System and information integrity

Estimated reading time: 21 minutes

SI-1 System And Information Integrity Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and
  2. Reviews and updates the current:
    1. System and information integrity policy [Assignment: organization-defined frequency]; and
    2. System and information integrity procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

SI-2 Flaw Remediation

Description

The organization:

  1. Identifies, reports, and corrects information system flaws;
  2. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
  3. Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and
  4. Incorporates flaw remediation into the organizational configuration management process.

Control Information

Responsible role(s) - Organization

SI-2 (1) Central Management

Description

The organization centrally manages the flaw remediation process.

Control Information

Responsible role(s) - Organization

SI-2 (2) Automated Flaw Remediation Status

Description

The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation.

Control Information

Responsible role(s) - Organization

SI-2 (3) Time To Remediate Flaws / Benchmarks For Corrective Actions

Description

The organization:

  1. Measures the time between flaw identification and flaw remediation; and
  2. Establishes [Assignment: organization-defined benchmarks] for taking corrective actions.

Control Information

Responsible role(s) - Organization

SI-2 (5) Automatic Software / Firmware Updates

Description

The organization installs [Assignment: organization-defined security-relevant software and firmware updates] automatically to [Assignment: organization-defined information system components].

Control Information

Responsible role(s) - Organization

SI-2 (6) Removal Of Previous Versions Of Software / Firmware

Description

The organization removes [Assignment: organization-defined software and firmware components] after updated versions have been installed.

Control Information

Responsible role(s) - Organization

SI-3 Malicious Code Protection

Description

The organization:

  1. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
  2. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
  3. Configures malicious code protection mechanisms to:
    1. Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and
    2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and
  4. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.

Control Information

Responsible role(s) - Organization

SI-3 (1) Central Management

Description

The organization centrally manages malicious code protection mechanisms.

Control Information

Responsible role(s) - Organization

SI-3 (2) Automatic Updates

Description

The information system automatically updates malicious code protection mechanisms.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Enterprise Edition Engine complete
Docker EE system

Implementation Details

Docker Enterprise Edition packages for supported underlying operating systems can only be obtained from Docker, Inc. The Docker EE repositories from which Docker EE packages are obtained are protected with official GPG keys. Each Docker package is also validated with a signature definition.

SI-3 (4) Updates Only By Privileged Users

Description

The information system updates malicious code protection mechanisms only when directed by a privileged user.

Control Information

Responsible role(s) - Organization

SI-3 (6) Testing / Verification

Description

The organization:

  1. Tests malicious code protection mechanisms [Assignment: organization-defined frequency] by introducing a known benign, non-spreading test case into the information system; and
  2. Verifies that both detection of the test case and associated incident reporting occur.

Control Information

Responsible role(s) - Organization

SI-3 (7) Nonsignature-Based Detection

Description

The information system implements nonsignature-based malicious code detection mechanisms.

Control Information

Responsible role(s) - Organization

SI-3 (8) Detect Unauthorized Commands

Description

The information system detects [Assignment: organization-defined unauthorized operating system commands] through the kernel application programming interface at [Assignment: organization-defined information system hardware components] and [Selection (one or more): issues a warning; audits the command execution; prevents the execution of the command].

Control Information

Responsible role(s) - Organization

SI-3 (9) Authenticate Remote Commands

Description

The information system implements [Assignment: organization-defined security safeguards] to authenticate [Assignment: organization-defined remote commands].

Control Information

Responsible role(s) - Organization

SI-3 (10) Malicious Code Analysis

Description

The organization:

  1. Employs [Assignment: organization-defined tools and techniques] to analyze the characteristics and behavior of malicious code; and
  2. Incorporates the results from malicious code analysis into organizational incident response and flaw remediation processes.

Control Information

Responsible role(s) - Organization

SI-4 Information System Monitoring

Description

The organization:

  1. Monitors the information system to detect:
    1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
    2. Unauthorized local, network, and remote connections;
  2. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
  3. Deploys monitoring devices:
    1. Strategically within the information system to collect organization-determined essential information; and
    2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
  4. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
  5. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
  6. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
  7. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Control Information

Responsible role(s) - Organization

SI-4 (1) System-Wide Intrusion Detection System

Description

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

Control Information

Responsible role(s) - Organization

SI-4 (2) Automated Tools For Real-Time Analysis

Description

The organization employs automated tools to support near real-time analysis of events.

Control Information

Responsible role(s) - Organization

SI-4 (3) Automated Tool Integration

Description

The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

Control Information

Responsible role(s) - Organization

SI-4 (4) Inbound And Outbound Communications Traffic

Description

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

Control Information

Responsible role(s) - Organization

SI-4 (5) System-Generated Alerts

Description

The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

Control Information

Responsible role(s) - Organization

SI-4 (7) Automated Response To Suspicious Events

Description

The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].

Control Information

Responsible role(s) - Organization

SI-4 (9) Testing Of Monitoring Tools

Description

The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

SI-4 (10) Visibility Of Encrypted Communications

Description

The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].

Control Information

Responsible role(s) - Organization

SI-4 (11) Analyze Communications Traffic Anomalies

Description

The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.

Control Information

Responsible role(s) - Organization

SI-4 (12) Automated Alerts

Description

The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].

Control Information

Responsible role(s) - Organization

SI-4 (13) Analyze Traffic / Event Patterns

Description

The organization:

  1. Analyzes communications traffic/event patterns for the information system;
  2. Develops profiles representing common traffic patterns and/or events; and
  3. Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.

Control Information

Responsible role(s) - Organization

SI-4 (14) Wireless Intrusion Detection

Description

The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

Control Information

Responsible role(s) - Organization

SI-4 (15) Wireless To Wireline Communications

Description

The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

Control Information

Responsible role(s) - Organization

SI-4 (16) Correlate Monitoring Information

Description

The organization correlates information from monitoring tools employed throughout the information system.

Control Information

Responsible role(s) - Organization

SI-4 (17) Integrated Situational Awareness

Description

The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

Control Information

Responsible role(s) - Organization

SI-4 (18) Analyze Traffic / Covert Exfiltration

Description

The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.

Control Information

Responsible role(s) - Organization

SI-4 (19) Individuals Posing Greater Risk

Description

The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.

Control Information

Responsible role(s) - Organization

SI-4 (20) Privileged Users

Description

The organization implements [Assignment: organization-defined additional monitoring] of privileged users.

Control Information

Responsible role(s) - Organization

SI-4 (21) Probationary Periods

Description

The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].

Control Information

Responsible role(s) - Organization

SI-4 (22) Unauthorized Network Services

Description

The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].

Control Information

Responsible role(s) - Organization

SI-4 (23) Host-Based Devices

Description

The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].

Control Information

Responsible role(s) - Organization

SI-4 (24) Indicators Of Compromise

Description

The information system discovers, collects, distributes, and uses indicators of compromise.

Control Information

Responsible role(s) - Organization

SI-5 Security Alerts, Advisories, And Directives

Description

The organization:

  1. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis;
  2. Generates internal security alerts, advisories, and directives as deemed necessary;
  3. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and
  4. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.

Control Information

Responsible role(s) - Organization

SI-5 (1) Automated Alerts And Advisories

Description

The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.

Control Information

Responsible role(s) - Organization

SI-6 Security Function Verification

Description

The information system:

  1. Verifies the correct operation of [Assignment: organization-defined security functions];
  2. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
  3. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
  4. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

Control Information

Responsible role(s) - Organization

SI-6 (2) Automation Support For Distributed Testing

Description

The information system implements automated mechanisms to support the management of distributed security testing.

Control Information

Responsible role(s) - Organization

SI-6 (3) Report Verification Results

Description

The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

SI-7 Software, Firmware, And Information Integrity

Description

The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information].

Control Information

Responsible role(s) - Organization

SI-7 (1) Integrity Checks

Description

The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events]; [Assignment: organization-defined frequency]].

Control Information

Responsible role(s) - Organization

SI-7 (2) Automated Notifications Of Integrity Violations

Description

The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification.

Control Information

Responsible role(s) - Organization

SI-7 (3) Centrally-Managed Integrity Tools

Description

The organization employs centrally managed integrity verification tools.

Control Information

Responsible role(s) - Organization

SI-7 (5) Automated Response To Integrity Violations

Description

The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered.

Control Information

Responsible role(s) - Organization

SI-7 (6) Cryptographic Protection

Description

The information system implements cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

Control Information

Responsible role(s) - Organization

SI-7 (7) Integration Of Detection And Response

Description

The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability.

Control Information

Responsible role(s) - Organization

SI-7 (8) Auditing Capability For Significant Events

Description

The information system, upon detection of a potential integrity violation, provides the capability to audit the event and initiates the following actions: [Selection (one or more): generates an audit record; alerts current user; alerts [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined other actions]].

Control Information

Responsible role(s) - Organization

SI-7 (9) Verify Boot Process

Description

The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].

Control Information

Responsible role(s) - Organization

SI-7 (10) Protection Of Boot Firmware

Description

The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].

Control Information

Responsible role(s) - Organization

SI-7 (11) Confined Environments With Limited Privileges

Description

The organization requires that [Assignment: organization-defined user-installed software] execute in a confined physical or virtual machine environment with limited privileges.

Control Information

Responsible role(s) - Organization

SI-7 (12) Integrity Verification

Description

The organization requires that the integrity of [Assignment: organization-defined user-installed software] be verified prior to execution.

Control Information

Responsible role(s) - Organization

SI-7 (13) Code Execution In Protected Environments

Description

The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

SI-7 (14) Binary Or Machine Executable Code

Description

The organization:

  1. Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and
  2. Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

Control Information

Responsible role(s) - Organization

SI-7 (15) Code Authentication

Description

The information system implements cryptographic mechanisms to authenticate [Assignment: organization-defined software or firmware components] prior to installation.

Control Information

Responsible role(s) - Organization

SI-7 (16) Time Limit On Process Execution W/O Supervision

Description

The organization does not allow processes to execute without supervision for more than [Assignment: organization-defined time period].

Control Information

Responsible role(s) - Organization

SI-8 Spam Protection

Description

The organization:

  1. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and
  2. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

Control Information

Responsible role(s) - Organization

SI-8 (1) Central Management

Description

The organization centrally manages spam protection mechanisms.

Control Information

Responsible role(s) - Organization

SI-8 (2) Automatic Updates

Description

The information system automatically updates spam protection mechanisms.

Control Information

Responsible role(s) - Organization

SI-8 (3) Continuous Learning Capability

Description

The information system implements spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

Control Information

Responsible role(s) - Organization

SI-10 Information Input Validation

Description

The information system checks the validity of [Assignment: organization-defined information inputs].

Control Information

Responsible role(s) - Organization

SI-10 (1) Manual Override Capability

Description

The information system:

  1. Provides a manual override capability for input validation of [Assignment: organization-defined inputs];
  2. Restricts the use of the manual override capability to only [Assignment: organization-defined authorized individuals]; and
  3. Audits the use of the manual override capability.

Control Information

Responsible role(s) - Organization

SI-10 (2) Review / Resolution Of Errors

Description

The organization ensures that input validation errors are reviewed and resolved within [Assignment: organization-defined time period].

Control Information

Responsible role(s) - Organization

SI-10 (3) Predictable Behavior

Description

The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.

Control Information

Responsible role(s) - Organization

SI-10 (4) Review / Timing Interactions

Description

The organization accounts for timing interactions among information system components in determining appropriate responses for invalid inputs.

Control Information

Responsible role(s) - Organization

SI-10 (5) Restrict Inputs To Trusted Sources And Approved Formats

Description

The organization restricts the use of information inputs to [Assignment: organization-defined trusted sources] and/or [Assignment: organization-defined formats].

Control Information

Responsible role(s) - Organization

SI-11 Error Handling

Description

The information system:

  1. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and
  2. Reveals error messages only to [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
Docker Enterprise Edition Engine complete
Docker EE system
Universal Control Plane (UCP) complete
Docker EE system

Implementation Details

All error messages generated via the configured logging mechanism of Docker Trusted Registry are displayed such that they meet the requirements of this control. Only users that are authorized the appropriate level of access can view these error messages.
All error messages generated via the logging mechanisms of the Docker Enterprise Edition engine are displayed such that they meet the requirements of this control. Only users that are authorized the appropriate level of access can view these error messages.
All error messages generated via the configured logging mechanism of Universal Control Plane are displayed such that they meet the requirements of this control. Only users that are authorized the appropriate level of access can view these error messages.

SI-12 Information Handling And Retention

Description

The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.

Control Information

Responsible role(s) - Organization

SI-13 Predictable Failure Prevention

Description

The organization:

  1. Determines mean time to failure (MTTF) for [Assignment: organization-defined information system components] in specific environments of operation; and
  2. Provides substitute information system components and a means to exchange active and standby components at [Assignment: organization-defined MTTF substitution criteria].

Control Information

Responsible role(s) - Organization

SI-13 (1) Transferring Component Responsibilities

Description

The organization takes information system components out of service by transferring component responsibilities to substitute components no later than [Assignment: organization-defined fraction or percentage] of mean time to failure.

Control Information

Responsible role(s) - Organization

SI-13 (3) Manual Transfer Between Components

Description

The organization manually initiates transfers between active and standby information system components [Assignment: organization-defined frequency] if the mean time to failure exceeds [Assignment: organization-defined time period].

Control Information

Responsible role(s) - Organization

SI-13 (4) Standby Component Installation / Notification

Description

The organization, if information system component failures are detected:

  1. Ensures that the standby components are successfully and transparently installed within [Assignment: organization-defined time period]; and
  2. [Selection (one or more): activates [Assignment: organization-defined alarm]; automatically shuts down the information system].

Control Information

Responsible role(s) - Organization

SI-13 (5) Failover Capability

Description

The organization provides [Selection: real-time; near real-time] [Assignment: organization-defined failover capability] for the information system.

Control Information

Responsible role(s) - Organization

SI-14 Non-Persistence

Description

The organization implements non-persistent [Assignment: organization-defined information system components and services] that are initiated in a known state and terminated [Selection (one or more): upon end of session of use; periodically at [Assignment: organization-defined frequency]].

Control Information

Responsible role(s) - Organization

SI-14 (1) Refresh From Trusted Sources

Description

The organization ensures that software and data employed during information system component and service refreshes are obtained from [Assignment: organization-defined trusted sources].

Control Information

Responsible role(s) - Organization

SI-15 Information Output Filtering

Description

The information system validates information output from [Assignment: organization-defined software programs and/or applications] to ensure that the information is consistent with the expected content.

Control Information

Responsible role(s) - Organization

SI-16 Memory Protection

Description

The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Enterprise Edition Engine complete
service provider hybrid

Implementation Details

Docker Enterprise Edition can be installed on the following operating systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 LTS+, SUSE Linux Enterprise 12+ and Windows Server 2016+. In order to meet the requirements of this control, reference the chosen operating system's security documentation for information regarding the protection of memory from unauthorized code execution.

SI-17 Fail-Safe Procedures

Description

The information system implements [Assignment: organization-defined fail-safe procedures] when [Assignment: organization-defined failure conditions occur].

Control Information

Responsible role(s) - Organization

standards, compliance, security, 800-53, System and information integrity