: organization-defined\
        \ entities, personnel, or roles].\n b. Distribute copies of the incident response\
        \ plan to [Assignment: organization-defined incident response personnel (identified\
        \ by name and/or by role) and organizational elements];\n c. Update the incident\
        \ response plan to address system and organizational changes or problems encountered\
        \ during plan implementation, execution, or testing;\n d. Communicate incident\
        \ response plan changes to [Assignment: organization-defined incident response\
        \ personnel (identified by name and/or by role) and organizational elements];\
        \ and\n e. Protect the incident response plan from unauthorized disclosure\
        \ and modification."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-9
      name: Information Spillage Response
      description: "Respond to information spills by:\n a. Assigning [Assignment:\
        \ organization-defined personnel or roles] with responsibility for responding\
        \ to information spills;\n b. Identifying the specific information involved\
        \ in the system contamination;\n c. Alerting [Assignment: organization-defined\
        \ personnel or roles] of the information spill using a method of communication\
        \ not associated with the spill;\n d. Isolating the contaminated system or\
        \ system component;\n e. Eradicating the information from the contaminated\
        \ system or component;\n f. Identifying other systems or system components\
        \ that may have been subsequently contaminated; and\n g. Performing the following\
        \ additional actions: [Assignment: organization-defined actions]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-9-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-9 (2)
      name: Information Spillage Response | Training
      description: 'Provide information spillage response training [Assignment: organization-defined
        frequency].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-9-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-9 (3)
      name: Information Spillage Response | Post-spill Operations
      description: 'Implement the following procedures to ensure that organizational
        personnel impacted by information spills can continue to carry out assigned
        tasks while contaminated systems are undergoing corrective actions: [Assignment:
        organization-defined procedures].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ir-9-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node207
      ref_id: IR-9 (4)
      name: Information Spillage Response | Exposure to Unauthorized Personnel
      description: 'Employ the following controls for personnel exposed to information
        not within assigned access authorizations: [Assignment: organization-defined
        controls].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      assessable: false
      depth: 1
      name: MAINTENANCE
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] maintenance policy that:\n\
        \ (a) Addresses purpose, scope, roles, responsibilities, management commitment,\
        \ coordination among organizational entities, and compliance; and\n (b) Is\
        \ consistent with applicable laws, executive orders, directives, regulations,\
        \ policies, standards, and guidelines; and\n 2. Procedures to facilitate the\
        \ implementation of the maintenance policy and the associated maintenance\
        \ controls;\n b. Designate an [Assignment: organization-defined official]\
        \ to manage the development, documentation, and dissemination of the maintenance\
        \ policy and procedures; and\n c. Review and update the current maintenance:\n\
        \ 1. Policy [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]; and\n 2. Procedures [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-2
      name: Controlled Maintenance
      description: "a. Schedule, document, and review records of maintenance, repair,\
        \ and replacement on system components in accordance with manufacturer or\
        \ vendor specifications and/or organizational requirements;\n b. Approve and\
        \ monitor all maintenance activities, whether performed on site or remotely\
        \ and whether the system or system components are serviced on site or removed\
        \ to another location;\n c. Require that [Assignment: organization-defined\
        \ personnel or roles] explicitly approve the removal of the system or system\
        \ components from organizational facilities for off-site maintenance, repair,\
        \ or replacement;\n d. Sanitize equipment to remove the following information\
        \ from associated media prior to removal from organizational facilities for\
        \ off-site maintenance, repair, or replacement: [Assignment: organization-defined\
        \ information];\n e. Check all potentially impacted controls to verify that\
        \ the controls are still functioning properly following maintenance, repair,\
        \ or replacement actions; and\n f. Include the following information in organizational\
        \ maintenance records: [Assignment: organization-defined information]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-2 (2)
      name: Controlled Maintenance | Automated Maintenance Activities
      description: " (a) Schedule, conduct, and document maintenance, repair, and\
        \ replacement actions for the system using [Assignment: organization-defined\
        \ automated mechanisms]; and\n (b) Produce up-to date, accurate, and complete\
        \ records of all maintenance, repair, and replacement actions requested, scheduled,\
        \ in process, and completed."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-3
      name: Maintenance Tools
      description: "a. Approve, control, and monitor the use of system maintenance\
        \ tools; and\n b. Review previously approved system maintenance tools [Assignment:\
        \ organization-defined frequency]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-3-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-3 (1)
      name: Maintenance Tools | Inspect Tools
      description: Inspect the maintenance tools used by maintenance personnel for
        improper or unauthorized modifications.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-3-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-3 (2)
      name: Maintenance Tools | Inspect Media
      description: Check media containing diagnostic and test programs for malicious
        code before the media are used in the system.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-3-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-3 (3)
      name: Maintenance Tools | Prevent Unauthorized Removal
      description: "Prevent the removal of maintenance equipment containing organizational\
        \ information by:\n (a) Verifying that there is no organizational information\
        \ contained on the equipment;\n (b) Sanitizing or destroying the equipment;\n\
        \ (c) Retaining the equipment within the facility; or\n (d) Obtaining an exemption\
        \ from [Assignment: organization-defined personnel or roles] explicitly authorizing\
        \ removal of the equipment from the facility."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-4
      name: Nonlocal Maintenance
      description: "a. Approve and monitor nonlocal maintenance and diagnostic activities;\n\
        \ b. Allow the use of nonlocal maintenance and diagnostic tools only as consistent\
        \ with organizational policy and documented in the security plan for the system;\n\
        \ c. Employ strong authentication in the establishment of nonlocal maintenance\
        \ and diagnostic sessions;\n d. Maintain records for nonlocal maintenance\
        \ and diagnostic activities; and\n e. Terminate session and network connections\
        \ when nonlocal maintenance is completed."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-4-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-4 (3)
      name: Nonlocal Maintenance | Comparable Security and Sanitization
      description: " (a) Require that nonlocal maintenance and diagnostic services\
        \ be performed from a system that implements a security capability comparable\
        \ to the capability implemented on the system being serviced; or\n (b) Remove\
        \ the component to be serviced from the system prior to nonlocal maintenance\
        \ or diagnostic services; sanitize the component (for organizational information);\
        \ and after the service is performed, inspect and sanitize the component (for\
        \ potentially malicious software) before reconnecting the component to the\
        \ system."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-5
      name: Maintenance Personnel
      description: "a. Establish a process for maintenance personnel authorization\
        \ and maintain a list of authorized maintenance organizations or personnel;\n\
        \ b. Verify that non-escorted personnel performing maintenance on the system\
        \ possess the required access authorizations; and\n c. Designate organizational\
        \ personnel with required access authorizations and technical competence to\
        \ supervise the maintenance activities of personnel who do not possess the\
        \ required access authorizations."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-5-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-5 (1)
      name: Maintenance Personnel | Individuals Without Appropriate Access
      description: " (a) Implement procedures for the use of maintenance personnel\
        \ that lack appropriate security clearances or are not U.S. citizens, that\
        \ include the following requirements:\n (1) Maintenance personnel who do not\
        \ have needed access authorizations, clearances, or formal access approvals\
        \ are escorted and supervised during the performance of maintenance and diagnostic\
        \ activities on the system by approved organizational personnel who are fully\
        \ cleared, have appropriate access authorizations, and are technically qualified;\
        \ and\n (2) Prior to initiating maintenance or diagnostic activities by personnel\
        \ who do not have needed access authorizations, clearances or formal access\
        \ approvals, all volatile information storage components within the system\
        \ are sanitized and all nonvolatile storage media are removed or physically\
        \ disconnected from the system and secured; and\n (b) Develop and implement\
        \ [Assignment: organization-defined alternate controls] in the event a system\
        \ component cannot be sanitized, removed, or disconnected from the system."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ma-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node232
      ref_id: MA-6
      name: Timely Maintenance
      description: 'Obtain maintenance support and/or spare parts for [Assignment:
        organization-defined system components] within [Assignment: organization-defined
        time period] of failure.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      assessable: false
      depth: 1
      name: MEDIA PROTECTION
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] media protection policy that:\n\
        \ (a) Addresses purpose, scope, roles, responsibilities, management commitment,\
        \ coordination among organizational entities, and compliance; and\n (b) Is\
        \ consistent with applicable laws, executive orders, directives, regulations,\
        \ policies, standards, and guidelines; and\n 2. Procedures to facilitate the\
        \ implementation of the media protection policy and the associated media protection\
        \ controls;\n b. Designate an [Assignment: organization-defined official]\
        \ to manage the development, documentation, and dissemination of the media\
        \ protection policy and procedures; and\n c. Review and update the current\
        \ media protection:\n 1. Policy [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]; and\n 2. Procedures\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-2
      name: Media Access
      description: 'Restrict access to [Assignment: organization-defined types of
        digital and/or non-digital media] to [Assignment: organization-defined personnel
        or roles].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-3
      name: Media Marking
      description: "a. Mark system media indicating the distribution limitations,\
        \ handling caveats, and applicable security markings (if any) of the information;\
        \ and\n b. Exempt [Assignment: organization-defined types of system media]\
        \ from marking if the media remain within [Assignment: organization-defined\
        \ controlled areas]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-4
      name: Media Storage
      description: "a. Physically control and securely store [Assignment: organization-defined\
        \ types of digital and/or non-digital media] within [Assignment: organization-defined\
        \ controlled areas]; and\n b. Protect system media types defined in MP-4a\
        \ until the media are destroyed or sanitized using approved equipment, techniques,\
        \ and procedures."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-5
      name: Media Transport
      description: "a. Protect and control [Assignment: organization-defined types\
        \ of system media] during transport outside of controlled areas using [Assignment:\
        \ organization-defined controls];\n b. Maintain accountability for system\
        \ media during transport outside of controlled areas;\n c. Document activities\
        \ associated with the transport of system media; and\n d. Restrict the activities\
        \ associated with the transport of system media to authorized personnel."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-6
      name: Media Sanitization
      description: "a. Sanitize [Assignment: organization-defined system media] prior\
        \ to disposal, release out of organizational control, or release for reuse\
        \ using [Assignment: organization-defined sanitization techniques and procedures];\
        \ and\n b. Employ sanitization mechanisms with the strength and integrity\
        \ commensurate with the security category or classification of the information."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-6-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-6 (1)
      name: Media Sanitization | Review, Approve, Track, Document, and Verify
      description: Review, approve, track, document, and verify media sanitization
        and disposal actions.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-6-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-6 (2)
      name: Media Sanitization | Equipment Testing
      description: 'Test sanitization equipment and procedures [Assignment: organization-defined
        frequency] to ensure that the intended sanitization is being achieved.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-6-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-6 (3)
      name: Media Sanitization | Nondestructive Techniques
      description: 'Apply nondestructive sanitization techniques to portable storage
        devices prior to connecting such devices to the system under the following
        circumstances: [Assignment: organization-defined circumstances requiring sanitization
        of portable storage devices].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:mp-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node245
      ref_id: MP-7
      name: Media Use
      description: "a. [Selection: Restrict; Prohibit] the use of [Assignment: organization-defined\
        \ types of system media] on [Assignment: organization-defined systems or system\
        \ components] using [Assignment: organization-defined controls]; and\n b.\
        \ Prohibit the use of portable storage devices in organizational systems when\
        \ such devices have no identifiable owner."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      assessable: false
      depth: 1
      name: PHYSICAL AND ENVIRONMENTAL PROTECTION
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] physical and environmental\
        \ protection policy that:\n (a) Addresses purpose, scope, roles, responsibilities,\
        \ management commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the physical and environmental protection\
        \ policy and the associated physical and environmental protection controls;\n\
        \ b. Designate an [Assignment: organization-defined official] to manage the\
        \ development, documentation, and dissemination of the physical and environmental\
        \ protection policy and procedures; and\n c. Review and update the current\
        \ physical and environmental protection:\n 1. Policy [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]; and\n\
        \ 2. Procedures [Assignment: organization-defined frequency] and following\
        \ [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-2
      name: Physical Access Authorizations
      description: "a. Develop, approve, and maintain a list of individuals with authorized\
        \ access to the facility where the system resides;\n b. Issue authorization\
        \ credentials for facility access;\n c. Review the access list detailing authorized\
        \ facility access by individuals [Assignment: organization-defined frequency];\
        \ and\n d. Remove individuals from the facility access list when access is\
        \ no longer required."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-3
      name: Physical Access Control
      description: "a. Enforce physical access authorizations at [Assignment: organization-defined\
        \ entry and exit points to the facility where the system resides] by:\n 1.\
        \ Verifying individual access authorizations before granting access to the\
        \ facility; and\n 2. Controlling ingress and egress to the facility using\
        \ [Selection (one or more): [Assignment: organization-defined physical access\
        \ control systems or devices]; guards];\n b. Maintain physical access audit\
        \ logs for [Assignment: organization-defined entry or exit points];\n c. Control\
        \ access to areas within the facility designated as publicly accessible by\
        \ implementing the following controls: [Assignment: organization-defined physical\
        \ access controls];\n d. Escort visitors and control visitor activity [Assignment:\
        \ organization-defined circumstances requiring visitor escorts and control\
        \ of visitor activity];\n e. Secure keys, combinations, and other physical\
        \ access devices;\n f. Inventory [Assignment: organization-defined physical\
        \ access devices] every [Assignment: organization-defined frequency]; and\n\
        \ g. Change combinations and keys [Assignment: organization-defined frequency]\
        \ and/or when keys are lost, combinations are compromised, or when individuals\
        \ possessing the keys or combinations are transferred or terminated."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-3-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-3 (1)
      name: Physical Access Control | System Access
      description: 'Enforce physical access authorizations to the system in addition
        to the physical access controls for the facility at [Assignment: organization-defined
        physical spaces containing one or more components of the system].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-4
      name: Access Control for Transmission
      description: 'Control physical access to [Assignment: organization-defined system
        distribution and transmission lines] within organizational facilities using
        [Assignment: organization-defined security controls].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-5
      name: Access Control for Output Devices
      description: 'Control physical access to output from [Assignment: organization-defined
        output devices] to prevent unauthorized individuals from obtaining the output.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-6
      name: Monitoring Physical Access
      description: "a. Monitor physical access to the facility where the system resides\
        \ to detect and respond to physical security incidents;\n b. Review physical\
        \ access logs [Assignment: organization-defined frequency] and upon occurrence\
        \ of [Assignment: organization-defined events or potential indications of\
        \ events]; and\n c. Coordinate results of reviews and investigations with\
        \ the organizational incident response capability."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-6-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-6 (1)
      name: Monitoring Physical Access | Intrusion Alarms and Surveillance Equipment
      description: Monitor physical access to the facility where the system resides
        using physical intrusion alarms and surveillance equipment.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-6-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-6 (4)
      name: Monitoring Physical Access | Monitoring Physical Access to Systems
      description: 'Monitor physical access to the system in addition to the physical
        access monitoring of the facility at [Assignment: organization-defined physical
        spaces containing one or more components of the system].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-8
      name: Visitor Access Records
      description: "a. Maintain visitor access records to the facility where the system\
        \ resides for [Assignment: organization-defined time period];\n b. Review\
        \ visitor access records [Assignment: organization-defined frequency]; and\n\
        \ c. Report anomalies in visitor access records to [Assignment: organization-defined\
        \ personnel]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-8-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-8 (1)
      name: Visitor Access Records | Automated Records Maintenance and Review
      description: 'Maintain and review visitor access records using [Assignment:
        organization-defined automated mechanisms].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-9
      name: Power Equipment and Cabling
      description: Protect power equipment and power cabling for the system from damage
        and destruction.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-10
      name: Emergency Shutoff
      description: "a. Provide the capability of shutting off power to [Assignment:\
        \ organization-defined system or individual system components] in emergency\
        \ situations;\n b. Place emergency shutoff switches or devices in [Assignment:\
        \ organization-defined location by system or system component] to facilitate\
        \ access for authorized personnel; and\n c. Protect emergency power shutoff\
        \ capability from unauthorized activation."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-11
      name: Emergency Power
      description: 'Provide an uninterruptible power supply to facilitate [Selection
        (one or more): an orderly shutdown of the system; transition of the system
        to long-term alternate power] in the event of a primary power source loss.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-11-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-11 (1)
      name: "Emergency Power | Alternate Power Supply \u2014 Minimal Operational Capability"
      description: 'Provide an alternate power supply for the system that is activated
        [Selection: manually; automatically] and that can maintain minimally required
        operational capability in the event of an extended loss of the primary power
        source.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-12
      name: Emergency Lighting
      description: Employ and maintain automatic emergency lighting for the system
        that activates in the event of a power outage or disruption and that covers
        emergency exits and evacuation routes within the facility.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-13
      name: Fire Protection
      description: Employ and maintain fire detection and suppression systems that
        are supported by an independent energy source.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-13-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-13 (1)
      name: "Fire Protection | Detection Systems \u2014 Automatic Activation and Notification"
      description: 'Employ fire detection systems that activate automatically and
        notify [Assignment: organization-defined personnel or roles] and [Assignment:
        organization-defined emergency responders] in the event of a fire.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-13-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-13 (2)
      name: "Fire Protection | Suppression Systems \u2014 Automatic Activation and\
        \ Notification"
      description: " (a) Employ fire suppression systems that activate automatically\
        \ and notify [Assignment: organization-defined personnel or roles] and [Assignment:\
        \ organization-defined emergency responders]; and\n (b) Employ an automatic\
        \ fire suppression capability when the facility is not staffed on a continuous\
        \ basis."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-14
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-14
      name: Environmental Controls
      description: "a. Maintain [Selection (one or more): temperature; humidity; pressure;\
        \ radiation; [Assignment: organization-defined environmental control]] levels\
        \ within the facility where the system resides at [Assignment: organization-defined\
        \ acceptable levels]; and\n b. Monitor environmental control levels [Assignment:\
        \ organization-defined frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-14-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-14 (2)
      name: Environmental Controls | Monitoring with Alarms and Notifications
      description: 'Employ environmental control monitoring that provides an alarm
        or notification of changes potentially harmful to personnel or equipment to
        [Assignment: organization-defined personnel or roles].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-15
      name: Water Damage Protection
      description: Protect the system from damage resulting from water leakage by
        providing master shutoff or isolation valves that are accessible, working
        properly, and known to key personnel.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-15-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-15 (1)
      name: Water Damage Protection | Automation Support
      description: 'Detect the presence of water near the system and alert [Assignment:
        organization-defined personnel or roles] using [Assignment: organization-defined
        automated mechanisms].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-16
      name: Delivery and Removal
      description: "a. Authorize and control [Assignment: organization-defined types\
        \ of system components] entering and exiting the facility; and\n b. Maintain\
        \ records of the system components."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-17
      name: Alternate Work Site
      description: "a. Determine and document the [Assignment: organization-defined\
        \ alternate work sites] allowed for use by employees;\n b. Employ the following\
        \ controls at alternate work sites: [Assignment: organization-defined controls];\n\
        \ c. Assess the effectiveness of controls at alternate work sites; and\n d.\
        \ Provide a means for employees to communicate with information security and\
        \ privacy personnel in case of incidents."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pe-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node256
      ref_id: PE-18
      name: Location of System Components
      description: 'Position system components within the facility to minimize potential
        damage from [Assignment: organization-defined physical and environmental hazards]
        and to minimize the opportunity for unauthorized access.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      assessable: false
      depth: 1
      name: PLANNING
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pl-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      ref_id: PL-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] planning policy that:\n (a)\
        \ Addresses purpose, scope, roles, responsibilities, management commitment,\
        \ coordination among organizational entities, and compliance; and\n (b) Is\
        \ consistent with applicable laws, executive orders, directives, regulations,\
        \ policies, standards, and guidelines; and\n 2. Procedures to facilitate the\
        \ implementation of the planning policy and the associated planning controls;\n\
        \ b. Designate an [Assignment: organization-defined official] to manage the\
        \ development, documentation, and dissemination of the planning policy and\
        \ procedures; and\n c. Review and update the current planning:\n 1. Policy\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]; and\n 2. Procedures [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pl-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      ref_id: PL-2
      name: System Security and Privacy Plans
      description: "a. Develop security and privacy plans for the system that:\n 1.\
        \ Are consistent with the organization\u2019s enterprise architecture;\n 2.\
        \ Explicitly define the constituent system components;\n 3. Describe the operational\
        \ context of the system in terms of mission and business processes;\n 4. Identify\
        \ the individuals that fulfill system roles and responsibilities;\n 5. Identify\
        \ the information types processed, stored, and transmitted by the system;\n\
        \ 6. Provide the security categorization of the system, including supporting\
        \ rationale;\n 7. Describe any specific threats to the system that are of\
        \ concern to the organization; \n 8. Provide the results of a privacy risk\
        \ assessment for systems processing personally identifiable information;\n\
        \ 9. Describe the operational environment for the system and any dependencies\
        \ on or connections to other systems or system components;\n 10. Provide an\
        \ overview of the security and privacy requirements for the system;\n 11.\
        \ Identify any relevant control baselines or overlays, if applicable;\n 12.\
        \ Describe the controls in place or planned for meeting the security and privacy\
        \ requirements, including a rationale for any tailoring decisions;\n 13. Include\
        \ risk determinations for security and privacy architecture and design decisions;\n\
        \ 14. Include security- and privacy-related activities affecting the system\
        \ that require planning and coordination with [Assignment: organization-defined\
        \ individuals or groups]; and\n 15. Are reviewed and approved by the authorizing\
        \ official or designated representative prior to plan implementation.\n b.\
        \ Distribute copies of the plans and communicate subsequent changes to the\
        \ plans to [Assignment: organization-defined personnel or roles];\n c. Review\
        \ the plans [Assignment: organization-defined frequency]; \n d. Update the\
        \ plans to address changes to the system and environment of operation or problems\
        \ identified during plan implementation or control assessments; and\n e. Protect\
        \ the plans from unauthorized disclosure and modification."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pl-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      ref_id: PL-4
      name: Rules of Behavior
      description: "a. Establish and provide to individuals requiring access to the\
        \ system, the rules that describe their responsibilities and expected behavior\
        \ for information and system usage, security, and privacy;\n b. Receive a\
        \ documented acknowledgment from such individuals, indicating that they have\
        \ read, understand, and agree to abide by the rules of behavior, before authorizing\
        \ access to information and the system;\n c. Review and update the rules of\
        \ behavior [Assignment: organization-defined frequency]; and\n d. Require\
        \ individuals who have acknowledged a previous version of the rules of behavior\
        \ to read and re-acknowledge [Selection (one or more): [Assignment: organization-defined\
        \ frequency]; when the rules are revised or updated]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pl-4-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      ref_id: PL-4 (1)
      name: Rules of Behavior | Social Media and External Site/application Usage Restrictions
      description: "Include in the rules of behavior, restrictions on:\n (a) Use of\
        \ social media, social networking sites, and external sites/applications;\n\
        \ (b) Posting organizational information on public websites; and\n (c) Use\
        \ of organization-provided identifiers (e.g., email addresses) and authentication\
        \ secrets (e.g., passwords) for creating accounts on external sites/applications."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pl-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      ref_id: PL-8
      name: Security and Privacy Architectures
      description: "a. Develop security and privacy architectures for the system that:\n\
        \ 1. Describe the requirements and approach to be taken for protecting the\
        \ confidentiality, integrity, and availability of organizational information;\n\
        \ 2. Describe the requirements and approach to be taken for processing personally\
        \ identifiable information to minimize privacy risk to individuals;\n 3. Describe\
        \ how the architectures are integrated into and support the enterprise architecture;\
        \ and\n 4. Describe any assumptions about, and dependencies on, external systems\
        \ and services;\n b. Review and update the architectures [Assignment: organization-defined\
        \ frequency] to reflect changes in the enterprise architecture; and\n c. Reflect\
        \ planned architecture changes in security and privacy plans, Concept of Operations\
        \ (CONOPS), criticality analysis, organizational procedures, and procurements\
        \ and acquisitions."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pl-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      ref_id: PL-10
      name: Baseline Selection
      description: Select a control baseline for the system.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:pl-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node283
      ref_id: PL-11
      name: Baseline Tailoring
      description: Tailor the selected control baseline by applying specified tailoring
        actions.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      assessable: false
      depth: 1
      name: PERSONNEL SECURITY
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] personnel security policy\
        \ that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the personnel security policy and the associated\
        \ personnel security controls;\n b. Designate an [Assignment: organization-defined\
        \ official] to manage the development, documentation, and dissemination of\
        \ the personnel security policy and procedures; and\n c. Review and update\
        \ the current personnel security:\n 1. Policy [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]; and\n\
        \ 2. Procedures [Assignment: organization-defined frequency] and following\
        \ [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-2
      name: Position Risk Designation
      description: "a. Assign a risk designation to all organizational positions;\n\
        \ b. Establish screening criteria for individuals filling those positions;\
        \ and\n c. Review and update position risk designations [Assignment: organization-defined\
        \ frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-3
      name: Personnel Screening
      description: "a. Screen individuals prior to authorizing access to the system;\
        \ and\n b. Rescreen individuals in accordance with [Assignment: organization-defined\
        \ conditions requiring rescreening and, where rescreening is so indicated,\
        \ the frequency of rescreening]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-3-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-3 (3)
      name: Personnel Screening | Information Requiring Special Protective Measures
      description: "Verify that individuals accessing a system processing, storing,\
        \ or transmitting information requiring special protection:\n (a) Have valid\
        \ access authorizations that are demonstrated by assigned official government\
        \ duties; and\n (b) Satisfy [Assignment: organization-defined additional personnel\
        \ screening criteria]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-4
      name: Personnel Termination
      description: "Upon termination of individual employment:\n a. Disable system\
        \ access within [Assignment: organization-defined time period];\n b. Terminate\
        \ or revoke any authenticators and credentials associated with the individual;\n\
        \ c. Conduct exit interviews that include a discussion of [Assignment: organization-defined\
        \ information security topics];\n d. Retrieve all security-related organizational\
        \ system-related property; and\n e. Retain access to organizational information\
        \ and systems formerly controlled by terminated individual."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-4-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-4 (2)
      name: Personnel Termination | Automated Actions
      description: 'Use [Assignment: organization-defined automated mechanisms] to
        [Selection (one or more): notify [Assignment: organization-defined personnel
        or roles] of individual termination actions; disable access to system resources].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-5
      name: Personnel Transfer
      description: "a. Review and confirm ongoing operational need for current logical\
        \ and physical access authorizations to systems and facilities when individuals\
        \ are reassigned or transferred to other positions within the organization;\n\
        \ b. Initiate [Assignment: organization-defined transfer or reassignment actions]\
        \ within [Assignment: organization-defined time period following the formal\
        \ transfer action];\n c. Modify access authorization as needed to correspond\
        \ with any changes in operational need due to reassignment or transfer; and\n\
        \ d. Notify [Assignment: organization-defined personnel or roles] within [Assignment:\
        \ organization-defined time period]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-6
      name: Access Agreements
      description: "a. Develop and document access agreements for organizational systems;\n\
        \ b. Review and update the access agreements [Assignment: organization-defined\
        \ frequency]; and\n c. Verify that individuals requiring access to organizational\
        \ information and systems: \n 1. Sign appropriate access agreements prior\
        \ to being granted access; and\n 2. Re-sign access agreements to maintain\
        \ access to organizational systems when access agreements have been updated\
        \ or [Assignment: organization-defined frequency]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-7
      name: External Personnel Security
      description: "a. Establish personnel security requirements, including security\
        \ roles and responsibilities for external providers;\n b. Require external\
        \ providers to comply with personnel security policies and procedures established\
        \ by the organization;\n c. Document personnel security requirements;\n d.\
        \ Require external providers to notify [Assignment: organization-defined personnel\
        \ or roles] of any personnel transfers or terminations of external personnel\
        \ who possess organizational credentials and/or badges, or who have system\
        \ privileges within [Assignment: organization-defined time period]; and\n\
        \ e. Monitor provider compliance with personnel security requirements."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-8
      name: Personnel Sanctions
      description: "a. Employ a formal sanctions process for individuals failing to\
        \ comply with established information security and privacy policies and procedures;\
        \ and\n b. Notify [Assignment: organization-defined personnel or roles] within\
        \ [Assignment: organization-defined time period] when a formal employee sanctions\
        \ process is initiated, identifying the individual sanctioned and the reason\
        \ for the sanction."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ps-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node291
      ref_id: PS-9
      name: Position Descriptions
      description: Incorporate security and privacy roles and responsibilities into
        organizational position descriptions.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      assessable: false
      depth: 1
      name: RISK ASSESSMENT
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] risk assessment policy that:\n\
        \ (a) Addresses purpose, scope, roles, responsibilities, management commitment,\
        \ coordination among organizational entities, and compliance; and\n (b) Is\
        \ consistent with applicable laws, executive orders, directives, regulations,\
        \ policies, standards, and guidelines; and\n 2. Procedures to facilitate the\
        \ implementation of the risk assessment policy and the associated risk assessment\
        \ controls;\n b. Designate an [Assignment: organization-defined official]\
        \ to manage the development, documentation, and dissemination of the risk\
        \ assessment policy and procedures; and\n c. Review and update the current\
        \ risk assessment:\n 1. Policy [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]; and\n 2. Procedures\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-2
      name: Security Categorization
      description: "a. Categorize the system and information it processes, stores,\
        \ and transmits;\n b. Document the security categorization results, including\
        \ supporting rationale, in the security plan for the system; and\n c. Verify\
        \ that the authorizing official or authorizing official designated representative\
        \ reviews and approves the security categorization decision."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-3
      name: Risk Assessment
      description: "a. Conduct a risk assessment, including:\n 1. Identifying threats\
        \ to and vulnerabilities in the system;\n 2. Determining the likelihood and\
        \ magnitude of harm from unauthorized access, use, disclosure, disruption,\
        \ modification, or destruction of the system, the information it processes,\
        \ stores, or transmits, and any related information; and\n 3. Determining\
        \ the likelihood and impact of adverse effects on individuals arising from\
        \ the processing of personally identifiable information;\n b. Integrate risk\
        \ assessment results and risk management decisions from the organization and\
        \ mission or business process perspectives with system-level risk assessments;\n\
        \ c. Document risk assessment results in [Selection: security and privacy\
        \ plans; risk assessment report; [Assignment: organization-defined document]];\n\
        \ d. Review risk assessment results [Assignment: organization-defined frequency];\n\
        \ e. Disseminate risk assessment results to [Assignment: organization-defined\
        \ personnel or roles]; and\n f. Update the risk assessment [Assignment: organization-defined\
        \ frequency] or when there are significant changes to the system, its environment\
        \ of operation, or other conditions that may impact the security or privacy\
        \ state of the system."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-3-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-3 (1)
      name: Risk Assessment | Supply Chain Risk Assessment
      description: " (a) Assess supply chain risks associated with [Assignment: organization-defined\
        \ systems, system components, and system services]; and\n (b) Update the supply\
        \ chain risk assessment [Assignment: organization-defined frequency], when\
        \ there are significant changes to the relevant supply chain, or when changes\
        \ to the system, environments of operation, or other conditions may necessitate\
        \ a change in the supply chain."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-5
      name: Vulnerability Monitoring and Scanning
      description: "a. Monitor and scan for vulnerabilities in the system and hosted\
        \ applications [Assignment: organization-defined frequency and/or randomly\
        \ in accordance with organization-defined process] and when new vulnerabilities\
        \ potentially affecting the system are identified and reported;\n b. Employ\
        \ vulnerability monitoring tools and techniques that facilitate interoperability\
        \ among tools and automate parts of the vulnerability management process by\
        \ using standards for:\n 1. Enumerating platforms, software flaws, and improper\
        \ configurations;\n 2. Formatting checklists and test procedures; and\n 3.\
        \ Measuring vulnerability impact; \n c. Analyze vulnerability scan reports\
        \ and results from vulnerability monitoring;\n d. Remediate legitimate vulnerabilities\
        \ [Assignment: organization-defined response times] in accordance with an\
        \ organizational assessment of risk;\n e. Share information obtained from\
        \ the vulnerability monitoring process and control assessments with [Assignment:\
        \ organization-defined personnel or roles] to help eliminate similar vulnerabilities\
        \ in other systems; and\n f. Employ vulnerability monitoring tools that include\
        \ the capability to readily update the vulnerabilities to be scanned."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-5-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-5 (2)
      name: Vulnerability Monitoring and Scanning | Update Vulnerabilities to Be Scanned
      description: 'Update the system vulnerabilities to be scanned [Selection (one
        or more): [Assignment: organization-defined frequency]; prior to a new scan;
        when new vulnerabilities are identified and reported].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-5-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-5 (3)
      name: Vulnerability Monitoring and Scanning | Breadth and Depth of Coverage
      description: Define the breadth and depth of vulnerability scanning coverage.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-5-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-5 (4)
      name: Vulnerability Monitoring and Scanning | Discoverable Information
      description: 'Determine information about the system that is discoverable and
        take [Assignment: organization-defined corrective actions].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-5-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-5 (5)
      name: Vulnerability Monitoring and Scanning | Privileged Access
      description: 'Implement privileged access authorization to [Assignment: organization-defined
        system components] for [Assignment: organization-defined vulnerability scanning
        activities].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-5-(8)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-5 (8)
      name: Vulnerability Monitoring and Scanning | Review Historic Audit Logs
      description: 'Review historic audit logs to determine if a vulnerability identified
        in a [Assignment: organization-defined system] has been previously exploited
        within an [Assignment: organization-defined time period].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-5-(11)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-5 (11)
      name: Vulnerability Monitoring and Scanning | Public Disclosure Program
      description: Establish a public reporting channel for receiving reports of vulnerabilities
        in organizational systems and system components.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-7
      name: Risk Response
      description: Respond to findings from security and privacy assessments, monitoring,
        and audits in accordance with organizational risk tolerance.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:ra-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node303
      ref_id: RA-9
      name: Criticality Analysis
      description: 'Identify critical system components and functions by performing
        a criticality analysis for [Assignment: organization-defined systems, system
        components, or system services] at [Assignment: organization-defined decision
        points in the system development life cycle].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      assessable: false
      depth: 1
      name: SYSTEM AND SERVICES ACQUISITION
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] system and services acquisition\
        \ policy that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the system and services acquisition policy\
        \ and the associated system and services acquisition controls;\n b. Designate\
        \ an [Assignment: organization-defined official] to manage the development,\
        \ documentation, and dissemination of the system and services acquisition\
        \ policy and procedures; and\n c. Review and update the current system and\
        \ services acquisition:\n 1. Policy [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]; and\n 2. Procedures\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-2
      name: Allocation of Resources
      description: "a. Determine the high-level information security and privacy requirements\
        \ for the system or system service in mission and business process planning;\n\
        \ b. Determine, document, and allocate the resources required to protect the\
        \ system or system service as part of the organizational capital planning\
        \ and investment control process; and\n c. Establish a discrete line item\
        \ for information security and privacy in organizational programming and budgeting\
        \ documentation."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-3
      name: System Development Life Cycle
      description: "a. Acquire, develop, and manage the system using [Assignment:\
        \ organization-defined system development life cycle] that incorporates information\
        \ security and privacy considerations;\n b. Define and document information\
        \ security and privacy roles and responsibilities throughout the system development\
        \ life cycle;\n c. Identify individuals having information security and privacy\
        \ roles and responsibilities; and\n d. Integrate the organizational information\
        \ security and privacy risk management process into system development life\
        \ cycle activities."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-4
      name: Acquisition Process
      description: "Include the following requirements, descriptions, and criteria,\
        \ explicitly or by reference, using [Selection (one or more): standardized\
        \ contract language; [Assignment: organization-defined contract language]]\
        \ in the acquisition contract for the system, system component, or system\
        \ service:\n a. Security and privacy functional requirements;\n b. Strength\
        \ of mechanism requirements;\n c. Security and privacy assurance requirements;\n\
        \ d. Controls needed to satisfy the security and privacy requirements.\n e.\
        \ Security and privacy documentation requirements;\n f. Requirements for protecting\
        \ security and privacy documentation;\n g. Description of the system development\
        \ environment and environment in which the system is intended to operate;\n\
        \ h. Allocation of responsibility or identification of parties responsible\
        \ for information security, privacy, and supply chain risk management; and\n\
        \ i. Acceptance criteria."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-4-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-4 (1)
      name: Acquisition Process | Functional Properties of Controls
      description: Require the developer of the system, system component, or system
        service to provide a description of the functional properties of the controls
        to be implemented.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-4-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-4 (2)
      name: Acquisition Process | Design and Implementation Information for Controls
      description: 'Require the developer of the system, system component, or system
        service to provide design and implementation information for the controls
        that includes: [Selection (one or more): security-relevant external system
        interfaces; high-level design; low-level design; source code or hardware schematics;
        [Assignment: organization-defined design and implementation information]]
        at [Assignment: organization-defined level of detail].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-4-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-4 (5)
      name: Acquisition Process | System, Component, and Service Configurations
      description: "Require the developer of the system, system component, or system\
        \ service to:\n (a) Deliver the system, component, or service with [Assignment:\
        \ organization-defined security configurations] implemented; and\n (b) Use\
        \ the configurations as the default for any subsequent system, component,\
        \ or service reinstallation or upgrade."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-4-(9)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-4 (9)
      name: Acquisition Process | Functions, Ports, Protocols, and Services in Use
      description: Require the developer of the system, system component, or system
        service to identify the functions, ports, protocols, and services intended
        for organizational use.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-4-(10)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-4 (10)
      name: Acquisition Process | Use of Approved PIV Products
      description: Employ only information technology products on the FIPS 201-approved
        products list for Personal Identity Verification (PIV) capability implemented
        within organizational systems.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-5
      name: System Documentation
      description: "a. Obtain or develop administrator documentation for the system,\
        \ system component, or system service that describes:\n 1. Secure configuration,\
        \ installation, and operation of the system, component, or service; \n 2.\
        \ Effective use and maintenance of security and privacy functions and mechanisms;\
        \ and\n 3. Known vulnerabilities regarding configuration and use of administrative\
        \ or privileged functions;\n b. Obtain or develop user documentation for the\
        \ system, system component, or system service that describes:\n 1. User-accessible\
        \ security and privacy functions and mechanisms and how to effectively use\
        \ those functions and mechanisms;\n 2. Methods for user interaction, which\
        \ enables individuals to use the system, component, or service in a more secure\
        \ manner and protect individual privacy; and\n 3. User responsibilities in\
        \ maintaining the security of the system, component, or service and privacy\
        \ of individuals;\n c. Document attempts to obtain system, system component,\
        \ or system service documentation when such documentation is either unavailable\
        \ or nonexistent and take [Assignment: organization-defined actions] in response;\
        \ and\n d. Distribute documentation to [Assignment: organization-defined personnel\
        \ or roles]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-8
      name: Security and Privacy Engineering Principles
      description: 'Apply the following systems security and privacy engineering principles
        in the specification, design, development, implementation, and modification
        of the system and system components: [Assignment: organization-defined systems
        security and privacy engineering principles].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-9
      name: External System Services
      description: "a. Require that providers of external system services comply with\
        \ organizational security and privacy requirements and employ the following\
        \ controls: [Assignment: organization-defined controls];\n b. Define and document\
        \ organizational oversight and user roles and responsibilities with regard\
        \ to external system services; and\n c. Employ the following processes, methods,\
        \ and techniques to monitor control compliance by external service providers\
        \ on an ongoing basis: [Assignment: organization-defined processes, methods,\
        \ and techniques]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-9-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-9 (1)
      name: External System Services | Risk Assessments and Organizational Approvals
      description: " (a) Conduct an organizational assessment of risk prior to the\
        \ acquisition or outsourcing of information security services; and\n (b) Verify\
        \ that the acquisition or outsourcing of dedicated information security services\
        \ is approved by [Assignment: organization-defined personnel or roles]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-9-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-9 (2)
      name: External System Services | Identification of Functions, Ports, Protocols,
        and Services
      description: 'Require providers of the following external system services to
        identify the functions, ports, protocols, and other services required for
        the use of such services: [Assignment: organization-defined external system
        services].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-9-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-9 (5)
      name: External System Services | Processing, Storage, and Service Location
      description: 'Restrict the location of [Selection (one or more): information
        processing; information or data; system services] to [Assignment: organization-defined
        locations] based on [Assignment: organization-defined requirements or conditions].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-10
      name: Developer Configuration Management
      description: "Require the developer of the system, system component, or system\
        \ service to:\n a. Perform configuration management during system, component,\
        \ or service [Selection (one or more): design; development; implementation;\
        \ operation; disposal];\n b. Document, manage, and control the integrity of\
        \ changes to [Assignment: organization-defined configuration items under configuration\
        \ management];\n c. Implement only organization-approved changes to the system,\
        \ component, or service;\n d. Document approved changes to the system, component,\
        \ or service and the potential security and privacy impacts of such changes;\
        \ and\n e. Track security flaws and flaw resolution within the system, component,\
        \ or service and report findings to [Assignment: organization-defined personnel]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-11
      name: Developer Testing and Evaluation
      description: "Require the developer of the system, system component, or system\
        \ service, at all post-design stages of the system development life cycle,\
        \ to:\n a. Develop and implement a plan for ongoing security and privacy control\
        \ assessments;\n b. Perform [Selection (one or more): unit; integration; system;\
        \ regression] testing/evaluation [Assignment: organization-defined frequency]\
        \ at [Assignment: organization-defined depth and coverage];\n c. Produce evidence\
        \ of the execution of the assessment plan and the results of the testing and\
        \ evaluation;\n d. Implement a verifiable flaw remediation process; and\n\
        \ e. Correct flaws identified during testing and evaluation."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-11-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-11 (1)
      name: Developer Testing and Evaluation | Static Code Analysis
      description: Require the developer of the system, system component, or system
        service to employ static code analysis tools to identify common flaws and
        document the results of the analysis.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-11-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-11 (2)
      name: Developer Testing and Evaluation | Threat Modeling and Vulnerability Analyses
      description: "Require the developer of the system, system component, or system\
        \ service to perform threat modeling and vulnerability analyses during development\
        \ and the subsequent testing and evaluation of the system, component, or service\
        \ that: \n (a) Uses the following contextual information: [Assignment: organization-defined\
        \ information concerning impact, environment of operations, known or assumed\
        \ threats, and acceptable risk levels];\n (b) Employs the following tools\
        \ and methods: [Assignment: organization-defined tools and methods];\n (c)\
        \ Conducts the modeling and analyses at the following level of rigor: [Assignment:\
        \ organization-defined breadth and depth of modeling and analyses]; and\n\
        \ (d) Produces evidence that meets the following acceptance criteria: [Assignment:\
        \ organization-defined acceptance criteria]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-15
      name: Development Process, Standards, and Tools
      description: "a. Require the developer of the system, system component, or system\
        \ service to follow a documented development process that:\n 1. Explicitly\
        \ addresses security and privacy requirements;\n 2. Identifies the standards\
        \ and tools used in the development process;\n 3. Documents the specific tool\
        \ options and tool configurations used in the development process; and\n 4.\
        \ Documents, manages, and ensures the integrity of changes to the process\
        \ and/or tools used in development; and\n b. Review the development process,\
        \ standards, tools, tool options, and tool configurations [Assignment: organization-defined\
        \ frequency] to determine if the process, standards, tools, tool options and\
        \ tool configurations selected and employed can satisfy the following security\
        \ and privacy requirements: [Assignment: organization-defined security and\
        \ privacy requirements]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-15-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-15 (3)
      name: Development Process, Standards, and Tools | Criticality Analysis
      description: "Require the developer of the system, system component, or system\
        \ service to perform a criticality analysis:\n (a) At the following decision\
        \ points in the system development life cycle: [Assignment: organization-defined\
        \ decision points in the system development life cycle]; and\n (b) At the\
        \ following level of rigor: [Assignment: organization-defined breadth and\
        \ depth of criticality analysis]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-16
      name: Developer-provided Training
      description: 'Require the developer of the system, system component, or system
        service to provide the following training on the correct use and operation
        of the implemented security and privacy functions, controls, and/or mechanisms:
        [Assignment: organization-defined training].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-17
      name: Developer Security and Privacy Architecture and Design
      description: "Require the developer of the system, system component, or system\
        \ service to produce a design specification and security and privacy architecture\
        \ that:\n a. Is consistent with the organization\u2019s security and privacy\
        \ architecture that is an integral part the organization\u2019s enterprise\
        \ architecture;\n b. Accurately and completely describes the required security\
        \ and privacy functionality, and the allocation of controls among physical\
        \ and logical components; and\n c. Expresses how individual security and privacy\
        \ functions, mechanisms, and services work together to provide required security\
        \ and privacy capabilities and a unified approach to protection."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-21
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-21
      name: Developer Screening
      description: "Require that the developer of [Assignment: organization-defined\
        \ system, system component, or system service]:\n a. Has appropriate access\
        \ authorizations as determined by assigned [Assignment: organization-defined\
        \ official government duties]; and\n b. Satisfies the following additional\
        \ personnel screening criteria: [Assignment: organization-defined additional\
        \ personnel screening criteria]."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sa-22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node317
      ref_id: SA-22
      name: Unsupported System Components
      description: "a. Replace system components when support for the components is\
        \ no longer available from the developer, vendor, or manufacturer; or\n b.\
        \ Provide the following options for alternative sources for continued support\
        \ for unsupported components [Selection (one or more): in-house support; [Assignment:\
        \ organization-defined support from external providers]]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      assessable: false
      depth: 1
      name: SYSTEM AND COMMUNICATIONS PROTECTION
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] system and communications\
        \ protection policy that:\n (a) Addresses purpose, scope, roles, responsibilities,\
        \ management commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the system and communications protection\
        \ policy and the associated system and communications protection controls;\n\
        \ b. Designate an [Assignment: organization-defined official] to manage the\
        \ development, documentation, and dissemination of the system and communications\
        \ protection policy and procedures; and\n c. Review and update the current\
        \ system and communications protection:\n 1. Policy [Assignment: organization-defined\
        \ frequency] and following [Assignment: organization-defined events]; and\n\
        \ 2. Procedures [Assignment: organization-defined frequency] and following\
        \ [Assignment: organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-2
      name: Separation of System and User Functionality
      description: Separate user functionality, including user interface services,
        from system management functionality.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-3
      name: Security Function Isolation
      description: Isolate security functions from nonsecurity functions.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-4
      name: Information in Shared System Resources
      description: Prevent unauthorized and unintended information transfer via shared
        system resources.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-5
      name: Denial-of-service Protection
      description: "a. [Selection: Protect against; Limit] the effects of the following\
        \ types of denial-of-service events: [Assignment: organization-defined types\
        \ of denial-of-service events]; and\n b. Employ the following controls to\
        \ achieve the denial-of-service objective: [Assignment: organization-defined\
        \ controls by type of denial-of-service event]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7
      name: Boundary Protection
      description: "a. Monitor and control communications at the external managed\
        \ interfaces to the system and at key internal managed interfaces within the\
        \ system;\n b. Implement subnetworks for publicly accessible system components\
        \ that are [Selection: physically; logically] separated from internal organizational\
        \ networks; and\n c. Connect to external networks or systems only through\
        \ managed interfaces consisting of boundary protection devices arranged in\
        \ accordance with an organizational security and privacy architecture."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (3)
      name: Boundary Protection | Access Points
      description: Limit the number of external network connections to the system.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (4)
      name: Boundary Protection | External Telecommunications Services
      description: " (a) Implement a managed interface for each external telecommunication\
        \ service;\n (b) Establish a traffic flow policy for each managed interface;\n\
        \ (c) Protect the confidentiality and integrity of the information being transmitted\
        \ across each interface;\n (d) Document each exception to the traffic flow\
        \ policy with a supporting mission or business need and duration of that need;\n\
        \ (e) Review exceptions to the traffic flow policy [Assignment: organization-defined\
        \ frequency] and remove exceptions that are no longer supported by an explicit\
        \ mission or business need;\n (f) Prevent unauthorized exchange of control\
        \ plane traffic with external networks;\n (g) Publish information to enable\
        \ remote networks to detect unauthorized control plane traffic from internal\
        \ networks; and\n (h) Filter unauthorized control plane traffic from external\
        \ networks."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (5)
      name: "Boundary Protection | Deny by Default \u2014 Allow by Exception"
      description: 'Deny network communications traffic by default and allow network
        communications traffic by exception [Selection (one or more): at managed interfaces;
        for [Assignment: organization-defined systems]].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(7)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (7)
      name: Boundary Protection | Split Tunneling for Remote Devices
      description: 'Prevent split tunneling for remote devices connecting to organizational
        systems unless the split tunnel is securely provisioned using [Assignment:
        organization-defined safeguards].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(8)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (8)
      name: Boundary Protection | Route Traffic to Authenticated Proxy Servers
      description: 'Route [Assignment: organization-defined internal communications
        traffic] to [Assignment: organization-defined external networks] through authenticated
        proxy servers at managed interfaces.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(10)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (10)
      name: Boundary Protection | Prevent Exfiltration
      description: " (a) Prevent the exfiltration of information; and\n (b) Conduct\
        \ exfiltration tests [Assignment: organization-defined frequency]."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(12)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (12)
      name: Boundary Protection | Host-based Protection
      description: 'Implement [Assignment: organization-defined host-based boundary
        protection mechanisms] at [Assignment: organization-defined system components].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(18)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (18)
      name: Boundary Protection | Fail Secure
      description: Prevent systems from entering unsecure states in the event of an
        operational failure of a boundary protection device.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(20)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (20)
      name: Boundary Protection | Dynamic Isolation and Segregation
      description: 'Provide the capability to dynamically isolate [Assignment: organization-defined
        system components] from other system components.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-7-(21)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-7 (21)
      name: Boundary Protection | Isolation of System Components
      description: 'Employ boundary protection mechanisms to isolate [Assignment:
        organization-defined system components] supporting [Assignment: organization-defined
        missions and/or business functions].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-8
      name: Transmission Confidentiality and Integrity
      description: 'Protect the [Selection (one or more): confidentiality; integrity]
        of transmitted information.'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-8-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-8 (1)
      name: Transmission Confidentiality and Integrity | Cryptographic Protection
      description: 'Implement cryptographic mechanisms to [Selection (one or more):
        prevent unauthorized disclosure of information; detect changes to information]
        during transmission.'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-10
      name: Network Disconnect
      description: 'Terminate the network connection associated with a communications
        session at the end of the session or after [Assignment: organization-defined
        time period] of inactivity.'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-12
      name: Cryptographic Key Establishment and Management
      description: 'Establish and manage cryptographic keys when cryptography is employed
        within the system in accordance with the following key management requirements:
        [Assignment: organization-defined requirements for key generation, distribution,
        storage, access, and destruction].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-12-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-12 (1)
      name: Cryptographic Key Establishment and Management | Availability
      description: Maintain availability of information in the event of the loss of
        cryptographic keys by users.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-13
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-13
      name: Cryptographic Protection
      description: "a. Determine the [Assignment: organization-defined cryptographic\
        \ uses]; and\n b. Implement the following types of cryptography required for\
        \ each specified cryptographic use: [Assignment: organization-defined types\
        \ of cryptography for each specified cryptographic use]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-15
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-15
      name: Collaborative Computing Devices and Applications
      description: "a. Prohibit remote activation of collaborative computing devices\
        \ and applications with the following exceptions: [Assignment: organization-defined\
        \ exceptions where remote activation is to be allowed]; and\n b. Provide an\
        \ explicit indication of use to users physically present at the devices."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-17
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-17
      name: Public Key Infrastructure Certificates
      description: "a. Issue public key certificates under an [Assignment: organization-defined\
        \ certificate policy] or obtain public key certificates from an approved service\
        \ provider; and\n b. Include only approved trust anchors in trust stores or\
        \ certificate stores managed by the organization."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-18
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-18
      name: Mobile Code
      description: "a. Define acceptable and unacceptable mobile code and mobile code\
        \ technologies; and\n b. Authorize, monitor, and control the use of mobile\
        \ code within the system."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-20
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-20
      name: Secure Name/address Resolution Service (authoritative Source)
      description: "a. Provide additional data origin authentication and integrity\
        \ verification artifacts along with the authoritative name resolution data\
        \ the system returns in response to external name/address resolution queries;\
        \ and\n b. Provide the means to indicate the security status of child zones\
        \ and (if the child supports secure resolution services) to enable verification\
        \ of a chain of trust among parent and child domains, when operating as part\
        \ of a distributed, hierarchical namespace."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-21
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-21
      name: Secure Name/address Resolution Service (recursive or Caching Resolver)
      description: Request and perform data origin authentication and data integrity
        verification on the name/address resolution responses the system receives
        from authoritative sources.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-22
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-22
      name: Architecture and Provisioning for Name/address Resolution Service
      description: Ensure the systems that collectively provide name/address resolution
        service for an organization are fault-tolerant and implement internal and
        external role separation.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-23
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-23
      name: Session Authenticity
      description: Protect the authenticity of communications sessions.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-24
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-24
      name: Fail in Known State
      description: 'Fail to a [Assignment: organization-defined known system state]
        for the following failures on the indicated components while preserving [Assignment:
        organization-defined system state information] in failure: [Assignment: list
        of organization-defined types of system failures on organization-defined system
        components].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-28
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-28
      name: Protection of Information at Rest
      description: 'Protect the [Selection (one or more): confidentiality; integrity]
        of the following information at rest: [Assignment: organization-defined information
        at rest].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-28-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-28 (1)
      name: Protection of Information at Rest | Cryptographic Protection
      description: 'Implement cryptographic mechanisms to prevent unauthorized disclosure
        and modification of the following information at rest on [Assignment: organization-defined
        system components or media]: [Assignment: organization-defined information].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-39
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-39
      name: Process Isolation
      description: Maintain a separate execution domain for each executing system
        process.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-45
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-45
      name: System Time Synchronization
      description: Synchronize system clocks within and between systems and system
        components.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sc-45-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node343
      ref_id: SC-45 (1)
      name: System Time Synchronization | Synchronization with Authoritative Time
        Source
      description: " (a) Compare the internal system clocks [Assignment: organization-defined\
        \ frequency] with [Assignment: organization-defined authoritative time source];\
        \ and\n (b) Synchronize the internal system clocks to the authoritative time\
        \ source when the time difference is greater than [Assignment: organization-defined\
        \ time period]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      assessable: false
      depth: 1
      name: SYSTEM AND INFORMATION INTEGRITY
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] system and information integrity\
        \ policy that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the system and information integrity policy\
        \ and the associated system and information integrity controls;\n b. Designate\
        \ an [Assignment: organization-defined official] to manage the development,\
        \ documentation, and dissemination of the system and information integrity\
        \ policy and procedures; and\n c. Review and update the current system and\
        \ information integrity:\n 1. Policy [Assignment: organization-defined frequency]\
        \ and following [Assignment: organization-defined events]; and\n 2. Procedures\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-2
      name: Flaw Remediation
      description: "a. Identify, report, and correct system flaws;\n b. Test software\
        \ and firmware updates related to flaw remediation for effectiveness and potential\
        \ side effects before installation;\n c. Install security-relevant software\
        \ and firmware updates within [Assignment: organization-defined time period]\
        \ of the release of the updates; and\n d. Incorporate flaw remediation into\
        \ the organizational configuration management process."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-2-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-2 (2)
      name: Flaw Remediation | Automated Flaw Remediation Status
      description: 'Determine if system components have applicable security-relevant
        software and firmware updates installed using [Assignment: organization-defined
        automated mechanisms] [Assignment: organization-defined frequency].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-2-(3)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-2 (3)
      name: Flaw Remediation | Time to Remediate Flaws and Benchmarks for Corrective
        Actions
      description: " (a) Measure the time between flaw identification and flaw remediation;\
        \ and\n (b) Establish the following benchmarks for taking corrective actions:\
        \ [Assignment: organization-defined benchmarks]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-3
      name: Malicious Code Protection
      description: "a. Implement [Selection (one or more): signature based; non-signature\
        \ based] malicious code protection mechanisms at system entry and exit points\
        \ to detect and eradicate malicious code;\n b. Automatically update malicious\
        \ code protection mechanisms as new releases are available in accordance with\
        \ organizational configuration management policy and procedures;\n c. Configure\
        \ malicious code protection mechanisms to:\n 1. Perform periodic scans of\
        \ the system [Assignment: organization-defined frequency] and real-time scans\
        \ of files from external sources at [Selection (one or more): endpoint; network\
        \ entry and exit points] as the files are downloaded, opened, or executed\
        \ in accordance with organizational policy; and\n 2. [Selection (one or more):\
        \ block malicious code; quarantine malicious code; take [Assignment: organization-defined\
        \ action]]; and send alert to [Assignment: organization-defined personnel\
        \ or roles] in response to malicious code detection; and\n d. Address the\
        \ receipt of false positives during malicious code detection and eradication\
        \ and the resulting potential impact on the availability of the system."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4
      name: System Monitoring
      description: "a. Monitor the system to detect:\n 1. Attacks and indicators of\
        \ potential attacks in accordance with the following monitoring objectives:\
        \ [Assignment: organization-defined monitoring objectives]; and\n 2. Unauthorized\
        \ local, network, and remote connections;\n b. Identify unauthorized use of\
        \ the system through the following techniques and methods: [Assignment: organization-defined\
        \ techniques and methods];\n c. Invoke internal monitoring capabilities or\
        \ deploy monitoring devices:\n 1. Strategically within the system to collect\
        \ organization-determined essential information; and\n 2. At ad hoc locations\
        \ within the system to track specific types of transactions of interest to\
        \ the organization;\n d. Analyze detected events and anomalies;\n e. Adjust\
        \ the level of system monitoring activity when there is a change in risk to\
        \ organizational operations and assets, individuals, other organizations,\
        \ or the Nation;\n f. Obtain legal opinion regarding system monitoring activities;\
        \ and\n g. Provide [Assignment: organization-defined system monitoring information]\
        \ to [Assignment: organization-defined personnel or roles] [Selection (one\
        \ or more): as needed; [Assignment: organization-defined frequency]]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (1)
      name: System Monitoring | System-wide Intrusion Detection System
      description: Connect and configure individual intrusion detection tools into
        a system-wide intrusion detection system.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (2)
      name: System Monitoring | Automated Tools and Mechanisms for Real-time Analysis
      description: Employ automated tools and mechanisms to support near real-time
        analysis of events.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(4)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (4)
      name: System Monitoring | Inbound and Outbound Communications Traffic
      description: " (a) Determine criteria for unusual or unauthorized activities\
        \ or conditions for inbound and outbound communications traffic;\n (b) Monitor\
        \ inbound and outbound communications traffic [Assignment: organization-defined\
        \ frequency] for [Assignment: organization-defined unusual or unauthorized\
        \ activities or conditions]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (5)
      name: System Monitoring | System-generated Alerts
      description: 'Alert [Assignment: organization-defined personnel or roles] when
        the following system-generated indications of compromise or potential compromise
        occur: [Assignment: organization-defined compromise indicators].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(10)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (10)
      name: System Monitoring | Visibility of Encrypted Communications
      description: 'Make provisions so that [Assignment: organization-defined encrypted
        communications traffic] is visible to [Assignment: organization-defined system
        monitoring tools and mechanisms].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(11)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (11)
      name: System Monitoring | Analyze Communications Traffic Anomalies
      description: 'Analyze outbound communications traffic at the external interfaces
        to the system and selected [Assignment: organization-defined interior points
        within the system] to discover anomalies.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(12)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (12)
      name: System Monitoring | Automated Organization-generated Alerts
      description: 'Alert [Assignment: organization-defined personnel or roles] using
        [Assignment: organization-defined automated mechanisms] when the following
        indications of inappropriate or unusual activities with security or privacy
        implications occur: [Assignment: organization-defined activities that trigger
        alerts].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(14)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (14)
      name: System Monitoring | Wireless Intrusion Detection
      description: Employ a wireless intrusion detection system to identify rogue
        wireless devices and to detect attack attempts and potential compromises or
        breaches to the system.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(16)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (16)
      name: System Monitoring | Correlate Monitoring Information
      description: Correlate information from monitoring tools and mechanisms employed
        throughout the system.
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(18)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (18)
      name: System Monitoring | Analyze Traffic and Covert Exfiltration
      description: 'Analyze outbound communications traffic at external interfaces
        to the system and at the following interior points to detect covert exfiltration
        of information: [Assignment: organization-defined interior points within the
        system].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(19)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (19)
      name: System Monitoring | Risk for Individuals
      description: 'Implement [Assignment: organization-defined additional monitoring]
        of individuals who have been identified by [Assignment: organization-defined
        sources] as posing an increased level of risk.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(20)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (20)
      name: System Monitoring | Privileged Users
      description: 'Implement the following additional monitoring of privileged users:
        [Assignment: organization-defined additional monitoring].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(22)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (22)
      name: System Monitoring | Unauthorized Network Services
      description: " (a) Detect network services that have not been authorized or\
        \ approved by [Assignment: organization-defined authorization or approval\
        \ processes]; and\n (b) [Selection (one or more): Audit; Alert [Assignment:\
        \ organization-defined personnel or roles]] when detected."
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-4-(23)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-4 (23)
      name: System Monitoring | Host-based Devices
      description: 'Implement the following host-based monitoring mechanisms at [Assignment:
        organization-defined system components]: [Assignment: organization-defined
        host-based monitoring mechanisms].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-5
      name: Security Alerts, Advisories, and Directives
      description: "a. Receive system security alerts, advisories, and directives\
        \ from [Assignment: organization-defined external organizations] on an ongoing\
        \ basis;\n b. Generate internal security alerts, advisories, and directives\
        \ as deemed necessary;\n c. Disseminate security alerts, advisories, and directives\
        \ to: [Selection (one or more): [Assignment: organization-defined personnel\
        \ or roles]; [Assignment: organization-defined elements within the organization];\
        \ [Assignment: organization-defined external organizations]]; and\n d. Implement\
        \ security directives in accordance with established time frames, or notify\
        \ the issuing organization of the degree of noncompliance."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-5-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-5 (1)
      name: Security Alerts, Advisories, and Directives | Automated Alerts and Advisories
      description: 'Broadcast security alert and advisory information throughout the
        organization using [Assignment: organization-defined automated mechanisms].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-6
      name: Security and Privacy Function Verification
      description: "a. Verify the correct operation of [Assignment: organization-defined\
        \ security and privacy functions];\n b. Perform the verification of the functions\
        \ specified in SI-6a [Selection (one or more): [Assignment: organization-defined\
        \ system transitional states]; upon command by user with appropriate privilege;\
        \ [Assignment: organization-defined frequency]];\n c. Alert [Assignment: organization-defined\
        \ personnel or roles] to failed security and privacy verification tests; and\n\
        \ d. [Selection (one or more): Shut the system down; Restart the system; [Assignment:\
        \ organization-defined alternative action (s)]] when anomalies are discovered."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-7
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-7
      name: Software, Firmware, and Information Integrity
      description: "a. Employ integrity verification tools to detect unauthorized\
        \ changes to the following software, firmware, and information: [Assignment:\
        \ organization-defined software, firmware, and information]; and\n b. Take\
        \ the following actions when unauthorized changes to the software, firmware,\
        \ and information are detected: [Assignment: organization-defined actions]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-7-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-7 (1)
      name: Software, Firmware, and Information Integrity | Integrity Checks
      description: 'Perform an integrity check of [Assignment: organization-defined
        software, firmware, and information] [Selection (one or more): at startup;
        at [Assignment: organization-defined transitional states or security-relevant
        events]; [Assignment: organization-defined frequency]].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-7-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-7 (2)
      name: Software, Firmware, and Information Integrity | Automated Notifications
        of Integrity Violations
      description: 'Employ automated tools that provide notification to [Assignment:
        organization-defined personnel or roles] upon discovering discrepancies during
        integrity verification.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-7-(5)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-7 (5)
      name: Software, Firmware, and Information Integrity | Automated Response to
        Integrity Violations
      description: 'Automatically [Selection (one or more): shut the system down;
        restart the system; implement [Assignment: organization-defined controls]]
        when integrity violations are discovered.'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-7-(7)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-7 (7)
      name: Software, Firmware, and Information Integrity | Integration of Detection
        and Response
      description: 'Incorporate the detection of the following unauthorized changes
        into the organizational incident response capability: [Assignment: organization-defined
        security-relevant changes to the system].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-7-(15)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-7 (15)
      name: Software, Firmware, and Information Integrity | Code Authentication
      description: 'Implement cryptographic mechanisms to authenticate the following
        software or firmware components prior to installation: [Assignment: organization-defined
        software or firmware components].'
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-8
      name: Spam Protection
      description: "a. Employ spam protection mechanisms at system entry and exit\
        \ points to detect and act on unsolicited messages; and\n b. Update spam protection\
        \ mechanisms when new releases are available in accordance with organizational\
        \ configuration management policy and procedures."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-8-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-8 (2)
      name: Spam Protection | Automatic Updates
      description: 'Automatically update spam protection mechanisms [Assignment: organization-defined
        frequency].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-10
      name: Information Input Validation
      description: 'Check the validity of the following information inputs: [Assignment:
        organization-defined information inputs to the system].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-11
      name: Error Handling
      description: "a. Generate error messages that provide information necessary\
        \ for corrective actions without revealing information that could be exploited;\
        \ and\n b. Reveal error messages only to [Assignment: organization-defined\
        \ personnel or roles]."
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-12
      name: Information Management and Retention
      description: Manage and retain information within the system and information
        output from the system in accordance with applicable laws, executive orders,
        directives, regulations, policies, standards, guidelines and operational requirements.
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:si-16
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node379
      ref_id: SI-16
      name: Memory Protection
      description: 'Implement the following controls to protect the system memory
        from unauthorized code execution: [Assignment: organization-defined controls].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      assessable: false
      depth: 1
      name: SUPPLY CHAIN RISK MANAGEMENT FAMILY
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-1
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-1
      name: Policy and Procedures
      description: "a. Develop, document, and disseminate to [Assignment: organization-defined\
        \ personnel or roles]:\n 1. [Selection (one or more): Organization-level;\
        \ Mission/business process-level; System-level] supply chain risk management\
        \ policy that:\n (a) Addresses purpose, scope, roles, responsibilities, management\
        \ commitment, coordination among organizational entities, and compliance;\
        \ and\n (b) Is consistent with applicable laws, executive orders, directives,\
        \ regulations, policies, standards, and guidelines; and\n 2. Procedures to\
        \ facilitate the implementation of the supply chain risk management policy\
        \ and the associated supply chain risk management controls;\n b. Designate\
        \ an [Assignment: organization-defined official] to manage the development,\
        \ documentation, and dissemination of the supply chain risk management policy\
        \ and procedures; and\n c. Review and update the current supply chain risk\
        \ management:\n 1. Policy [Assignment: organization-defined frequency] and\
        \ following [Assignment: organization-defined events]; and\n 2. Procedures\
        \ [Assignment: organization-defined frequency] and following [Assignment:\
        \ organization-defined events]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-2
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-2
      name: Supply Chain Risk Management Plan
      description: "a. Develop a plan for managing supply chain risks associated with\
        \ the research and development, design, manufacturing, acquisition, delivery,\
        \ integration, operations and maintenance, and disposal of the following systems,\
        \ system components or system services: [Assignment: organization-defined\
        \ systems, system components, or system services];\n b. Review and update\
        \ the supply chain risk management plan [Assignment: organization-defined\
        \ frequency] or as required, to address threat, organizational or environmental\
        \ changes; and\n c. Protect the supply chain risk management plan from unauthorized\
        \ disclosure and modification."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-2-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-2 (1)
      name: Supply Chain Risk Management Plan | Establish SCRM Team
      description: 'Establish a supply chain risk management team consisting of [Assignment:
        organization-defined personnel, roles, and responsibilities] to lead and support
        the following SCRM activities: [Assignment: organization-defined supply chain
        risk management activities].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-3
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-3
      name: Supply Chain Controls and Processes
      description: "a. Establish a process or processes to identify and address weaknesses\
        \ or deficiencies in the supply chain elements and processes of [Assignment:\
        \ organization-defined system or system component] in coordination with [Assignment:\
        \ organization-defined supply chain personnel];\n b. Employ the following\
        \ controls to protect against supply chain risks to the system, system component,\
        \ or system service and to limit the harm or consequences from supply chain-related\
        \ events: [Assignment: organization-defined supply chain controls]; and\n\
        \ c. Document the selected and implemented supply chain processes and controls\
        \ in [Selection: security and privacy plans; supply chain risk management\
        \ plan; [Assignment: organization-defined document]]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-5
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-5
      name: Acquisition Strategies, Tools, and Methods
      description: 'Employ the following acquisition strategies, contract tools, and
        procurement methods to protect against, identify, and mitigate supply chain
        risks: [Assignment: organization-defined acquisition strategies, contract
        tools, and procurement methods].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-6
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-6
      name: Supplier Assessments and Reviews
      description: 'Assess and review the supply chain-related risks associated with
        suppliers or contractors and the system, system component, or system service
        they provide [Assignment: organization-defined frequency].'
      implementation_groups:
      - H
      - M
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-8
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-8
      name: Notification Agreements
      description: 'Establish agreements and procedures with entities involved in
        the supply chain for the system, system component, or system service for the
        [Selection (one or more): notification of supply chain compromises; results
        of assessments or audits; [Assignment: organization-defined information]].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-9
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-9
      name: Tamper Resistance and Detection
      description: Implement a tamper protection program for the system, system component,
        or system service.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-9-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-9 (1)
      name: Tamper Resistance and Detection | Multiple Stages of System Development
        Life Cycle
      description: Employ anti-tamper technologies, tools, and techniques throughout
        the system development life cycle.
      implementation_groups:
      - H
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-10
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-10
      name: Inspection of Systems or Components
      description: 'Inspect the following systems or system components [Selection
        (one or more): at random; at [Assignment: organization-defined frequency],
        upon [Assignment: organization-defined indications of need for inspection]]
        to detect tampering: [Assignment: organization-defined systems or system components].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-11
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-11
      name: Component Authenticity
      description: "a. Develop and implement anti-counterfeit policy and procedures\
        \ that include the means to detect and prevent counterfeit components from\
        \ entering the system; and\n b. Report counterfeit system components to [Selection\
        \ (one or more): source of counterfeit component; [Assignment: organization-defined\
        \ external reporting organizations]; [Assignment: organization-defined personnel\
        \ or roles]]."
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-11-(1)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-11 (1)
      name: Component Authenticity | Anti-counterfeit Training
      description: 'Train [Assignment: organization-defined personnel or roles] to
        detect counterfeit system components (including hardware, software, and firmware).'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-11-(2)
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-11 (2)
      name: Component Authenticity | Configuration Control for Component Service and
        Repair
      description: 'Maintain configuration control over the following system components
        awaiting service or repair and serviced or repaired components awaiting return
        to service: [Assignment: organization-defined system components].'
      implementation_groups:
      - H
      - M
      - L
    - urn: urn:intuitem:risk:req_node:fedramp-rev5:sr-12
      assessable: true
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:fedramp-rev5:node415
      ref_id: SR-12
      name: Component Disposal
      description: 'Dispose of [Assignment: organization-defined data, documentation,
        tools, or system components] using the following techniques and methods: [Assignment:
        organization-defined techniques and methods].'
      implementation_groups:
      - H
      - M
      - L