Control ID | PAT | Security Requirement |
---|---|---|
3.4.1.a | P | Baseline Configuration |
3.4.1.a | A | Baseline Configuration Form |
3.4.1.a | T | Baseline Configuration Policy Training Material and Comprehension Quiz |
3.4.1.b | P | Hardware Software Firmware and Documentation in Baseline Configuration |
3.4.1.b | T | Hardware Software Firmware and Documentation in Baseline Configuration Policy Training Material and Comprehension Quiz |
3.4.1.c | P | Maintaining Baseline Configuration Throughout the System Development Life Cycle |
3.4.1.c | T | Maintaining Baseline Configuration Throughout the System Development Life Cycle Policy Training Material and Comprehension Quiz |
3.4.1.d | P | System Inventory Established |
3.4.1.d | T | System Inventory Established Policy Training Material and Comprehension Quiz |
3.4.1.e | P | Comprehensive System Inventory Management |
3.4.1.e | T | Comprehensive System Inventory Management Policy Training Material and Comprehension Quiz |
3.4.1.f | P | Maintenance of Inventory Throughout the System Development Life Cycle |
3.4.1.f | T | Maintenance of Inventory Throughout the System Development Life Cycle Policy Training Material and Comprehension Quiz |
3.4.2 | P | Security Configuration Enforcement Policy |
3.4.2.a | P | Security Configuration Settings for IT Products Included in the Baseline Configuration |
3.4.2.a | T | Security Configuration Settings for IT Products Included in the Baseline Configuration Training Material and Comprehension Quiz |
3.4.2.b | P | Security Configuration Settings for IT Products are Enforced |
3.4.2.b | T | Security Configuration Settings for IT Products are Enforced Training Material and Comprehension Quiz |
3.4.3 | P | Track, review, approve or disapprove, and log changes to organizational systems |
3.4.3.a | P | Changes to the system are tracked |
3.4.3.a | T | Changes to the system are tracked Training Material and Comprehension Quiz |
3.4.3.b | P | Changes to the system are reviewed |
3.4.3.b | T | Changes to the system are reviewed Training Material and Comprehension Quiz |
3.4.3.c | P | Changes to the system are approved or disapproved |
3.4.3.c | T | Approval or Disapproval of System Changes Training Material and Comprehension Quiz |
3.4.3.d | P | Changes to the system are logged |
3.4.3.d | T | Standard Operating Procedure (SOP) Training Material and Comprehension Quiz |
3.4.4 | P | Analyze the security impact of changes prior to implementation |
3.4.5 | P | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems |
3.4.5.a | P | Physical Access Restrictions Associated with System Changes |
3.4.5.a | T | Physical Access Restrictions Associated with System Changes Policy Training Material and Comprehension Quiz |
3.4.5.b | P | Documenting Physical Access Restrictions Associated with System Changes |
3.4.5.b | T | Documenting Physical Access Restrictions Associated with System Changes Policy Training Material and Comprehension Quiz |
3.4.5.c | P | Approval of Physical Access Restrictions Associated with System Changes |
3.4.5.c | T | Approval of Physical Access Restrictions Associated with System Changes Policy Training Material and Comprehension Quiz |
3.4.5.d | P | Physical Access Restrictions Associated with Changes to the System |
3.4.5.d | T | Physical Access Restrictions Associated with Changes to the System Policy Training Material and Comprehension Quiz |
3.4.5.e | P | Logical Access Restrictions Associated with Changes to the System |
3.4.5.e | T | Logical Access Restrictions Associated with Changes to the System Policy Training Material and Comprehension Quiz |
3.4.5.f | P | Logical Access Restrictions Associated with Changes to the System of Documentation |
3.4.5.f | T | Logical Access Restrictions Associated with Changes to the System of Documentation Policy Training Material and Comprehension Quiz |
3.4.5.g | P | Logical Access Restrictions Associated with Changes to the System of Approval Process |
3.4.5.g | T | Logical Access Restrictions Associated with Changes to the System of Approval Process Policy Training Material and Comprehension Quiz |
3.4.5.h | P | Logical access restrictions associated with changes to the system are enforced |
3.4.5.h | T | Logical access restrictions associated with changes to the system Training Material and Comprehension Quiz |
3.4.6 | P | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities |
3.4.6.a | P | Essential system capabilities are defined based on the principle of least functionality |
3.4.6.a | T | Essential system capabilities are defined based on the principle of least functionality Training Material and Comprehension Quiz |
3.4.6.b | P | The system is configured to provide only the defined essential capabilities |
3.4.6.b | T | Essential Capabilities Configuration Notice Training Material and Comprehension Quiz |
3.4.7 | P | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services |
3.4.7.a | P | Essential Programs Are Defined Policy |
3.4.7.a | T | Essential Programs Are Defined Policy Training Material and Comprehension Quiz |
3.4.7.b | P | The Use of Nonessential Programs |
3.4.7.b | T | The Use of Nonessential Programs is Defined Training Material and Comprehension Quiz |
3.4.7.c | P | The Use of Nonessential Programs Is Restricted, Disabled, or Prevented as Defined Policy |
3.4.7.c | T | The Use of Nonessential Programs Is Restricted, Disabled, or Prevented as Defined Policy Training Material and Comprehension Quiz |
3.4.7.d | P | Essential Functions |
3.4.7.d | T | Essential Functions Training Material and Comprehension Quiz |
3.4.7.e | P | The Use of Nonessential Functions Is Defined Policy |
3.4.7.e | T | The Use of Nonessential Functions Is Defined Policy Training Material and Comprehension Quiz |
3.4.7.f | P | The Use of Nonessential Functions Is Restricted, Disabled, or Prevented |
3.4.7.f | T | The Use of Nonessential Functions Is Restricted, Disabled, or Prevented Training Material and Comprehension Quiz |
3.4.7.g | P | Essential Ports Are Defined Policy |
3.4.7.g | T | Essential Ports Are Defined Policy Training Material and Comprehension Quiz |
3.4.7.h | P | The Use of Nonessential Ports |
3.4.7.h | T | The Use of Nonessential Ports Training Material and Comprehension Quiz |
3.4.7.i | P | The Use of Nonessential Ports is Restricted, Disabled, or Prevented as Defined Policy |
3.4.7.i | T | The Use of Nonessential Ports is Restricted, Disabled, or Prevented as Defined Policy Training Material and Comprehension Quiz |
3.4.7.j | P | Essential Protocols |
3.4.7.j | T | Essential Protocols Training Material and Comprehension Quiz |
3.4.7.k | P | The Use of Nonessential Protocols is Defined Policy |
3.4.7.k | T | The Use of Nonessential Protocols is Defined Policy Training Material and Comprehension Quiz |
3.4.7.l | P | The Use of Nonessential Protocols is Restricted, Disabled, or Prevented |
3.4.7.l | T | The Use of Nonessential Protocols is Restricted, Disabled, or Prevented Training Material and Comprehension Quiz |
3.4.7.m | P | Essential Services Are Defined Policy |
3.4.7.m | T | Essential Services Are Defined Policy Training Material and Comprehension Quiz |
3.4.7.n | P | The Use of Nonessential Services |
3.4.7.n | T | The Use of Nonessential Services Training Material and Comprehension Quiz |
3.4.7.o | P | The Use of Nonessential Services is Restricted, Disabled, or Prevented as Defined Policy |
3.4.7.o | T | The Use of Nonessential Services is Restricted, Disabled, or Prevented as Defined Policy Training Material and Comprehension Quiz |
3.4.8.a | P | Application Whitelisting Policy |
3.4.8.a | T | Application Whitelisting Policy Training Material and Comprehension Quiz |
3.4.8.b | P | Approved and Prohibited Software Specification Policy |
3.4.8.b | T | Approved and Prohibited Software Specification Policy Training Material and Comprehension Quiz |
3.4.8.c | P | Software Execution Control Implementation Policy |
3.4.8.c | T | Software Execution Control Implementation Policy Training Material and Comprehension Quiz |
3.4.9.a | P | Policy for Controlling User Installation of Software |
3.4.9.a | T | Policy for Controlling User Installation of Software Training Material and Comprehension Quiz |
3.4.9.b | P | Installation of Software by Users is Controlled Based on the Established Policy |
3.4.9.b | T | Installation of Software by Users is Controlled Based on the Established Policy Training Material and Comprehension Quiz |
3.4.9.c | P | Whitelisting and Blacklisting for Authorized Software Execution |
3.4.9.c | T | Whitelisting and Blacklisting for Authorized Software Execution Training Material and Comprehension Quiz |
© 2025 IntelComp. Powered by interlinkIQ.com, Developed by ITBlaster.net, Owned and Operated by Consultare Inc. Group, A Compliance Company. All Rights Reserved.