
openshift-compliance's People

Contributors

jason-callaway, mshoger, seanatstratus

openshift-compliance's Issues

Need to address CA-7_N_06

Need to address this control in the Master SCTM:

g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

SCTM is missing parameter values

Many controls have parameterized values. For example, from AC-1:

ACCESS CONTROL POLICY AND PROCEDURES Control: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]

These parameters need to be defined in the master_sctm.xlsx spreadsheet in the Parameter column.

This is human work that can't be automated.

Need to address AU-7_N_00

Need to address this control in the Master SCTM:

AUDIT REDUCTION AND REPORT GENERATION Control: The information system provides an audit reduction and report generation capability that: a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and

Need to address CA-7_N_01

Need to address this control in the Master SCTM:

b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;

Need to address AU-9_N_00

Need to address this control in the Master SCTM:

PROTECTION OF AUDIT INFORMATION Control: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Need to address CM-1_N_00

Need to address this control in the Master SCTM:

CONFIGURATION MANAGEMENT POLICY AND PROCEDURES Control: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Need to address AU-6_N_00

Need to address this control in the Master SCTM:

AUDIT REVIEW, ANALYSIS, AND REPORTING Control: The organization: a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and

Need to address AU-2_N_01

Need to address this control in the Master SCTM:

b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;

Need to address CA-7_N_00

Need to address this control in the Master SCTM:

CONTINUOUS MONITORING Control: The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: a. Establishment of [Assignment: organization-defined metrics] to be monitored;

Need to address CM-1_N_01

Need to address this control in the Master SCTM:

  1. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

Need to address AT-1_N_02

Need to address this control in the Master SCTM:

b. Reviews and updates the current: 1. Security awareness and training policy [Assignment: organization-defined frequency]; and

Need to address AT-2_N_00

Need to address this control in the Master SCTM:

SECURITY AWARENESS TRAINING Control: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users;

Need to address IA-5(1)_N_00

Need to address this control in the Master SCTM:

AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];

Need to address AU-6(6)_N_00

Need to address this control in the Master SCTM:

AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

Need to address IA-5(1)_N_01

Need to address this control in the Master SCTM:

(b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];

Need to address CA-9_N_00

Need to address this control in the Master SCTM:

INTERNAL SYSTEM CONNECTIONS Control: The organization: a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and

Need to address AU-3(2)_N_00

Need to address this control in the Master SCTM:

CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].

Need to address IA-2(1)_N_00

Need to address this control in the Master SCTM:

IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS The information system implements multifactor authentication for network access to privileged accounts.

Need to address CA-9_N_01

Need to address this control in the Master SCTM:

b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Need to address CA-7(1)_N_00

Need to address this control in the Master SCTM:

CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis.

Need to address IA-2(3)_N_00

Need to address this control in the Master SCTM:

IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS The information system implements multifactor authentication for local access to privileged accounts.

Need to address CA-7_N_02

Need to address this control in the Master SCTM:

c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;

Need to address CA-7_N_03

Need to address this control in the Master SCTM:

d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;

Need to address AU-5(2)_N_00

Need to address this control in the Master SCTM:

RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

Need to address AT-3_N_00

Need to address this control in the Master SCTM:

ROLE-BASED SECURITY TRAINING Control: The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigned duties;

Need to address AU-7(1)_N_00

Need to address this control in the Master SCTM:

AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].

Need to address AU-6(5)_N_00

Need to address this control in the Master SCTM:

AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNING AND MONITORING CAPABILITIES The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.

Control requirements part-breakdown is confusing

An individual control part can be numeric or alphanumeric.

Example:

  • Part 1
  • Part 1a

Currently when the controls are parsed and templated we get only alpha part numbers like:

  • Part a
  • Part b

There's no easy way to update master_sctm_parser.py to fix this. We need a new column in the spreadsheet that contains only the part's requirement, and ideally, another column with the part label.

This could probably be automated, but it might be easier to have a human do it.
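The two parsing problems raised above (parameter placeholders with no value, and part labels that collapse to plain letters) can be shown on one small pass over control text. This is an added example, not code from the openshift-compliance repo or from master_sctm_parser.py; it assumes the structure seen in the control text quoted on this page (alpha parts at top level, numeric parts nested under them, labelled "a.1"), and the sample control text is constructed from the CM-1 wording above. The "Part 1a" form mentioned in the issue is not handled.

```python
import re

# Constructed sample, shaped like the Master SCTM control text quoted in the issues.
SAMPLE_CM1 = (
    "CONFIGURATION MANAGEMENT POLICY AND PROCEDURES Control: The organization: "
    "a. Develops, documents, and disseminates to [Assignment: organization-defined "
    "personnel or roles]: 1. A configuration management policy that addresses purpose, "
    "scope, roles, and compliance; and 2. Procedures to facilitate the implementation "
    "of the configuration management policy; and b. Reviews and updates the current: "
    "1. Configuration management policy [Assignment: organization-defined frequency]; and"
)

# A part label is "a.", "(a)" or "1." standing alone between words. The lookbehind
# stops it matching the tail of a token such as "800-53." or "e.g.".
LABEL_RE = re.compile(r"(?<![A-Za-z0-9.(])(?:\(([a-z])\)|([a-z])\.|(\d+)\.)\s+")


def split_parts(control_text):
    """Return (label, requirement) pairs. Alpha parts are top level (assumed);
    numeric parts nest under the preceding alpha part as "a.1", so numeric and
    alphanumeric labels stay distinct instead of collapsing to "a", "b"."""
    matches = list(LABEL_RE.finditer(control_text))
    intro = control_text[: matches[0].start()] if matches else control_text
    parts = [("intro", intro.strip())] if intro.strip() else []
    parent = None
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(control_text)
        alpha = m.group(1) or m.group(2)
        if alpha:
            parent = label = alpha
        else:
            label = f"{parent}.{m.group(3)}" if parent else m.group(3)
        parts.append((label, control_text[m.end():end].strip()))
    return parts


def find_parameters(text):
    """Outermost [Assignment: ...] / [Selection ...] placeholders. A depth counter is
    used because a Selection can nest an Assignment inside it (see AU-6(5) above)."""
    params, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "[":
            start = i if depth == 0 else start
            depth += 1
        elif ch == "]" and depth:
            depth -= 1
            if depth == 0:
                params.append(text[start:i + 1])
    return params


def sctm_rows(control_id, control_text):
    """One row per part with the part label and requirement columns the issue asks
    for, plus the placeholders a human still has to give organization-defined values."""
    return [{"control": control_id, "part": label, "requirement": req,
             "parameters": find_parameters(req)}
            for label, req in split_parts(control_text)]
```

Rows whose `parameters` list is non-empty are exactly the cells that the "SCTM is missing parameter values" issue says need human input.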

Need to address AT-4_N_00

Need to address this control in the Master SCTM:

SECURITY TRAINING RECORDS Control: The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

Need to address AT-1_N_01

Need to address this control in the Master SCTM:

  1. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

Need to address CM-1_N_02

Need to address this control in the Master SCTM:

b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and

Need to address AT-1_N_00

Need to address this control in the Master SCTM:

SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES Control: The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

Need to address AU-5_N_00

Need to address this control in the Master SCTM:

RESPONSE TO AUDIT PROCESSING FAILURES Control: The information system: a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and

Need to address AU-9(3)_N_00

Need to address this control in the Master SCTM:

PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.
