SIMP SCTM¶
This SCTM was developed based on the National Institute of Standards and Technology (NIST) Specical Publication 800-53 (Revision 3) controls that SIMP currently meets. Empty contents means SIMP does not meet that control. Implementations are free to take these tables and use them as a starting point for any accreditation activities that follow NIST 800-53.
SIMP SCTM Technical Controls¶
Table: SIMP SCTM
SIMP SCTM Operational Controls¶
| Control ID | Control Name | Control Family | SIMP Implementation Method |
|---|---|---|---|
| AT-1 | Security Awareness and Training Policy and Procedures | Awareness and Training | |
| AT-2(1) | Security Awareness (Control Enhancement) | Awareness and Training | |
| AT-3 | Security Training | Awareness and Training | |
| AT-3(1) | Security Training (Control Enhancement) | Awareness and Training | |
| AT-3(2) | Security Training (Control Enhancement) | Awareness and Training | |
| AT-4 | Security Training Records | Awareness and Training | |
| AT-5 | Contacts with Security Groups and Associations | Awareness and Training | |
| CM-1 | Configuration Management Policy and Procedures | Configuration Management | |
| CM-2 | Baseline Configuration | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repository. Files are packaged and a series of auto tests are performed on each release. Once released, there is a version number associated for distribution. Additionally, custom puppet modules are in the form of RPMs and have version numbers associated with them. All documentation is also built with source code. |
| CM-2(1) | Baseline Configuration (Control Enhancement) | Configuration Management | |
| CM-2(2) | Baseline Configuration (Control Enhancement) | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repository. Files are packaged and a series of auto tests are performed on the release. Once released, there is a version number associated for distribution. All documentation is also built with source code. |
| CM-2(3) | Baseline Configuration (Control Enhancement) | Configuration Management | All old versions of SIMP remain in the code repository. |
| CM-2(4) | Baseline Configuration (Control Enhancement) | Configuration Management | |
| CM-2(5) | Baseline Configuration (Control Enhancement) | Configuration Management |
|
| CM-2(6) | Baseline Configuration (Control Enhancement) | Configuration Management | As a project, SIMP is developmental only. The environments where it is tested is up to the implementation. Development testing is performed on SIMP in environments that have a code base frozen. |
| CM-3 | Configuration Change Control | Configuration Management | |
| CM-3(1) | Configuration Change Control (Control Enhancement) | Configuration Management | |
| CM-3(2) | Configuration Change Control (Control Enhancement) | Configuration Management | |
| CM-3(3) | Configuration Change Control (Control Enhancement) | Configuration Management | Configuration changes in SIMP are automated using a combination of puppet, yum, and rsync. While not all files on an operating system are managed by those mechanisms, many are. Changes to critical files that are managed by puppet, revert back to their original state. These mechanisms were not meant to defeat an attack by a malicious insider. |
| CM-3(4) | Configuration Change Control (Control Enhancement) | Configuration Management | |
| CM-4 | Security Impact Analysis | Configuration Management | All features or bugs in SIMP are vetted through the development process by being placed on the product backlog and discussed with the entire team. There is a security representative on the SIMP team that is part of that vetting process. |
| CM-4(1) | Security Impact Analysis (Control Enhancement) | Configuration Management | |
| CM-4(2) | Security Impact Analysis (Control Enhancement) | Configuration Management | |
| CM-5 | Access Restrictions for Change | Configuration Management | SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to a SIMP based systems are enforced with built in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment |
| CM-5(1) | Access Restrictions for Change (Control Enhancement) | Configuration Management | SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to a SIMP based systems are enforced with built in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment |
| CM-5(2) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(3) | Access Restrictions for Change (Control Enhancement) | Configuration Management | Redhat and Centos packages are signed with gpg keys. Those keys are vendor specific. Package installation occurs only when those gpgkeys are validate using the installed gpg public keys for the operating system. SIMP specific RPMS that were developed are signed using keys generate by the development team. |
| CM-5(4) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(5) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(6) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(7) | Access Restrictions for Change (Control Enhancement) | Configuration Management | Most of the critical files that are managed by puppet cannot be permanently changed on a puppet client without disabling puppet and rsync. If they are changed, puppet will revert them back to their original state. |
| CM-6 | Configuration Settings | Configuration Management | Part “d” of this control is met my SIMP. The others are not. SIMP uses puppet to monitor changes to configuration settings. If changes to puppet controlled settings are manually made, they revert back to their original state. |
| CM-6(1) | Configuration Settings (Control Enhancement) | Configuration Management | The puppet master is the central point of management for a SIMP system. While not required, the puppet master usually hosts a kickstart server so that clients are built the same every time. |
| CM-6(2) | Configuration Settings (Control Enhancement) | Configuration Management | Puppet is not intended to be a security mechanism to prevent unauthorized changes to files. For files that are managed by puppet that changed, they will revert back to their original state. This control is really about protecting from unauthorized changes so access control to the puppet master should suffice to meet it. Changes to files are audited using auditd. Puppet changes are also audited. It’s up to the implementation to perform altering on those changes. |
| CM-6(3) | Configuration Settings (Control Enhancement) | Configuration Management | This control is not fully met by SIMP. It’s important to point out that SIMP does provide logging of events to syslog. It’s currently up to the implementation to alert on those events. |
| CM-7 | Least Functionality | Configuration Management | There isn’t an explicit list of services that SIMP denies. Instead, it was built to provide only the essential functionality. Additional services get added only as needed. |
| CM-7(1) | Least Functionality (Control Enhancement) | Configuration Management | |
| CM-7(2) | Least Functionality (Control Enhancement) | Configuration Management | Applications can be installed, but new services will not run unless first registered with puppet. Additionally, puppet modules must be modified to ensure that IPtables opens up the necessary services. Minimally, for a service to remain active, it must be registered with puppet or the svckill.rb script will stop them.To be clear, there is nothing in SIMP that prevents the installation of RPMs (from the command line or YUM). |
| CM-7(3) | Least Functionality (Control Enhancement) | Configuration Management | The registration process for ports, protocols, and services are handled via puppet. |
| CM-8 | Information System Component Inventory | Configuration Management | |
| CM-8(1) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(2) | Information System Component Inventory (Control Enhancement) | Configuration Management | To the extent possible, puppet tracks clients that are within it’s control. It’s not meant to be a true inventory mechanism. |
| CM-8(3) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(4) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(5) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(6) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-9 | Configuration Management Plan | Configuration Management | |
| CM-9(1) | Configuration Management Plan (Control Enhancement) | Configuration Management | |
| CP-1 | Contingency Planning Policy and Procedures | Contingency Planning | |
| CP-2 | Contingency Plan | Contingency Planning | |
| CP-2(1) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(2) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(3) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(4) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(5) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(6) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-3 | Contingency Training | Contingency Planning | |
| CP-3(1) | Contingency Training (Control Enhancement) | Contingency Planning | |
| CP-3(2) | Contingency Training (Control Enhancement) | Contingency Planning | |
| CP-4 | Contingency Plan Testing and Exercises | Contingency Planning | |
| CP-4(1) | Contingency Plan Testing and Exercises (Control Enhancement) | Contingency Planning | |
| CP-4(2) | Contingency Plan Testing and Exercises (Control Enhancement) | Contingency Planning | |
| CP-4(3) | Contingency Plan Testing and Exercises (Control Enhancement) | Contingency Planning | |
| CP-6 | Alternate Storage Site | Contingency Planning | |
| CP-6(1) | Alternate Storage Site (Control Enhancement) | Contingency Planning | |
| CP-6(2) | Alternate Storage Site (Control Enhancement) | Contingency Planning | |
| CP-6(3) | Alternate Storage Site (Control Enhancement) | Contingency Planning | |
| CP-7 | Alternate Processing Site | Contingency Planning | |
| CP-7(1) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(2) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(3) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(4) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(5) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-8 | Telecommunications Services | Contingency Planning | |
| CP-8(1) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-8(2) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-8(3) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-8(4) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-9 | Information System Backup | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0. |
| CP-9(1) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(2) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(3) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(5) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(6) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-10 | Information System Recovery and Reconstitution | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0. |
| CP-10(1) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(2) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(3) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(4) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(5) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(6) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| IR-1 | Incident Response Policy and Procedures | Incident Response | |
| IR-2 | Incident Response Training | Incident Response | |
| IR-2(1) | Incident Response Training (Control Enhancement) | Incident Response | |
| IR-2(2) | Incident Response Training (Control Enhancement) | Incident Response | |
| IR-3 | Incident Response Testing and Exercises | Incident Response | |
| IR-3(1) | Incident Response Testing and Exercises (Control Enhancement) | Incident Response | |
| IR-4 | Incident Handling | Incident Response | |
| IR-4(1) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-4(2) | Incident Handling (Control Enhancement) | Incident Response | If an implementation chooses, they can leverage puppet’s ability to reconfigure systems as part of incident response. While puppet is not intended to be a security product, its features can help provide security functionality such as dynamic reconfigurations. |
| IR-4(3) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-4(4) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-4(5) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-5 | Incident Monitoring | Incident Response | |
| IR-5(1) | Incident Monitoring (Control Enhancement) | Incident Response | |
| IR-6 | Incident Reporting | Incident Response | |
| IR-6(1) | Incident Reporting (Control Enhancement) | Incident Response | |
| IR-6(2) | Incident Reporting (Control Enhancement) | Incident Response | |
| IR-7 | Incident Response Assistance | Incident Response | |
| IR-7(1) | Incident Response Assistance (Control Enhancement) | Incident Response | |
| IR-8 | Incident Response Plan | Incident Response | |
| MA-1 | System Maintenance Policy and Procedures | Maintenance | |
| MA-2 | Controlled Maintenance | Maintenance | |
| MA-2(1) | Controlled Maintenance (Control Enhancement) | Maintenance | |
| MA-2(2) | Controlled Maintenance (Control Enhancement) | Maintenance | |
| MA-3 | Maintenance Tools | Maintenance | |
| MA-3(1) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-3(2) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-3(3) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-3(4) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-4 | Non-Local Maintenance | Maintenance | Remote maintenance can be performed on SIMP using SSH or direct console access. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical (or virtual) console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It’s up to the implementation to decide how to distribute authentication information for remote maintenance. |
| MA-4(1) | Non-Local Maintenance (Control Enhancement) | Maintenance | Remote maintenance can be performed on SIMP using SSH or direct console access. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical (or virtual) console along with the root password. Audting of those actions also occurs in accordance with the configured audit policy. It’s up to the implementation to decide how to distribute authentication information for remote maintenance |
| MA-4(2) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(3) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(4) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(5) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(6) | Non-Local Maintenance (Control Enhancement) | Maintenance | Remote maintenance is performed using SSH. SSH inherently provides confidentiality and integrity of data while in transit. |
| MA-4(7) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-5 | Maintenance Personnel | Maintenance | |
| MA-5(1) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-5(2) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-5(3) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-5(4) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-6 | Timely Maintenance | Maintenance | |
| MP-1 | Media Protection Policy and Procedures | Media Protection | |
| MP-2 | Media Access | Media Protection | |
| MP-2(1) | Media Access (Control Enhancement) | Media Protection | |
| MP-2(2) | Media Access (Control Enhancement) | Media Protection | |
| MP-4 | Media Storage | Media Protection | |
| MP-5 | Media Transport | Media Protection | |
| MP-5(1) | Media Transport (Control Enhancement) | Media Protection | |
| MP-5(2) | Media Transport (Control Enhancement) | Media Protection | |
| MP-5(3) | Media Transport (Control Enhancement) | Media Protection | |
| MP-5(4) | Media Transport (Control Enhancement) | Media Protection | |
| MP-6 | Media Sanitization | Media Protection | |
| MP-6(1) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(2) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(3) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(4) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(5) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(6) | Media Sanitization (Control Enhancement) | Media Protection | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | Physical and Environmental Protection | |
| PE-2 | Physical Access Authorizations | Physical and Environmental Protection | |
| PE-2(1) | Physical Access Authorizations (Control Enhancement) | Physical and Environmental Protection | |
| PE-2(2) | Physical Access Authorizations (Control Enhancement) | Physical and Environmental Protection | |
| PE-2(3) | Physical Access Authorizations (Control Enhancement) | Physical and Environmental Protection | |
| PE-3 | Physical Access Control | Physical and Environmental Protection | |
| PE-3(1) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(2) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(3) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(4) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(5) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(6) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-4 | Access Control for Transmission Medium | Physical and Environmental Protection | |
| PE-5 | Access Control for Output Devices | Physical and Environmental Protection | |
| PE-6 | Monitoring Physical Access | Physical and Environmental Protection | |
| PE-6(1) | Monitoring Physical Access (Control Enhancement) | Physical and Environmental Protection | |
| PE-6(2) | Monitoring Physical Access (Control Enhancement) | Physical and Environmental Protection | |
| PE-7 | Visitor Control | Physical and Environmental Protection | |
| PE-7(1) | Visitor Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-7(2) | Visitor Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-8 | Access Records | Physical and Environmental Protection | |
| PE-8(1) | Access Records (Control Enhancement) | Physical and Environmental Protection | |
| PE-8(2) | Access Records (Control Enhancement) | Physical and Environmental Protection | |
| PE-9 | Power Equipment and Power Cabling | Physical and Environmental Protection | |
| PE-9(1) | Power Equipment and Power Cabling (Control Enhancement) | Physical and Environmental Protection | |
| PE-9(2) | Power Equipment and Power Cabling (Control Enhancement) | Physical and Environmental Protection | |
| PE-10 | Emergency Shutoff | Physical and Environmental Protection | |
| PE-10(1) | Emergency Shutoff (Control Enhancement) | Physical and Environmental Protection | |
| PE-11 | Emergence Power | Physical and Environmental Protection | |
| PE-11(1) | Emergence Power (Control Enhancement) | Physical and Environmental Protection | |
| PE-11(2) | Emergence Power (Control Enhancement) | Physical and Environmental Protection | |
| PE-12 | Emergency Lighting | Physical and Environmental Protection | |
| PE-12(1) | Emergency Lighting (Control Enhancement) | Physical and Environmental Protection | |
| PE-13 | Fire Protection | Physical and Environmental Protection | |
| PE-13(1) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-13(2) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-13(3) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-13(4) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-14 | Temperature and Humidity Controls | Physical and Environmental Protection | |
| PE-14(1) | Temperature and Humidity Controls (Control Enhancement) | Physical and Environmental Protection | |
| PE-14(2) | Temperature and Humidity Controls (Control Enhancement) | Physical and Environmental Protection | |
| PE-15 | Water Damage Protection | Physical and Environmental Protection | |
| PE-15(1) | Water Damage Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-16 | Delivery and Removal | Physical and Environmental Protection | |
| PE-17 | Alternate Work Site | Physical and Environmental Protection | |
| PE-18 | Location of Information System Components | Physical and Environmental Protection | |
| PE-18(1) | Location of Information System Components (Control Enhancement) | Physical and Environmental Protection | |
| PE-19 | Information Leakage | Physical and Environmental Protection | |
| SI-1 | System and Information Integrity Policy and Procedures | System and Information Integrity | |
| SI-2(1) | Flaw Remediation (Control Enhancement) | System and Information Integrity | Patches that are part of the software base for SIMP are tested within the development environment. There is automated testing that is constantly being extended to test more features. There are times that patches to the base operating system (Centos or RedHat) are needed to resolve issues in SIMP. Those are also tested at build time, but require additional testing by implementations as patches are released from vendors. It’s also important to note that SIMP is packaged and delivered decoupled with the operating system source files. It’s up to the implementation to test vendor specific patches that are not part of the SIMP code base. Flaws are tracked using the software project management tool Redmine. |
| SI-2(2) | Flaw Remediation (Control Enhancement) | System and Information Integrity | |
| SI-2(3) | Flaw Remediation (Control Enhancement) | System and Information Integrity | |
| SI-2(4) | Flaw Remediation (Control Enhancement) | System and Information Integrity | SIMP uses the yellowdog update manager (YUM) to deliver software patches to clients. Each installation usually has at least one YUM repository. There is also a cronjob running that runs once per day. It’s the responsibility of the implementation to get patches to the yum server. Once they are there, the cron job will perform a yum update and the patches will be applied. |
| SI-3 | Malicious Code Protection | System and Information Integrity | SIMP has modules available for mcafee and ClamAV. The ClamAV. Implementations need need to provide their own version of the mcafee software for the module to work. That module comes with the ability to sync dat updates to clients via rsync. The modulde does NOT specify how often and what files systems should be scanned. SIMP also implements the open source tool chkrootkit that comes installed by default. |
| SI-3(1) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | The provided anti-virus modules are installed via puppet modules. Those modules include the ability to sycn data file updates via rsync. Therefore, all management of malicious code detection is done centrally. |
| SI-3(2) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(3) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(4) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(5) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(6) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-4 | Information System Monitoring Tools and Techniques | System and Information Integrity | |
| SI-4(1) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(2) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(3) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(4) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(5) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(6) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(7) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(8) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(9) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(10) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(11) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(12) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(13) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(14) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(15) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(16) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(17) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-5 | System Alerts, Advisories, and Directives | System and Information Integrity | The only part of the control (a) that is met by SIMP, is the tracking of security alerts for products that are part of the code base. The development team subscribes to message boards for the main products (puppet) that are part of the packaging. RedHat/Centos advisories are also tracked out of necessity but since ALL the OS files are not part of SIMP delivery, patches are not our direct responsibility. |
| SI-5(1) | System Alerts, Advisories, and Directives (Control Enhancement) | System and Information Integrity | |
| SI-6 | Security Functionality Verification | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide (the checks for RHEL 7 are not yet complete/finalized). Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-6(1) | Security Functionality Verification (Control Enhancement) | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide. Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-6(2) | Security Functionality Verification (Control Enhancement) | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide. Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-6(3) | Security Functionality Verification (Control Enhancement) | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide. Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-7 | Software and Information Integrity | System and Information Integrity | SIMP comes with AIDE installed. Puppet also serves the purpose of checking the integrity of files. During each client run, a change in file integrity means the file needs to be restored to it’s original state. |
| SI-7(1) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | AIDE baselines are not performed beyond initial install unless otherwise configured. Implementations can re-baseline the database. |
| SI-7(2) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | |
| SI-7(3) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | AIDE is managed by puppet and is therefore centrally managed. |
| SI-7(4) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | |
| SI-8 | Spam Protection | System and Information Integrity | |
| SI-8(1) | Spam Protection (Control Enhancement) | System and Information Integrity | |
| SI-8(2) | Spam Protection (Control Enhancement) | System and Information Integrity | |
| SI-9 | Information Input Restrictions | System and Information Integrity | |
| SI-10 | Information Input Validation | System and Information Integrity | |
| SI-11 | Error Handling | System and Information Integrity | |
| SI-13 | Predictable Failure Prevention | System and Information Integrity | |
| SI-13(1) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity | |
| SI-13(2) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity | |
| SI-13(3) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity | |
| SI-13(4) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity |
Table: SIMP SCTM
SIMP SCTM Management Controls¶
| Control ID | Control Name | Control Family | SIMP Implementation Method |
|---|---|---|---|
| AT-1 | Security Awareness and Training Policy and Procedures | Awareness and Training | |
| AT-2(1) | Security Awareness (Control Enhancement) | Awareness and Training | |
| AT-3 | Security Training | Awareness and Training | |
| AT-3(1) | Security Training (Control Enhancement) | Awareness and Training | |
| AT-3(2) | Security Training (Control Enhancement) | Awareness and Training | |
| AT-4 | Security Training Records | Awareness and Training | |
| AT-5 | Contacts with Security Groups and Associations | Awareness and Training | |
| CM-1 | Configuration Management Policy and Procedures | Configuration Management | |
| CM-2 | Baseline Configuration | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repository. Files are packaged and a series of auto tests are performed on each release. Once released, there is a version number associated for distribution. Additionally, custom puppet modules are in the form of RPMs and have version numbers associated with them. All documentation is also built with source code. |
| CM-2(1) | Baseline Configuration (Control Enhancement) | Configuration Management | |
| CM-2(2) | Baseline Configuration (Control Enhancement) | Configuration Management | SIMP has strictly enforced version control during development. The baseline files for SIMP are kept and maintained in a git repository. Files are packaged and a series of auto tests are performed on the release. Once released, there is a version number associated for distribution. All documentation is also built with source code. |
| CM-2(3) | Baseline Configuration (Control Enhancement) | Configuration Management | All old versions of SIMP remain in the code repository. |
| CM-2(4) | Baseline Configuration (Control Enhancement) | Configuration Management | |
| CM-2(5) | Baseline Configuration (Control Enhancement) | Configuration Management |
|
| CM-2(6) | Baseline Configuration (Control Enhancement) | Configuration Management | As a project, SIMP is developmental only. The environments where it is tested is up to the implementation. Development testing is performed on SIMP in environments that have a code base frozen. |
| CM-3 | Configuration Change Control | Configuration Management | |
| CM-3(1) | Configuration Change Control (Control Enhancement) | Configuration Management | |
| CM-3(2) | Configuration Change Control (Control Enhancement) | Configuration Management | |
| CM-3(3) | Configuration Change Control (Control Enhancement) | Configuration Management | Configuration changes in SIMP are automated using a combination of puppet, yum, and rsync. While not all files on an operating system are managed by those mechanisms, many are. Changes to critical files that are managed by puppet, revert back to their original state. These mechanisms were not meant to defeat an attack by a malicious insider. |
| CM-3(4) | Configuration Change Control (Control Enhancement) | Configuration Management | |
| CM-4 | Security Impact Analysis | Configuration Management | All features or bugs in SIMP are vetted through the development process by being placed on the product backlog and discussed with the entire team. There is a security representative on the SIMP team that is part of that vetting process. |
| CM-4(1) | Security Impact Analysis (Control Enhancement) | Configuration Management | |
| CM-4(2) | Security Impact Analysis (Control Enhancement) | Configuration Management | |
| CM-5 | Access Restrictions for Change | Configuration Management | SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to a SIMP based systems are enforced with built in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment |
| CM-5(1) | Access Restrictions for Change (Control Enhancement) | Configuration Management | SIMP can only meet the enforcement part of this control. The remainder must be met by the environment that SIMP is implemented in. Changes to a SIMP based systems are enforced with built in Unix/LDAP groups. Only someone with sudo or sudosh access (usually an admin group) can apply changes to the environment |
| CM-5(2) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(3) | Access Restrictions for Change (Control Enhancement) | Configuration Management | Redhat and Centos packages are signed with gpg keys. Those keys are vendor specific. Package installation occurs only when those gpgkeys are validate using the installed gpg public keys for the operating system. SIMP specific RPMS that were developed are signed using keys generate by the development team. |
| CM-5(4) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(5) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(6) | Access Restrictions for Change (Control Enhancement) | Configuration Management | |
| CM-5(7) | Access Restrictions for Change (Control Enhancement) | Configuration Management | Most of the critical files that are managed by puppet cannot be permanently changed on a puppet client without disabling puppet and rsync. If they are changed, puppet will revert them back to their original state. |
| CM-6 | Configuration Settings | Configuration Management | Part “d” of this control is met my SIMP. The others are not. SIMP uses puppet to monitor changes to configuration settings. If changes to puppet controlled settings are manually made, they revert back to their original state. |
| CM-6(1) | Configuration Settings (Control Enhancement) | Configuration Management | The puppet master is the central point of management for a SIMP system. While not required, the puppet master usually hosts a kickstart server so that clients are built the same every time. |
| CM-6(2) | Configuration Settings (Control Enhancement) | Configuration Management | Puppet is not intended to be a security mechanism to prevent unauthorized changes to files. For files that are managed by puppet that changed, they will revert back to their original state. This control is really about protecting from unauthorized changes so access control to the puppet master should suffice to meet it. Changes to files are audited using auditd. Puppet changes are also audited. It’s up to the implementation to perform altering on those changes. |
| CM-6(3) | Configuration Settings (Control Enhancement) | Configuration Management | This control is not fully met by SIMP. It’s important to point out that SIMP does provide logging of events to syslog. It’s currently up to the implementation to alert on those events. |
| CM-7 | Least Functionality | Configuration Management | There isn’t an explicit list of services that SIMP denies. Instead, it was built to provide only the essential functionality. Additional services get added only as needed. |
| CM-7(1) | Least Functionality (Control Enhancement) | Configuration Management | |
| CM-7(2) | Least Functionality (Control Enhancement) | Configuration Management | Applications can be installed, but new services will not run unless first registered with puppet. Additionally, puppet modules must be modified to ensure that IPtables opens up the necessary services. Minimally, for a service to remain active, it must be registered with puppet or the svckill.rb script will stop them.To be clear, there is nothing in SIMP that prevents the installation of RPMs (from the command line or YUM). |
| CM-7(3) | Least Functionality (Control Enhancement) | Configuration Management | The registration process for ports, protocols, and services are handled via puppet. |
| CM-8 | Information System Component Inventory | Configuration Management | |
| CM-8(1) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(2) | Information System Component Inventory (Control Enhancement) | Configuration Management | To the extent possible, puppet tracks clients that are within it’s control. It’s not meant to be a true inventory mechanism. |
| CM-8(3) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(4) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(5) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-8(6) | Information System Component Inventory (Control Enhancement) | Configuration Management | |
| CM-9 | Configuration Management Plan | Configuration Management | |
| CM-9(1) | Configuration Management Plan (Control Enhancement) | Configuration Management | |
| CP-1 | Contingency Planning Policy and Procedures | Contingency Planning | |
| CP-2 | Contingency Plan | Contingency Planning | |
| CP-2(1) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(2) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(3) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(4) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(5) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-2(6) | Contingency Plan (Control Enhancement) | Contingency Planning | |
| CP-3 | Contingency Training | Contingency Planning | |
| CP-3(1) | Contingency Training (Control Enhancement) | Contingency Planning | |
| CP-3(2) | Contingency Training (Control Enhancement) | Contingency Planning | |
| CP-4 | Contingency Plan Testing and Exercises | Contingency Planning | |
| CP-4(1) | Contingency Plan Testing and Exercises (Control Enhancement) | Contingency Planning | |
| CP-4(2) | Contingency Plan Testing and Exercises (Control Enhancement) | Contingency Planning | |
| CP-4(3) | Contingency Plan Testing and Exercises (Control Enhancement) | Contingency Planning | |
| CP-6 | Alternate Storage Site | Contingency Planning | |
| CP-6(1) | Alternate Storage Site (Control Enhancement) | Contingency Planning | |
| CP-6(2) | Alternate Storage Site (Control Enhancement) | Contingency Planning | |
| CP-6(3) | Alternate Storage Site (Control Enhancement) | Contingency Planning | |
| CP-7 | Alternate Processing Site | Contingency Planning | |
| CP-7(1) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(2) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(3) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(4) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-7(5) | Alternate Processing Site (Control Enhancement) | Contingency Planning | |
| CP-8 | Telecommunications Services | Contingency Planning | |
| CP-8(1) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-8(2) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-8(3) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-8(4) | Telecommunications Services (Control Enhancement) | Contingency Planning | |
| CP-9 | Information System Backup | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0. |
| CP-9(1) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(2) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(3) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(5) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-9(6) | Information System Backup (Control Enhancement) | Contingency Planning | |
| CP-10 | Information System Recovery and Reconstitution | Contingency Planning | The BackupPC module is not currently available in SIMP 5.0. |
| CP-10(1) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(2) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(3) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(4) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(5) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| CP-10(6) | Information System Recovery and Reconstitution (Control Enhancement) | Contingency Planning | |
| IR-1 | Incident Response Policy and Procedures | Incident Response | |
| IR-2 | Incident Response Training | Incident Response | |
| IR-2(1) | Incident Response Training (Control Enhancement) | Incident Response | |
| IR-2(2) | Incident Response Training (Control Enhancement) | Incident Response | |
| IR-3 | Incident Response Testing and Exercises | Incident Response | |
| IR-3(1) | Incident Response Testing and Exercises (Control Enhancement) | Incident Response | |
| IR-4 | Incident Handling | Incident Response | |
| IR-4(1) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-4(2) | Incident Handling (Control Enhancement) | Incident Response | If an implementation chooses, they can leverage puppet’s ability to reconfigure systems as part of incident response. While puppet is not intended to be a security product, its features can help provide security functionality such as dynamic reconfigurations. |
| IR-4(3) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-4(4) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-4(5) | Incident Handling (Control Enhancement) | Incident Response | |
| IR-5 | Incident Monitoring | Incident Response | |
| IR-5(1) | Incident Monitoring (Control Enhancement) | Incident Response | |
| IR-6 | Incident Reporting | Incident Response | |
| IR-6(1) | Incident Reporting (Control Enhancement) | Incident Response | |
| IR-6(2) | Incident Reporting (Control Enhancement) | Incident Response | |
| IR-7 | Incident Response Assistance | Incident Response | |
| IR-7(1) | Incident Response Assistance (Control Enhancement) | Incident Response | |
| IR-8 | Incident Response Plan | Incident Response | |
| MA-1 | System Maintenance Policy and Procedures | Maintenance | |
| MA-2 | Controlled Maintenance | Maintenance | |
| MA-2(1) | Controlled Maintenance (Control Enhancement) | Maintenance | |
| MA-2(2) | Controlled Maintenance (Control Enhancement) | Maintenance | |
| MA-3 | Maintenance Tools | Maintenance | |
| MA-3(1) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-3(2) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-3(3) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-3(4) | Maintenance Tools (Control Enhancement) | Maintenance | |
| MA-4 | Non-Local Maintenance | Maintenance | Remote maintenance can be performed on SIMP using SSH or direct console access. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical (or virtual) console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It’s up to the implementation to decide how to distribute authentication information for remote maintenance. |
| MA-4(1) | Non-Local Maintenance (Control Enhancement) | Maintenance | Remote maintenance can be performed on SIMP using SSH or direct console access. SSH sessions are tracked and logged using the security features built into SIMP. Console access requires someone to have access to the physical (or virtual) console along with the root password. Auditing of those actions also occurs in accordance with the configured audit policy. It’s up to the implementation to decide how to distribute authentication information for remote maintenance |
| MA-4(2) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(3) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(4) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(5) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-4(6) | Non-Local Maintenance (Control Enhancement) | Maintenance | Remote maintenance is performed using SSH. SSH inherently provides confidentiality and integrity of data while in transit. |
| MA-4(7) | Non-Local Maintenance (Control Enhancement) | Maintenance | |
| MA-5 | Maintenance Personnel | Maintenance | |
| MA-5(1) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-5(2) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-5(3) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-5(4) | Maintenance Personnel (Control Enhancement) | Maintenance | |
| MA-6 | Timely Maintenance | Maintenance | |
| MP-1 | Media Protection Policy and Procedures | Media Protection | |
| MP-2 | Media Access | Media Protection | |
| MP-2(1) | Media Access (Control Enhancement) | Media Protection | |
| MP-2(2) | Media Access (Control Enhancement) | Media Protection | |
| MP-4 | Media Storage | Media Protection | |
| MP-5 | Media Transport | Media Protection | |
| MP-5(1) | Media Transport (Control Enhancement) | Media Protection | |
| MP-5(2) | Media Transport (Control Enhancement) | Media Protection | |
| MP-5(3) | Media Transport (Control Enhancement) | Media Protection | |
| MP-5(4) | Media Transport (Control Enhancement) | Media Protection | |
| MP-6 | Media Sanitization | Media Protection | |
| MP-6(1) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(2) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(3) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(4) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(5) | Media Sanitization (Control Enhancement) | Media Protection | |
| MP-6(6) | Media Sanitization (Control Enhancement) | Media Protection | |
| PE-1 | Physical and Environmental Protection Policy and Procedures | Physical and Environmental Protection | |
| PE-2 | Physical Access Authorizations | Physical and Environmental Protection | |
| PE-2(1) | Physical Access Authorizations (Control Enhancement) | Physical and Environmental Protection | |
| PE-2(2) | Physical Access Authorizations (Control Enhancement) | Physical and Environmental Protection | |
| PE-2(3) | Physical Access Authorizations (Control Enhancement) | Physical and Environmental Protection | |
| PE-3 | Physical Access Control | Physical and Environmental Protection | |
| PE-3(1) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(2) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(3) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(4) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(5) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-3(6) | Physical Access Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-4 | Access Control for Transmission Medium | Physical and Environmental Protection | |
| PE-5 | Access Control for Output Devices | Physical and Environmental Protection | |
| PE-6 | Monitoring Physical Access | Physical and Environmental Protection | |
| PE-6(1) | Monitoring Physical Access (Control Enhancement) | Physical and Environmental Protection | |
| PE-6(2) | Monitoring Physical Access (Control Enhancement) | Physical and Environmental Protection | |
| PE-7 | Visitor Control | Physical and Environmental Protection | |
| PE-7(1) | Visitor Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-7(2) | Visitor Control (Control Enhancement) | Physical and Environmental Protection | |
| PE-8 | Access Records | Physical and Environmental Protection | |
| PE-8(1) | Access Records (Control Enhancement) | Physical and Environmental Protection | |
| PE-8(2) | Access Records (Control Enhancement) | Physical and Environmental Protection | |
| PE-9 | Power Equipment and Power Cabling | Physical and Environmental Protection | |
| PE-9(1) | Power Equipment and Power Cabling (Control Enhancement) | Physical and Environmental Protection | |
| PE-9(2) | Power Equipment and Power Cabling (Control Enhancement) | Physical and Environmental Protection | |
| PE-10 | Emergency Shutoff | Physical and Environmental Protection | |
| PE-10(1) | Emergency Shutoff (Control Enhancement) | Physical and Environmental Protection | |
| PE-11 | Emergence Power | Physical and Environmental Protection | |
| PE-11(1) | Emergence Power (Control Enhancement) | Physical and Environmental Protection | |
| PE-11(2) | Emergence Power (Control Enhancement) | Physical and Environmental Protection | |
| PE-12 | Emergency Lighting | Physical and Environmental Protection | |
| PE-12(1) | Emergency Lighting (Control Enhancement) | Physical and Environmental Protection | |
| PE-13 | Fire Protection | Physical and Environmental Protection | |
| PE-13(1) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-13(2) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-13(3) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-13(4) | Fire Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-14 | Temperature and Humidity Controls | Physical and Environmental Protection | |
| PE-14(1) | Temperature and Humidity Controls (Control Enhancement) | Physical and Environmental Protection | |
| PE-14(2) | Temperature and Humidity Controls (Control Enhancement) | Physical and Environmental Protection | |
| PE-15 | Water Damage Protection | Physical and Environmental Protection | |
| PE-15(1) | Water Damage Protection (Control Enhancement) | Physical and Environmental Protection | |
| PE-16 | Delivery and Removal | Physical and Environmental Protection | |
| PE-17 | Alternate Work Site | Physical and Environmental Protection | |
| PE-18 | Location of Information System Components | Physical and Environmental Protection | |
| PE-18(1) | Location of Information System Components (Control Enhancement) | Physical and Environmental Protection | |
| PE-19 | Information Leakage | Physical and Environmental Protection | |
| SI-1 | System and Information Integrity Policy and Procedures | System and Information Integrity | |
| SI-2(1) | Flaw Remediation (Control Enhancement) | System and Information Integrity | Patches that are part of the software base for SIMP are tested within the development environment. There is automated testing that is constantly being extended to test more features. There are times that patches to the base operating system (Centos or RedHat) are needed to resolve issues in SIMP. Those are also tested at build time, but require additional testing by implementations as patches are released from vendors. It’s also important to note that SIMP is packaged and delivered decoupled with the operating system source files. It’s up to the implementation to test vendor specific patches that are not part of the SIMP code base. Flaws are tracked using the software project management tool Redmine. |
| SI-2(2) | Flaw Remediation (Control Enhancement) | System and Information Integrity | |
| SI-2(3) | Flaw Remediation (Control Enhancement) | System and Information Integrity | |
| SI-2(4) | Flaw Remediation (Control Enhancement) | System and Information Integrity | SIMP uses the yellowdog update manager (YUM) to deliver software patches to clients. Each installation usually has at least one YUM repository. There is also a cronjob running that runs once per day. It’s the responsibility of the implementation to get patches to the yum server. Once they are there, the cron job will perform a yum update and the patches will be applied. |
| SI-3 | Malicious Code Protection | System and Information Integrity | SIMP has modules available for mcafee and ClamAV. The ClamAV. Implementations need need to provide their own version of the mcafee software for the module to work. That module comes with the ability to sync dat updates to clients via rsync. The module does NOT specify how often and what files systems should be scanned. SIMP also implements the open source tool chkrootkit that comes installed by default. |
| SI-3(1) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | The provided anti-virus modules are installed via puppet modules. Those modules include the ability to sycn data file updates via rsync. Therefore, all management of malicious code detection is done centrally. |
| SI-3(2) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(3) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(4) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(5) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-3(6) | Malicious Code Protection (Control Enhancement) | System and Information Integrity | |
| SI-4 | Information System Monitoring Tools and Techniques | System and Information Integrity | |
| SI-4(1) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(2) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(3) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(4) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(5) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(6) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(7) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(8) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(9) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(10) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(11) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(12) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(13) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(14) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(15) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(16) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-4(17) | Information System Monitoring Tools and Techniques (Control Enhancement) | System and Information Integrity | |
| SI-5 | System Alerts, Advisories, and Directives | System and Information Integrity | The only part of the control (a) that is met by SIMP, is the tracking of security alerts for products that are part of the code base. The development team subscribes to message boards for the main products (puppet) that are part of the packaging. RedHat/Centos advisories are also tracked out of necessity but since ALL the OS files are not part of SIMP delivery, patches are not our direct responsibility. |
| SI-5(1) | System Alerts, Advisories, and Directives (Control Enhancement) | System and Information Integrity | |
| SI-6 | Security Functionality Verification | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide (the checks for RHEL 7 are not yet complete/finalized). Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-6(1) | Security Functionality Verification (Control Enhancement) | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide. Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-6(2) | Security Functionality Verification (Control Enhancement) | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide. Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-6(3) | Security Functionality Verification (Control Enhancement) | System and Information Integrity | SIMP comes with an optional module to install and perform regular runs of the SCAP-Security-Guide. Doing so will report (for a user defined frequency) OVAL results of security settings of a host against SSG recommendations. |
| SI-7 | Software and Information Integrity | System and Information Integrity | SIMP comes with AIDE installed. Puppet also serves the purpose of checking the integrity of files. During each client run, a change in file integrity means the file needs to be restored to it’s original state. |
| SI-7(1) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | AIDE baselines are not performed beyond initial install unless otherwise configured. Implementations can re-baseline the database. |
| SI-7(2) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | |
| SI-7(3) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | AIDE is managed by puppet and is therefore centrally managed. |
| SI-7(4) | Software and Information Integrity (Control Enhancement) | System and Information Integrity | |
| SI-8 | Spam Protection | System and Information Integrity | |
| SI-8(1) | Spam Protection (Control Enhancement) | System and Information Integrity | |
| SI-8(2) | Spam Protection (Control Enhancement) | System and Information Integrity | |
| SI-9 | Information Input Restrictions | System and Information Integrity | |
| SI-10 | Information Input Validation | System and Information Integrity | |
| SI-11 | Error Handling | System and Information Integrity | |
| SI-13 | Predictable Failure Prevention | System and Information Integrity | |
| SI-13(1) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity | |
| SI-13(2) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity | |
| SI-13(3) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity | |
| SI-13(4) | Predictable Failure Prevention (Control Enhancement) | System and Information Integrity | |
| Control ID | Control Name | Control Family | SIMP Implementation Method |
| Control ID | Control Name | Control Family | SIMP Implementation Method |
| CA-1 | Security Assessment and Authorization Policies | Security Assessment and Authorization | |
| CA-2 | Security Assessments | Security Assessment and Authorization | |
| CA-2(1) | Security Assessments (Control Enhancement) | Security Assessment and Authorization | |
| CA-2(2) | Security Assessments (Control Enhancement) | Security Assessment and Authorization | |
| CA-3 | Information System Connections | Security Assessment and Authorization | |
| CA-3(1) | Information System Connections (Control Enhancement) | Security Assessment and Authorization | |
| CA-3(2) | Information System Connections (Control Enhancement) | Security Assessment and Authorization | |
| CA-5 | Plan of Action and Milestones | Security Assessment and Authorization | |
| CA-5(1) | Plan of Action and Milestones (Control Enhancement) | Security Assessment and Authorization | |
| CA-6 | Security Authorization | Security Assessment and Authorization | |
| CA-7 | Continuous Monitoring | Security Assessment and Authorization | |
| CA-7(1) | Continuous Monitoring (Control Enhancement) | Security Assessment and Authorization | |
| CA-7(2) | Continuous Monitoring (Control Enhancement) | Security Assessment and Authorization | |
| Pl-1 | Security Planning Policy and Procedures | Planning | The SIMP installation manual provides instructions for the installation of the product in a manner that is compliant with a multitude of security controls. |
| PL-2 | System Security Plan | Planning | Security Plans are provided for specific implementations. The SIMP team will continue to develop security documentation that can be used as s resource for implementation specific System Security Plans. |
| PL-2(1) | System Security Plan (Control Enhancement) | Planning | TODO: Develop SIMP specific SSP. |
| PL-2(2) | System Security Plan (Control Enhancement) | Planning | |
| PL-4 | Rules of Behavior | Planning | |
| PL-4(1) | Rules of Behavior (Control Enhancement) | Planning | |
| PL-5 | Privacy Impact Assessment | Planning | |
| PL-6 | Security-Related Activity Planning | Planning | |
| PS-1 | Personnel Security Policy and Procedures | Planning | |
| PS-2 | Position Categorization | Planning | |
| PS-3(2) | Personnel Screening (Control Enhancement) | Planning | |
| RA-1 | Risk Assessment Policy and Procedures | Risk Assessment | |
| RA-2 | Security Categorization | Risk Assessment | |
| RA-3 | Risk Assessment | Risk Assessment | |
| RA-5 | Vulnerability Scanning | Risk Assessment | The SIMP team performs a variety of security testing as part of the development process. Compliance and configuration checking is done using SSG. SIMP makes every effort to address problems discovered by these tools. Some configuration settings will not align with tools since the product was meant to be used for operational settings where some security features cause a loss in functionality. Implementations have the option of further hardening their system further at the risk of losing some functionality. |
| RA-5(1) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | SCAP-Security-Guide is the two primary tool used to check for suspected configuration errors. Puppet also continues to protect clients against unwanted changes. |
| RA-5(2) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | SCAP-Security-Guide is the two primary tool used to check for suspected configuration errors. Puppet also continues to protect clients against unwanted changes. |
| RA-5(3) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | Regular vulnerability scanning is performed during development of SIMP. |
| RA-5(4) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | Part of the vulnerability scanning process determines what information can be determined by a malicious outside user. |
| RA-5(5) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | The compliance tools require that privileged accounts be used to perform testing. |
| RA-5(6) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | |
| RA-5(7) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | Only part of this requirement is met. SIMP can detect when any software is installed via auditd and syslog. Services that are not registered with puppet will not operate without user intervention. Those changes are also audited. SIMP does not provide the ability to alert on those actions, however, Logstash filters or Elasticsearch queries can be applied if needed. |
| RA-5(8) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | |
| RA-5(9) | Vulnerability Scanning (Control Enhancement) | Risk Assessment | |
| SA-1 | System and Services Acquisition Policy and Procedures | System and Service Acquisition | |
| SA-2 | Allocation of Resources | System and Service Acquisition | |
| SA-3 | Life Cycle Support | System and Service Acquisition | |
| SA-4 | Acquisitions | System and Service Acquisition | |
| SA-4(1) | Acquisitions (Control Enhancement) | System and Service Acquisition | |
| SA-4(2) | Acquisitions (Control Enhancement) | System and Service Acquisition | |
| SA-4(3) | Acquisitions (Control Enhancement) | System and Service Acquisition | |
| SA-4(4) | Acquisitions (Control Enhancement) | System and Service Acquisition | |
| SA-4(5) | Acquisitions (Control Enhancement) | System and Service Acquisition | |
| SA-4(6) | Acquisitions (Control Enhancement) | System and Service Acquisition | |
| SA-4(7) | Acquisitions (Control Enhancement) | System and Service Acquisition | |
| SA-5 | Information System Documentation | System and Service Acquisition | |
| SA-5(1) | Information System Documentation (Control Enhancement) | System and Service Acquisition | |
| SA-5(2) | Information System Documentation (Control Enhancement) | System and Service Acquisition | |
| SA-5(3) | Information System Documentation (Control Enhancement) | System and Service Acquisition | |
| SA-5(4) | Information System Documentation (Control Enhancement) | System and Service Acquisition | |
| SA-5(5) | Information System Documentation (Control Enhancement) | System and Service Acquisition | |
| SA-6 | Software Usage Restrictions | System and Service Acquisition | |
| SA-6 (1) | Software Usage Restrictions | System and Service Acquisition | |
| SA-7 | User Installed Software | System and Service Acquisition | |
| SA-8 | Security Engineering Principles | System and Service Acquisition | |
| SA-9 | External Information System Services | System and Service Acquisition | |
| SA-9(1) | External Information System Services (Control Enhancement) | System and Service Acquisition | |
| SA-10 | Developer Configuration Management | System and Service Acquisition | |
| SA-10(1) | Developer Configuration Management (Control Enhancement) | System and Service Acquisition | |
| SA-10(2) | Developer Configuration Management (Control Enhancement) | System and Service Acquisition | |
| SA-11 | Developer Security Testing | System and Service Acquisition | |
| SA-11(1) | Developer Security Testing (Control Enhancement) | System and Service Acquisition | |
| SA-11(2) | Developer Security Testing (Control Enhancement) | System and Service Acquisition | |
| SA-11(3) | Developer Security Testing (Control Enhancement) | System and Service Acquisition | |
| SA-12 | Supply Chain Protection | System and Service Acquisition | |
| SA-12(1) | Supply Chain Protection (Control Enhancement) | System and Service Acquisition | |
| SA-12(2) | Supply Chain Protection (Control Enhancement) | System and Service Acquisition | |
| SA-12(3) | Supply Chain Protection (Control Enhancement) | System and Service Acquisition | |
| SA-12(4) | Supply Chain Protection (Control Enhancement) | System and Service Acquisition | |
| SA-12(5) | Supply Chain Protection (Control Enhancement) | System and Service Acquisition | |
| SA-12(6) | Supply Chain Protection (Control Enhancement) | System and Service Acquisition | |
| SA-12(7) | Supply Chain Protection (Control Enhancement) | System and Service Acquisition | |
| SA-13 | Trustworthiness | System and Service Acquisition | |
| SA-14 | Critical Information System Components | System and Service Acquisition | |
| SA-14(1) | Critical Information System Components (Control Enhancement) | System and Service Acquisition |
Table: Management Controls