800-53|PL-8

Title

INFORMATION SECURITY ARCHITECTURE

Description

The organization:

Supplemental

This control addresses actions taken by organizations in the design and development of information systems. The information security architecture at the individual information system level is consistent with and complements the more global, organization-wide information security architecture described in PM-7 that is integral to and developed as part of the enterprise architecture. The information security architecture includes an architectural description, the placement/allocation of security functionality (including security controls), security-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. In addition, the security architecture can include other important security-related information, for example, user roles and access privileges assigned to each role, unique security requirements, the types of information processed, stored, and transmitted by the information system, restoration priorities of information and information system services, and any other specific protection needs. In today's modern architecture, it is becoming less common for organizations to control all information resources. There are going to be key dependencies on external information services and service providers. Describing such dependencies in the information security architecture is important to developing a comprehensive mission/business protection strategy. Establishing, developing, documenting, and maintaining under configuration control, a baseline configuration for organizational information systems is critical to implementing and maintaining an effective information security architecture. The development of the information security architecture is coordinated with the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) to ensure that security controls needed to support privacy requirements are identified and effectively implemented. PL-8 is primarily directed at organizations (i.e., internally focused) to help ensure that organizations develop an information security architecture for the information system, and that the security architecture is integrated with or tightly coupled to the enterprise architecture through the organization-wide information security architecture. In contrast, SA-17 is primarily directed at external information technology product/system developers and integrators (although SA-17 could be used internally within organizations for in-house system development). SA-17, which is complementary to PL-8, is selected when organizations outsource the development of information systems or information system components to external entities, and there is a need to demonstrate/show consistency with the organization's enterprise architecture and information security architecture.

Reference Item Details

Related: Appendix J,CM-2,CM-6,PL-2,PM-7,SA-17,SA-5

Category: PLANNING

Family: PLANNING

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.3.1 Ensure 'Image Integrity' is correctCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.5.1 Ensure 'ASDM banner' is setCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.5.1 If SNMPv2 is in use, use a Complex Community StringCiscoCIS Cisco NX-OS L1 v1.1.0
1.5.2 Ensure 'EXEC banner' is setCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.5.3 Ensure 'LOGIN banner' is setCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.5.4 Ensure 'MOTD banner' is setCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.6.3 Ensure 'RSA key pair' is greater than or equal to 2048 bitsCiscoCIS Cisco ASA 9.x Firewall L2 v1.1.0
1.7 Ensure' WebDav' feature is disabledWindowsCIS IIS 10 v1.2.1 Level 1
1.8.1 Disable Power on Auto Provisioning (POAP)CiscoCIS Cisco NX-OS L2 v1.1.0
1.11.1 Ensure 'snmp-server group' is set to 'v3 priv'CiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.11.2 Ensure 'snmp-server user' is set to 'v3 auth SHA'CiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.11.3 Ensure 'snmp-server host' is set to 'version 3'CiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.11.4 Ensure 'SNMP traps' is enabledCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.11.5 Ensure 'SNMP community string' is not the default stringCiscoCIS Cisco ASA 9.x Firewall L1 v1.1.0
1.12 Ensure API Keys Only Exist for Active ServicesGCPCIS Google Cloud Platform v3.0.0 L2
1.13 Ensure API Keys Are Restricted To Use by Only Specified Hosts and AppsGCPCIS Google Cloud Platform v3.0.0 L2
1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs AccessGCPCIS Google Cloud Platform v3.0.0 L2
1.15 Ensure API Keys Are Rotated Every 90 DaysGCPCIS Google Cloud Platform v3.0.0 L2
2.1.1 Ensure 'OSPF authentication' is enabledCiscoCIS Cisco ASA 9.x Firewall L2 v1.1.0
2.1.2 Ensure 'EIGRP authentication' is enabledCiscoCIS Cisco ASA 9.x Firewall L2 v1.1.0
2.1.3 Ensure 'BGP authentication' is enabledCiscoCIS Cisco ASA 9.x Firewall L2 v1.1.0
2.11 Ensure MySQL is Bound to an IP AddressMySQLDBCIS MySQL 5.7 Community Database L2 v2.0.0
2.11 Ensure MySQL is Bound to an IP AddressMySQLDBCIS MySQL 5.7 Enterprise Database L2 v2.0.0
2.14 Ensure MySQL is Bound to an IP AddressMySQLDBCIS MySQL 8.0 Enterprise Database L2 v1.3.0
2.14 Ensure MySQL is Bound to an IP AddressMySQLDBCIS MySQL 8.0 Community Database L2 v1.0.0
2.15 Ensure live restore is enabledUnixCIS Docker v1.7.0 L1 Docker - Linux
18.5.11.1 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1
18.5.11.1 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.3.1
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 DC
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.3.1
18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC
18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 DC
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2019 v1.0.0 L1 MS
18.5.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 MS
18.5.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC
18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows Server 2012 R2 MS L1 v3.0.0
18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows Server 2012 R2 DC L1 v3.0.0
18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 L1 MS
18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows Server 2012 DC L1 v3.0.0
18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 L1 DC
18.6.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows Server 2012 MS L1 v3.0.0
18.6.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 L1 MS
18.6.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 L1 DC
18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 L1 DC
18.6.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2019 STIG v2.0.0 L1 MS
18.6.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 L1 DC
18.6.11.3 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2022 STIG v1.0.0 L1 MS