framework-mcp 1.3.6 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. package/.claude/agents/mcp-developer.md +41 -0
  2. package/.claude/agents/project-orchestrator.md +43 -0
  3. package/.claude/agents/version-consistency-reviewer.md +50 -0
  4. package/COPILOT_INTEGRATION.md +49 -62
  5. package/DEPLOYMENT_GUIDE.md +48 -49
  6. package/MCP_INTEGRATION_GUIDE.md +96 -129
  7. package/MIGRATION_GUIDE_v1.4.0.md +190 -0
  8. package/README.md +149 -173
  9. package/RELEASE_NOTES_v1.3.7.md +275 -0
  10. package/RELEASE_NOTES_v1.4.0.md +178 -0
  11. package/SAFEGUARDS_VERIFICATION_LOG.md +157 -0
  12. package/dist/core/safeguard-manager.d.ts.map +1 -1
  13. package/dist/core/safeguard-manager.js +747 -1191
  14. package/dist/core/safeguard-manager.js.map +1 -1
  15. package/dist/index.d.ts +0 -1
  16. package/dist/index.d.ts.map +1 -1
  17. package/dist/index.js +1 -2
  18. package/dist/index.js.map +1 -1
  19. package/dist/interfaces/http/http-server.d.ts +0 -4
  20. package/dist/interfaces/http/http-server.d.ts.map +1 -1
  21. package/dist/interfaces/http/http-server.js +6 -113
  22. package/dist/interfaces/http/http-server.js.map +1 -1
  23. package/dist/interfaces/mcp/mcp-server.d.ts +0 -5
  24. package/dist/interfaces/mcp/mcp-server.d.ts.map +1 -1
  25. package/dist/interfaces/mcp/mcp-server.js +4 -120
  26. package/dist/interfaces/mcp/mcp-server.js.map +1 -1
  27. package/dist/shared/types.d.ts +0 -37
  28. package/dist/shared/types.d.ts.map +1 -1
  29. package/examples/example-usage.md +43 -38
  30. package/examples/llm-analysis-patterns.md +553 -0
  31. package/package.json +2 -3
  32. package/scripts/validate-documentation.sh +4 -4
  33. package/src/core/safeguard-manager.ts +729 -1173
  34. package/src/index.ts +1 -2
  35. package/src/interfaces/http/http-server.ts +6 -139
  36. package/src/interfaces/mcp/mcp-server.ts +4 -145
  37. package/src/shared/types.ts +0 -40
  38. package/swagger.json +64 -313
  39. package/dist/core/capability-analyzer.d.ts +0 -29
  40. package/dist/core/capability-analyzer.d.ts.map +0 -1
  41. package/dist/core/capability-analyzer.js +0 -568
  42. package/dist/core/capability-analyzer.js.map +0 -1
  43. package/src/core/capability-analyzer.ts +0 -708
@@ -202,42 +202,40 @@ export class SafeguardManager {
202
202
  assetType: ["end-user devices", "network devices", "IoT devices", "servers"],
203
203
  securityFunction: ["Identify"],
204
204
  governanceElements: [ // Orange - MUST be met
205
- "establish inventory process",
206
- "maintain inventory process",
207
- "documented process",
208
- "review and update bi-annually",
209
- "enterprise asset management policy"
205
+ "Establish",
206
+ "Maintain",
207
+ "Enterprise Asset Management Policy / Process",
208
+ "Review and update the inventory of all enterprise assets bi-annually, or more frequently"
210
209
  ],
211
210
  coreRequirements: [ // Green - The "what"
212
- "accurate inventory",
213
- "detailed inventory",
214
- "up-to-date inventory",
215
- "all enterprise assets",
216
- "potential to store or process data"
217
- ],
218
- subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
219
- "network address (if static)",
220
- "hardware address",
221
- "machine name",
222
- "enterprise asset owner",
223
- "department for each asset",
224
- "approved to connect to network",
225
- "end-user devices (portable and mobile)",
226
- "network devices",
227
- "non-computing/IoT devices",
228
- "servers",
229
- "physical connection",
230
- "virtual connection",
231
- "remote connection",
232
- "cloud environments",
233
- "regularly connected devices not under enterprise control"
234
- ],
235
- implementationSuggestions: [ // Gray - Implementation suggestions
236
- "MDM type tools for mobile devices",
237
- "enterprise and software asset management tool",
238
- "asset discovery tools",
239
- "DHCP logging",
240
- "passive discovery tools"
211
+ "accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data"
212
+ ],
213
+ subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
214
+ "Network Address (IF STATIC)",
215
+ "Hardware Address",
216
+ "Machine Name",
217
+ "Enterprise asset owner",
218
+ "Department for each asset",
219
+ "Asset has been approved to connect to the network",
220
+ "End-User Devices",
221
+ "Mobile",
222
+ "Portable",
223
+ "Network Devices",
224
+ "IOT Devices",
225
+ "Servers",
226
+ "Connected to Infrastructure",
227
+ "Physically",
228
+ "Virtually",
229
+ "Remotely",
230
+ "Those within cloud environments",
231
+ "Regularly Connected Devices - NOT Under Control of Enterprise",
232
+ "Detailed",
233
+ "Accurate",
234
+ "Up-to-date",
235
+ "Potential to store or process data"
236
+ ],
237
+ implementationSuggestions: [ // Gray - Implementation suggestions
238
+ "For mobile end-user devices, MDM type tools can support this process, where appropriate"
241
239
  ],
242
240
  relatedSafeguards: ["1.2", "1.3", "1.4", "1.5", "2.1", "3.2", "4.1", "5.1"],
243
241
  keywords: ["asset", "inventory", "device", "network", "mobile", "IoT", "server", "detailed", "accurate", "up-to-date"]
@@ -245,81 +243,72 @@ export class SafeguardManager {
245
243
  "5.1": {
246
244
  id: "5.1",
247
245
  title: "Establish and Maintain an Inventory of Accounts",
248
- description: "Establish and maintain an inventory of all accounts managed in the enterprise",
246
+ description: "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
249
247
  implementationGroup: "IG1",
250
248
  assetType: ["users"],
251
249
  securityFunction: ["Identify"],
252
250
  governanceElements: [ // Orange - MUST be met
253
- "establish inventory process",
254
- "maintain inventory process",
255
- "validate all active accounts are authorized",
256
- "recurring schedule minimum quarterly",
257
- "account management policy"
251
+ "Establish and maintain an inventory of all accounts managed in the enterprise",
252
+ "The inventory must include both user and administrator accounts",
253
+ "At a minimum, should contain the person's name, username, start/stop dates, and department",
254
+ "Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
258
255
  ],
259
256
  coreRequirements: [ // Green - The "what"
260
- "inventory of all accounts",
261
- "user accounts",
262
- "administrator accounts",
263
- "managed in the enterprise"
257
+ "Inventory of Accounts"
264
258
  ],
265
259
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
266
- "person's name",
267
- "username",
268
- "start/stop dates",
269
- "department",
270
- "account status",
271
- "account type",
272
- "access rights",
273
- "last login date"
260
+ "Establish",
261
+ "Maintain",
262
+ "Validate that all active accounts are authorized",
263
+ "Recurring schedule",
264
+ "Must Include",
265
+ "At a minimum",
266
+ "Minimum Quarterly",
267
+ "More Frequently",
268
+ "User Accounts",
269
+ "Administrator Accounts",
270
+ "Name",
271
+ "Username",
272
+ "Start Stop Dates",
273
+ "Department"
274
274
  ],
275
275
  implementationSuggestions: [ // Gray - Implementation suggestions
276
- "identity and access management tool",
277
- "directory services",
278
- "automated account provisioning",
279
- "account lifecycle management",
280
- "role-based access control system"
276
+ "Account and Access Control Management",
277
+ "Identity and Access Management Tool"
281
278
  ],
282
- relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2"],
283
- keywords: ["accounts", "inventory", "user", "administrator", "name", "username", "dates", "department", "quarterly"]
279
+ relatedSafeguards: ["1.1", "2.1", "5.2", "5.3", "5.4", "5.5", "5.6", "6.1", "6.2", "6.7", "12.8"],
280
+ keywords: ["establish", "maintain", "inventory", "accounts", "user", "administrator", "name", "username", "dates", "department", "quarterly", "validate", "authorized", "recurring"]
284
281
  },
285
282
  "6.3": {
286
283
  id: "6.3",
287
284
  title: "Require MFA for Externally-Exposed Applications",
288
- description: "Require all externally-exposed enterprise or third-party applications to enforce MFA",
285
+ description: "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
289
286
  implementationGroup: "IG1",
290
287
  assetType: ["users"],
291
288
  securityFunction: ["Protect"],
292
289
  governanceElements: [ // Orange - MUST be met
293
- "require MFA enforcement",
294
- "policy for externally-exposed applications",
295
- "MFA compliance verification"
290
+ "Require",
291
+ "Account and Access Control Management",
292
+ "Multi-Factor Authentication Tool"
296
293
  ],
297
294
  coreRequirements: [ // Green - The "what"
298
- "multi-factor authentication",
299
- "all externally-exposed applications",
300
- "enterprise applications",
301
- "third-party applications",
302
- "enforce MFA where supported"
295
+ "all externally-exposed enterprise or third-party applications to enforce MFA",
296
+ "where supported"
303
297
  ],
304
298
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
305
- "authentication factors",
306
- "something you know (password)",
307
- "something you have (token)",
308
- "something you are (biometric)",
309
- "external access points",
310
- "application inventory",
311
- "exposure assessment"
299
+ "ALL Externally Exposed Applications",
300
+ "Enforce",
301
+ "Where supported"
312
302
  ],
313
303
  implementationSuggestions: [ // Gray - Implementation suggestions
314
- "directory service enforcement",
315
- "SSO provider enforcement",
316
- "multi-factor authentication tools",
317
- "SAML integration",
318
- "OAuth implementation",
319
- "conditional access policies"
304
+ "Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard",
305
+ "Directory service",
306
+ "SSO Provider",
307
+ "Account and Access Control Management",
308
+ "Multi-Factor Authentication Tool"
320
309
  ],
321
- relatedSafeguards: ["2.1", "4.1", "5.1", "6.1", "6.2"],
322
- keywords: ["MFA", "multi-factor", "authentication", "externally-exposed", "applications", "third-party", "SSO", "directory"]
310
+ relatedSafeguards: ["2.1", "4.1"],
311
+ keywords: ["require", "externally-exposed", "enterprise", "third-party", "applications", "enforce", "MFA", "supported", "directory", "service", "SSO", "provider"]
323
312
  },
324
313
  "7.1": {
325
314
  id: "7.1",
@@ -371,27 +360,17 @@ export class SafeguardManager {
371
360
  assetType: ["devices"],
372
361
  securityFunction: ["Respond"],
373
362
  governanceElements: [ // Orange - MUST be met
374
- "ensure process exists",
375
- "weekly basis requirement",
376
- "unauthorized asset handling policy"
363
+ "Ensure that a process exists to address unauthorized assets on a weekly basis"
377
364
  ],
378
365
  coreRequirements: [ // Green - The "what"
379
- "address unauthorized assets",
380
- "process to handle unauthorized devices",
381
- "weekly execution"
366
+ "Address Unauthorized Assets"
382
367
  ],
383
368
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
384
- "unauthorized asset detection",
385
- "asset classification",
386
- "response timeline",
387
- "documentation requirements"
369
+ "On a weekly basis",
370
+ "Ensure"
388
371
  ],
389
372
  implementationSuggestions: [ // Gray - Implementation suggestions
390
- "remove asset from network",
391
- "deny asset from connecting remotely",
392
- "quarantine asset",
393
- "automated response systems",
394
- "network access control"
373
+ "The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset"
395
374
  ],
396
375
  relatedSafeguards: ["1.1", "1.3"],
397
376
  keywords: ["unauthorized", "assets", "weekly", "remove", "deny", "quarantine", "process"]
@@ -399,79 +378,51 @@ export class SafeguardManager {
399
378
  "1.3": {
400
379
  id: "1.3",
401
380
  title: "Utilize an Active Discovery Tool",
402
- description: "Use an active discovery tool to identify assets connected to the enterprise's network",
381
+ description: "Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.",
403
382
  implementationGroup: "IG2",
404
383
  assetType: ["network"],
405
- securityFunction: ["Identify"],
384
+ securityFunction: ["Detect"],
406
385
  governanceElements: [ // Orange - MUST be met
407
- "use active discovery tool",
408
- "identify assets requirement",
409
- "network discovery policy",
410
- "discovery tool management"
386
+ "Utilize an active discovery tool to identify assets connected to the enterprise's network",
387
+ "Configure the active discovery tool to execute daily, or more frequently"
411
388
  ],
412
389
  coreRequirements: [ // Green - The "what"
413
- "active discovery tool",
414
- "identify assets connected to network",
415
- "enterprise network coverage",
416
- "asset discovery capability"
390
+ "Active discovery tool"
417
391
  ],
418
392
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
419
- "network scanning",
420
- "asset identification",
421
- "network mapping",
422
- "device fingerprinting",
423
- "service discovery",
424
- "port scanning",
425
- "protocol analysis",
426
- "network topology discovery"
393
+ "Utilize",
394
+ "Configure",
395
+ "Execute daily",
396
+ "Execute daily, or more frequently"
427
397
  ],
428
398
  implementationSuggestions: [ // Gray - Implementation suggestions
429
- "network discovery scanners",
430
- "SNMP-based discovery",
431
- "ping sweeps",
432
- "ARP table analysis",
433
- "network monitoring tools",
434
- "automated discovery systems"
435
399
  ],
436
400
  relatedSafeguards: ["1.1", "1.2", "1.4", "1.5"],
437
401
  keywords: ["active", "discovery", "tool", "identify", "assets", "network", "scanning", "mapping"]
438
402
  },
439
403
  "1.4": {
440
404
  id: "1.4",
441
- title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Asset Inventory",
442
- description: "Use DHCP logging functionality to update the enterprise asset inventory",
405
+ title: "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory",
406
+ description: "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly, or more frequently.",
443
407
  implementationGroup: "IG2",
444
408
  assetType: ["network"],
445
409
  securityFunction: ["Identify"],
446
410
  governanceElements: [ // Orange - MUST be met
447
- "use DHCP logging",
448
- "update asset inventory requirement",
449
- "DHCP log management policy",
450
- "inventory integration process"
411
+ "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory",
412
+ "Review and use logs to update the enterprise's asset inventory weekly, or more frequently"
451
413
  ],
452
414
  coreRequirements: [ // Green - The "what"
453
- "DHCP logging functionality",
454
- "update enterprise asset inventory",
455
- "network device tracking",
456
- "IP address assignment logging"
415
+ "DHCP Logging on all DHCP servers",
416
+ "IPAM"
457
417
  ],
458
418
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
459
- "DHCP lease information",
460
- "IP address assignments",
461
- "MAC address mapping",
462
- "device hostnames",
463
- "lease duration tracking",
464
- "DHCP server logs",
465
- "network join events",
466
- "device identification data"
419
+ "Use",
420
+ "Review and Use Logs",
421
+ "Update asset inventory",
422
+ "Weekly",
423
+ "More Frequently"
467
424
  ],
468
425
  implementationSuggestions: [ // Gray - Implementation suggestions
469
- "DHCP server log analysis",
470
- "automated parsing tools",
471
- "inventory integration scripts",
472
- "SIEM integration",
473
- "log aggregation systems",
474
- "real-time monitoring"
475
426
  ],
476
427
  relatedSafeguards: ["1.1", "1.2", "1.3", "1.5"],
477
428
  keywords: ["DHCP", "logging", "update", "asset", "inventory", "IP", "address", "network", "tracking"]
@@ -479,39 +430,25 @@ export class SafeguardManager {
479
430
  "1.5": {
480
431
  id: "1.5",
481
432
  title: "Use a Passive Asset Discovery Tool",
482
- description: "Use a passive discovery tool to identify assets connected to the enterprise's network",
433
+ description: "Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently.",
483
434
  implementationGroup: "IG3",
484
435
  assetType: ["network"],
485
- securityFunction: ["Identify"],
436
+ securityFunction: ["Detect"],
486
437
  governanceElements: [ // Orange - MUST be met
487
- "use passive discovery tool",
488
- "identify assets requirement",
489
- "passive monitoring policy",
490
- "discovery tool governance"
438
+ "Use a passive discovery tool to identify assets connected to the enterprise's network",
439
+ "Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently"
491
440
  ],
492
441
  coreRequirements: [ // Green - The "what"
493
- "passive discovery tool",
494
- "identify assets connected to network",
495
- "non-intrusive asset identification",
496
- "network traffic analysis"
442
+ "Passive Discovery Tool"
497
443
  ],
498
444
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
499
- "network traffic monitoring",
500
- "passive packet analysis",
501
- "protocol identification",
502
- "device behavior analysis",
503
- "communication pattern analysis",
504
- "network flow analysis",
505
- "asset fingerprinting",
506
- "service identification"
507
- ],
508
- implementationSuggestions: [ // Gray - Implementation suggestions
509
- "network tap monitoring",
510
- "span port analysis",
511
- "flow analysis tools",
512
- "packet capture systems",
513
- "network behavior analysis",
514
- "passive scanning tools"
445
+ "Use",
446
+ "Review and Use scans",
447
+ "Update asset inventory",
448
+ "Weekly",
449
+ "More Frequently"
450
+ ],
451
+ implementationSuggestions: [ // Gray - Implementation suggestions
515
452
  ],
516
453
  relatedSafeguards: ["1.1", "1.2", "1.3", "1.4"],
517
454
  keywords: ["passive", "discovery", "tool", "identify", "assets", "network", "traffic", "monitoring", "non-intrusive"]
@@ -524,36 +461,32 @@ export class SafeguardManager {
524
461
  assetType: ["applications"],
525
462
  securityFunction: ["Identify"],
526
463
  governanceElements: [ // Orange - MUST be met
527
- "establish inventory process",
528
- "maintain inventory process",
529
- "detailed software inventory requirement",
530
- "licensed software tracking",
531
- "enterprise asset coverage"
464
+ "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
465
+ "The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date",
466
+ "Review and update the software inventory bi-annually, or more frequently"
532
467
  ],
533
468
  coreRequirements: [ // Green - The "what"
534
- "detailed inventory",
535
- "all licensed software",
536
- "installed on enterprise assets",
537
- "software asset management",
538
- "comprehensive coverage"
469
+ "Detailed inventory of all licensed software",
470
+ "Installed on enterprise Assets"
539
471
  ],
540
472
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
541
- "software name",
542
- "version",
543
- "publisher",
544
- "install date",
545
- "business purpose",
546
- "supported vs. unsupported software",
547
- "authorized vs. unauthorized software",
548
- "licensing information",
549
- "installation location"
473
+ "Establish",
474
+ "Maintain",
475
+ "Must Document",
476
+ "Title",
477
+ "Publisher",
478
+ "Initial Install / Use Date",
479
+ "Business Purpose",
480
+ "URL",
481
+ "App Store(s)",
482
+ "App Version(s)",
483
+ "Deployment mechanism",
484
+ "Decomm. Date",
485
+ "Where appropriate",
486
+ "bi-annually",
487
+ "More Frequently"
550
488
  ],
551
489
  implementationSuggestions: [ // Gray - Implementation suggestions
552
- "software asset management tools",
553
- "automated discovery agents",
554
- "network-based scanning",
555
- "endpoint detection tools",
556
- "software metering solutions"
557
490
  ],
558
491
  relatedSafeguards: ["1.1", "2.2", "2.3", "2.4", "2.5", "2.6", "2.7"],
559
492
  keywords: ["software", "inventory", "licensed", "detailed", "enterprise", "assets", "applications"]
@@ -566,32 +499,24 @@ export class SafeguardManager {
566
499
  assetType: ["applications"],
567
500
  securityFunction: ["Identify"],
568
501
  governanceElements: [ // Orange - MUST be met
569
- "ensure only supported software authorized",
570
- "authorization designation process",
571
- "supported software verification",
572
- "software lifecycle management"
502
+ "Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
573
503
  ],
574
504
  coreRequirements: [ // Green - The "what"
575
- "currently supported software only",
576
- "designated as authorized",
577
- "software inventory integration",
578
- "support status verification"
505
+ "Currently supported software",
506
+ "Authorized in the software inventory"
579
507
  ],
580
508
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
581
- "software support status",
582
- "end-of-life identification",
583
- "vendor support agreements",
584
- "patch availability",
585
- "security update availability",
586
- "authorization workflows",
587
- "approval processes"
509
+ "Ensure",
510
+ "Determine if Authorized Software Is Currently Supported",
511
+ "If Unsupported",
512
+ "Determine Necessity for Business",
513
+ "Document Exception detailing mitigating controls",
514
+ "Document Residual risk acceptance",
515
+ "Review the software list",
516
+ "Monthly",
517
+ "More frequently"
588
518
  ],
589
519
  implementationSuggestions: [ // Gray - Implementation suggestions
590
- "vendor support databases",
591
- "automated support checking",
592
- "software lifecycle tracking",
593
- "end-of-life notifications",
594
- "authorization workflow tools"
595
520
  ],
596
521
  relatedSafeguards: ["2.1", "2.3", "2.4", "2.5", "2.6", "2.7"],
597
522
  keywords: ["supported", "software", "authorized", "designated", "inventory", "lifecycle", "end-of-life"]
@@ -599,36 +524,25 @@ export class SafeguardManager {
599
524
  "2.3": {
600
525
  id: "2.3",
601
526
  title: "Address Unauthorized Software",
602
- description: "Ensure that unauthorized software is either removed from use on enterprise assets or approved for use",
527
+ description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
603
528
  implementationGroup: "IG1",
604
529
  assetType: ["applications"],
605
530
  securityFunction: ["Respond"],
606
531
  governanceElements: [ // Orange - MUST be met
607
- "ensure unauthorized software addressed",
608
- "removal or approval requirement",
609
- "unauthorized software handling policy"
532
+ "Ensure",
533
+ "Review monthly, or more frequently"
610
534
  ],
611
535
  coreRequirements: [ // Green - The "what"
612
- "unauthorized software identification",
613
- "removed from use",
614
- "approved for use",
615
- "enterprise assets coverage"
536
+ "unauthorized software is either removed from use on enterprise assets or receives a documented exception"
616
537
  ],
617
538
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
618
- "unauthorized software detection",
619
- "software classification",
620
- "approval workflows",
621
- "removal procedures",
622
- "business justification",
623
- "exception processes",
624
- "documentation requirements"
539
+ "Address Unauthorized Software",
540
+ "Remove from use",
541
+ "Document Exception",
542
+ "Monthly",
543
+ "More Frequently"
625
544
  ],
626
545
  implementationSuggestions: [ // Gray - Implementation suggestions
627
- "automated removal tools",
628
- "application control systems",
629
- "software whitelisting",
630
- "policy enforcement tools",
631
- "approval workflow systems"
632
546
  ],
633
547
  relatedSafeguards: ["2.1", "2.2", "2.4", "2.5", "2.6", "2.7"],
634
548
  keywords: ["unauthorized", "software", "removed", "approved", "enterprise", "assets", "address"]
@@ -636,37 +550,25 @@ export class SafeguardManager {
636
550
  "2.4": {
637
551
  id: "2.4",
638
552
  title: "Utilize Automated Software Inventory Tools",
639
- description: "Utilize automated software inventory tools, where possible, throughout the enterprise",
553
+ description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
640
554
  implementationGroup: "IG2",
641
555
  assetType: ["applications"],
642
- securityFunction: ["Identify"],
556
+ securityFunction: ["Detect"],
643
557
  governanceElements: [ // Orange - MUST be met
644
- "utilize automated tools",
645
- "where possible requirement",
646
- "throughout enterprise coverage",
647
- "automated inventory management"
558
+ "Utilize",
559
+ "when possible"
648
560
  ],
649
561
  coreRequirements: [ // Green - The "what"
650
- "automated software inventory tools",
651
- "enterprise-wide deployment",
652
- "comprehensive coverage",
653
- "automated discovery capability"
562
+ "software inventory tools",
563
+ "automate the discovery and documentation of installed software"
654
564
  ],
655
565
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
656
- "automated discovery agents",
657
- "network-based scanning",
658
- "agent-based collection",
659
- "real-time inventory updates",
660
- "centralized reporting",
661
- "integration capabilities",
662
- "deployment strategies"
566
+ "Automate Discovery",
567
+ "Automate Documentation",
568
+ "Installed Software",
569
+ "When possible"
663
570
  ],
664
571
  implementationSuggestions: [ // Gray - Implementation suggestions
665
- "endpoint agents",
666
- "network scanners",
667
- "SCCM integration",
668
- "vulnerability scanners",
669
- "asset management platforms"
670
572
  ],
671
573
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.5", "2.6", "2.7"],
672
574
  keywords: ["automated", "software", "inventory", "tools", "enterprise", "deployment", "discovery"]
@@ -674,36 +576,30 @@ export class SafeguardManager {
674
576
  "2.5": {
675
577
  id: "2.5",
676
578
  title: "Allowlist Authorized Software",
677
- description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute",
579
+ description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
678
580
  implementationGroup: "IG2",
679
581
  assetType: ["applications"],
680
582
  securityFunction: ["Protect"],
681
583
  governanceElements: [ // Orange - MUST be met
682
- "use technical controls",
683
- "ensure only authorized execution",
684
- "allowlisting implementation requirement"
584
+ "Use",
585
+ "Ensure",
586
+ "Reassess bi-annually, or more frequently"
685
587
  ],
686
588
  coreRequirements: [ // Green - The "what"
687
589
  "technical controls",
688
- "application allowlisting",
689
- "only authorized software execution",
690
- "execution prevention"
590
+ "only authorized software can execute or be accessed"
691
591
  ],
692
592
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
693
- "allowlist management",
694
- "signature-based controls",
695
- "hash-based controls",
696
- "path-based controls",
697
- "certificate-based controls",
698
- "execution monitoring",
699
- "policy enforcement"
593
+ "Allowlist Authorized Software",
594
+ "Technical Controls",
595
+ "Execute",
596
+ "Accessed",
597
+ "Reassess",
598
+ "Bi-Annually",
599
+ "More Frequently"
700
600
  ],
701
601
  implementationSuggestions: [ // Gray - Implementation suggestions
702
- "application control software",
703
- "Windows AppLocker",
704
- "endpoint protection platforms",
705
- "code signing enforcement",
706
- "execution prevention tools"
602
+ "Application Allowlisting"
707
603
  ],
708
604
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.6", "2.7"],
709
605
  keywords: ["allowlist", "authorized", "software", "technical", "controls", "application", "execution"]
@@ -711,36 +607,34 @@ export class SafeguardManager {
711
607
  "2.6": {
712
608
  id: "2.6",
713
609
  title: "Allowlist Authorized Libraries",
714
- description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so files, can load into a system process",
610
+ description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
715
611
  implementationGroup: "IG2",
716
612
  assetType: ["applications"],
717
613
  securityFunction: ["Protect"],
718
614
  governanceElements: [ // Orange - MUST be met
719
- "use technical controls",
720
- "ensure only authorized libraries",
721
- "system process protection requirement"
615
+ "Use",
616
+ "Ensure",
617
+ "Block unauthorized libraries from loading into a system process",
618
+ "Reassess bi-annually, or more frequently"
722
619
  ],
723
620
  coreRequirements: [ // Green - The "what"
724
621
  "technical controls",
725
622
  "only authorized software libraries",
726
- "dll ocx so files",
727
- "system process loading"
623
+ "are allowed to load into a system process"
728
624
  ],
729
625
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
730
- "library allowlisting",
731
- "dynamic link library control",
732
- "shared object control",
733
- "process injection prevention",
734
- "library loading monitoring",
735
- "signature verification",
736
- "integrity checking"
626
+ "Only authorized software libraries",
627
+ "Are allowed to load into a system process",
628
+ "Technical Controls",
629
+ "Block unauthorized libraries from loading into a system process",
630
+ "Reassess",
631
+ "Bi-Annually",
632
+ "More Frequently"
737
633
  ],
738
634
  implementationSuggestions: [ // Gray - Implementation suggestions
739
- "library control tools",
740
- "process monitoring solutions",
741
- "endpoint detection platforms",
742
- "kernel-level controls",
743
- "signature enforcement"
635
+ "Specific .dll files",
636
+ "Specific .ocx files",
637
+ "Specific .so files"
744
638
  ],
745
639
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.7"],
746
640
  keywords: ["allowlist", "authorized", "libraries", "dll", "ocx", "so", "system", "process", "technical"]
@@ -748,36 +642,33 @@ export class SafeguardManager {
748
642
  "2.7": {
749
643
  id: "2.7",
750
644
  title: "Allowlist Authorized Scripts",
751
- description: "Use technical controls, such as digital signatures and version control systems, to ensure that only authorized scripts can execute",
645
+ description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
752
646
  implementationGroup: "IG3",
753
647
  assetType: ["applications"],
754
648
  securityFunction: ["Protect"],
755
649
  governanceElements: [ // Orange - MUST be met
756
- "use technical controls",
757
- "ensure only authorized script execution",
758
- "script authorization requirement"
650
+ "Use",
651
+ "Ensure",
652
+ "Block unauthorized scripts from executing",
653
+ "Reassess bi-annually, or more frequently"
759
654
  ],
760
655
  coreRequirements: [ // Green - The "what"
761
656
  "technical controls",
762
- "digital signatures",
763
- "version control systems",
764
- "only authorized scripts execution"
657
+ "only authorized files are allowed to execute"
765
658
  ],
766
659
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
767
- "script allowlisting",
768
- "digital signature verification",
769
- "version control integration",
770
- "script integrity checking",
771
- "execution policy enforcement",
772
- "script source validation",
773
- "runtime monitoring"
660
+ "Only authorized files are allowed to execute",
661
+ "Technical Controls",
662
+ "Block unauthorized scripts from executing",
663
+ "Reassess",
664
+ "Bi-Annually",
665
+ "More Frequently"
774
666
  ],
775
667
  implementationSuggestions: [ // Gray - Implementation suggestions
776
- "PowerShell execution policies",
777
- "script signing infrastructure",
778
- "version control systems",
779
- "script execution monitors",
780
- "code signing certificates"
668
+ "Digital signatures",
669
+ "Version control",
670
+ "Specific .ps1 files",
671
+ "Specific .py files"
781
672
  ],
782
673
  relatedSafeguards: ["2.1", "2.2", "2.3", "2.4", "2.5", "2.6"],
783
674
  keywords: ["allowlist", "authorized", "scripts", "digital", "signatures", "version", "control", "execution"]
@@ -785,37 +676,32 @@ export class SafeguardManager {
785
676
  "3.1": {
786
677
  id: "3.1",
787
678
  title: "Establish and Maintain a Data Management Process",
788
- description: "Establish and maintain a data management process",
679
+ description: "Establish and maintain a documented data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
789
680
  implementationGroup: "IG1",
790
681
  assetType: ["data"],
791
682
  securityFunction: ["Govern"],
792
683
  governanceElements: [ // Orange - MUST be met
793
- "establish data management process",
794
- "maintain data management process",
795
- "documented data governance",
796
- "data management policy"
684
+ "Establish",
685
+ "Maintain",
686
+ "Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
797
687
  ],
798
688
  coreRequirements: [ // Green - The "what"
799
- "data management process",
800
- "data governance framework",
801
- "data handling procedures",
802
- "data lifecycle management"
689
+ "documented data management process",
690
+ "address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise"
803
691
  ],
804
692
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
805
- "data classification scheme",
806
- "data inventory procedures",
807
- "data retention policies",
808
- "data disposal procedures",
809
- "data handling standards",
810
- "data access controls",
811
- "data sharing agreements"
693
+ "Documented Data management process",
694
+ "Data Sensitivity",
695
+ "Data Owner",
696
+ "Data Handling",
697
+ "Data Retention Limits",
698
+ "Disposal Requirements",
699
+ "Retention Standards",
700
+ "Review and update documentation",
701
+ "Annually",
702
+ "When significant enterprise changes occur that could impact this Safeguard"
812
703
  ],
813
704
  implementationSuggestions: [ // Gray - Implementation suggestions
814
- "data governance platforms",
815
- "data discovery tools",
816
- "data classification tools",
817
- "policy management systems",
818
- "data lineage tracking"
819
705
  ],
820
706
  relatedSafeguards: ["3.2", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"],
821
707
  keywords: ["data", "management", "process", "establish", "maintain", "governance", "lifecycle"]
@@ -823,38 +709,28 @@ export class SafeguardManager {
823
709
  "3.2": {
824
710
  id: "3.2",
825
711
  title: "Establish and Maintain a Data Inventory",
826
- description: "Establish and maintain a data inventory, based on the enterprise's data management process",
712
+ description: "Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.",
827
713
  implementationGroup: "IG1",
828
714
  assetType: ["data"],
829
715
  securityFunction: ["Identify"],
830
716
  governanceElements: [ // Orange - MUST be met
831
- "establish data inventory",
832
- "maintain data inventory",
833
- "based on data management process",
834
- "inventory management requirements"
717
+ "Establish",
718
+ "Maintain",
719
+ "Review and update inventory annually, at a minimum, with a priority on sensitive data"
835
720
  ],
836
721
  coreRequirements: [ // Green - The "what"
837
- "data inventory",
838
- "enterprise data coverage",
839
- "data asset identification",
840
- "data location tracking"
722
+ "data inventory based on the enterprise's data management process",
723
+ "inventory sensitive data, at a minimum"
841
724
  ],
842
725
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
843
- "data types",
844
- "data locations",
845
- "data owners",
846
- "data classifications",
847
- "data sensitivity levels",
848
- "data volumes",
849
- "data formats",
850
- "data repositories"
726
+ "Data Inventory",
727
+ "Based on Data Management process",
728
+ "Sensitive Data at a Minimum",
729
+ "Review and update inventory",
730
+ "Annually, at a minimum",
731
+ "Priority on sensitive data"
851
732
  ],
852
733
  implementationSuggestions: [ // Gray - Implementation suggestions
853
- "data discovery scanners",
854
- "database inventory tools",
855
- "file system crawlers",
856
- "cloud data discovery",
857
- "automated data cataloging"
858
734
  ],
859
735
  relatedSafeguards: ["1.1", "3.1", "3.3", "3.4", "3.5", "3.6", "3.7", "3.8", "3.9", "3.10", "3.11", "3.12", "3.13", "3.14"],
860
736
  keywords: ["data", "inventory", "enterprise", "management", "process", "identification", "tracking"]
@@ -862,37 +738,27 @@ export class SafeguardManager {
862
738
  "3.3": {
863
739
  id: "3.3",
864
740
  title: "Configure Data Access Control Lists",
865
- description: "Configure data access control lists based on a user's need to know",
741
+ description: "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
866
742
  implementationGroup: "IG1",
867
743
  assetType: ["data"],
868
744
  securityFunction: ["Protect"],
869
745
  governanceElements: [ // Orange - MUST be met
870
- "configure access control lists",
871
- "based on need to know",
872
- "data access governance",
873
- "access control policy"
746
+ "Configure",
747
+ "Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications"
874
748
  ],
875
749
  coreRequirements: [ // Green - The "what"
876
- "data access control lists",
877
- "user need to know basis",
878
- "access restriction enforcement",
879
- "granular access controls"
750
+ "data access control lists based on a user's need to know"
880
751
  ],
881
752
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
882
- "user access requirements",
883
- "role-based permissions",
884
- "data sensitivity matching",
885
- "access review processes",
886
- "permission inheritance",
887
- "group-based access",
888
- "individual permissions"
753
+ "Data Access control lists",
754
+ "Based on \"Need to Know\"",
755
+ "ACLS - \"aka\" Access Permissions",
756
+ "Local",
757
+ "Remote File Systems",
758
+ "Applications",
759
+ "Databases"
889
760
  ],
890
761
  implementationSuggestions: [ // Gray - Implementation suggestions
891
- "file system ACLs",
892
- "database permissions",
893
- "application-level controls",
894
- "identity management systems",
895
- "access governance tools"
896
762
  ],
897
763
  relatedSafeguards: ["3.1", "3.2", "3.4", "3.5", "3.6", "5.1", "6.1", "6.2"],
898
764
  keywords: ["data", "access", "control", "lists", "need", "know", "user", "permissions"]
@@ -900,37 +766,26 @@ export class SafeguardManager {
900
766
  "3.4": {
901
767
  id: "3.4",
902
768
  title: "Enforce Data Retention",
903
- description: "Retain data according to the enterprise's data management process",
769
+ description: "Retain data according to the enterprise's documented data management process. Data retention must include both minimum and maximum timelines.",
904
770
  implementationGroup: "IG1",
905
771
  assetType: ["data"],
906
772
  securityFunction: ["Protect"],
907
773
  governanceElements: [ // Orange - MUST be met
908
- "retain data according to process",
909
- "enterprise data management process",
910
- "data retention governance",
911
- "retention policy enforcement"
774
+ "Retain",
775
+ "Enforce",
776
+ "must include both minimum and maximum timelines"
912
777
  ],
913
778
  coreRequirements: [ // Green - The "what"
914
- "data retention enforcement",
915
- "retention schedule compliance",
916
- "data lifecycle management",
917
- "retention period adherence"
779
+ "data according to the enterprise's documented data management process",
780
+ "Data retention"
918
781
  ],
919
782
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
920
- "retention schedules",
921
- "legal requirements",
922
- "business requirements",
923
- "retention categories",
924
- "disposal timelines",
925
- "archive procedures",
926
- "retention monitoring"
783
+ "Data Retention",
784
+ "Must Include",
785
+ "Minimum Timelines",
786
+ "Maximum timelines"
927
787
  ],
928
788
  implementationSuggestions: [ // Gray - Implementation suggestions
929
- "automated retention tools",
930
- "data lifecycle management",
931
- "archival systems",
932
- "retention scheduling tools",
933
- "compliance monitoring"
934
789
  ],
935
790
  relatedSafeguards: ["3.1", "3.2", "3.5", "3.6", "3.10"],
936
791
  keywords: ["data", "retention", "enterprise", "management", "process", "lifecycle", "schedule"]
@@ -938,37 +793,23 @@ export class SafeguardManager {
938
793
  "3.5": {
939
794
  id: "3.5",
940
795
  title: "Securely Dispose of Data",
941
- description: "Securely dispose of data as outlined in the enterprise's data management process",
796
+ description: "Securely dispose of data as outlined in the enterprise's data management process. Ensure the disposal process and method are commensurate with the data sensitivity.",
942
797
  implementationGroup: "IG1",
943
798
  assetType: ["data"],
944
799
  securityFunction: ["Protect"],
945
800
  governanceElements: [ // Orange - MUST be met
946
- "securely dispose data",
947
- "outlined in management process",
948
- "data disposal governance",
949
- "secure disposal policy"
801
+ "Securely dispose of data",
802
+ "Ensure"
950
803
  ],
951
804
  coreRequirements: [ // Green - The "what"
952
- "secure data disposal",
953
- "data management process alignment",
954
- "disposal method security",
955
- "data destruction assurance"
805
+ "as outlined in the enterprise's data management process",
806
+ "the disposal process and method are commensurate with the data sensitivity"
956
807
  ],
957
808
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
958
- "disposal methods",
959
- "data sanitization",
960
- "media destruction",
961
- "digital shredding",
962
- "disposal verification",
963
- "disposal documentation",
964
- "certificate of destruction"
809
+ "Securely dispose of data",
810
+ "Disposal process and method are commensurate with the data sensitivity"
965
811
  ],
966
812
  implementationSuggestions: [ // Gray - Implementation suggestions
967
- "data wiping tools",
968
- "media destruction services",
969
- "cryptographic erasure",
970
- "physical destruction",
971
- "disposal tracking systems"
972
813
  ],
973
814
  relatedSafeguards: ["3.1", "3.2", "3.4", "3.6", "3.10"],
974
815
  keywords: ["securely", "dispose", "data", "enterprise", "management", "process", "destruction"]
@@ -976,37 +817,24 @@ export class SafeguardManager {
976
817
  "3.6": {
977
818
  id: "3.6",
978
819
  title: "Encrypt Data on End-User Devices",
979
- description: "Encrypt data on end-user devices containing sensitive data",
820
+ description: "Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.",
980
821
  implementationGroup: "IG1",
981
822
  assetType: ["data"],
982
823
  securityFunction: ["Protect"],
983
824
  governanceElements: [ // Orange - MUST be met
984
- "encrypt data requirement",
985
- "end-user devices coverage",
986
- "sensitive data identification",
987
- "encryption policy enforcement"
825
+ "Encrypt"
988
826
  ],
989
827
  coreRequirements: [ // Green - The "what"
990
- "data encryption",
991
- "end-user devices",
992
- "sensitive data protection",
993
- "encryption implementation"
828
+ "data on end-user devices containing sensitive data"
994
829
  ],
995
830
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
996
- "full disk encryption",
997
- "file-level encryption",
998
- "encryption algorithms",
999
- "key management",
1000
- "device types coverage",
1001
- "mobile device encryption",
1002
- "laptop encryption"
831
+ "Data on end-user devices",
832
+ "Sensitive data"
1003
833
  ],
1004
834
  implementationSuggestions: [ // Gray - Implementation suggestions
1005
- "BitLocker encryption",
1006
- "FileVault encryption",
1007
- "third-party encryption tools",
1008
- "mobile device management",
1009
- "encryption key management"
835
+ "Windows Bitlocker",
836
+ "Apple FileVault",
837
+ "Linux dm-crypt"
1010
838
  ],
1011
839
  relatedSafeguards: ["1.1", "3.1", "3.2", "3.7", "3.8", "3.9", "3.11"],
1012
840
  keywords: ["encrypt", "data", "end-user", "devices", "sensitive", "protection", "encryption"]
@@ -1014,37 +842,30 @@ export class SafeguardManager {
1014
842
  "3.7": {
1015
843
  id: "3.7",
1016
844
  title: "Establish and Maintain a Data Classification Scheme",
1017
- description: "Establish and maintain a data classification scheme based on the sensitivity of data",
845
+ description: "Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.",
1018
846
  implementationGroup: "IG2",
1019
847
  assetType: ["data"],
1020
848
  securityFunction: ["Identify"],
1021
849
  governanceElements: [ // Orange - MUST be met
1022
- "establish classification scheme",
1023
- "maintain classification scheme",
1024
- "based on data sensitivity",
1025
- "classification governance"
850
+ "Establish",
851
+ "Maintain",
852
+ "Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard"
1026
853
  ],
1027
854
  coreRequirements: [ // Green - The "what"
1028
- "data classification scheme",
1029
- "sensitivity-based classification",
1030
- "classification standards",
1031
- "data labeling system"
855
+ "overall data classification scheme for the enterprise",
856
+ "classify their data according to those labels"
1032
857
  ],
1033
858
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1034
- "classification levels",
1035
- "sensitivity criteria",
1036
- "classification labels",
1037
- "handling requirements",
1038
- "protection levels",
1039
- "access requirements",
1040
- "classification workflows"
859
+ "Data classification scheme",
860
+ "Classify their data according to labels",
861
+ "Review and update classification scheme",
862
+ "Annually",
863
+ "When significant enterprise changes occur that could impact this Safeguard"
1041
864
  ],
1042
865
  implementationSuggestions: [ // Gray - Implementation suggestions
1043
- "data classification tools",
1044
- "automated labeling",
1045
- "classification policies",
1046
- "sensitivity scanners",
1047
- "classification workflows"
866
+ "Sensitive",
867
+ "Confidential",
868
+ "Public"
1048
869
  ],
1049
870
  relatedSafeguards: ["3.1", "3.2", "3.3", "3.8", "3.9", "3.10", "3.11", "3.12"],
1050
871
  keywords: ["establish", "maintain", "data", "classification", "scheme", "sensitivity", "labeling"]
@@ -1052,37 +873,29 @@ export class SafeguardManager {
1052
873
  "3.8": {
1053
874
  id: "3.8",
1054
875
  title: "Document Data Flows",
1055
- description: "Document data flows for sensitive data",
876
+ description: "Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1056
877
  implementationGroup: "IG2",
1057
878
  assetType: ["data"],
1058
879
  securityFunction: ["Identify"],
1059
880
  governanceElements: [ // Orange - MUST be met
1060
- "document data flows",
1061
- "sensitive data coverage",
1062
- "data flow documentation requirement",
1063
- "flow mapping governance"
881
+ "Document data flows",
882
+ "Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard"
1064
883
  ],
1065
884
  coreRequirements: [ // Green - The "what"
1066
- "data flow documentation",
1067
- "sensitive data flows",
1068
- "data movement tracking",
1069
- "flow visualization"
885
+ "Data flow documentation includes service provider data flows and should be based on the enterprise's data management process"
1070
886
  ],
1071
887
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1072
- "data sources",
1073
- "data destinations",
1074
- "processing locations",
1075
- "data transformations",
1076
- "data transit paths",
1077
- "integration points",
1078
- "data boundaries"
888
+ "Document data flows",
889
+ "Enterprise Data Flows",
890
+ "Service Provider Data Flows",
891
+ "Review and update documentation",
892
+ "Annually",
893
+ "When significant enterprise changes occur that could impact this Safeguard"
1079
894
  ],
1080
895
  implementationSuggestions: [ // Gray - Implementation suggestions
1081
- "data lineage tools",
1082
- "flow mapping software",
1083
- "data discovery tools",
1084
- "process documentation",
1085
- "network flow analysis"
896
+ "Data management systems",
897
+ "Data flow mapping tools",
898
+ "Service provider documentation"
1086
899
  ],
1087
900
  relatedSafeguards: ["3.1", "3.2", "3.7", "3.9", "3.10", "3.11"],
1088
901
  keywords: ["document", "data", "flows", "sensitive", "mapping", "tracking", "lineage"]
@@ -1090,37 +903,20 @@ export class SafeguardManager {
1090
903
  "3.9": {
1091
904
  id: "3.9",
1092
905
  title: "Encrypt Data on Removable Media",
1093
- description: "Encrypt data on removable media",
906
+ description: "Encrypt Data on Removable Media",
1094
907
  implementationGroup: "IG2",
1095
908
  assetType: ["data"],
1096
909
  securityFunction: ["Protect"],
1097
910
  governanceElements: [ // Orange - MUST be met
1098
- "encrypt data requirement",
1099
- "removable media coverage",
1100
- "encryption policy enforcement",
1101
- "removable media governance"
911
+ "Encrypt Data on Removable Media"
1102
912
  ],
1103
913
  coreRequirements: [ // Green - The "what"
1104
- "data encryption",
1105
- "removable media",
1106
- "portable storage protection",
1107
- "encryption implementation"
1108
914
  ],
1109
915
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1110
- "USB drives",
1111
- "external hard drives",
1112
- "optical media",
1113
- "memory cards",
1114
- "encryption methods",
1115
- "key management",
1116
- "access controls"
916
+ "Data on Removable Media",
917
+ "Maintain"
1117
918
  ],
1118
919
  implementationSuggestions: [ // Gray - Implementation suggestions
1119
- "encrypted USB drives",
1120
- "device encryption tools",
1121
- "removable media controls",
1122
- "encryption management",
1123
- "key escrow systems"
1124
920
  ],
1125
921
  relatedSafeguards: ["3.1", "3.6", "3.7", "3.10", "3.11"],
1126
922
  keywords: ["encrypt", "data", "removable", "media", "portable", "storage", "USB"]
@@ -1128,37 +924,22 @@ export class SafeguardManager {
1128
924
  "3.10": {
1129
925
  id: "3.10",
1130
926
  title: "Encrypt Sensitive Data in Transit",
1131
- description: "Encrypt sensitive data in transit",
927
+ description: "Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).",
1132
928
  implementationGroup: "IG2",
1133
929
  assetType: ["data"],
1134
930
  securityFunction: ["Protect"],
1135
931
  governanceElements: [ // Orange - MUST be met
1136
- "encrypt sensitive data",
1137
- "in transit requirement",
1138
- "transmission encryption policy",
1139
- "transit encryption governance"
932
+ "Encrypt"
1140
933
  ],
1141
934
  coreRequirements: [ // Green - The "what"
1142
- "sensitive data encryption",
1143
- "data in transit",
1144
- "transmission protection",
1145
- "communication security"
935
+ "sensitive data in transit"
1146
936
  ],
1147
937
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1148
- "network protocols",
1149
- "encryption protocols",
1150
- "TLS/SSL implementation",
1151
- "VPN tunneling",
1152
- "secure communication channels",
1153
- "certificate management",
1154
- "key exchange"
938
+ "Sensitive data in transit"
1155
939
  ],
1156
940
  implementationSuggestions: [ // Gray - Implementation suggestions
1157
- "TLS encryption",
1158
- "VPN solutions",
1159
- "secure email gateways",
1160
- "encrypted file transfer",
1161
- "secure messaging systems"
941
+ "TLS",
942
+ "OpenSSH"
1162
943
  ],
1163
944
  relatedSafeguards: ["3.1", "3.7", "3.8", "3.11", "13.1", "13.2"],
1164
945
  keywords: ["encrypt", "sensitive", "data", "transit", "transmission", "TLS", "communication"]
@@ -1166,75 +947,53 @@ export class SafeguardManager {
1166
947
  "3.11": {
1167
948
  id: "3.11",
1168
949
  title: "Encrypt Sensitive Data at Rest",
1169
- description: "Encrypt sensitive data at rest",
950
+ description: "Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.",
1170
951
  implementationGroup: "IG2",
1171
952
  assetType: ["data"],
1172
953
  securityFunction: ["Protect"],
1173
954
  governanceElements: [ // Orange - MUST be met
1174
- "encrypt sensitive data",
1175
- "at rest requirement",
1176
- "storage encryption policy",
1177
- "rest encryption governance"
955
+ "Encrypt",
956
+ "meets the minimum requirement of this Safeguard"
1178
957
  ],
1179
958
  coreRequirements: [ // Green - The "what"
1180
- "sensitive data encryption",
1181
- "data at rest",
1182
- "storage protection",
1183
- "persistent data security"
959
+ "sensitive data at rest on servers, applications, and databases",
960
+ "Storage-layer encryption, also known as server-side encryption"
1184
961
  ],
1185
962
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1186
- "database encryption",
1187
- "file system encryption",
1188
- "application-level encryption",
1189
- "cloud storage encryption",
1190
- "backup encryption",
1191
- "key management systems",
1192
- "encryption algorithms"
963
+ "Encrypt Sensitive Data At Rest",
964
+ "Servers",
965
+ "Applications",
966
+ "Databases",
967
+ "Storage Layer (server side) encryption",
968
+ "Minimum Requirement"
1193
969
  ],
1194
970
  implementationSuggestions: [ // Gray - Implementation suggestions
1195
- "transparent data encryption",
1196
- "column-level encryption",
1197
- "file-level encryption",
1198
- "key management services",
1199
- "hardware security modules"
971
+ "Application layer (client-side) encryption",
972
+ "Where access to the data storage device(s) does not permit access to the plain-text data"
1200
973
  ],
1201
974
  relatedSafeguards: ["3.1", "3.6", "3.7", "3.9", "3.10", "11.1"],
1202
975
  keywords: ["encrypt", "sensitive", "data", "rest", "storage", "database", "persistent"]
1203
976
  },
1204
977
  "3.12": {
1205
978
  id: "3.12",
1206
- title: "Segment Data Processing and Storage Based on Classification",
1207
- description: "Segment data processing and storage based on the classification of the data",
1208
- implementationGroup: "IG3",
979
+ title: "Segment Data Processing and Storage Based on Sensitivity",
980
+ description: "Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.",
981
+ implementationGroup: "IG2",
1209
982
  assetType: ["data"],
1210
983
  securityFunction: ["Protect"],
1211
984
  governanceElements: [ // Orange - MUST be met
1212
- "segment data processing",
1213
- "segment data storage",
1214
- "based on classification",
1215
- "segmentation governance"
985
+ "Segment data processing and storage based on the sensitivity of the data",
986
+ "Do not process sensitive data on enterprise assets intended for lower sensitivity data"
1216
987
  ],
1217
988
  coreRequirements: [ // Green - The "what"
1218
- "data segmentation",
1219
- "processing segregation",
1220
- "storage segregation",
1221
- "classification-based separation"
1222
989
  ],
1223
990
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1224
- "network segmentation",
1225
- "logical separation",
1226
- "physical separation",
1227
- "processing environments",
1228
- "storage zones",
1229
- "access boundaries",
1230
- "isolation controls"
991
+ "Based on the sensitivity of data",
992
+ "Segment data processing (compute)",
993
+ "Segment Storage",
994
+ "Do not process sensitive data on enterprise assets intended for lower sensitivity data"
1231
995
  ],
1232
996
  implementationSuggestions: [ // Gray - Implementation suggestions
1233
- "network segmentation tools",
1234
- "virtualization platforms",
1235
- "container isolation",
1236
- "zone-based architecture",
1237
- "micro-segmentation"
1238
997
  ],
1239
998
  relatedSafeguards: ["3.1", "3.7", "12.1", "12.2", "12.3"],
1240
999
  keywords: ["segment", "data", "processing", "storage", "classification", "separation", "isolation"]
@@ -1242,37 +1001,29 @@ export class SafeguardManager {
1242
1001
  "3.13": {
1243
1002
  id: "3.13",
1244
1003
  title: "Deploy a Data Loss Prevention Solution",
1245
- description: "Deploy a data loss prevention solution on assets containing sensitive data",
1004
+ description: "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory.",
1246
1005
  implementationGroup: "IG3",
1247
1006
  assetType: ["data"],
1248
1007
  securityFunction: ["Protect"],
1249
1008
  governanceElements: [ // Orange - MUST be met
1250
- "deploy DLP solution",
1251
- "assets containing sensitive data",
1252
- "data loss prevention requirement",
1253
- "DLP governance"
1009
+ "Implement",
1010
+ "Update Data Inventory"
1254
1011
  ],
1255
1012
  coreRequirements: [ // Green - The "what"
1256
- "data loss prevention solution",
1257
- "sensitive data assets",
1258
- "data leakage prevention",
1259
- "data exfiltration controls"
1013
+ "automated tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider"
1260
1014
  ],
1261
1015
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1262
- "endpoint DLP",
1263
- "network DLP",
1264
- "email DLP",
1265
- "web DLP",
1266
- "cloud DLP",
1267
- "content inspection",
1268
- "policy enforcement"
1016
+ "Automated DLP Tool",
1017
+ "Identify all sensitive Data",
1018
+ "Stored",
1019
+ "Processed",
1020
+ "Transmitted",
1021
+ "Onsite Data",
1022
+ "Remote Service Provider",
1023
+ "Update Data Inventory"
1269
1024
  ],
1270
1025
  implementationSuggestions: [ // Gray - Implementation suggestions
1271
- "DLP platforms",
1272
- "content analysis engines",
1273
- "policy management systems",
1274
- "incident response integration",
1275
- "monitoring and alerting"
1026
+ "Host-based Data loss Prevention (DLP) tool"
1276
1027
  ],
1277
1028
  relatedSafeguards: ["3.1", "3.7", "3.8", "3.10", "3.11"],
1278
1029
  keywords: ["deploy", "data", "loss", "prevention", "solution", "sensitive", "DLP"]
@@ -1280,37 +1031,23 @@ export class SafeguardManager {
1280
1031
  "3.14": {
1281
1032
  id: "3.14",
1282
1033
  title: "Log Sensitive Data Access",
1283
- description: "Log sensitive data access, including modification and disposal",
1034
+ description: "Log sensitive data access, including modification and disposal.",
1284
1035
  implementationGroup: "IG3",
1285
1036
  assetType: ["data"],
1286
1037
  securityFunction: ["Detect"],
1287
1038
  governanceElements: [ // Orange - MUST be met
1288
- "log sensitive data access",
1289
- "including modification disposal",
1290
- "data access logging requirement",
1291
- "access monitoring governance"
1039
+ "Log"
1292
1040
  ],
1293
1041
  coreRequirements: [ // Green - The "what"
1294
- "sensitive data access logging",
1295
- "modification logging",
1296
- "disposal logging",
1297
- "comprehensive access tracking"
1042
+ "sensitive data access, including modification and disposal"
1298
1043
  ],
1299
1044
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1300
- "access events",
1301
- "user identification",
1302
- "timestamp recording",
1303
- "operation type logging",
1304
- "data identification",
1305
- "source system logging",
1306
- "audit trail maintenance"
1045
+ "Sensitive Data access",
1046
+ "Access",
1047
+ "Modification",
1048
+ "Disposal"
1307
1049
  ],
1308
1050
  implementationSuggestions: [ // Gray - Implementation suggestions
1309
- "database audit logs",
1310
- "file access monitoring",
1311
- "SIEM integration",
1312
- "log management platforms",
1313
- "activity monitoring tools"
1314
1051
  ],
1315
1052
  relatedSafeguards: ["3.1", "3.7", "3.8", "8.1", "8.2"],
1316
1053
  keywords: ["log", "sensitive", "data", "access", "modification", "disposal", "audit"]
@@ -1318,914 +1055,733 @@ export class SafeguardManager {
1318
1055
  "4.1": {
1319
1056
  id: "4.1",
1320
1057
  title: "Establish and Maintain a Secure Configuration Process",
1321
- description: "Establish and maintain a secure configuration process for enterprise assets and software",
1058
+ description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1322
1059
  implementationGroup: "IG1",
1323
- assetType: ["devices", "applications"],
1060
+ assetType: ["end-user devices", "network devices", "IoT devices", "servers", "applications"],
1324
1061
  securityFunction: ["Govern"],
1325
1062
  governanceElements: [ // Orange - MUST be met
1326
- "establish secure configuration process",
1327
- "maintain secure configuration process",
1328
- "enterprise assets and software coverage",
1329
- "configuration management governance"
1063
+ "Establish",
1064
+ "Maintain",
1065
+ "Documented Secure Configuration Process",
1066
+ "Review and update documentation",
1067
+ "Annually",
1068
+ "When significant enterprise changes occur that could impact this Safeguard"
1330
1069
  ],
1331
1070
  coreRequirements: [ // Green - The "what"
1332
- "secure configuration process",
1333
- "configuration management framework",
1334
- "standardized configuration procedures",
1335
- "configuration lifecycle management"
1071
+ "documented secure configuration process for enterprise assets",
1072
+ "documented secure configuration process for software"
1336
1073
  ],
1337
1074
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1338
- "configuration standards",
1339
- "baseline configurations",
1340
- "configuration templates",
1341
- "hardening procedures",
1342
- "configuration validation",
1343
- "change management integration",
1344
- "compliance checking"
1075
+ "Enterprise assets",
1076
+ "Software",
1077
+ "End-user devices",
1078
+ "Mobile",
1079
+ "Portable",
1080
+ "Non-computing/IoT devices",
1081
+ "Servers",
1082
+ "OS",
1083
+ "Applications"
1345
1084
  ],
1346
1085
  implementationSuggestions: [ // Gray - Implementation suggestions
1347
- "configuration management tools",
1348
- "policy management platforms",
1349
- "automated configuration systems",
1350
- "compliance scanning tools",
1351
- "baseline management systems"
1086
+ "Secure Configuration Policy / Process",
1087
+ "Configuration Management Tool"
1352
1088
  ],
1353
1089
  relatedSafeguards: ["1.1", "2.1", "4.2", "4.3", "4.4", "4.5", "4.6", "4.7", "4.8", "4.9", "4.10", "4.11", "4.12"],
1354
- keywords: ["establish", "maintain", "secure", "configuration", "process", "enterprise", "assets", "software"]
1090
+ keywords: ["establish", "maintain", "documented", "secure", "configuration", "process", "enterprise", "assets", "software", "review", "update"]
1355
1091
  },
1356
1092
  "4.2": {
1357
1093
  id: "4.2",
1358
1094
  title: "Establish and Maintain a Secure Configuration Process for Network Infrastructure",
1359
- description: "Establish and maintain a secure configuration process for network infrastructure",
1095
+ description: "Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
1360
1096
  implementationGroup: "IG1",
1361
- assetType: ["network"],
1097
+ assetType: ["network devices"],
1362
1098
  securityFunction: ["Govern"],
1363
1099
  governanceElements: [ // Orange - MUST be met
1364
- "establish network configuration process",
1365
- "maintain network configuration process",
1366
- "network infrastructure coverage",
1367
- "network security governance"
1100
+ "Establish",
1101
+ "Maintain",
1102
+ "Documented Secure Network Configuration Process",
1103
+ "Review and update documentation",
1104
+ "Annually",
1105
+ "When significant enterprise changes occur that could impact this Safeguard"
1368
1106
  ],
1369
1107
  coreRequirements: [ // Green - The "what"
1370
- "secure network configuration process",
1371
- "network infrastructure management",
1372
- "network security standards",
1373
- "network configuration lifecycle"
1108
+ "documented secure configuration process for network devices"
1374
1109
  ],
1375
1110
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1376
- "network device configurations",
1377
- "routing configurations",
1378
- "switching configurations",
1379
- "firewall configurations",
1380
- "wireless configurations",
1381
- "network segmentation",
1382
- "access control configurations"
1111
+ "Network devices"
1383
1112
  ],
1384
1113
  implementationSuggestions: [ // Gray - Implementation suggestions
1385
- "network configuration tools",
1386
- "network automation platforms",
1387
- "configuration templates",
1388
- "network compliance scanners",
1389
- "infrastructure as code"
1114
+ "Secure Configuration Policy / Process",
1115
+ "Configuration Management Tool"
1390
1116
  ],
1391
- relatedSafeguards: ["1.1", "4.1", "4.3", "4.4", "4.5", "12.1", "12.2"],
1392
- keywords: ["establish", "maintain", "secure", "configuration", "network", "infrastructure", "process"]
1117
+ relatedSafeguards: ["1.1", "2.1", "3.10", "4.1", "6.4", "8.1", "12.1", "12.2", "12.3", "12.4", "12.5", "13.3", "13.4", "13.6", "13.8", "13.9", "13.10"],
1118
+ keywords: ["establish", "maintain", "documented", "secure", "configuration", "network", "infrastructure", "process", "devices"]
1393
1119
  },
1394
1120
  "4.3": {
1395
1121
  id: "4.3",
1396
1122
  title: "Configure Automatic Session Locking on Enterprise Assets",
1397
- description: "Configure automatic session locking on enterprise assets after a defined period of inactivity",
1123
+ description: "Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period Must Not Exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.",
1398
1124
  implementationGroup: "IG1",
1399
1125
  assetType: ["devices"],
1400
1126
  securityFunction: ["Protect"],
1401
1127
  governanceElements: [ // Orange - MUST be met
1402
- "configure automatic session locking",
1403
- "enterprise assets coverage",
1404
- "defined period requirement",
1405
- "session security policy"
1128
+ "Configure",
1129
+ "Period must not exceed for 15 Minutes",
1130
+ "Period must not exceed for 2 Minutes"
1406
1131
  ],
1407
1132
  coreRequirements: [ // Green - The "what"
1408
- "automatic session locking",
1409
- "defined inactivity period",
1410
- "session timeout enforcement",
1411
- "unauthorized access prevention"
1133
+ "automatic session locking on enterprise assets after a defined period of inactivity",
1134
+ "general purpose operating systems",
1135
+ "mobile end-user devices"
1412
1136
  ],
1413
1137
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1414
- "timeout configurations",
1415
- "screen saver activation",
1416
- "workstation locking",
1417
- "mobile device locking",
1418
- "server console locking",
1419
- "application session timeouts",
1420
- "idle session detection"
1138
+ "Automatic Session Locking",
1139
+ "Period of inactivity",
1140
+ "General Purpose OSs",
1141
+ "Mobile end-user devices"
1421
1142
  ],
1422
1143
  implementationSuggestions: [ // Gray - Implementation suggestions
1423
- "group policy settings",
1424
- "mobile device management",
1425
- "screen saver configurations",
1426
- "application timeout settings",
1427
- "automated locking mechanisms"
1144
+ "Configuration Management Tool"
1428
1145
  ],
1429
- relatedSafeguards: ["1.1", "4.1", "4.2", "5.1", "6.1"],
1430
- keywords: ["configure", "automatic", "session", "locking", "enterprise", "assets", "inactivity", "timeout"]
1146
+ relatedSafeguards: ["4.1"],
1147
+ keywords: ["configure", "automatic", "session", "locking", "enterprise", "assets", "inactivity", "period", "minutes", "mobile", "operating", "systems"]
1431
1148
  },
1432
1149
  "4.4": {
1433
1150
  id: "4.4",
1434
1151
  title: "Implement and Manage a Firewall on Servers",
1435
- description: "Implement and manage a firewall on servers",
1152
+ description: "Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.",
1436
1153
  implementationGroup: "IG1",
1437
1154
  assetType: ["devices"],
1438
1155
  securityFunction: ["Protect"],
1439
1156
  governanceElements: [ // Orange - MUST be met
1440
- "implement firewall on servers",
1441
- "manage firewall on servers",
1442
- "server protection requirement",
1443
- "firewall management governance"
1157
+ "Implement",
1158
+ "Manage",
1159
+ "Where Supported"
1444
1160
  ],
1445
1161
  coreRequirements: [ // Green - The "what"
1446
- "firewall implementation",
1447
- "firewall management",
1448
- "server protection",
1449
- "network traffic filtering"
1162
+ "firewall on servers"
1450
1163
  ],
1451
1164
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1452
- "firewall rules configuration",
1453
- "port access control",
1454
- "protocol filtering",
1455
- "traffic monitoring",
1456
- "rule optimization",
1457
- "logging configuration",
1458
- "exception management"
1165
+ "Server Firewall"
1459
1166
  ],
1460
1167
  implementationSuggestions: [ // Gray - Implementation suggestions
1461
- "host-based firewalls",
1462
- "operating system firewalls",
1463
- "third-party firewall software",
1464
- "firewall management tools",
1465
- "centralized rule management"
1168
+ "Virtual Firewall",
1169
+ "OS Firewall",
1170
+ "Third Party Firewall",
1171
+ "Firewall",
1172
+ "Configuration Management Tool"
1466
1173
  ],
1467
- relatedSafeguards: ["1.1", "4.1", "4.2", "4.5", "12.1", "13.1"],
1468
- keywords: ["implement", "manage", "firewall", "servers", "protection", "filtering", "rules"]
1174
+ relatedSafeguards: ["4.1"],
1175
+ keywords: ["implement", "manage", "firewall", "servers", "virtual", "operating", "system", "third-party", "agent"]
1469
1176
  },
1470
1177
  "4.5": {
1471
1178
  id: "4.5",
1472
1179
  title: "Implement and Manage a Firewall on End-User Devices",
1473
- description: "Implement and manage a firewall on end-user devices",
1180
+ description: "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.",
1474
1181
  implementationGroup: "IG1",
1475
1182
  assetType: ["devices"],
1476
1183
  securityFunction: ["Protect"],
1477
1184
  governanceElements: [ // Orange - MUST be met
1478
- "implement firewall on end-user devices",
1479
- "manage firewall on end-user devices",
1480
- "end-user device protection",
1481
- "firewall policy enforcement"
1185
+ "Implement",
1186
+ "Manage",
1187
+ "Default deny rule that drops all traffic",
1188
+ "Except Explicitly Allowed"
1482
1189
  ],
1483
1190
  coreRequirements: [ // Green - The "what"
1484
- "firewall implementation",
1485
- "firewall management",
1486
- "end-user device protection",
1487
- "personal firewall deployment"
1191
+ "host-based firewall or port-filtering tool on end-user devices"
1488
1192
  ],
1489
1193
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1490
- "desktop firewall configuration",
1491
- "laptop firewall configuration",
1492
- "mobile device firewall",
1493
- "application-based rules",
1494
- "network profile management",
1495
- "exception handling",
1496
- "centralized management"
1194
+ "Host-based Firewall",
1195
+ "Port Filtering Tool",
1196
+ "End User Devices",
1197
+ "Services",
1198
+ "Ports"
1497
1199
  ],
1498
1200
  implementationSuggestions: [ // Gray - Implementation suggestions
1499
- "Windows Defender Firewall",
1500
- "macOS firewall",
1501
- "third-party endpoint firewalls",
1502
- "mobile device management",
1503
- "centralized firewall management"
1201
+ "Firewall",
1202
+ "Configuration Management Tool"
1504
1203
  ],
1505
- relatedSafeguards: ["1.1", "4.1", "4.2", "4.4", "5.1"],
1506
- keywords: ["implement", "manage", "firewall", "end-user", "devices", "personal", "protection"]
1204
+ relatedSafeguards: ["4.1"],
1205
+ keywords: ["implement", "manage", "host-based", "firewall", "port-filtering", "end-user", "devices", "default-deny", "explicitly", "allowed"]
1507
1206
  },
1508
1207
  "4.6": {
1509
1208
  id: "4.6",
1510
1209
  title: "Securely Manage Enterprise Assets and Software",
1511
- description: "Securely manage enterprise assets and software",
1512
- implementationGroup: "IG2",
1210
+ description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
1211
+ implementationGroup: "IG1",
1513
1212
  assetType: ["devices", "applications"],
1514
1213
  securityFunction: ["Protect"],
1515
1214
  governanceElements: [ // Orange - MUST be met
1516
- "securely manage enterprise assets",
1517
- "securely manage software",
1518
- "secure management practices",
1519
- "asset and software governance"
1215
+ "Do not use insecure management protocols",
1216
+ "Unless operationally essential"
1520
1217
  ],
1521
1218
  coreRequirements: [ // Green - The "what"
1522
- "secure asset management",
1523
- "secure software management",
1524
- "management security controls",
1525
- "administrative access protection"
1219
+ "Securely manage enterprise assets and software"
1526
1220
  ],
1527
1221
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1528
- "administrative access controls",
1529
- "privileged account management",
1530
- "secure remote management",
1531
- "management interface protection",
1532
- "configuration change controls",
1533
- "management tool security",
1534
- "secure maintenance procedures"
1222
+ "Securely manage enterprise assets and software"
1535
1223
  ],
1536
1224
  implementationSuggestions: [ // Gray - Implementation suggestions
1537
- "privileged access management",
1538
- "secure remote access tools",
1539
- "configuration management systems",
1540
- "change management platforms",
1541
- "secure administration protocols"
1225
+ "Manage configuration through version-controlled Infrastructure-as-Code (IaC)",
1226
+ "Accessing administrative interfaces over secure network protocols",
1227
+ "SSH",
1228
+ "HTTPS",
1229
+ "Telnet (Teletype Network)",
1230
+ "HTTP",
1231
+ "Configuration Management Tool"
1542
1232
  ],
1543
- relatedSafeguards: ["1.1", "2.1", "4.1", "4.7", "5.1", "5.4"],
1544
- keywords: ["securely", "manage", "enterprise", "assets", "software", "administrative", "privileged"]
1233
+ relatedSafeguards: ["4.1", "12.3"],
1234
+ keywords: ["securely", "manage", "enterprise", "assets", "software", "infrastructure-as-code", "administrative", "interfaces", "SSH", "HTTPS", "protocols"]
1545
1235
  },
1546
1236
  "4.7": {
1547
1237
  id: "4.7",
1548
1238
  title: "Manage Default Accounts on Enterprise Assets and Software",
1549
- description: "Manage default accounts on enterprise assets and software",
1550
- implementationGroup: "IG2",
1551
- assetType: ["devices", "applications"],
1239
+ description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
1240
+ implementationGroup: "IG1",
1241
+ assetType: ["devices", "applications", "users"],
1552
1242
  securityFunction: ["Protect"],
1553
1243
  governanceElements: [ // Orange - MUST be met
1554
- "manage default accounts",
1555
- "enterprise assets coverage",
1556
- "software coverage",
1557
- "default account governance"
1244
+ "Manage"
1558
1245
  ],
1559
1246
  coreRequirements: [ // Green - The "what"
1560
- "default account management",
1561
- "account security controls",
1562
- "default credential elimination",
1563
- "account hardening"
1247
+ "default accounts on enterprise assets and software"
1564
1248
  ],
1565
1249
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1566
- "default password changes",
1567
- "default account disabling",
1568
- "vendor default credentials",
1569
- "system account management",
1570
- "service account management",
1571
- "account enumeration prevention",
1572
- "credential strength requirements"
1250
+ "Default accounts",
1251
+ "Enterprise assets",
1252
+ "Software",
1253
+ "Root",
1254
+ "Administrator",
1255
+ "Other pre-configured vendor accounts"
1573
1256
  ],
1574
1257
  implementationSuggestions: [ // Gray - Implementation suggestions
1575
- "credential management tools",
1576
- "account discovery scanners",
1577
- "password management systems",
1578
- "automated account hardening",
1579
- "vulnerability scanners"
1258
+ "Disabling",
1259
+ "Unusable",
1260
+ "Configuration Management Tool"
1580
1261
  ],
1581
- relatedSafeguards: ["1.1", "2.1", "4.1", "4.6", "5.1", "5.2", "5.3"],
1582
- keywords: ["manage", "default", "accounts", "enterprise", "assets", "software", "credentials", "passwords"]
1262
+ relatedSafeguards: ["4.1"],
1263
+ keywords: ["manage", "default", "accounts", "enterprise", "assets", "software", "root", "administrator", "pre-configured", "vendor", "disabling", "unusable"]
1583
1264
  },
1584
1265
  "4.8": {
1585
1266
  id: "4.8",
1586
1267
  title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
1587
- description: "Uninstall or disable unnecessary services on enterprise assets and software",
1268
+ description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
1588
1269
  implementationGroup: "IG2",
1589
1270
  assetType: ["devices", "applications"],
1590
1271
  securityFunction: ["Protect"],
1591
1272
  governanceElements: [ // Orange - MUST be met
1592
- "uninstall unnecessary services",
1593
- "disable unnecessary services",
1594
- "enterprise assets coverage",
1595
- "service minimization governance"
1273
+ "Uninstall",
1274
+ "Disable"
1596
1275
  ],
1597
1276
  coreRequirements: [ // Green - The "what"
1598
- "unnecessary service removal",
1599
- "service disabling",
1600
- "attack surface reduction",
1601
- "minimal service deployment"
1277
+ "unnecessary services on enterprise assets and software"
1602
1278
  ],
1603
1279
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1604
- "service inventory",
1605
- "service necessity assessment",
1606
- "running services analysis",
1607
- "port closure requirements",
1608
- "daemon management",
1609
- "startup service control",
1610
- "service hardening"
1280
+ "Unnecessary Services",
1281
+ "Enterprise assets",
1282
+ "Software",
1283
+ "Unused file sharing service",
1284
+ "Web application module",
1285
+ "Service function"
1611
1286
  ],
1612
1287
  implementationSuggestions: [ // Gray - Implementation suggestions
1613
- "service management tools",
1614
- "port scanning tools",
1615
- "configuration baselines",
1616
- "system hardening guides",
1617
- "automated service management"
1288
+ "Configuration Management Tool"
1618
1289
  ],
1619
- relatedSafeguards: ["1.1", "2.1", "4.1", "4.9", "4.10"],
1620
- keywords: ["uninstall", "disable", "unnecessary", "services", "enterprise", "assets", "minimization", "hardening"]
1290
+ relatedSafeguards: ["4.1"],
1291
+ keywords: ["uninstall", "disable", "unnecessary", "services", "enterprise", "assets", "software", "unused", "file", "sharing", "web", "application", "module", "function"]
1621
1292
  },
1622
1293
  "4.9": {
1623
1294
  id: "4.9",
1624
1295
  title: "Configure Trusted DNS Servers on Enterprise Assets",
1625
- description: "Configure trusted DNS servers on enterprise assets",
1296
+ description: "Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.",
1626
1297
  implementationGroup: "IG2",
1627
1298
  assetType: ["devices"],
1628
1299
  securityFunction: ["Protect"],
1629
1300
  governanceElements: [ // Orange - MUST be met
1630
- "configure trusted DNS servers",
1631
- "enterprise assets coverage",
1632
- "DNS security requirement",
1633
- "trusted DNS governance"
1301
+ "Configure"
1634
1302
  ],
1635
1303
  coreRequirements: [ // Green - The "what"
1636
- "trusted DNS server configuration",
1637
- "DNS security controls",
1638
- "secure name resolution",
1639
- "DNS poisoning prevention"
1304
+ "trusted DNS servers on enterprise assets"
1640
1305
  ],
1641
1306
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1642
- "DNS server selection",
1643
- "DNS filtering implementation",
1644
- "malicious domain blocking",
1645
- "DNS over HTTPS configuration",
1646
- "DNS over TLS configuration",
1647
- "internal DNS management",
1648
- "DNS monitoring"
1307
+ "Trusted DNS Servers",
1308
+ "Enterprise assets"
1649
1309
  ],
1650
1310
  implementationSuggestions: [ // Gray - Implementation suggestions
1651
- "secure DNS services",
1652
- "DNS filtering solutions",
1653
- "internal DNS servers",
1654
- "DNS security tools",
1655
- "network-level DNS controls"
1311
+ "Configuring assets to use enterprise-controlled DNS servers",
1312
+ "Reputable externally accessible DNS servers",
1313
+ "Configuration Management Tool"
1656
1314
  ],
1657
- relatedSafeguards: ["1.1", "4.1", "4.2", "4.8", "13.1"],
1658
- keywords: ["configure", "trusted", "DNS", "servers", "enterprise", "assets", "secure", "resolution"]
1315
+ relatedSafeguards: ["4.1", "8.6", "9.2"],
1316
+ keywords: ["configure", "trusted", "DNS", "servers", "enterprise", "assets", "enterprise-controlled", "reputable", "externally", "accessible"]
1659
1317
  },
1660
1318
  "4.10": {
1661
1319
  id: "4.10",
1662
1320
  title: "Enforce Automatic Device Lockout on Portable End-User Devices",
1663
- description: "Enforce automatic device lockout on portable end-user devices",
1321
+ description: "Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.",
1664
1322
  implementationGroup: "IG2",
1665
1323
  assetType: ["devices"],
1666
1324
  securityFunction: ["Protect"],
1667
1325
  governanceElements: [ // Orange - MUST be met
1668
- "enforce automatic device lockout",
1669
- "portable end-user devices",
1670
- "lockout policy enforcement",
1671
- "device security governance"
1326
+ "Enforce",
1327
+ "Where supported",
1328
+ "Do not allow more than 20 Failed Authentication Attempts",
1329
+ "No more than 10 Failed Authentication Attempts"
1672
1330
  ],
1673
1331
  coreRequirements: [ // Green - The "what"
1674
- "automatic device lockout",
1675
- "portable device protection",
1676
- "unauthorized access prevention",
1677
- "device lock enforcement"
1332
+ "automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices"
1678
1333
  ],
1679
1334
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1680
- "mobile device lockout",
1681
- "laptop lockout policies",
1682
- "tablet lockout configuration",
1683
- "biometric lockout options",
1684
- "PIN/password lockout",
1685
- "failed attempt thresholds",
1686
- "lockout duration settings"
1335
+ "Automatic Device Lockout",
1336
+ "Predetermined threshold of local failed authentication attempts",
1337
+ "Portable end-user devices",
1338
+ "Laptops",
1339
+ "Tablets and smartphones"
1687
1340
  ],
1688
1341
  implementationSuggestions: [ // Gray - Implementation suggestions
1689
- "mobile device management",
1690
- "device policy enforcement",
1691
- "biometric authentication",
1692
- "automated lockout systems",
1693
- "device compliance tools"
1342
+ "Microsoft® InTune Device Lock",
1343
+ "Apple® Configuration Profile maxFailedAttempts",
1344
+ "Configuration Management Tool"
1694
1345
  ],
1695
- relatedSafeguards: ["1.1", "4.3", "4.5", "5.1", "6.1"],
1696
- keywords: ["enforce", "automatic", "device", "lockout", "portable", "end-user", "devices", "mobile"]
1346
+ relatedSafeguards: ["4.1"],
1347
+ keywords: ["enforce", "automatic", "device", "lockout", "portable", "end-user", "devices", "failed", "authentication", "attempts", "laptops", "tablets", "smartphones", "InTune", "Apple"]
1697
1348
  },
1698
1349
  "4.11": {
1699
1350
  id: "4.11",
1700
1351
  title: "Enforce Remote Wipe Capability on Portable End-User Devices",
1701
- description: "Enforce remote wipe capability on portable end-user devices",
1352
+ description: "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.",
1702
1353
  implementationGroup: "IG2",
1703
1354
  assetType: ["devices"],
1704
1355
  securityFunction: ["Protect"],
1705
1356
  governanceElements: [ // Orange - MUST be met
1706
- "enforce remote wipe capability",
1707
- "portable end-user devices",
1708
- "remote wipe governance",
1709
- "device data protection policy"
1357
+ "When deemed appropriate"
1710
1358
  ],
1711
1359
  coreRequirements: [ // Green - The "what"
1712
- "remote wipe capability",
1713
- "portable device data protection",
1714
- "emergency data removal",
1715
- "lost device security"
1360
+ "Remotely wipe enterprise data from enterprise-owned portable end-user devices"
1716
1361
  ],
1717
1362
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1718
- "mobile device wipe",
1719
- "laptop remote wipe",
1720
- "tablet data removal",
1721
- "selective wipe capabilities",
1722
- "full device wipe options",
1723
- "wipe trigger mechanisms",
1724
- "wipe verification"
1363
+ "Remotely Wipe enterprise data",
1364
+ "Portable end-user devices",
1365
+ "Lost devices",
1366
+ "Stolen devices",
1367
+ "When an individual no longer supports the enterprise"
1725
1368
  ],
1726
1369
  implementationSuggestions: [ // Gray - Implementation suggestions
1727
- "mobile device management",
1728
- "remote wipe solutions",
1729
- "cloud-based device management",
1730
- "enterprise mobility management",
1731
- "device tracking systems"
1370
+ "Configuration Management Tool"
1732
1371
  ],
1733
- relatedSafeguards: ["1.1", "3.5", "4.10", "5.1"],
1734
- keywords: ["enforce", "remote", "wipe", "capability", "portable", "end-user", "devices", "data", "removal"]
1372
+ relatedSafeguards: ["4.1"],
1373
+ keywords: ["remotely", "wipe", "enterprise", "data", "enterprise-owned", "portable", "end-user", "devices", "lost", "stolen", "individual", "no", "longer", "supports"]
1735
1374
  },
1736
1375
  "4.12": {
1737
1376
  id: "4.12",
1738
- title: "Separate Enterprise Workloads from Untrusted Networks",
1739
- description: "Separate enterprise workloads from untrusted networks",
1377
+ title: "Separate Enterprise Workspaces on Mobile End-User Devices",
1378
+ description: "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or AndroidTM Work Profile to separate enterprise applications and data from personal applications and data.",
1740
1379
  implementationGroup: "IG3",
1741
- assetType: ["network"],
1380
+ assetType: ["devices", "data"],
1742
1381
  securityFunction: ["Protect"],
1743
1382
  governanceElements: [ // Orange - MUST be met
1744
- "separate enterprise workloads",
1745
- "from untrusted networks",
1746
- "network separation requirement",
1747
- "workload isolation governance"
1383
+ "Ensure",
1384
+ "Where Supported"
1748
1385
  ],
1749
1386
  coreRequirements: [ // Green - The "what"
1750
- "enterprise workload separation",
1751
- "untrusted network isolation",
1752
- "network boundary controls",
1753
- "secure network architecture"
1387
+ "separate enterprise workspaces are used on mobile end-user devices"
1754
1388
  ],
1755
1389
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1756
- "network segmentation",
1757
- "VLAN separation",
1758
- "subnet isolation",
1759
- "firewall boundaries",
1760
- "DMZ implementation",
1761
- "air gap controls",
1762
- "network access controls"
1390
+ "Separate enterprise workspaces",
1391
+ "On Mobile Devices",
1392
+ "Enterprise Applications",
1393
+ "Enterprise Data",
1394
+ "Personal Applications",
1395
+ "Personal Data"
1763
1396
  ],
1764
1397
  implementationSuggestions: [ // Gray - Implementation suggestions
1765
- "network segmentation tools",
1766
- "VLAN management systems",
1767
- "next-generation firewalls",
1768
- "network access control systems",
1769
- "micro-segmentation platforms"
1398
+ "Apple® Configuration Profile",
1399
+ "AndroidTM Work Profile",
1400
+ "Configuration Management Tool"
1770
1401
  ],
1771
- relatedSafeguards: ["4.1", "4.2", "4.4", "12.1", "12.2", "12.3"],
1772
- keywords: ["separate", "enterprise", "workloads", "untrusted", "networks", "isolation", "segmentation"]
1402
+ relatedSafeguards: ["4.1"],
1403
+ keywords: ["separate", "enterprise", "workspaces", "mobile", "end-user", "devices", "Apple", "Configuration", "Profile", "Android", "Work", "Profile", "applications", "data", "personal"]
1773
1404
  },
1774
1405
  "5.2": {
1775
1406
  id: "5.2",
1776
1407
  title: "Use Unique Passwords",
1777
- description: "Use unique passwords for all enterprise assets",
1408
+ description: "Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA.",
1778
1409
  implementationGroup: "IG1",
1779
1410
  assetType: ["users"],
1780
1411
  securityFunction: ["Protect"],
1781
1412
  governanceElements: [ // Orange - MUST be met
1782
- "use unique passwords",
1783
- "all enterprise assets",
1784
- "password uniqueness requirement",
1785
- "password governance policy"
1413
+ "Use unique passwords for all enterprise assets",
1414
+ "Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA"
1786
1415
  ],
1787
1416
  coreRequirements: [ // Green - The "what"
1788
- "unique passwords",
1789
- "password uniqueness enforcement",
1790
- "no password reuse",
1791
- "distinct credentials"
1417
+ "Unique Passwords"
1792
1418
  ],
1793
1419
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1794
- "password complexity requirements",
1795
- "password history tracking",
1796
- "password reuse prevention",
1797
- "account-specific passwords",
1798
- "service account passwords",
1799
- "system account passwords",
1800
- "password strength validation"
1420
+ "Use",
1421
+ "At a minimum",
1422
+ "All Enterprise Assets",
1423
+ "8-character password for accounts using MFA",
1424
+ "14-character password for accounts not using MFA"
1801
1425
  ],
1802
1426
  implementationSuggestions: [ // Gray - Implementation suggestions
1803
- "password management systems",
1804
- "password policy enforcement",
1805
- "active directory policies",
1806
- "password generators",
1807
- "credential vaults"
1427
+ "Account and Access Control Management",
1428
+ "Password Management Tool"
1808
1429
  ],
1809
- relatedSafeguards: ["5.1", "5.3", "5.4", "5.5", "5.6"],
1810
- keywords: ["unique", "passwords", "enterprise", "assets", "password", "reuse", "complexity"]
1430
+ relatedSafeguards: ["5.1"],
1431
+ keywords: ["use", "unique", "passwords", "enterprise", "assets", "8-character", "14-character", "MFA", "minimum"]
1811
1432
  },
1812
1433
  "5.3": {
1813
1434
  id: "5.3",
1814
1435
  title: "Disable Dormant Accounts",
1815
- description: "Delete or disable any dormant accounts after a period of 45 days of inactivity",
1436
+ description: "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.",
1816
1437
  implementationGroup: "IG1",
1817
1438
  assetType: ["users"],
1818
1439
  securityFunction: ["Protect"],
1819
1440
  governanceElements: [ // Orange - MUST be met
1820
- "delete or disable dormant accounts",
1821
- "45 days inactivity period",
1822
- "dormant account management",
1823
- "account lifecycle governance"
1441
+ "Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported"
1824
1442
  ],
1825
1443
  coreRequirements: [ // Green - The "what"
1826
- "dormant account identification",
1827
- "account deletion or disabling",
1828
- "inactivity period monitoring",
1829
- "automated account management"
1444
+ "Dormant Accounts"
1830
1445
  ],
1831
1446
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1832
- "account activity monitoring",
1833
- "login tracking",
1834
- "last access timestamps",
1835
- "account status management",
1836
- "deactivation procedures",
1837
- "account archival processes",
1838
- "reactivation workflows"
1447
+ "Disable",
1448
+ "Delete",
1449
+ "Period of 45 days of inactivity",
1450
+ "Where Supported"
1839
1451
  ],
1840
1452
  implementationSuggestions: [ // Gray - Implementation suggestions
1841
- "identity management systems",
1842
- "automated account lifecycle tools",
1843
- "activity monitoring solutions",
1844
- "account governance platforms",
1845
- "directory service automation"
1453
+ "Account and Access Control Management",
1454
+ "Identity and Access Management Tool"
1846
1455
  ],
1847
- relatedSafeguards: ["5.1", "5.2", "5.4", "5.5", "5.6"],
1848
- keywords: ["disable", "dormant", "accounts", "45", "days", "inactivity", "delete", "lifecycle"]
1456
+ relatedSafeguards: ["5.1"],
1457
+ keywords: ["delete", "disable", "dormant", "accounts", "45", "days", "inactivity", "supported"]
1849
1458
  },
1850
1459
  "5.4": {
1851
1460
  id: "5.4",
1852
1461
  title: "Restrict Administrator Privileges to Dedicated Administrator Accounts",
1853
- description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
1462
+ description: "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
1854
1463
  implementationGroup: "IG1",
1855
1464
  assetType: ["users"],
1856
1465
  securityFunction: ["Protect"],
1857
1466
  governanceElements: [ // Orange - MUST be met
1858
- "restrict administrator privileges",
1859
- "dedicated administrator accounts",
1860
- "enterprise assets coverage",
1861
- "privilege separation governance"
1467
+ "Restrict administrator privileges to dedicated administrator accounts on enterprise assets",
1468
+ "Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account"
1862
1469
  ],
1863
1470
  coreRequirements: [ // Green - The "what"
1864
- "administrator privilege restriction",
1865
- "dedicated admin accounts",
1866
- "privilege separation",
1867
- "role-based access control"
1471
+ "Administrator Privileges",
1472
+ "Dedicated Admin Accounts"
1868
1473
  ],
1869
1474
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1870
- "privileged account identification",
1871
- "admin account separation",
1872
- "regular user accounts",
1873
- "privilege escalation controls",
1874
- "admin account monitoring",
1875
- "privileged access workflows",
1876
- "least privilege enforcement"
1475
+ "Restrict",
1476
+ "Enterprise assets",
1477
+ "User's primary, non-privileged account",
1478
+ "General Computing Activities"
1877
1479
  ],
1878
1480
  implementationSuggestions: [ // Gray - Implementation suggestions
1879
- "privileged access management",
1880
- "role-based access control systems",
1881
- "admin account management tools",
1882
- "privilege escalation monitoring",
1883
- "just-in-time access"
1481
+ "Account and Access Control Management",
1482
+ "Identity and Access Management Tool",
1483
+ "Such as",
1484
+ "Internet browsing",
1485
+ "Email",
1486
+ "Productivity suite use"
1884
1487
  ],
1885
- relatedSafeguards: ["4.6", "5.1", "5.2", "5.3", "5.5", "5.6", "6.1", "6.2"],
1886
- keywords: ["restrict", "administrator", "privileges", "dedicated", "accounts", "enterprise", "assets", "privileged"]
1488
+ relatedSafeguards: ["4.1", "5.1"],
1489
+ keywords: ["restrict", "administrator", "privileges", "dedicated", "accounts", "enterprise", "assets", "general", "computing", "browsing", "email", "productivity"]
1887
1490
  },
1888
1491
  "5.5": {
1889
1492
  id: "5.5",
1890
1493
  title: "Establish and Maintain an Inventory of Service Accounts",
1891
- description: "Establish and maintain an inventory of service accounts",
1494
+ description: "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.",
1892
1495
  implementationGroup: "IG2",
1893
1496
  assetType: ["users"],
1894
1497
  securityFunction: ["Identify"],
1895
1498
  governanceElements: [ // Orange - MUST be met
1896
- "establish service account inventory",
1897
- "maintain service account inventory",
1898
- "service account governance",
1899
- "inventory management requirements"
1499
+ "Establish and maintain an inventory of service accounts",
1500
+ "The inventory, at a minimum, must contain department owner, review date, and purpose",
1501
+ "Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently"
1900
1502
  ],
1901
1503
  coreRequirements: [ // Green - The "what"
1902
- "service account inventory",
1903
- "service account identification",
1904
- "account classification",
1905
- "service account tracking"
1504
+ "Inventory of Service Accounts"
1906
1505
  ],
1907
1506
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1908
- "service account names",
1909
- "associated services",
1910
- "account purposes",
1911
- "account owners",
1912
- "privilege levels",
1913
- "account dependencies",
1914
- "credential management"
1507
+ "Establish",
1508
+ "Maintain",
1509
+ "At a Minimum Must Contain",
1510
+ "Perform service account reviews to validate that all active accounts are authorized",
1511
+ "On a recurring schedule",
1512
+ "Department Owner",
1513
+ "Review date",
1514
+ "Purpose",
1515
+ "At a minimum quarterly",
1516
+ "More frequently",
1517
+ "Or"
1915
1518
  ],
1916
1519
  implementationSuggestions: [ // Gray - Implementation suggestions
1917
- "service account discovery tools",
1918
- "identity management platforms",
1919
- "account inventory systems",
1920
- "automated discovery agents",
1921
- "credential scanning tools"
1520
+ "Account and Access Control Management",
1521
+ "Identity and Access Management Tool"
1922
1522
  ],
1923
- relatedSafeguards: ["1.1", "2.1", "5.1", "5.2", "5.3", "5.4", "5.6"],
1924
- keywords: ["establish", "maintain", "inventory", "service", "accounts", "identification", "tracking"]
1523
+ relatedSafeguards: ["5.1"],
1524
+ keywords: ["establish", "maintain", "inventory", "service", "accounts", "department", "owner", "review", "date", "purpose", "quarterly", "validate", "authorized"]
1925
1525
  },
1926
1526
  "5.6": {
1927
1527
  id: "5.6",
1928
1528
  title: "Centralize Account Management",
1929
- description: "Centralize account management through a directory service or identity provider",
1529
+ description: "Centralize account management through a directory or identity service.",
1930
1530
  implementationGroup: "IG2",
1931
1531
  assetType: ["users"],
1932
- securityFunction: ["Protect"],
1532
+ securityFunction: ["Govern"],
1933
1533
  governanceElements: [ // Orange - MUST be met
1934
- "centralize account management",
1935
- "directory service or identity provider",
1936
- "centralized management requirement",
1937
- "identity governance"
1534
+ "Centralize account management through a directory or identity service"
1938
1535
  ],
1939
1536
  coreRequirements: [ // Green - The "what"
1940
- "centralized account management",
1941
- "directory service integration",
1942
- "identity provider deployment",
1943
- "unified account control"
1537
+ "Account Management"
1944
1538
  ],
1945
1539
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1946
- "directory service implementation",
1947
- "identity provider integration",
1948
- "single sign-on capabilities",
1949
- "federated identity management",
1950
- "account provisioning automation",
1951
- "centralized authentication",
1952
- "identity synchronization"
1540
+ "Centralize",
1541
+ "Directory Service",
1542
+ "Identity Service",
1543
+ "Or"
1953
1544
  ],
1954
1545
  implementationSuggestions: [ // Gray - Implementation suggestions
1955
- "Active Directory services",
1956
- "LDAP directories",
1957
- "cloud identity providers",
1958
- "identity management platforms",
1959
- "federation services"
1546
+ "Account and Access Control Management",
1547
+ "Identity and Access Management Tool"
1960
1548
  ],
1961
- relatedSafeguards: ["5.1", "5.2", "5.3", "5.4", "5.5", "6.1", "6.2", "6.3"],
1962
- keywords: ["centralize", "account", "management", "directory", "service", "identity", "provider"]
1549
+ relatedSafeguards: ["5.1", "6.6", "6.7", "12.5"],
1550
+ keywords: ["centralize", "account", "management", "directory", "service", "identity"]
1963
1551
  },
1964
1552
  "6.1": {
1965
1553
  id: "6.1",
1966
1554
  title: "Establish an Access Granting Process",
1967
- description: "Establish and follow a process for granting access to enterprise assets upon new hire, promotion, or role change",
1555
+ description: "Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user.",
1968
1556
  implementationGroup: "IG1",
1969
1557
  assetType: ["users"],
1970
- securityFunction: ["Protect"],
1558
+ securityFunction: ["Govern"],
1971
1559
  governanceElements: [ // Orange - MUST be met
1972
- "establish access granting process",
1973
- "follow access granting process",
1974
- "new hire promotion role change coverage",
1975
- "access governance framework"
1560
+ "Establish",
1561
+ "Follow",
1562
+ "Account and Access Control Management",
1563
+ "Account and Credential Management Policy/Process",
1564
+ "Documentation"
1976
1565
  ],
1977
1566
  coreRequirements: [ // Green - The "what"
1978
- "access granting process",
1979
- "new hire access provisioning",
1980
- "promotion access updates",
1981
- "role change access management"
1567
+ "documented process",
1568
+ "granting access to enterprise assets"
1982
1569
  ],
1983
1570
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1984
- "access request workflows",
1985
- "manager approval processes",
1986
- "role-based access assignment",
1987
- "access provisioning procedures",
1988
- "onboarding access checklists",
1989
- "access documentation requirements",
1990
- "approval audit trails"
1571
+ "preferably automated",
1572
+ "upon new hire",
1573
+ "role change of a user",
1574
+ "New Hire",
1575
+ "Role Change",
1576
+ "Enterprise assets"
1991
1577
  ],
1992
1578
  implementationSuggestions: [ // Gray - Implementation suggestions
1993
- "identity governance platforms",
1994
- "access request systems",
1995
- "workflow automation tools",
1996
- "role-based provisioning systems",
1997
- "approval workflow tools"
1579
+ "Account and Access Control Management",
1580
+ "Account and Credential Management Policy/Process"
1998
1581
  ],
1999
- relatedSafeguards: ["5.1", "5.4", "5.6", "6.2", "6.3", "6.4", "6.5", "6.6", "6.7", "6.8"],
2000
- keywords: ["establish", "access", "granting", "process", "new", "hire", "promotion", "role", "change"]
1582
+ relatedSafeguards: ["5.1", "6.7", "6.8"],
1583
+ keywords: ["establish", "follow", "documented", "process", "automated", "granting", "access", "enterprise", "assets", "new", "hire", "role", "change"]
2001
1584
  },
2002
1585
  "6.2": {
2003
1586
  id: "6.2",
2004
1587
  title: "Establish an Access Revoking Process",
2005
- description: "Establish and follow a process for revoking access to enterprise assets upon termination, demotion, or role change",
1588
+ description: "Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.",
2006
1589
  implementationGroup: "IG1",
2007
1590
  assetType: ["users"],
2008
- securityFunction: ["Protect"],
1591
+ securityFunction: ["Govern"],
2009
1592
  governanceElements: [ // Orange - MUST be met
2010
- "establish access revoking process",
2011
- "follow access revoking process",
2012
- "termination demotion role change coverage",
2013
- "access revocation governance"
1593
+ "Establish",
1594
+ "Follow",
1595
+ "Account and Access Control Management",
1596
+ "Account and Credential Management Policy/Process",
1597
+ "Documentation"
2014
1598
  ],
2015
1599
  coreRequirements: [ // Green - The "what"
2016
- "access revoking process",
2017
- "termination access removal",
2018
- "demotion access reduction",
2019
- "role change access adjustment"
1600
+ "process",
1601
+ "revoking access to enterprise assets",
1602
+ "disabling accounts immediately"
2020
1603
  ],
2021
1604
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2022
- "termination procedures",
2023
- "access revocation checklists",
2024
- "account deactivation processes",
2025
- "credential recovery procedures",
2026
- "system access removal",
2027
- "physical access revocation",
2028
- "asset return procedures"
1605
+ "preferably automated",
1606
+ "upon termination",
1607
+ "rights revocation",
1608
+ "role change of a user",
1609
+ "Role Change",
1610
+ "Termination",
1611
+ "Rights revocation",
1612
+ "Enterprise assets",
1613
+ "Disabling accounts immediately"
2029
1614
  ],
2030
1615
  implementationSuggestions: [ // Gray - Implementation suggestions
2031
- "identity governance platforms",
2032
- "automated deprovisioning",
2033
- "HR system integration",
2034
- "access revocation workflows",
2035
- "termination checklist systems"
1616
+ "Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails",
1617
+ "Account and Access Control Management",
1618
+ "Account and Credential Management Policy/Process"
2036
1619
  ],
2037
- relatedSafeguards: ["5.1", "5.3", "5.4", "5.6", "6.1", "6.3", "6.4", "6.5", "6.6", "6.7", "6.8"],
2038
- keywords: ["establish", "access", "revoking", "process", "termination", "demotion", "role", "change"]
1620
+ relatedSafeguards: ["5.1", "6.7"],
1621
+ keywords: ["establish", "follow", "process", "automated", "revoking", "access", "enterprise", "assets", "disabling", "accounts", "termination", "rights", "revocation", "role", "change", "audit", "trails"]
2039
1622
  },
2040
1623
  "6.4": {
2041
1624
  id: "6.4",
2042
1625
  title: "Require MFA for Remote Network Access",
2043
- description: "Require MFA for remote network access",
1626
+ description: "Require MFA for remote network access.",
2044
1627
  implementationGroup: "IG1",
2045
1628
  assetType: ["users"],
2046
1629
  securityFunction: ["Protect"],
2047
1630
  governanceElements: [ // Orange - MUST be met
2048
- "require MFA for remote access",
2049
- "remote network access coverage",
2050
- "MFA enforcement policy",
2051
- "remote access governance"
1631
+ "Require",
1632
+ "Account and Access Control Management",
1633
+ "Multi-Factor Authentication Tool"
2052
1634
  ],
2053
1635
  coreRequirements: [ // Green - The "what"
2054
- "multi-factor authentication",
2055
- "remote network access",
2056
- "MFA enforcement",
2057
- "remote access security"
1636
+ "MFA",
1637
+ "remote network access"
2058
1638
  ],
2059
1639
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2060
- "VPN access controls",
2061
- "remote desktop authentication",
2062
- "cloud service access",
2063
- "mobile device access",
2064
- "authentication factors",
2065
- "MFA token management",
2066
- "backup authentication methods"
1640
+ "Remote Network Access"
2067
1641
  ],
2068
1642
  implementationSuggestions: [ // Gray - Implementation suggestions
2069
- "VPN with MFA integration",
2070
- "remote access gateways",
2071
- "cloud identity providers",
2072
- "MFA token systems",
2073
- "biometric authentication"
1643
+ "Account and Access Control Management",
1644
+ "Multi-Factor Authentication Tool"
2074
1645
  ],
2075
- relatedSafeguards: ["5.6", "6.1", "6.2", "6.3", "6.5", "6.6"],
2076
- keywords: ["require", "MFA", "remote", "network", "access", "multi-factor", "authentication", "VPN"]
1646
+ relatedSafeguards: ["4.2", "12.7"],
1647
+ keywords: ["require", "MFA", "remote", "network", "access", "multi-factor", "authentication"]
2077
1648
  },
2078
1649
  "6.5": {
2079
1650
  id: "6.5",
2080
1651
  title: "Require MFA for Administrative Access",
2081
- description: "Require MFA for administrative access to enterprise assets",
1652
+ description: "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider.",
2082
1653
  implementationGroup: "IG1",
2083
1654
  assetType: ["users"],
2084
1655
  securityFunction: ["Protect"],
2085
1656
  governanceElements: [ // Orange - MUST be met
2086
- "require MFA for administrative access",
2087
- "enterprise assets coverage",
2088
- "administrative access governance",
2089
- "MFA policy enforcement"
1657
+ "Require",
1658
+ "Account and Access Control Management",
1659
+ "Multi-Factor Authentication Tool"
2090
1660
  ],
2091
1661
  coreRequirements: [ // Green - The "what"
2092
- "multi-factor authentication",
2093
- "administrative access",
2094
- "privileged account protection",
2095
- "MFA enforcement"
1662
+ "MFA",
1663
+ "all administrative access accounts",
1664
+ "all enterprise assets"
2096
1665
  ],
2097
1666
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2098
- "administrator account protection",
2099
- "privileged access controls",
2100
- "system administration access",
2101
- "database administration access",
2102
- "network administration access",
2103
- "security administration access",
2104
- "emergency access procedures"
1667
+ "where supported",
1668
+ "All Admin Access Accounts",
1669
+ "All enterprise assets",
1670
+ "Onsite Management",
1671
+ "Service Provider",
1672
+ "Or"
2105
1673
  ],
2106
1674
  implementationSuggestions: [ // Gray - Implementation suggestions
2107
- "privileged access management",
2108
- "administrative MFA systems",
2109
- "just-in-time access",
2110
- "privileged session management",
2111
- "administrative workstations"
1675
+ "Account and Access Control Management",
1676
+ "Multi-Factor Authentication Tool"
2112
1677
  ],
2113
- relatedSafeguards: ["5.4", "5.6", "6.1", "6.2", "6.3", "6.4", "6.6"],
2114
- keywords: ["require", "MFA", "administrative", "access", "enterprise", "assets", "privileged", "protection"]
1678
+ relatedSafeguards: ["4.1"],
1679
+ keywords: ["require", "MFA", "administrative", "access", "accounts", "supported", "enterprise", "assets", "managed", "onsite", "service", "provider"]
2115
1680
  },
2116
1681
  "6.6": {
2117
1682
  id: "6.6",
2118
1683
  title: "Establish and Maintain an Inventory of Authentication and Authorization Systems",
2119
- description: "Establish and maintain an inventory of authentication and authorization systems",
1684
+ description: "Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.",
2120
1685
  implementationGroup: "IG2",
2121
- assetType: ["applications"],
1686
+ assetType: ["software"],
2122
1687
  securityFunction: ["Identify"],
2123
1688
  governanceElements: [ // Orange - MUST be met
2124
- "establish auth system inventory",
2125
- "maintain auth system inventory",
2126
- "authentication authorization coverage",
2127
- "auth system governance"
1689
+ "Establish",
1690
+ "maintain",
1691
+ "Review and update",
1692
+ "Account and Access Control Management",
1693
+ "Account and Credential Management Policy/Process"
2128
1694
  ],
2129
1695
  coreRequirements: [ // Green - The "what"
2130
- "authentication system inventory",
2131
- "authorization system inventory",
2132
- "identity system tracking",
2133
- "access control system management"
1696
+ "inventory of the enterprise's authentication and authorization systems"
2134
1697
  ],
2135
1698
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2136
- "identity providers",
2137
- "authentication servers",
2138
- "authorization systems",
2139
- "single sign-on systems",
2140
- "directory services",
2141
- "access control lists",
2142
- "federation services"
1699
+ "including those hosted on-site or at a remote service provider",
1700
+ "at a minimum, annually, or more frequently",
1701
+ "Hosted on-site",
1702
+ "Remote Service Provider",
1703
+ "Or",
1704
+ "At a minimum Annually",
1705
+ "More frequently"
2143
1706
  ],
2144
1707
  implementationSuggestions: [ // Gray - Implementation suggestions
2145
- "identity system discovery tools",
2146
- "authentication inventory platforms",
2147
- "system catalog management",
2148
- "integration mapping tools",
2149
- "identity architecture documentation"
1708
+ "Account and Access Control Management",
1709
+ "Account and Credential Management Policy/Process"
2150
1710
  ],
2151
- relatedSafeguards: ["1.1", "2.1", "5.1", "5.6", "6.1", "6.2", "6.3", "6.4", "6.5", "6.7", "6.8"],
2152
- keywords: ["establish", "maintain", "inventory", "authentication", "authorization", "systems", "identity"]
1711
+ relatedSafeguards: ["1.1", "2.1", "3.3", "5.6", "6.7"],
1712
+ keywords: ["establish", "maintain", "inventory", "enterprise", "authentication", "authorization", "systems", "hosted", "onsite", "remote", "service", "provider", "review", "update", "annually"]
2153
1713
  },
2154
1714
  "6.7": {
2155
1715
  id: "6.7",
2156
1716
  title: "Centralize Access Control",
2157
- description: "Centralize access control for all enterprise assets through a directory service or SSO provider",
1717
+ description: "Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.",
2158
1718
  implementationGroup: "IG2",
2159
1719
  assetType: ["users"],
2160
1720
  securityFunction: ["Protect"],
2161
1721
  governanceElements: [ // Orange - MUST be met
2162
- "centralize access control",
2163
- "all enterprise assets",
2164
- "directory service or SSO provider",
2165
- "centralized control governance"
1722
+ "Centralize",
1723
+ "Account and Access Control Management",
1724
+ "Account and Credential Management Policy/Process",
1725
+ "Identity and Access Management Tool"
2166
1726
  ],
2167
1727
  coreRequirements: [ // Green - The "what"
2168
- "centralized access control",
2169
- "directory service integration",
2170
- "SSO provider deployment",
2171
- "unified access management"
1728
+ "access control",
1729
+ "all enterprise assets"
2172
1730
  ],
2173
1731
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2174
- "single sign-on implementation",
2175
- "directory service integration",
2176
- "federated authentication",
2177
- "centralized authorization",
2178
- "access policy management",
2179
- "identity federation",
2180
- "cross-platform integration"
1732
+ "through a directory service or SSO provider",
1733
+ "where supported",
1734
+ "Directory Service",
1735
+ "SSO Provider",
1736
+ "Or",
1737
+ "All enterprise assets",
1738
+ "Where Supported"
2181
1739
  ],
2182
1740
  implementationSuggestions: [ // Gray - Implementation suggestions
2183
- "Active Directory integration",
2184
- "SAML-based SSO",
2185
- "OAuth implementations",
2186
- "identity federation platforms",
2187
- "centralized access gateways"
1741
+ "Account and Access Control Management",
1742
+ "Account and Credential Management Policy/Process",
1743
+ "Identity and Access Management Tool"
2188
1744
  ],
2189
- relatedSafeguards: ["5.6", "6.1", "6.2", "6.3", "6.4", "6.5", "6.6", "6.8"],
2190
- keywords: ["centralize", "access", "control", "enterprise", "assets", "directory", "service", "SSO"]
1745
+ relatedSafeguards: ["4.1", "5.1", "5.6", "6.1", "6.2", "6.6", "12.5", "12.7"],
1746
+ keywords: ["centralize", "access", "control", "enterprise", "assets", "directory", "service", "SSO", "provider", "supported"]
2191
1747
  },
2192
1748
  "6.8": {
2193
1749
  id: "6.8",
2194
1750
  title: "Define and Maintain Role-Based Access Control",
2195
- description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise",
1751
+ description: "Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.",
2196
1752
  implementationGroup: "IG3",
2197
1753
  assetType: ["users"],
2198
- securityFunction: ["Protect"],
1754
+ securityFunction: ["Govern"],
2199
1755
  governanceElements: [ // Orange - MUST be met
2200
- "define role-based access control",
2201
- "maintain role-based access control",
2202
- "determine access rights for each role",
2203
- "document access rights"
1756
+ "Define",
1757
+ "maintain",
1758
+ "Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently",
1759
+ "Account and Access Control Management",
1760
+ "Account and Credential Management Policy/Process",
1761
+ "Identity and Access management Tool"
2204
1762
  ],
2205
1763
  coreRequirements: [ // Green - The "what"
2206
1764
  "role-based access control",
2207
- "access rights determination",
2208
- "role documentation",
2209
- "RBAC implementation"
1765
+ "determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties"
2210
1766
  ],
2211
1767
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2212
- "role definitions",
2213
- "permission matrices",
2214
- "access entitlements",
2215
- "role hierarchies",
2216
- "job function mapping",
2217
- "segregation of duties",
2218
- "role certification processes"
1768
+ "Access rights",
1769
+ "Each Role",
1770
+ "Necessary",
1771
+ "Successfully carry out its assigned duties",
1772
+ "Determining",
1773
+ "Documenting",
1774
+ "At a minimum Annually",
1775
+ "More frequently",
1776
+ "Or"
2219
1777
  ],
2220
1778
  implementationSuggestions: [ // Gray - Implementation suggestions
2221
- "RBAC management systems",
2222
- "role mining tools",
2223
- "access certification platforms",
2224
- "permission analysis tools",
2225
- "role governance systems"
1779
+ "Account and Access Control Management",
1780
+ "Account and Credential Management Policy/Process",
1781
+ "Identity and Access management Tool"
2226
1782
  ],
2227
- relatedSafeguards: ["5.1", "5.4", "6.1", "6.2", "6.6", "6.7"],
2228
- keywords: ["define", "maintain", "role-based", "access", "control", "RBAC", "roles", "permissions"]
1783
+ relatedSafeguards: ["3.3", "4.1", "6.1"],
1784
+ keywords: ["define", "maintain", "role-based", "access", "control", "determining", "documenting", "rights", "necessary", "role", "enterprise", "duties", "perform", "reviews", "validate", "privileges", "authorized", "recurring", "annually"]
2229
1785
  },
2230
1786
  "7.2": {
2231
1787
  id: "7.2",