Information Systems Security Checklist


This document was obtained from the Internet by AuditNet® using
advanced search techniques. The document is from a site which has
not identified restrictions on permitted use and is sharing this
information for the benefit of the audit community. However, while
we have attempted to provide accurate information, no representation
is made or warranty given as to the completeness or accuracy of the
document. In particular, you should be aware that the document
may be incomplete, may contain errors, or may have become out
of date.

While every reasonable precaution has been taken in the
preparation of this document, neither the author nor AuditNet®
assumes responsibility for errors or omissions, or for damages
resulting from the use of the information contained herein. The
information contained in this document is believed to be accurate.
However, no guarantee is provided. Use this information at your
own risk.
Audit Program Licensing Terms
1. You accept that this product is intended for your use (individual
subscription) or your group (multi-user subscription), and you will not
duplicate in any form or manner, electronic or otherwise, copies of this
product nor distribute this product to anyone else. Licensee shall not
knowingly permit anyone other than Authorized Users to use the
Licensed Materials.
2. Licensee may not use the Licensed Materials for commercial
purposes, including but not limited to the sale of the Licensed Materials
or bulk reproduction or distribution of the Licensed Materials in any
form.
3. You recognize that the product and its content are the sole
property of AuditNet® (the Publisher), and that we have copyrighted the
product.
4. You agree that the Publisher is not responsible for any interruption
of service or malfunction that is a consequence of the Internet, a
service provider, personal computer, browser or other software or
hardware components. You accept that there is no guarantee that this
product is totally error free. You further understand and accept that the
Publisher intends to provide reliable information but does not guarantee
the accuracy or completeness of any information, and is not responsible
for any results obtained from the use of such information.
5. This license is effective until terminated, when the license or
subscription period ends without renewal, or when you destroy this
product and any related documentation. The Publisher may terminate
your license without notice if you fail to comply with the conditions set
forth in this agreement, and may pursue any other legal recourse.
NISPOM Checklist

NISPOM Chapter 8 – Check List


Based on NISPOM Chapter 8 Requirements.
Check List Compiled By: Darren Bennett (dbennett@cyberintel.com) and Joe Keegan (joe_jjk3@hotmail.com)
Assessor Name: Assessment Date:

Reference Objective and Security Test Results


Checklist Standard Sub-Section Confirmation Question Findings Compliance Y/N

Section 1. Responsibilities and Duties

1.100. 8.100. General


1.101a 8.101a Responsibilities Establishment of a line of authority for training,
For CSA oversight, program review, certification, and
accreditation of IS used by contractors for the
processing of classified information
1.101a2 8.101a-2 Responsibilities The CSA conducted a risk management evaluation
For CSA based on the contractor's facility, the classification, and
sensitivity of the information processed
1.101b 8.101b Responsibilities An IS Security Policy addressing the classified
For CSA processing environment has been published and
promulgated
1.101b2 8.101b2 Responsibilities An IS Security Manager (ISSM) has been appointed
For CSA with oversight responsibility for the development,
implementation, and evaluation of the facility's
IS security program
1.101b3 8.101b3 Contractor management is certain that the ISSM is
trained to a level commensurate with the complexity of
the facility's IS
1.102. 8.102. Designated The CSA has been Designated Accrediting/Approving
Accrediting/ authority (DAA)
Approval
Authority
1.103. 8.103. IS Security The ISSM has read and understands the
Manager (ISSM) responsibilities as per Section 8.103 of the NISPOM
Responsibilities chapter 8
1.104. 8.104. Information The ISSO(s) has/have read and understand the
System responsibilities as per Section 8.104 of the NISPOM
Security chapter 8
Officer(s)
(ISSO)
1.105. 8.105. Users of IS Privileged and general users of the IS have read and
understand the responsibilities as per Section 8.105 of
the NISPOM chapter 8
Section 2. Certification and Accreditation

2.100. 8.200. Overview


2.101. 8.201. Certification
Process
2.102. 8.202. Accreditation

Section 3. Common Requirements

3.100. 8.300. Introduction


3.101. 8.301. Clearing
and Sanitization
3.101a. 8.301a. Clearing Prior to re-use of media in an area that has
an acceptable level of protection for the data, has
all data on the media been eradicated?
Including Memory, Buffers and reusable memory
To prevent access to previously stored information.
3.101b. 8.301b. Sanitization Prior to release of media to an area that does not
have an acceptable level of protection for the data,
has all data on the media been removed?
(i.e. Release from classified information controls
or release to a lower classification level)
3.102. 8.302. Examination of
Hardware and
Software
3.102a. 8.302a. IS Software Has all commercially procured software been tested
to ensure the software contains no obvious features
that might be detrimental to the security of the IS?
Has Security-related software been tested to verify
that the security features function as specified?
3.102b. 8.302b. IS Hardware Has the hardware been examined to determine that
it is in good working order and has no elements
that might be detrimental to the secure operation of
the IS when under facility control and cognizance?
(Changes and developments that affect security
may require re-examination)
3.103. 8.303. Identification and
Authentication
Management
3.103a. 8.303a. Unique Is each user uniquely identified and is that identity
Identification associated with all auditable actions taken by
that individual?


3.103b. 8.303b. Authentication Is each user required to authenticate their identity
at Login at login by using an authenticator (i.e. password) as
well as their user id before executing any application
or utility on the system?
3.103c. 8.303c. Applicability of Is it possible to waive the requirement for
Logon Logon Authentication (are all of the following
Authentication statements true?)

*The workstation does not have a permanent internal
hard drive, and the removable hard drive and other
associated storage media are stored in an approved
security container when not in use

*All of the users with access to the workstation and the
security container/removable media have the required
clearance level and need-to-know for all of the data
processed on the workstation

*The workstation is located within an approved security
area, and all uncleared/lower-cleared personnel are
escorted within the area.
3.103d. 8.303d. Access to Has access to authentication data been restricted to
Authentication authorized personnel through the use of encryption or
Data file access controls, or both?
3.103e. 8.303e. User ID Reuse Have all previous access authorizations (including file
accesses for that user ID) been removed prior to
reuse of any user ID's? (If applicable)
3.103f. 8.303f. User ID Removal Have users that have terminated employment,
lost access to the system for cause, or no longer
have reason to access the IS had their user ID and
its authentication disabled or removed from the system?
3.103g. 8.303g. User ID User IDs are revalidated annually (or more frequently)
Revalidation
3.103h. 8.303h. Protection of Authenticators in the form of knowledge
Individual (password) or possession (smart card, keys) are not
Authenticator shared with anyone.
3.103i. 8.303i. Protection of Are all of the following requirements met when using
Individual passwords as authenticators?
Passwords
(1) Passwords shall be protected at a level
commensurate with the sensitivity level or classification
level and classification category of the information to
which they allow access.
(2) Passwords shall contain a minimum of eight
non-blank characters, shall be valid for no longer than
12 months and changed when compromised.
(3) Passwords shall be generated by a method
approved by the CSA. Password acceptability shall be
based on the method of generation, the length of the
password, password structure, and the size of the
password space. The password generation method, the
length of the password, and the size of the password
space shall be described in an attachment to the SSP.
(4) When an IS cannot prevent a password from being
echoed (e.g., in a half-duplex connection), an overprint
mask shall be printed before the password is entered to
conceal the typed password.
(5) User software, including operating system and other
security-relevant software, comes with a few standard
authenticators (e.g., SYSTEM, TEST, and MASTER)
and passwords already enrolled in the system. The
ISSO shall ensure that the passwords for all standard
authenticators are changed before allowing the general
user population access to the IS. The ISSO shall also
ensure that these passwords are changed after a new
system version is installed or after other action is taken
that might result in the restoration of these standard
passwords.
3.104. 8.304. Maintenance
3.104a. 8.304a. Cleared Have all maintenance personnel been cleared to the
Maintenance highest classification level on the system and
Personnel been indoctrinated for all information processed on the
system?
When possible, will an appropriately cleared and
technically knowledgeable, facility employee be present
within the area where the maintenance is being
performed to ensure that security procedures are being
followed?
3.104b. 8.304b. Uncleared (or Are the following procedures followed when allowing
Lower-Cleared) access to the system by uncleared or lower-cleared
Maintenance maintenance personnel?
Personnel
(1) an appropriately cleared and technically qualified
escort monitors and records the maintenance person's
activities in a maintenance log. Uncleared maintenance
personnel must be U.S. citizens.
(2) System initiation and termination shall be performed
by the escort. In addition, keystroke monitoring shall be
performed during access to the system
(3) Prior to maintenance, the IS shall be completely
cleared and all non-volatile data storage media shall be
removed or physically disconnected and secured.
When a system cannot be cleared, procedures, which
are identified in the SSP, shall be enforced to deny the
maintenance personnel visual and electronic access to


any classified data contained on the system.


3.105. 8.305. Malicious Code
Have policies and procedures to detect and deter
incidents caused by malicious code, such as viruses or
unauthorized modification to software, been
implemented?

Are all files checked for viruses before being introduced
on the IS and checked for other malicious code as
feasible?

Is the use of personal or public domain software
strongly discouraged? Each installation of such
software must be approved by the ISSM.
3.106. 8.306. Marking Hardware,
Output, and
Media
3.106a. 8.306a. Hardware Do all components of the IS, including input/output
Components devices that have the potential for retaining information,
terminals, stand-alone microprocessors, or word
processors used as terminals, bear a
conspicuous, external label that states the highest
classification level and most restrictive classification
category of the information accessible to the
component in the IS?
(If the CSA requires that labels be color coded to
indicate classification level they shall be orange for
Top Secret, red for Secret, blue for Confidential, and
green for unclassified.)
3.106b. 8.306b. Hard Copy Output Have methods been established for hard copy output
and Removable (paper, fiche, film, and other printed media) and
Media removable media to be marked with visible,
human-readable, external markings to the accreditation
level of the IS unless an appropriate classification
review has been conducted or in the case of media, the
information has been generated by a tested program
verified to produce consistent results and approved by
the CSA. Such programs will be tested on a statistical
basis to ensure continuing performance.
3.106c. 8.306c. Unclassified Is all unclassified media in the CSA-approved areas
Media marked as unclassified?
3.107. 8.307. Personnel
Security
For all personnel with system access, are system
security policies; and maintaining and monitoring the
confidentiality, integrity, and availability attributes that
are inherent within their IS. Duties, responsibilities,
privileges, and specific limitations of IS users, both
general and privileged, been specified in writing?

Are security duties distributed to preclude any one
individual from adversely affecting operations or the
integrity of the system?
3.108. 8.308. Physical
Security
3.108a. 8.308a. Safeguards Have safeguards been established that prevent or
detect unauthorized access to the IS and unauthorized
modification of the IS hardware and software? Hardware
integrity of the IS, including remote equipment, shall be
maintained at all times, even when all classified
information has been removed from the IS.
3.108b. 8.308b. Classified All classified processing takes place in a
Processing CSA-Approved area.
3.108c. 8.308c. Visual Access Are all devices that display or output information in
human-readable form positioned to prevent
unauthorized individuals from reading the information?
3.108d. 8.308d. Unescorted Do all personnel granted unescorted access to the
Access area containing the IS have an appropriate security
clearance?
3.109. 8.309. Protection of
Media
Has/Will media be protected to the level of
accreditation until an appropriate classification review
has been conducted?
3.110. 8.310. Review of
Output and Media
3.110a. 8.310a. Human readable An appropriate sensitivity and classification review shall
output review be performed on human-readable output before the
output is released outside the security boundary to
determine whether it is accurately marked with the
appropriate classification and applicable associated
security markings.
3.110b. 8.310b. Media Review Electronic output, such as files, to be released outside
the security boundary shall be verified by a
comprehensive review (in human-readable form) of all
data on the media including embedded text (e.g.,
headers and footer) before being released. Information
on media that is not in human-readable form (e.g.,
embedded graphs, sound, video, etc.) will be examined
for content using the appropriate software application.
CSA-approved random or representative sampling
techniques may be used to verify the proper marking of
large volumes of output.
3.111. 8.311. Configuration
Management


3.111a. 8.311a. Configuration Have processes been implemented to identify and
Documentation document the type, model and brand of system or
network component (e.g., workstation, personal
computer, or router), security-relevant software product
names and version or release numbers, and physical
location?
3.111b. 8.311b. System Have procedures been implemented to identify and
Connectivity document system connectivity, including any software
used for wireless communication, and any
communications media?
3.111c. 8.311c. Connection Is the sensitivity level of each connection or port
Sensitivity controlled by the Security Support Structure (SSS)
documented?
3.111d. 8.311d. CM Plan Has the facility CM program been documented in
a CM plan that includes the following?

(1) Formal change control procedures to ensure the
review and approval of security-relevant hardware and
software.
(2) Procedures for management of all documentation,
such as the SSP and security test plans, used to
ensure system security.
(3) Workable processes to implement, periodically test,
and verify the CM plan.
(4) A verification process to provide additional
assurance that the CM process is working effectively
and that changes outside the CM process are
technically or procedurally not permitted.
Section 4. Protection Measures

4.100. 8.400. Protection
Profiles (intro)

4.101. 8.401. Level of Concern

4.101a. 8.401a. Information Have the information sensitivity matrices (tables
Sensitivity 1, 2, and 3 in Section 4 of the NISPOM Chapter 8)
Matrices been used to establish the appropriate protection
levels for confidentiality, and the level of concern for
integrity, and availability?
(if contractually mandated)

(1) Has a determination of high, medium, or basic
been made for each of the three attributes:
confidentiality, integrity, and availability? It is not
necessary for the level of concern to be the same for all
attributes of the system.
(2) Has the highest level of concern for each category
been used when multiple applications on a system
result in different levels of concern for the categories of
confidentiality, integrity, and availability?
4.101b. 8.401b. Confidentiality What is the established Confidentiality Level of
Level of Concern Concern? ________________

In considering confidentiality, the principal question is
the necessity for supporting the classification levels
and the categories of information (e.g., Secret National
Security Information) on the system in question. The
Protection Level Table for Confidentiality (Table 4)
combines the processing environment with the level of
concern for confidentiality to provide a Protection Level.
The Protection Level is then applied to Table 5 to
provide a set of graded requirements to protect the
confidentiality of the information on the system.
4.101c. 8.401c. Integrity What is the established Integrity Level of
Level of Concern Concern? ________________

In considering integrity, the principal question is the
necessity for maintaining the integrity of the information
on the system in question.

4.101d. 8.401d. Availability What is the established Availability Level of
Level of Concern Concern? ________________

In considering availability, the principal consideration is
the need for the information on the system in question
to be available in a fixed time frame to accomplish a
mission.
4.102. 8.402. Protection Level

(Determined by the relationship between two
parameters: first, the clearance levels, formal access
approvals, and need-to-know of users; and second, the
level of concern based on the classification of the data
on a particular system.)

4.102a. 8.402a. Protection Do all users have all required approvals for access to
Level 1 all information on the system?
(all users must have all required clearances, formal
access approvals, and the need-to-know for all
information on the IS, i.e. dedicated mode.)

4.102b. 8.402b. Protection Do all users have all required clearances, and all
Level 2 required formal access approvals, but at least one user


lacks the need-to-know for some of the information on
the system? (i.e. a system high mode.)

4.102c. 8.402c. Protection Do all users have all required clearances, but at least
Level 3 one user lacks formal access approval for some of the
information on the system? (i.e. compartmented mode.)

4.102. 8.402. Appropriate What is the established Protection Level for the
Protection Level system? (based on the criteria above) ________________

4.103. 8.403. Protection
Profiles
The tables listed in section 8-403 of the NISPOM
chapter 8 represent Protection Profiles. Use these
tables to assist in determining the Level of Concern
and Protection Level of each system.
Section 5. Special Categories

5.100. 8.500. Overview


5.101. 8.501. Single-User,
Stand-alone
Is the system a single-user, stand-alone system?
Has the CSA approved administrative and
environmental protection measures for the system in
lieu of technical ones?

What are the specific administrative/environmental
measures that have been specified?
(or where are they defined)

(Systems that have one user at a time, are sanitized
between users and periods of different
classification/sensitivity, are periods processing
systems as covered below)
5.102. 8.502. Periods
Processing
5.102a. 8.502a. Periods Will the system be used for Periods Processing?
Processing (Periods processing provides the capability to either
have more than one user or group of users
(sequentially) on a single-user IS who do not have the
same need-to-know or who are authorized to access
different levels of information; or use an IS at more than
one protection level (sequentially).)
5.102b. 8.502b. Sanitization What specific sanitization procedures will be employed
after use. by each user before and after each use of the system?
5.102c. 8.502c. Sanitization What procedures for sanitization of all information
Between before transitioning from one period to the next
Periods (e.g., whenever there will be a new user(s) who does
not have an access authorization or need-to-know for
data processed during the previous period, changing
from one protection level to another) have been
established?
5.102d 8.502d. Media For Is there separate media for each period of processing?
Each Period Including copies of operating systems, utilities, and
applications software?
5.102e. 8.502e. Audit If there are multiple users of the system and the
system is not capable of automated logging, has the
CSA required manual logging?
(Audit trails are not required for single-user stand-alone
systems)
5.103. 8.503. Pure
Servers
5.103a. 8.503a. Specialized Specialized systems acting as pure servers in a
Systems network that do not fit the protection level criteria
may need fewer technical security countermeasures.

5.103b. 8.503b. The Does the system meet PL-3 security
Platform requirements? (minimum)
Are all users who use the guard/server application
limited to specific capabilities?
Does the guard application/server provide more
stringent technical protections appropriate for the
system's protection level and operational environment?
Are assurances appropriate to the level of concern
for the system implemented?
5.103c. 8.503c. Understanding Is it understood that a system with general users or
what is NOT that executes general user code are NOT “pure
a “Pure Server” servers”? (and must therefore meet all security
requirements specified for their protection level
and operational environment)
5.103d. 8.503d. The Is it understood that a system may be considered
Term “Pure a “pure server” even though it may not resemble
Server” what has been traditionally referred to as a server?
(i.e. a messaging system on a general purpose
computer platform could be accredited under this
section if it meets the requirements in 8.503b (above))
5.103e. 8.503e. Understanding Is it understood that the above mentioned technical
that these security requirements that have been eased do not
exceptions do imply any relaxation in other security requirements?
not imply (i.e. physical and communications requirements)
relaxation of Is it also understood that this easing of technical
other security requirements is predicated upon adequate application
requirements of physical security and other appropriate security
disciplines?


5.104. 8.504. Tactical, Has the CSA determined that this system is sufficiently
Embedded, incapable of alteration, and that the application(s)
Data-Acquisition, running on the system provide an adequate level of
and Special- security? (If so, the system does not have to meet
Purpose additional security requirements specified for
Systems more-general-purpose systems in this section)
5.105. 8.505. Systems with Provided that the system includes an acceptable level
Group of individual accountability, shall group authenticators
Authenticators be used for broader access after the use of a unique
authenticator for initial authentication and will this be
documented in the SSP? (Group authenticators may
not be shared with anyone outside the group)
Section 6. Protection Requirements

6.100. 8.600. Introduction


Alternate Power Have the power requirements for each of the systems been
6.101. 8.601. Source (Power) determined? (None, Power 1 or Power 2)
Power 1 Have procedures to gracefully shutdown systems without the
6.101a. 8.601a. Requirements loss of data been developed and tested?
has this decision been documented?
Power 2 Have the time requirements to transfer the system to another
6.101b. 8.601b. Requirements power source for the hosted applications been documented?
within the required time been developed and tested?
6.102. 8.602. Audit Capability determined? (Audit 1, Audit2, Audit3 or Audit 4)
Audit 1
6.102a. 8.602a. Requirements Has the system been configured to create and maintain an
Automated Audit audit trail or log that includes the information located in Section
6.102a1. 8.602a1. Trail Creation 8.602.1a-1f of NISPOM Chapter 8?
activities?
Audit Trail Have the contents of the audit trails been protected against
6.102a2. 8.602a2. Protection unauthorized access, modification, or deletion?
Audit Trail Is analysis of the audit trail performed at least weekly? Are
6.102a3. 8.602a3. Analysis relevant events from that analysis documented and reported?
System Security Plan (SSP)?
Audit Record Are audit records retained for at least one review cycle or as
6.102a4. 8.602a4. Retention required by the CSA?
Audit 2
6.102b. 8.602b. Requirements Is the system in compliance with the audit 1 requirements?
Individual Is periodic testing of individual accountability mechanisms
6.102b1. 8.602b1. Accountability conducted by the ISSO or ISSM?
Audit 3
6.102c. 8.602c. Requirements Is the system in compliance with the audit 2 requirements?
Automated Audit Is audit analysis and reporting scheduled and performed by
6.102c1. 8.602c1. Analysis automated tools?
Audit 4
6.102d. 8.602d. Requirements Is the system in compliance with the audit 3 requirements?
6.102d1. 8.602d1. user formal access permission?
Backup and
Restoration of Have the backup and recovery requirements for each of the
6.103. 8.603. Data (Backup) systems been determined? (backup 1, backup 2, backup 3)
Backup 1
6.103a. 8.603a. Requirements security-relevant information, including software tables and
Backup settings, such as router tables, software, and documentation,
6.103a1. 8.603a1. Procedures been documented?
Has the frequency of backups been defined by the ISSM, with
Backup the assistance of the GCA, and documented in the backup
6.103a2. 8.603a2. Frequency procedures?
Backup 2
6.103b. 8.603b. Requirements Is the system compliant with backup 1 requirements?
Backup Media Is media containing backup files and backup documentation
6.103b1. 8.603b1. Storage stored at another location?
Verification of
Backup
6.103b2. 8.603b2. Procedures Is periodic verification of backup procedures performed?
Backup 3
6.103c. 8.603c. Requirements Is the system compliant with backup 2 requirements?
Information
Restoration Is incremental and complete restoration of information from
6.103c1. 8.603c1. Testing backup media tested on an annual basis?
Changes to Data Have the integrity requirements for each of the systems been
6.104. 8.604. (Integrity) determined? (none, integrity 1 and integrity 2)
Integrity 1
6.104a. 8.604a. Requirements implemented to ensure that changes to the data and IS
Change software are executed only by authorized personnel or
6.104a1. 8.604a1. Procedures processes?
Integrity 2
6.104b. 8.604b. Requirements Is the system compliant with integrity 1 requirements?
6.104b1. 8.604b1. Transaction Log changes at all times?
Data
Transmission
6.105. 8.605. (Trans) access to the information may have un-escorted physical or
Trans 1 uncontrolled electronic access to the information or
6.105a. 8.605a. Requirements communications media (e.g., outside the system perimeter)?
Access Controls Have the access requirements for each of the systems been
6.106. 8.606. (Access) determined? (access 1, access 2, access 3)
Access 1
6.106a. 8.606a. Requirements
6.106a1. 8.606a1. Physical Access authorized personnel?
Access 2
6.106b. 8.606b. Requirements Is the system compliant with the access 1 requirements?
Discretionary Have discretionary access controls been implemented on the
6.106b1. 8.606b1. Access Controls system?
mechanisms?
Access 3
6.106c. 8.606c. Requirements Is the system compliant with the access 2 requirements?


6.106c1. 8.606c1. access approvals granted to another user?


6.106c2. 8.606c2. level of data?
Identification and
Authentication Have the I&A requirements for each of the systems been
6.107. 8.607. (I&A) determined? (I&A 1, I&A 2, I&A3, I&A 4 and I&A5)
I&A 1 Are there procedures that include provisions for uniquely
6.107a. 8.607a. Requirements identifying and authenticating the users?
I&A 2
6.107b. 8.607b. Requirements Is the system compliant with the I&A 1 requirements?
6.107b1. 8.607b1. Unique Identifiers auditable actions taken by the user?
Authenticators 8.607.b1 documented in the SSP?
I&A 3
6.107c. 8.607c. Requirements Is the system compliant with the I&A 2 requirements?
6.107c1. 8.607c1. attack)?
automated tools to validate that the passwords are sufficiently
I&A 4 strong to resist cracking and other attacks intended to discover
6.107d. 8.607d. Requirements the user's password?
I&A 5 If users are remotely accessing the IS, is a strong
6.107e. 8.607e. Requirements authentication mechanism required?

Resource Control Have the ResrcCtrl requirements for each system been
6.108. 8.608. (ResrcCtrl) determined? (None or ResrcCtrl 1)
6.108. 8.608. ResrcCtrl 1 reallocated.

Session Controls Have the SessCtrl requirements for each system been
6.109. 8.609. (SessCtrl) determined? (SessCtrl 1 or SessCtrl 2)
SessCtrl 1
6.109a. 8.609a. Requirements
6.109a1. 8.609a1. User Notification prohibited and subject to criminal and civil penalties?
developed and approved by the CSA used?
Successive Logon Are successive logon attempts controlled as specified in section
6.109a2. 8.609a2. Attempts 8.609a2 ?
6.109a3. 8.609a3. System Entry conditions associated with the authenticated user’s profile?
anonymous file access?
SessCtrl 2
6.109b. 8.609b. Requirements Is the system compliant with the SessCtrl 1 requirements?
account, does the IS provide a protected capability to control
Multiple Login the number of logon sessions for each user ID, account, or
6.109b1. 8.609b1. Control specific port of entry?
Does the IS default to a single logon session?
6.109b2. 8.609b2. User Inactivity authenticator?
documented in the SSP?
of the user’s last logon; the location of the user at last logon;
and the number of unsuccessful logon attempts using this user
6.109b3. 8.609b3. Logon Notification ID since the last successful logon?
from the screen?
Security
Documentation
6.110. 8.610. (Doc)
Doc 1
6.110a. 8.610a. Requirements
6.110a1. 8.610a1. SSP of the responsible system owner, CSA, ISSM, and ISSO?
protocols?
formal access approval and need-to-know of IS users?
availability level of concern?
being met?
documentation shall be attached to the SSP?
vulnerabilities described?
connections to other systems, and an information flow diagram.
with other agencies?
criteria, and security requirements?
including risk assessment?
frequency of such testing?
the ISSM?
package and provide accreditation documentation?
Separation of
Function
Requirements If the system is Protection Level 3, are the functions of ISSO
6.111. 8.611. (Separation) and system manager performed by separate people?
System Recovery
6.112. 8.612. (SR)
SR 1 Are procedures and IS features implemented to ensure that IS
6.112a. 8.612a. Requirements recovery is done in a controlled manner?
System
Assurance Have the SysAssur requirements for each system been
6.113. 8.613. (SysAssur) determined? (SysAssur1, SysAssur 2 or SysAssur 3)
SysAssur 1
6.113a. 8.613a. Requirements
Access to
Protection Is access to hardware/software/firmware that perform systems
6.113a1. 8.613a1. Functions or security functions limited to authorized personnel?
SysAssur 2
6.113b. 8.613b. Requirements Is the system compliant with the SysAssur 2 requirements?
Protection Are the protections and provisions of the SysAssur
6.113b1. 8.613b1. Documentation documented?
Periodic Do features and procedures exist to periodically validate the
Validation of correct operation of the hardware, firmware, and software
6.113b2. 8.613b2. SysAssur elements of the SSS and are documented in the SSP?
SysAssur 3
6.113c. 8.613c. Requirements Is the system compliant with the SysAssur 3 requirements?
6.113c1. 8.613c1. SSS Isolation reading or modifying its code and data structures)?
Security Testing Have the test requirements for each system been determined?
6.114. 8.614. (Test) (Test 1, Test 2 or Test 3)
accordance with the approved SSP and that the security
Test 1 features, including access controls and configuration
6.114a. 8.614a. Requirements management, are implemented and operational?
Test 2
6.114b. 8.614b. Requirements Is the system compliant with the Test 1 requirements?
6.114b1. 8.614b1. operational?

NISPOM Checklist

Test 3
6.114c. 8.614c. Requirements Is the system compliant with the Test 2 requirements?
6.114c1. 8.614c1. Protection Level are functional?
ISSM develop a plan that identifies the facility's mission
essential applications and information, procedures for the
Disaster Recovery backup of all essential information and software on a regular
6.115. 8.615. Planning basis, and testing procedures?
Section 7. Interconnected Systems

Interconnected
Systems
7.100. 8.700. Management
7.100a. 8.700a. connected network requires a higher protection level?
7.100c. 8.700c. unit?
7.100d. 8.700d. requirements defined in section 8.700d1 – 8.700d3?
7.100e. 8.700e. 8.700e1 – 8.700e3?
Controlled
Interface
7.101. 8.701. Functions
Controlled
Interface
7.102. 8.702. Requirements
Adjudicated Does the CI monitor and enforce the protection requirements of
7.102a. 8.702a. Differences the network and adjudicate the differences in security policies?
Does the CI base its routing decisions on information that is
7.102b. 8.702b. Routing Decisions supplied or alterable only by the SSS?
Restrictive
Protection Does the CI support the protection requirements of the most
7.102c. 8.702c. Requirements restrictive of the attached networks or IS?
7.102d. 8.702d. User Code Is user code prohibited from running on the CI?
7.102e. 8.702e. Fail-Secure exposure to loss of integrity or availability?
Communication Does the CI ensure that communication policies and
7.102f. 8.702f. Limits connections that are not explicitly permitted are prohibited?
Only Privileged Do only privileged users, such as systems admins, have access
7.102g. 8.702g. Users to the CI?
Has each CI been tested and evaluated to ensure that the CI,
Assurances for as implemented, can provide the separation required for the
7.103. 8.703. CI's system’s protection level?


Is this ok as is?
