CCI - DISA Control Correlation Identifier

Reference Details

Name: CCI - DISA Control Correlation Identifier

Reference Items

Control         Description

CCI-000001      The organization develops an access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
CCI-000002      Disseminate the organization-level; mission/business process-level; and/or system-level access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance to organization-defined personnel or roles.
CCI-000003      Review and update the current access control policy for organization-defined frequency.
CCI-000004      The organization develops procedures to facilitate the implementation of the access control policy and associated access controls.
CCI-000005      Disseminate procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level access control policy and associated access controls to the organization-defined personnel or roles.
CCI-000006      Review and update the current access control procedures for organization-defined frequency.
CCI-000007      The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary).
CCI-000008      The organization establishes conditions for group membership.
CCI-000009      The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.
CCI-000010      Require approvals by organization-defined personnel or roles for requests to create accounts.
CCI-000011      Create, enable, modify, disable, and remove system accounts in accordance with organization-defined procedures.
CCI-000012      Review accounts for compliance with account management requirements per organization-defined frequency.
CCI-000013      The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.
CCI-000014      The organization manages information system accounts by granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.
CCI-000015      Support the management of system accounts using (organization-defined automated mechanisms).
CCI-000016      Automatically remove or disable temporary and emergency accounts after an organization-defined time-period for each type of account.
CCI-000017      Disable accounts when the accounts have been inactive for the organization-defined time-period.
CCI-000018      Automatically audit account creation actions.
CCI-000019      Require that users log out in accordance with the organization-defined time-period of expected inactivity or description of when to log out.
CCI-000020      The information system dynamically manages user privileges and associated access authorizations.
CCI-000021      Enforce dual authorization for organization-defined privileged commands and/or other organization-defined actions.
CCI-000022      The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.
CCI-000023      The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan, and a determination of the risk to be incurred if the plan is implemented as intended.
CCI-000024      Prevent access to organization-defined security-relevant information except during secure, non-operable system states.
CCI-000025      The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
CCI-000026      Use protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.
CCI-000027      Enforce organization-defined information flow control policies.
CCI-000028      Prevent encrypted information from bypassing organization-defined flow control mechanisms by employing organization-defined procedures or methods.
CCI-000029      Enforce organization-defined limitations on embedding data types within other data types.
CCI-000030      Enforce information flow control based on organization-defined metadata.
CCI-000031      Enforce one-way information flows using hardware-based flow control mechanisms.
CCI-000032      Enforce information flow control using organization-defined security policy filters as a basis for flow control decisions for organization-defined information flows.
CCI-000033      The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.
CCI-000034      Provide the capability for privileged administrators to enable and disable organization-defined security or privacy filters under organization-defined conditions.
CCI-000035      Provide the capability for privileged administrators to configure the organization-defined security or privacy policy filters to support different security or privacy policies.
CCI-000036      The organization separates organization-defined duties of individuals.
CCI-000037      The organization implements separation of duties through assigned information system access authorizations.
CCI-000038      The organization explicitly authorizes access to organization-defined security functions and security-relevant information.
CCI-000039      Require that users of system accounts, or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts or roles, when accessing nonsecurity functions.
CCI-000040      The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.
CCI-000041      Authorize network access to organization-defined privileged commands only for organization-defined compelling operational needs.
CCI-000042      Document the rationale for authorized network access to organization-defined privileged commands in the security plan for the system.
CCI-000043      Defines the maximum number of consecutive invalid logon attempts to the information system by a user during an organization-defined time period.
CCI-000044      Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
CCI-000045      The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.
CCI-000046      The organization selects either a lock out mode for the organization-defined time period or delays the next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.
CCI-000047      The information system delays the next login prompt according to the organization-defined delay algorithm, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an Administrator IAW organizational policy.
CCI-000048      Display an organization-defined system use notification message or banner to users before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
CCI-000049      The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.
CCI-000050      Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system.