|
56 | 56 |
|
57 | 57 | a. Identify the duties of individuals requiring separation.
|
58 | 58 |
|
59 |
| -b. Define system access authorizations to support separation of duties.}&{P}&{P}&{Principle of least privilege is applied. Some users have access to hosts that is unneeded.} \\ \hline |
| 59 | +b. Define system access authorizations to support separation of duties.}&{V}&{Y}&{Principle of least privilege is applied. Some users have access to hosts that is unneeded.} \\ \hline |
60 | 60 | {03.01.05 Least Privilege
|
61 | 61 |
|
62 | 62 | a. Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.
|
|
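Review bot: The 03.01.04 row changes its status pair from P/P to V/Y but leaves the justification text untouched, so it still reads as a partial-compliance note ("Some users have access to hosts that is unneeded"); a variance entry should say what the variance covers, why it is acceptable for now, and when the unneeded host access will be removed. V and W are new codes for this table; make sure the legend or header row (not in this diff) defines them next to Y/N/P, otherwise the summary rows at the bottom cannot be read.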
65 | 65 |
|
66 | 66 | c. Review the privileges assigned to roles or classes of users [Assignment: organization-defined frequency] to validate the need for such privileges.
|
67 | 67 |
|
68 |
| -d. Reassign or remove privileges, as necessary.}&{N}&{P}&{Targeted sudo rules are needed for common operations. IPA controls sudo centrally } \\ \hline |
| 68 | +d. Reassign or remove privileges, as necessary.}&{V}&{Y}&{Targeted sudo rules are needed for common operations. IPA controls sudo centrally } \\ \hline |
69 | 69 | {03.01.06 Least Privilege – Privileged Accounts
|
70 | 70 |
|
71 | 71 | a. Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].
|
72 | 72 |
|
73 | 73 | b. Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information.
|
74 |
| - }&{P}&{N}&{These accounts were specifically target in the Gemini attack - we would rather not use this approach.} \\ \hline |
| 74 | + }&{V}&{W}&{These accounts were specifically target in the Gemini attack - we would rather not use this approach.} \\ \hline |
75 | 75 | {03.01.07 Least Privilege – Privileged Functions
|
76 | 76 |
|
77 | 77 | a. Prevent non-privileged users from executing privileged functions.
|
|
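Review bot: The 03.01.06 row ends up with V in the 2024 column and W in the intent column at the same time, the only row in this diff carrying both; if a waiver is requested for the whole requirement the 2024 state is normally N, and if only sub-item b (using non-privileged accounts for non-security work) is being waived, the comment should say so and leave a clear status for sub-item a (restricting who holds privileged accounts). The comment also needs "specifically targeted" rather than "specifically target". For 03.01.05 the jump from N/P to V/Y is large given that the comment says targeted sudo rules "are needed", i.e. not yet in place; the variance text should name the interim control (central sudo policy via IPA) and the date by which the targeted rules land.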
174 | 174 |
|
175 | 175 | 2. When required by system changes or following [Assignment: organization- defined events].
|
176 | 176 |
|
177 |
| -b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].}&{P}&{Y}&{OUO training at SLAC, DMTN-199 training for commissioners, Specific training for satellite catalog handlers. |
| 177 | +b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].}&{V}&{Y}&{OUO training at SLAC, DMTN-199 training for commissioners, Specific training for satellite catalog handlers. |
178 | 178 |
|
179 | 179 | We would like to do more here like capture flag exercises for developers or blue/red teams events.
|
180 | 180 |
|
|
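Review bot: For 03.02.02 b the status moves from P/Y to V/Y while the requirement text still carries both unfilled "[Assignment: organization-defined frequency]" and "[Assignment: organization-defined events]" placeholders, and the comment only lists the trainings that exist; a variance needs to name the gap, so fill in the assignment (how often role-based training content is refreshed, and on which events) and state which part of the requirement is not yet met. The sentence about capture-the-flag exercises and blue/red team events reads as an aspiration rather than a plan; either give it a target date or mark it as outside the variance.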
308 | 308 |
|
309 | 309 | b. Apply the following security requirements to the systems or components when
|
310 | 310 | the individuals return from travel: [Assignment: organization-defined security
|
311 |
| -requirements].}&{N}&{N}&{Though people self select to remove vaults and carry clean personal devices we do not have a strict policy nor do we have a list of high risk areas. In general there is no data on peoples machines so it is account/password vulnerability we would need to cover.} \\ \hline |
| 311 | +requirements].}&{N}&{Y}&{Though people self select to remove vaults and carry clean personal devices we do not have a strict policy nor do we have a list of high risk areas. In general there is no data on peoples machines so it is account/password vulnerability we would need to cover.} \\ \hline |
312 | 312 | {3.5 IDENTIFICATION AND AUTHENTICATION}&&& \\ \hline
|
313 | 313 | {03.05.01 User Identification and Authentication
|
314 | 314 |
|
|
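Review bot: For 03.04.12 b the intent column flips from N to Y while the 2024 status stays N and the comment is unchanged; the comment itself says there is no strict policy and no list of high-risk areas, so stating an intent to comply needs at least the planned measure on return from travel (the comment already identifies the exposure as account/password rather than data, which points at credential rotation and vault re-enrolment) and a rough date, otherwise the row reads as N/N in all but the letter. Minor: "peoples machines" should be "people's machines" and "self select" should be hyphenated.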
758 | 758 |
|
759 | 759 | c. Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system.
|
760 | 760 |
|
761 |
| -d. Review and update the rules of behavior [Assignment: organization-defined frequency].}&{P}&{Y}&{Need new AUP} \\ \hline |
| 761 | +d. Review and update the rules of behavior [Assignment: organization-defined frequency].}&{V}&{Y}&{Need new AUP} \\ \hline |
762 | 762 | {3.16. System and Services Acquisition}&&& \\ \hline
|
763 | 763 | {03.16.01 Security Engineering Principles
|
764 | 764 |
|
|
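Review bot: For 03.15.03 d the status moves from P to V on the strength of a three-word comment ("Need new AUP"); a variance entry should say which sub-item is unmet (the review/update cycle in d, or the documented acknowledgement in c), what is in force meanwhile (the current AUP), and when the replacement is expected. The "[Assignment: organization-defined frequency]" placeholder in d is still unfilled; choose the review interval as part of the same change so the variance has an end condition.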
782 | 782 |
|
783 | 783 | b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency].
|
784 | 784 |
|
785 |
| -c. Protect the supply chain risk management plan from unauthorized disclosure.}&{N}&{N}&{Not applicable for this project.} \\ \hline |
| 785 | +c. Protect the supply chain risk management plan from unauthorized disclosure.}&{N}&{W}&{Not applicable for this project.} \\ \hline |
786 | 786 | {03.17.02 Acquisition Strategies, Tools, and Methods
|
787 | 787 |
|
788 |
| -Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks. }&{N}&{N}&{Not applicable for this project.} \\ \hline |
| 788 | +Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks. }&{N}&{W}&{Not applicable for this project.} \\ \hline |
789 | 789 | {03.17.03 Supply Chain Requirements and Processes
|
790 | 790 |
|
791 | 791 | a. Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.
|
792 | 792 |
|
793 |
| -b. Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [Assignment: organization- defined security requirements].}&{N}&{N}&{Not applicable for this project.} \\ \hline |
| 793 | +b. Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [Assignment: organization- defined security requirements].}&{N}&{W}&{Not applicable for this project.} \\ \hline |
794 | 794 | \textbf{Total NIST800-171 requirements}&\textbf{}&\textbf{98}& \\ \hline
|
795 |
| -\textbf{Total Rubin Intends to comply fully with }&\textbf{}&\textbf{91}& \\ \hline |
796 |
| -\textbf{Total Rubin Intends not to comply with }&\textbf{}&\textbf{5}& \\ \hline |
797 |
| -\textbf{Total Rubin Intends to partially comply with }&\textbf{}&\textbf{2}& \\ \hline |
| 795 | +\textbf{Total Rubin Intends to comply fully with }&\textbf{}&\textbf{94}& \\ \hline |
798 | 796 | \textbf{Total Rubin Complies with in 2024}&\textbf{}&\textbf{84}& \\ \hline
|
799 |
| -\textbf{Total Rubin Partially Complies with in 2024}&\textbf{}&\textbf{4}& \\ \hline |
| 797 | +\textbf{Total Rubin waivers requested }&\textbf{}&\textbf{4}& \\ \hline |
| 798 | +\textbf{Total Rubin variances in 2024}&\textbf{}&\textbf{5}& \\ \hline |
800 | 799 | \end{longtable} \normalsize
|
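Review bot: The new summary rows do not close the 2024 column: 84 complying plus 5 variances is 89 of 98, so the 9 requirements still marked N for 2024 are not counted anywhere; add a "Total Rubin does not comply in 2024" row (or equivalent) so that column sums to 98, as the intent column already does (94 plus 4 waivers). The 03.17.01 c, 03.17.02 and 03.17.03 b rows switch the intent column from N to W while keeping "Not applicable for this project." as the comment; a waiver request and a not-applicable claim are different statements, so the comment should give the reason the supply-chain requirement is out of scope for the waiver to be assessable. Minor: "\textbf{Total Rubin Intends to comply fully with }" and "\textbf{Total Rubin waivers requested }" keep trailing spaces inside the braces, and "Intends" is capitalized mid-label.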