Appendix A List of Acronyms
API |
Application Programming Interface |
BYOD |
Bring Your Own Device |
CIA |
Confidentiality Integrity Availability |
CIS |
Center for Internet Security |
CNSSI |
Committee on National Security Systems Instruction |
COBIT |
Control Objectives for Information and Related Technologies |
CRADA |
Cooperative Research And Development Agreement |
CSC |
Critical Security Controls |
CSF |
Cybersecurity Framework |
FIPS |
Federal Information Processing Standard |
FIPPS |
Fair Information Privacy Principles |
HTTP |
Hypertext Transfer Protocol |
HTTPS |
Hypertext Transfer Protocol Secure |
IDAM |
Identity and Access Management |
IEC |
International Electrotechnical Commission |
IP |
Internet Protocol |
ISA |
International Society of Automation |
ISO |
International Organization for Standardization |
IT |
Information Technology |
ITL |
Information Technology Laboratory |
MAC |
Media Access Control |
MFA |
Multi-Factor Authentication |
NCCoE |
National Cybersecurity Center of Excellence |
NIST |
National Institute of Standards and Technology |
NIST IR |
NIST Interagency or Internal Report |
PDA |
Problematic Data Action |
PII |
Personally Identifiable Information |
PIN |
Personal Identification Number |
PRAM |
Privacy Risk Assessment Methodology |
RDP |
Remote Desktop Protocol |
RMF |
Risk Management Framework |
SMS |
Short Messaging Service |
SP |
Special Publication |
URL |
Uniform Resource Locator |
USB |
Universal Serial Bus |
VDI |
Virtual Desktop Interface |
Appendix B Glossary
Access Control |
The process of granting or denying specific requests to 1) obtain and use information and related information processing services and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances). SOURCE: Federal Information Processing Standard (FIPS) 201-3 |
Adversary |
Person, group, organization, or government that conducts or has the intent to conduct detrimental activities. SOURCE: CNSSI 4009-2015 |
Asset |
A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems. SOURCE: Committee on National Security Systems Instruction (CNSSI) 4009-2015 |
Authentication |
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. SOURCE: FIPS 200 |
Authorization |
Access privileges granted to a user, program, or process or the act of granting those privileges. SOURCE: CNSSI 4009-2015 |
Breach |
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for an other than authorized purpose. SOURCE: NIST SP 800-53 Rev. 5 |
Control |
The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature. SOURCE: NIST SP 800-160 Vol. 2 Rev. 1 |
Confidentiality |
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. SOURCE: FIPS 200 |
Data |
A subset of information in an electronic format that allows it to be retrieved or transmitted. SOURCE: CNSSI 4008-2015 |
Data Action |
A system/product/service data life cycle operation, including, but not limited to collection, retention, logging, generation, transformation, use, disclosure, sharing, transmission, and disposal. SOURCE: NIST Privacy Framework Version 1.0 |
Disassociability |
Enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system. SOURCE: NISTIR 8062 |
Encrypt |
Cryptographically transform data to produce cipher text. SOURCE: CNSSI 4009-2015 |
Enterprise |
An entity of any size, complexity, or positioning within an organizational structure. SOURCE: NIST SP 800-72 |
Event |
Any observable occurrence in a network or system. SOURCE: CNSSI 4009-2015 |
Exfiltration |
The unauthorized transfer of information from an information system. SOURCE: CNSSI 4009-2015 |
Incident |
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. SOURCE: FIPS 200 |
Integrity |
Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity. SOURCE: FIPS 200 |
Key Management |
The activities involving handling of cryptographic keys and other related security parameters (e.g. passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction. SOURCE: CNSSI 4009-2015 |
Manageability |
Providing the capability for granular administration of PII including alteration, deletion, and selective disclosure. SOURCE: NISTIR 8062 |
Malware |
Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose. SOURCE: CNSSI 4009-2015 |
Mitigation |
A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities. SOURCE: NIST SP 1800-160 Vol. 2 Rev. 1 |
Multi-Factor Authentication |
Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). SOURCE: CNSSI 4009-2015 |
Phishing |
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person. SOURCE: CNSSI 4009-2015 |
Predictability |
Enabling reliable assumptions by individuals, owners, and operators about PII and its processing by a system. SOURCE: NISTIR 8062 |
Risk |
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. SOURCE: FIPS 200 |
Security Control |
The safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information. SOURCE: NIST SP 800-53 |
Security Policy |
A set of rules that governs all aspects of security-relevant system and system component behavior. SOURCE: NIST SP 800-53 Rev. 5 |
Spear Phishing |
A colloquial term that can be used to describe any highly targeted phishing attack. SOURCE: CNSSI 4009-2015 |
Threat |
Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. SOURCE: NIST SP 800-53 Rev. 5 |
Vulnerability |
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. SOURCE: FIPS 200 |
Appendix C References
W. Barker, Guideline for Identifying an Information System as a National Security System, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-59, Gaithersburg, Md., Aug. 2003, 17 pp. Available: https://doi.org/10.6028/NIST.SP.800-59.
T. McBride et al., Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-25, Gaithersburg, Md., Dec. 2020, 488 pp. Available: https://doi.org/10.6028/NIST.SP.1800-25.
T. McBride et al., Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events, National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-26, Gaithersburg, Md., Dec. 2020, 441 pp. Available: https://doi.org/10.6028/NIST.SP.1800-26.
T. McBride et al., Data Integrity: Recovering from Ransomware and Other Destructive Events, National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-11, Gaithersburg, Md., Sep. 2020, 377 pp. Available: https://doi.org/10.6028/NIST.SP.1800-11.
M. Souppaya and K. Scarfone, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-83 Revision 1, Gaithersburg, Md., July 2013, 36 pp. Available: https://doi.org/10.6028/NIST.SP.800-83r1.
M. Souppaya and K. Scarfone, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-46 Revision 2, Gaithersburg, Md., July 2016, 43 pp. Available: https://doi.org/10.6028/NIST.SP.800-46r2.
NIST. Privacy Framework. Available: https://www.nist.gov/privacy-framework.
NIST. Cybersecurity Framework. Available: http://www.nist.gov/cyberframework.
W. Barker et al., Ransomware Risk Management: A Cybersecurity Framework Profile, NIST Interagency Report 8374, Gaithersburg, Md., Feb. 2022, 23 pp. Available: https://doi.org/10.6028/NIST.IR.8374.
R. Ross et al., Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-160 Volume 2 Revision 1, Gaithersburg, Md., Dec. 2021, 309 pp. Available: https://doi.org/10.6028/NIST.SP.800-160v2r1.
Joint Task Force Transformation Initiative, Guide for Conducting Risk Assessments, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 Revision 1, Gaithersburg, Md., Sep. 2012, 83 pp. Available: https://doi.org/10.6028/NIST.SP.800-30r1.
Joint Task Force, Risk Management Framework for Information Systems and Organizations, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 2, Gaithersburg, Md., Dec. 2018, 164 pp. Available: https://doi.org/10.6028/NIST.SP.800-37r2.
NIST. Risk Management Framework. Available: https://csrc.nist.gov/projects/risk-management/about-rmf.
NIST. Privacy Risk Assessment Methodology. Available: https://www.nist.gov/privacy-framework/nist-pram.
S. Brooks et al., An Introduction to Privacy Engineering and Risk Management in Federal Systems, NIST Interagency Report 8062, Gaithersburg, Md., Jan. 2017, 41 pp. Available: https://doi.org/10.6028/NIST.IR.8062.
NIST. Catalog of Problematic Data Actions and Problems. Available: https://github.com/usnistgov/PrivacyEngCollabSpace/blob/master/tools/risk-assessment/NIST-Privacy-Risk-Assessment-Methodology-PRAM/catalog-PDAP.md
NIST Cybersecurity Center of Excellence, Mobile Device Security, Bring Your Own Device Practice Guide, NIST SP 1800-22, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-22.pdf
NIST Privacy Framework Repository, https://www.nist.gov/privacy-framework/resource-repository
Appendix D Security Control Map
The following table lists the NIST Cybersecurity Framework Functions, Categories, and Subcategories addressed by this project and maps them to relevant NIST standards, industry standards, and controls and best practices.
Table 6‑1 Security Control Map
| Cybersecurity Framework v1.1 | | | Standards & Best Practices |
|---|---|---|---|
| Function | Category | Subcategory | Informative References |
| IDENTIFY (ID) | Asset Management (ID.AM) | ID.AM-2: Software platforms and applications within the organization are inventoried | CIS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2, A.12.5.1; NIST SP 800-53 Rev. 4 CM-8, PM-5 |
| | Risk Assessment (ID.RA) | ID.RA-1: Asset vulnerabilities are identified and documented | CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04, DSS05.01, DSS05.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 |
| | | ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | CIS CSC 4; COBIT 5 BAI08.01; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4; NIST SP 800-53 Rev. 4 SI-5, PM-15, PM-16 |
| | | ID.RA-3: Threats, both internal and external, are identified and documented | CIS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 Clause 6.1.2; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16 |
| PROTECT (PR) | Identity Management, Authentication and Access Control (PR.AC) | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | CIS CSC 1, 5, 15, 16; COBIT 5 DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 Rev. 4 AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11 |
| | | PR.AC-3: Remote access is managed | CIS CSC 12; COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.1, A.6.2.2, A.11.2.6, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-1, AC-17, AC-19, AC-20, SC-15 |
| | | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | CIS CSC 3, 5, 12, 14, 15, 16, 18; COBIT 5 DSS05.04; ISA 62443-2-1:2009 4.3.3.7.3; ISA 62443-3-3:2013 SR 2.1; ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5; NIST SP 800-53 Rev. 4 AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24 |
| | | PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation) | CIS CSC 9, 14, 15, 18; COBIT 5 DSS01.05, DSS05.02; ISA 62443-2-1:2009 4.3.3.4; ISA 62443-3-3:2013 SR 3.1, SR 3.8; ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 AC-4, AC-10, SC-7 |
| | | PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | CIS CSC 1, 12, 15, 16; COBIT 5 DSS05.04, DSS05.10, DSS06.10; ISA 62443-2-1:2009 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9 |
| | Data Security (PR.DS) | PR.DS-1: Data-at-rest is protected | CIS CSC 13, 14; COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS06.06; ISA 62443-3-3:2013 SR 3.4, SR 4.1; ISO/IEC 27001:2013 A.8.2.3; NIST SP 800-53 Rev. 4 MP-8, SC-12, SC-28 |
| | | PR.DS-2: Data-in-transit is protected | CIS CSC 13, 14; COBIT 5 APO01.06, DSS05.02, DSS06.06; ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 SC-8, SC-11, SC-12 |
| | | PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | CIS CSC 1; COBIT 5 BAI09.03; ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1; ISA 62443-3-3:2013 SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.5, A.11.2.7; NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16 |
| | Information Protection Processes and Procedures (PR.IP) | PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | CIS CSC 10; COBIT 5 APO13.01, DSS01.01, DSS04.07; ISA 62443-2-1:2009 4.3.4.3.9; ISA 62443-3-3:2013 SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3; NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9 |
| | Protective Technology (PR.PT) | PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | CIS CSC 1, 3, 5, 6, 14, 15, 16; COBIT 5 APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01; ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12; ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; NIST SP 800-53 Rev. 4 AU Family |
Appendix E Privacy Control Map
The following table lists the NIST Privacy Framework Functions, Categories, and Subcategories addressed by this project and maps them to relevant NIST standards, industry standards, and controls and best practices.
NOTE: The International Organization for Standardization (ISO) standard 27701 references were not mapped by NIST, but by an external organization. They are available at the NIST Privacy Framework Repository [B18] and provided here for convenience. The Fair Information Privacy Principles (FIPPS) references are provided to aid understanding of the Privacy Control Map.
Table 6‑2 Privacy Control Map
| Privacy Framework 1.0 | | | Standards and Best Practices |
|---|---|---|---|
| Function | Category | Subcategory | Informative References |
| IDENTIFY-P (ID-P): Develop the organizational understanding to manage privacy risk for individuals arising from data processing. | Inventory and Mapping (ID.IM-P): Data processing by systems, products, or services is understood and informs the management of privacy risk. | ID.IM-P1: Systems/products/services that process data are inventoried. | FIPPS 7: Purpose Specification/Use Limitation; NIST SP 800-37 Rev. 2: Task P-10; NIST SP 800-53 Rev. 5: CM-8 (10), CM-12, CM-13, PM-5; NIST IR 8062; NIST PRAM: Worksheet 2; ISO/IEC 27701:2019 7.2.8, 8.2.6 |
| CONTROL-P (CT-P): Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks. | Data Processing Management (CT.DM-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization). | CT.DM-P8: Audit/log records are determined, documented, and reviewed in accordance with policy and incorporating the principle of data minimization. | FIPPS 4: Minimization; NIST SP 800-53 Rev. 5: AU-1, AU-2, AU-3, AU-6, AU-7, AU-12, AU-13, AU-14, AU-16; NIST IR 8062; ISO/IEC 27701:2019 6.9.4.1, 6.9.4.2, 6.15.1.3 |
| | Disassociated Processing (CT.DP-P): Data processing solutions increase disassociability consistent with the organization’s risk strategy to protect individuals’ privacy and enable implementation of privacy principles (e.g., data minimization). | CT.DP-P2: Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization). | FIPPS 7: Purpose Specification/Use Limitation; NIST SP 800-53 Rev. 5: AC-23, AU-3(3), IA-4(8), PE-8(3), SA-8(33), SI-12(1), SI-12(2), SI-19; NIST SP 800-63-3; NIST SP 800-188 (draft); NIST IR 8053; NIST IR 8062; ISO/IEC 27701:2019 7.4.2, 7.4.4 |
| | Data Processing Awareness (CM.AW-P): Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization’s risk strategy to protect individuals’ privacy. | CM.AW-P3: System/product/service design enables data processing visibility. | FIPPS 7: Purpose Specification/Use Limitation; NIST SP 800-53 Rev. 5: PL-8, PT-5(1), SA-17, SC-42(4); NIST IR 8062; ISO/IEC 27701:2019 7.3.2, 7.3.3, 8.3.1 |
| PROTECT-P (PR-P): Develop and Implement appropriate data processing safeguards. | Data Protection Policies, Processes, and Procedures (PR.PO-P): Security and privacy policies (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data. | PR.PO-P4: Policy and regulations regarding the physical operating environment for organizational assets are met. | FIPPS 5: Quality and Integrity; FIPPS 7: Purpose Specification/Use Limitation; NIST SP 800-53 Rev. 5: PE-1; ISO/IEC 27701:2019 All of 6.8 |
| | Identity Management, Authentication, and Access Control (PR.AC-P): Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access. | PR.AC-P1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices. | FIPPS 8: Security; NIST SP 800-53 Rev. 5: IA-1, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, IA-10, IA-11, IA-12; NIST SP 800-63-3; ISO/IEC 27701:2019 6.6.2.1, 6.6.2.2, 6.6.4.2 |
| | | PR.AC-P3: Remote access is managed. | FIPPS 8: Security; FIPS Publication 199; NIST SP 800-46 Rev. 2; NIST SP 800-53 Rev. 5: AC-1, AC-17, AC-19, AC-20, SC-15; NIST SP 800-77; NIST SP 800-113; NIST SP 800-114 Rev. 1; NIST SP 800-121 Rev. 2; ISO/IEC 27701:2019 6.6.2.1, 6.6.2.2 |
| | | PR.AC-P4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. | FIPPS 8: Security; NIST SP 800-53 Rev. 5: AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24; NIST SP 800-162 |
| | | PR.AC-P5: Network integrity is protected (e.g., network segregation, network segmentation). | FIPPS 8: Security; NIST SP 800-53 Rev. 5: AC-4, AC-10, SC-7, SC-10, SC-20 |
| | | PR.AC-P6: Individuals and devices are proofed and bound to credentials and authenticated commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). | FIPPS 8: Security; NIST SP 800-53 Rev. 5: AC-14, AC-16, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11, IA-12, PE-2, PS-3; NIST SP 800-63-3 |
| | Data Security (PR.DS-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability. | PR.DS-P1: Data-at-rest are protected. | FIPPS 8: Security; NIST SP 800-53 Rev. 5: MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, MP-8, SC-28; NIST SP 800-175B |
| | | PR.DS-P2: Data-in-transit are protected. | FIPPS 8: Security; NIST SP 800-53 Rev. 5: SC-8, SC-11; NIST SP 800-175B |
| | | PR.DS-P3: Systems/products/services and associated data are formally managed throughout removal, transfers, and disposition. | FIPPS 8: Security; NIST SP 800-53 Rev. 5: CM-8, MP-6, PE-16, PE-20 |