SPLA Continuous Monitoring Plan

Scottish Pride Inc.
Office of Information Services
Scottish Pride Licensing Application (SPLA)
Continuous Monitoring Plan
Version 1.0
May 28, 2013
DOCUMENT CONTROL

Change Record
Date | Author | Version | Change Reference

Quality Review History
Date | Reviewer | Comments

Approval Sign-off
Name | Role | Signature | Date

Page 2 of 20
Scottish Pride
Scottish Pride Licensing Application
Continuous Monitoring Plan
Office of Information Services
TABLE OF CONTENTS
1 BACKGROUND .............................................................. 4
1.1 PURPOSE ............................................................... 4
1.2 SECURITY FRAMEWORK SYSTEM DEVELOPMENT LIFECYCLE (SDLC) ................ 4
1.3 OBJECTIVE ............................................................. 5
1.4 RISK .................................................................. 6
1.5 BENEFITS .............................................................. 6
2 REQUIREMENTS FOR CONTINUOUS MONITORING .................................. 7
2.1 CONFIGURATION MANAGEMENT AND CONTROL .................................. 7
2.2 SECURITY CONTROL MONITORING ........................................... 9
2.3 STATUS REPORTING AND DOCUMENTATION ................................... 11
3 SECURITY CONTROLS MONITORING ........................................... 13
APPENDIX A – RESPONSIBILITIES ............................................. 1
APPENDIX B – ANNUAL REQUIRED SECURITY CONTROLS ............................ 1
APPENDIX C – YEAR-2 REQUIRED SECURITY CONTROLS ............................ 1
APPENDIX D – YEAR-3 REQUIRED SECURITY CONTROLS ............................ 1
LIST OF TABLES
Table 1: SPLA Security Controls Assessment ............................... 14
LIST OF FIGURES
Figure 1: Security Framework System Development Life Cycle ................ 7
1 BACKGROUND
1.1 Purpose
Continuous monitoring is one of six steps in the Risk Management Framework
described in NIST Special Publication 800‐37, Revision 1, Applying the Risk
Management Framework (RMF) to Federal Information Systems (February 2010). (See
Figure 1 below). The purpose of a continuous monitoring program is to determine if the
complete set of planned, required, and deployed security controls within an
information system or inherited by the system continue to be effective over time in light
of the inevitable changes that occur. Continuous monitoring is an important activity in
assessing the security impacts on an information system resulting from planned and
unplanned changes to the hardware, software, firmware, or environment of operation.
The Agency for Enterprise Information Technology Office of Information Security
(AEIT/OIS) highly recommends that agencies implement the best practices identified in
the Florida Information Technology Resource Security Policies and Standards,
71A1.001-.010, F.A.C., by formally developing a Continuous Monitoring Plan in
accordance with NIST Special Publication (SP) 800-37 Revision 1. Agencies must
categorize all systems, identify and resolve risks, develop low-level and moderate-level
system security plans, submit moderate-level systems for Security Authorization, perform
continuous monitoring, and conduct annual reviews of the effectiveness of all security
controls. This process, developed by NIST, is known as the Security Framework System
Development Lifecycle (SDLC).
1.2 Security Framework System Development Lifecycle (SDLC)
The process to comply with AEIT/OIS moderate-level system security is documented in
the Security Framework System Development Lifecycle in Figure 1. This SDLC
addresses the steps towards compliance with the Agency for Enterprise Information
Technology Office of Information Security (AEIT/OIS) directives on information
systems security and state and federal laws.
Risk Assessments (RA) are promulgated under the AEIT/OIS directives on information
systems security and the guidelines established by NIST Special Publication (SP) 800-30,
Risk Management Guide for Information Technology Systems. AEIT requires Scottish
Pride to implement a risk-based program for cost-effective Information Technology (IT).
All business processes operate with some level of risk and one of the most effective
ways to protect these business processes is through the implementation of effective
internal security controls, risk evaluation, and risk management (RM).
A risk assessment is required before initiating Step 1 of the Security Framework System
Development Lifecycle to establish a baseline indicating the risks to system resources
in the areas of Management, Operational, and Technical controls. Risks should be
assessed in the following areas: natural, environmental, human intentional and human
unintentional threats.
This plan only follows Step 8 in the Security Framework System Development
Lifecycle.
1.2.1
• Step 1: System categorization was performed prior to the development of the SSP
• Steps 2-3 will be completed in the development of the SSP
• Step 4: A comprehensive risk assessment will be performed by an independent
third-party assessor
• Step 5: The Certification and Accreditation package/approval will be performed by
an independent third-party authorizing authority identified by the CIO
Step 6 - Continuous Monitoring Plan
Step 6 is the development of the Continuous Monitoring Plan, which provides oversight
and monitoring of the security controls in the information system on an ongoing basis.
The Continuous Monitoring Plan also describes the Agency's procedural requirements
and responsibilities for implementing the NIST SP 800-53 Revision 2 CA-7 Continuous
Monitoring security control for the Scottish Pride information system.
Continuous Monitoring begins after the system has been certified and accredited for
operations, and the activities in this plan are performed continuously throughout the
life cycle of the information system. The plan informs the CIO when changes occur that
may have an impact on the security of the system. The continuous monitoring plan will
include:
• Continuous monitoring validation through spot checks, continuous scans, and
documentation updates
• Configuration management and control processes for the information system
• Security impact analysis on actual or proposed changes to the information system
• Assessment of selected security controls based on the continuous monitoring
strategy
• Security status reporting
1.3 Objective
The objective of the continuous monitoring plan is to develop a strategy and implement
a plan for the continuous monitoring of Scottish Pride Licensing Application (SPLA)
security control effectiveness taking into account any proposed/actual changes to the
information system or its environment of operation. Furthermore, the Continuous
Monitoring Plan should:
• Be integrated into the agency's SDLC processes
• Address the security impacts on information systems resulting from changes to
the hardware, software, firmware, or operational environment
• Provide an effective mechanism to update the SSP, RA reports, and POA&M
• Track the security state of the information system on a continuous basis
• Maintain the security authorization for the system over time in highly dynamic
environments of operation with changing threats, vulnerabilities, technologies,
and mission/business processes
1.4 Risk
Failure to meet compliance requirements may expose Scottish Pride to further security
issues. Furthermore, non-compliance with AEIT/OIS directives and Florida Statutes
creates a risk of losing critical program and system resource funding.
1.5 Benefits
With a compliant monitoring program, Scottish Pride becomes more efficient in their
operations, and most importantly, more secure. In addition to reaping the benefits of
strong controls and the ability to deliver continuous compliance with current and
emerging regulations, Scottish Pride will be able to:
• Reduce risk and cost, and increase efficiency
• Create a consistent, agency-wide view of the current security posture, creating
ties between program activities such as assessment and remediation and
showing business unit managers at all agency levels exactly where they stand in
addressing security issues
• Develop automated and integrated IT processes, reducing the burden on
administrative staff and improving business effectiveness
• Improve agency planning and strategic decision making
• Create and enforce configuration management standards, and identify
risks to all systems
Figure 1: Risk Management Framework (six-step cycle; the text of the figure is given below)
Step 1 - CATEGORIZE Information Systems (FIPS 199 / SP 800-60): define the category
of the information system according to the potential impact of loss
Step 2 - SELECT Security Controls (FIPS 200 / SP 800-53): select the minimum security
controls (i.e., safeguards and countermeasures) planned or in place to protect the
information system
Step 3 - IMPLEMENT Security Controls (SP 800 Series): implement security controls in
new or legacy information systems; implement security configuration checklists
Step 4 - ASSESS Security Controls (SP 800-53A): determine the extent to which the
security controls are implemented correctly, operating as intended, and producing the
desired outcome with respect to meeting security requirements
Step 5 - AUTHORIZE Information Systems (SP 800-37): determine the risk to operations,
assets, or individuals and, if acceptable, authorize information system processing
Step 6 - MONITOR Security Controls (SP 800-53A): continuously track changes to the
information system that may affect security controls and assess control effectiveness
2 REQUIREMENTS FOR CONTINUOUS MONITORING
Continuous Monitoring is composed of three tasks: (1) Configuration Management and
Control, (2) Security Control Monitoring, and (3) Status Reporting and Documentation.
The tasks can further be broken down into nine subtasks which are described below.
The goal of the Continuous Monitoring phase is to maintain SPLA’s authorization to
operate after certification and accreditation has been granted. This goal is achieved
through activities which provide ongoing, near-real time risk management and
operational security such as monitoring SPLA, ensuring SPLA operates in a secure
fashion and reporting status to appropriate Scottish Pride personnel.
2.1 Configuration Management and Control
Configuration Management and Control consists of developing SPLA’s monitoring
plan, monitoring SPLA for changes, and analyzing changes to determine security
impact. The System Owner shall implement the details of tasks involved in these
activities identified as:
• Subtask 1: Security Control Monitoring Strategy - Develop a strategy for the
continuous monitoring of security control effectiveness and any proposed/actual
changes in SPLA including hardware, software, firmware, and surrounding
environment
o Establish a strict configuration management process to support continuous
monitoring activities
o Define the methodology for conducting security impact analyses to determine
the extent to which proposed changes to SPLA or its operating environment
will affect the security state of SPLA
o Determine how many subsets of security controls will be assessed during the
authorization period, which security controls will be included in each subset,
and the schedule according to which the security control subsets will be
assessed
o Determine the tools that will be used in assessing security controls. For
example, Security Content Automation Protocol (SCAP)-validated products
should be used to verify whether the security configuration settings of
various products comply with government standards, guidance, and policies
o Document the continuous monitoring strategy
o Obtain approval for the continuous monitoring plan and strategy from the
CIO and ISM
• Subtask 2: System and Environment Changes - Analyze and document the
proposed or actual changes to SPLA (including hardware, software, firmware,
and surrounding environment) to determine the security impact of such changes
o Document any relevant information about proposed changes to the
hardware, software, and firmware components, SPLA’s operating
environment, or Scottish Pride’s policies, procedures, or guidance
o Document actual changes to SPLA collecting the same information as the
proposed changes so that the actual changes can be analyzed and appropriate
Scottish Pride personnel can determine whether or not the actual change can
remain in SPLA
• Subtask 3: Security Impact Analysis - Determine the security impact of the
proposed or actual changes to SPLA or the environment of operation in
accordance with the security control monitoring strategy
o Analyze each proposed/actual change to SPLA to determine what impact, if
any, the change has on the security posture of the system
o Monitor compliance of SPLA component’s configuration. If SPLA contains
information technology components for which there exists SCAP-validated
tools, those tools should be used to monitor the component’s configuration
o Document the results of the security impact analysis and share the results
with the Information System Security Officer (ISSO), Information Security
Manager (ISM), and Chief Information Officer (CIO) using an approved
format
o Determine if remediation actions or other changes to SPLA are necessary
based on the security impact analysis, determine the impacts of the actions or
other changes, and document them in the Plan of Action and Milestones
(POA&M)
o If the analysis determines that there is a significant change requiring
reaccreditation of SPLA, report SPLA security status to the ISSO, CIO and
ISM
The first step is to establish a security control monitoring strategy to select which
security controls to monitor and how to monitor them effectively. Selection of security
controls for monitoring should take into consideration the importance of the security
control to SPLA and Scottish Pride. Monitoring of security controls can be done in
three ways:
1. Automated processes – Vulnerability Scanners, Web Application Scanners, Patch
Management software, Security Information and Event Management software
and Information Security Automation Program (ISAP) / Security Content
Automation Protocol (SCAP) tools
2. IT management systems – Information Technology Infrastructure Library (ITIL),
Capability Maturity Model Integration (CMMI) or other change management
solutions
3. Periodic audits – Auditing of sets of security controls on a regular basis
When a new or proposed change is identified, Scottish Pride security staff should
provide feedback to the ISSO when changes could affect the security state. Effort spent
identifying and analyzing changes should be commensurate with the security priority
of SPLA and the risk system changes might incur. Documentation of SPLA changes
should inform the System Owner and also be reflected in System Security Plan (SSP)
updates, POA&M updates, and status reports to other appropriate Scottish Pride
personnel.
2.2 Security Control Monitoring
SPLA Security Control Monitoring consists of the ongoing processes of security control
assessment and remediation actions. When security controls are identified as being
ineffective, before or during the Continuous Monitoring phase, they must be remediated.
The remediation method used is the periodic review of a subset of system security
controls.
This method is a compliance requirement which can be simplified through good
documentation procedures and recognizing the best practices which achieve the goals
of Security Control Monitoring. The tasks involved in these activities are:
• Subtask 4: Ongoing Security Control Assessments - Assess a selected subset of
the security controls in SPLA or the environment of operation (including those
controls affected by changes to the system/environment) in accordance with the
continuous monitoring strategy
o The System Owner should:
- Assign responsibility for assessing a subset of security controls to an
assessor who has an appropriate level of independence as defined by the
CIO and the knowledge, skills, and abilities to complete the assessment
- Update the POA&M after the assessment has been completed based on
the updated security assessment report provided by the security control
assessor
o The security control assessor should:
- Develop the security assessment plan that defines the appropriate
procedures from NIST SP 800-53A to assess the security controls
- Obtain approval for the security assessment plan from the CIO
- Conduct the security assessment in accordance with the agreed-upon
procedures, personnel, milestones, and schedule
- Update the security assessment report with the information gained
during the assessment of the subset of security controls and submit it to
the System Owner, ISSO, and ISM
• Subtask 5: Ongoing Remediation Actions - Conduct remediation actions based
on the results of the selected security control assessments and outstanding items
in the POA&M. The System Owner should initiate remediation actions based on
the findings produced during the continuous monitoring assessments of the
security controls, the outstanding items listed in the POA&M, and the results of
performing the activities required by the system's security controls (e.g.,
vulnerability scanning, contingency plan testing, incident response handling).
The System Owner should:
o Consult with the ISSO, ISM, and CIO and review each assessor finding and
determine the severity or seriousness of the finding and whether the finding
is significant enough to be worthy of further investigation or remedial
action
o Determine the appropriate steps required to correct any identified
weaknesses or deficiencies that require remediation efforts, establish an
implementation plan and schedule for the defined actions, and update the
POA&M with the planned remediation actions
o Assess SPLA after the remediation actions have been completed to
determine if the security controls remain effective after changes have been
implemented
o Update the POA&M with the current status when a remediation action has
been successfully completed
The System Owner needs to revisit, on a regular basis, the risk management activities
described in the Risk Management Framework Figure 1 (Page 3) to ensure the selection
of security controls remains appropriate for SPLA. The System Owner should:
• Monitor events that occur throughout Scottish Pride and determine if those
events introduce or uncover new vulnerabilities or threats to SPLA
• Determine whether the selected security controls remain sufficient to protect the
information and SPLA assets against the newly identified vulnerabilities and
threats
• Reconfirm SPLA's impact level and security category and those of the
information processed, stored, or transmitted by SPLA, and determine if they
should be changed
• Consult with the ISSO, ISM, and CIO to determine if the authorization should be
updated
2.3 Status Reporting and Documentation
Status Reporting and Documentation consists of Critical Document Updates, Security
Status Reporting, Ongoing Risk Determination and Acceptance, and System Removal
and Decommissioning. The overall goal is to ensure that the documentation describing
the security status of SPLA does not become stale.
The POA&M is particularly important to keep current because it reflects a single aspect
of SPLA, the controls known to have been inadequate. The SSP should also be updated
on an ongoing basis to support the near real-time view of SPLA’s security posture.
When SPLA system status changes occur, they must be documented and presented to
the appropriate agency officials. Significant changes may require the ISSO to consider
whether the risk(s) presented requires reconsideration of the operating status of the
system. Additionally, these updates should be periodic and ensure all affected Scottish
Pride staff are aware of SPLA's status. Details of the tasks involved in these activities are:
• Subtask 6: Critical Document Updates - Update the SSP, security assessment
report, and POA&M based on the results of the continuous monitoring process.
Continuous monitoring provides System Owners with an effective tool for
producing ongoing updates to SSPs, security assessment reports, and POA&Ms.
These documents are critical to understanding and explicitly accepting risk on a
day-to-day basis. The System Owner should:
o Ensure that the security control assessor updates the security assessment
report with the results of the security control assessments conducted during
the continuous monitoring phase
o Update the SSP and POA&M to identify changes to SPLA, the operating
environment, the security controls, and the implementation of the SPLA’s
security controls
o Preserve the original version of the documents so that they are available for
oversight, management, security control assessments, and auditing purposes
o Share the updated documentation with others
• Subtask 7: Security Status Reporting - The System Owner should document the
results of the continuous monitoring activities in security status reports and
provide them to the ISSO, ISM, and CIO. The System Owner should:
o Describe the continuous monitoring activities and how the vulnerabilities
discovered during the security control assessments and security impact
analyses are being addressed
o Provide the security status reports to the ISSO, ISM, and CIO at appropriate
Scottish Pride defined frequencies
• Subtask 8: Ongoing Risk Determination and Acceptance - Periodically review
the reported security status of SPLA and determine whether the risk to Scottish
Pride operations and assets, individuals, other organizations, or the Nation
remains acceptable. The System Owner should provide sufficient information to
the ISSO, ISM, and CIO for them to be able to make appropriate reauthorization
decisions. The ISSO, ISM, and CIO should:
o Review the updated security assessment report, SSP, POA&M, and security
status reports to determine whether the risk to the information and SPLA
remains acceptable
o Determine whether SPLA requires reauthorization
o Document the decision and forward it to the System Owner for appropriate
action
• Subtask 9: System Removal and Decommissioning - Implement a Scottish
Pride-approved SPLA decommissioning strategy, when needed, which executes the
required actions when SPLA is removed from service. When SPLA is removed
from operation, the System Owner should ensure that all security controls
addressing SPLA decommissioning are implemented. The System Owner
should:
o Determine a decommissioning strategy for SPLA when SPLA is no longer
needed by Scottish Pride
o Keep users and application owners served by the decommissioned SPLA or
system components informed about the decommissioning activities and any
issues associated with their information or applications
o Sanitize or destroy SPLA components in accordance with applicable
regulations and guidance to remove system information from SPLA media so
that there is reasonable assurance that the information cannot be retrieved or
reconstructed
o Update Scottish Pride’s tracking and management systems to identify the
specific SPLA components that are being removed from the inventory
o Record the decommissioned status of SPLA in the SSP and distribute the
document to appropriate individuals or agencies
3 SECURITY CONTROLS MONITORING
The following schedule in Table 1 shall be established by the System Owner for
continuous monitoring security control assessment to ensure that all controls requiring
assessment are covered and that all controls are assessed at least once during the
three-year accreditation cycle.
• Year 1 – Full accreditation, all security controls assessed
• Year 2 – All security controls required to be assessed annually (see Appendix B),
plus a subset of the remaining security controls (see Appendix C), must be
assessed
• Year 3 – All security controls required to be assessed annually (see Appendix B),
plus the subset of security controls (see Appendix D) that were not assessed
during Year 2, must be assessed
As it is not feasible or cost-effective to monitor all of the security controls in SPLA on a
continuous basis, an appropriate subset of those controls for the annual assessment
shall be selected. The selection of a subset of security controls for continuous
monitoring assessment includes the following considerations:
• Annual Security Control Requirements – Those security controls that require
annual assessment as identified by NIST SP 800-53
• Significant changes to SPLA – A significant change to SPLA, or its operating
environment, may introduce new security vulnerabilities and may require a
more frequent assessment of select security controls
• External Influences – Activities outside the direct control of SPLA which may
impact security posture. Examples may include, but are not limited to,
organizational changes, new or modified policies, and newly identified threats or
vulnerabilities
• Scottish Pride Requirements – Those security controls that Scottish Pride deems
essential to protecting SPLA may require increased attention and more frequent
assessment
• Plan of Action and Milestone (POA&M) Items – New or modified security
controls, implemented to remediate identified weaknesses, should be assessed
for effectiveness
Table 1: SPLA Security Controls Assessment
Control
Number
Control Name
Frequency
Access Control (AC)
AC-1
Access Control Policy and Procedures
Year 1
AC-2
Account Management
Year 1
AC-3
Access Enforcement
Year 1
Year 2
AC-4
Information Flow Enforcement
Year 1
Year 2
AC-5
Separation of Duties
Year 1
Year 3
AC-6
Least Privilege
Year 1
Year 3
AC-7
Unsuccessful Logon Attempts
Year 1
AC-8
System Use Notification
Year 1
Year 3
AC-11
Session Lock
Year 1
Year 3
AC-12
Session Termination
Year 1
Year 3
AC-13
Supervision and Review – Access Control
Year 1
AC-14
Permitted Actions w/o Identification or
Authentication
Year 1
AC-17
Remote Access
Year 1
AC-18
Wireless Access Restrictions
Year 1
Year 3
AC-19
Access Control for Portable and Mobile
Systems
Year 1
Year 3
AC-20
Use of External Information Systems
Year 1
Page 14 of 20
Year 2
Annual
Annual
Annual
Year 2
Annual
Year 2
Scottish Pride
Scottish Pride Licensing Application
Continuous Monitoring Plan
Office of Information Services
Awareness and Training (AT)
AT-1
Security Awareness and Training Policies
and Procedures
Year 1
Year 2
AT-2
Security Awareness
Year 1
Annual
AT-3
Security Training
Year 1
Annual
AT-4
Security Training Records
Year 1
Year 2
Audit and Accountability (AU)
AU-1
Audit and Accountability Policy and
Procedures
Year 1
Year 2
AU-2
Auditable Events
Year 1
Annual
AU-3
Content of Audit Records
Year 1
Annual
AU-4
Audit Storage Capacity
Year 1
Annual
AU-5
Response to Audit Processing Failures
Year 1
Annual
AU-6
Audit Monitoring, Analysis, and Reporting
Year 1
Annual
AU-7
Audit Reduction and Report Generation
Year 1
Annual
AU-8
Time Stamps
Year 1
Year 2
AU-9
Protection of Audit Information
Year 1
Year 2
AU-11
Audit Retention
Year 1
Annual
Certification, Accreditation, and Security Assessments (CA)
CA-1
Certification, Accreditation, and Security
Assessment Policies and Procedures
Year 1
Year 2
CA-2
Security Assessments
Year 1
Year 2
CA-3
Information System Connections
Year 1
Year 2
CA-4
Security Certification
Year 1
Year 2
CA-5
Plan of Action and Milestones
Year 1
Year 2
CA-6
Security Accreditation
Year 1
CA-7
Continuous Monitoring
Year 1
Year 3
Year 2
Configuration Management (CM)
CM-1
Configuration Management Policy and
Procedures
Year 1
CM-2
Baseline Configuration
Year 1
Annual
CM-3
Configuration Change Control
Year 1
Annual
CM-4
Monitoring Configuration Changes
Year 1
Annual
CM-5
Access Restrictions for Change
Year 1
Annual
CM-6
Configuration Settings
Year 1
Annual
Page 15 of 20
Year 2
Scottish Pride
Scottish Pride Licensing Application
Continuous Monitoring Plan
Office of Information Services
CM-7
Least Functionality
Year 1
Annual
CM-8
Information System Component Inventory
Year 1
Annual
Contingency Planning (CP)
CP-1
Contingency Management Policy and
Procedures
Year 1
Year 2
CP-2
Contingency Plan
Year 1
Annual
CP-3
Contingency Training
Year 1
Annual
CP-4
Contingency Plan Testing and Exercises
Year 1
Annual
CP-5
Contingency Plan Updates
Year 1
Annual
CP-6
Alternate Storage Sites
Year 1
Annual
CP-7
Alternate Processing Sites
Year 1
Annual
CP-8
Telecommunication Services
Year 1
Annual
CP-9
Information System Backup
Year 1
Annual
CP-10
Information System Recovery and
Reconstitution
Year 1
Annual
Identification and Authentication (IA)
IA-1
Identification and Authentication Policy
and Procedures
Year 1
Year 2
IA-2
User Identification and Authentication
Year 1
IA-3
Device Identification and Authentication
Year 1
IA-4
Identifier Management
Year 1
Annual
IA-5
Authenticator Management
Year 1
Annual
IA-6
Authenticator Feedback
Year 1
Annual
Year 3
Year 2
Incident Response (IR)
IR-1
Incident Response Policy and Procedures
Year 1
IR-2
Incident Response Training
Year 1
IR-3
Incident Response Testing and Exercises
Year 1
Year 2
IR-4
Incident Handling
Year 1
Year 2
IR-5
Incident Monitoring
Year 1
Annual
IR-6
Incident Reporting
Year 1
Annual
IR-7
Incident Response Assistance
Year 1
Page 16 of 20
Year 2
Annual
Year 2
Scottish Pride
Scottish Pride Licensing Application
Continuous Monitoring Plan
Office of Information Services
Maintenance (MA)
MA-1
System Maintenance Policy and Procedures
Year 1
Year 2
MA-2
Controlled Maintenance
Year 1
Annual
MA-3
Maintenance Tools
Year 1
Annual
MA-4
Remote Maintenance
Year 1
Annual
MA-5
Maintenance Personnel
Year 1
Annual
MA-6
Timely Maintenance
Year 1
Annual
Media Protection (MP)
MP-1   Media Protection Policy and Procedures                             Year 1    Year 2
MP-2   Media Access                                                       Year 1    Year 3
MP-4   Media Storage                                                      Year 1    Year 3
MP-5   Media Transport                                                    Year 1    Annual
MP-6   Media Sanitization and Disposal                                    Year 1    Annual
Physical and Environmental Protection (PE)
PE-1   Physical and Environmental Protection Policy and Procedures        Year 1    Year 2
PE-2   Physical Access Authorizations                                     Year 1    Annual
PE-3   Physical Access Control                                            Year 1    Annual
PE-5   Access Control for Display Medium                                  Year 1    Year 2
PE-6   Monitoring Physical Access                                         Year 1    Annual
PE-7   Visitor Control                                                    Year 1    Annual
PE-8   Access Records                                                     Year 1    Year 2
PE-9   Power Equipment and Power Cabling                                  Year 1    Year 2
PE-10  Emergency Shutoff                                                  Year 1    Year 2
PE-11  Emergency Power                                                    Year 1    Year 2
PE-12  Emergency Lighting                                                 Year 1    Annual
PE-13  Fire Protection                                                    Year 1    Annual
PE-14  Temperature and Humidity Controls                                  Year 1    Annual
PE-16  Delivery and Removal                                               Year 1    Annual
PE-17  Alternate Work Site                                                Year 1    Year 3
PE-18  Location of Information System Components                          Year 1    Year 2
Planning (PL)
PL-1   Security Planning Policy and Procedures                            Year 1    Year 2
PL-2   System Security Plan                                               Year 1    Year 3
PL-3   System Security Plan Update                                        Year 1    Year 2
PL-4   Rules of Behavior                                                  Year 1    Annual
PL-5   Privacy Impact Assessment                                          Year 1    Year 3
PL-6   Security Related Activity Planning                                 Year 1    Annual
Personnel Security (PS)
PS-1   Personnel Security Policy and Procedures                           Year 1    Year 2
PS-2   Position Categorization                                            Year 1    Year 3
PS-3   Personnel Screening                                                Year 1    Annual
PS-4   Personnel Termination                                              Year 1    Annual
PS-5   Personnel Transfer                                                 Year 1    Annual
PS-6   Access Agreements                                                  Year 1    Annual
PS-7   Third-Party Personnel Security                                     Year 1    Annual
PS-8   Personnel Sanctions                                                Year 1    Year 3
Risk Assessment (RA)
RA-1   Risk Assessment Policy and Procedures                              Year 1    Year 2
RA-2   Security Categorization                                            Year 1    Year 3
RA-3   Risk Assessment                                                    Year 1    Year 3
RA-4   Risk Assessment Update                                             Year 1    Year 3
RA-5   Vulnerability Scanning                                             Year 1    Year 2
System and Services Acquisition (SA)
SA-1   System and Services Acquisition Policy and Procedures              Year 1    Year 2
SA-2   Allocation of Resources                                            Year 1    Year 2
SA-3   Life Cycle Support                                                 Year 1    Year 2
SA-4   Acquisitions                                                       Year 1    Annual
SA-5   Information System Documentation                                   Year 1    Year 2
SA-6   Software Usage Restrictions                                        Year 1    Year 2
SA-7   User Installed Software                                            Year 1    Annual
SA-8   Security Engineering Principles                                    Year 1    Year 2
SA-9   External Information System Services                               Year 1    Year 3
SA-11  Developer Security Testing                                         Year 1    Year 3
System and Communications Protection (SC)
SC-1   System and Communications Protection Policy and Procedures         Year 1    Year 2
SC-2   Application Partitioning                                           Year 1    Year 2
SC-4   Information Remnance                                               Year 1    Year 3
SC-5   Denial of Service Protection                                       Year 1    Annual
SC-7   Boundary Protection                                                Year 1    Annual
SC-8   Transmission Integrity                                             Year 1    Annual
SC-9   Transmission Confidentiality                                       Year 1    Year 3
SC-10  Network Disconnect                                                 Year 1    Year 3
SC-14  Public Access Protections                                          Year 1    Year 3
SC-17  Public Key Infrastructure Certificates                             Year 1    Year 3
SC-18  Mobile Code                                                        Year 1    Year 2
SC-19  Voice Over Internet Protocol                                       Year 1    Year 2
SC-20  Secure Name/Address Resolution Service (Authoritative Source)      Year 1    Year 2
SC-22  Architecture and Provisioning for Name/Address Resolution Service  Year 1    Year 2
SC-23  Session Authenticity                                               Year 1    Annual
System and Information Integrity (SI)
SI-1   System and Information Integrity Policy and Procedures             Year 1    Year 2
SI-2   Flaw Remediation                                                   Year 1    Annual
SI-3   Malicious Code Protection                                          Year 1    Year 3
SI-4   Information System Monitoring Tools and Techniques                 Year 1    Annual
SI-5   Security Alerts and Advisories                                     Year 1    Annual
SI-8   Spam and Spyware Protection                                        Year 1    Year 3
SI-9   Information Input Restrictions                                     Year 1    Year 3
SI-10  Information Input Accuracy, Completeness, and Validity             Year 1    Annual
SI-11  Error Handling                                                     Year 1    Annual
SI-12  Output Handling and Retention                                      Year 1    Annual
Additional Security Controls
       Any critical volatile security controls, as determined by the System Owner                      Annual
       Agency security controls identified by the CIO, and/or additional SPLA security controls
       the CIO designates for annual assessment                                                        Annual
APPENDIX A – RESPONSIBILITIES

Title: System Owner
Role: Monitor
Responsibilities:
• May designate a representative to perform continuous monitoring security control
  assessments as required for the annual report to the CIO
• Develop and document a continuous monitoring strategy for their information systems
• Be responsible for continuous monitoring security control assessment activities
• Ensure resources are provided for the continuous monitoring security control
  assessment activities for SPLA
• Report to the ISSO any significant changes made to SPLA that may cause an impact to
  the security status and require a reaccreditation of SPLA
• Participate in the agency’s configuration management process
• Establish and maintain an inventory of SPLA’s components
• Conduct security impact analyses on all changes to SPLA
• Conduct security assessments of security controls according to their continuous
  monitoring strategies
• Prepare and submit security status reports at the monthly
• Conduct remediation activities as necessary to maintain the current authorization status
• Update the selection of security controls for SPLA when events occur that indicate the
  baseline set of security controls is no longer adequate to protect SPLA
• Update critical security documents on a regular basis

Title: Information Systems Security Officer (ISSO)
Role: Supporter
Responsibilities:
• Provide oversight to continuous monitoring security control assessment activities for
  SPLA, ensuring completion and reporting no later than July 31st of each fiscal year
• Provide an assessment and recommendation to the System Owner and CIO as to the need
  for reaccreditation as a result of a reported or identified significant change to SPLA
• Participate in the formal configuration management process

Title: Information Security Manager (ISM)
Role: Overseer
Responsibilities:
• Support the information owner on the continuous monitoring security control
  assessment procedures to complete security responsibilities
• Ensure Agency annual security controls are certified annually
• Prepare and submit Agency metrics on continuous monitoring security control
  assessments as required for the annual Scottish Pride report satisfying auditing
  requirements
• Participate in the formal configuration management process
Title: Chief Information Officer (CIO)
Role: Leader
Responsibilities:
• Ensure an effective continuous monitoring program is established for the organization
• Establish expectations/requirements for the agency’s continuous monitoring process
• Provide funding, personnel, and other resources to support continuous monitoring
• Maintain high-level communications and working group relationships among agency
  entities
• Ensure that information systems are covered by an approved security plan, are authorized
  to operate, and are monitored throughout the system development life cycle
• Ensure completion of continuous monitoring security control assessments on SPLA
• Ensure Scottish Pride CIO designated and/or common security controls are certified
  annually
• Determine whether a significant change to SPLA requires reaccreditation and advise the
  ISSO and ISM of such a decision
• Review reported SPLA security weaknesses identified during the continuous monitoring
  security control assessment activities

Title: User
Role: Advisor
Responsibilities:
• Identify changes to mission, business, or operational security requirements
• Report any weaknesses in, or new requirements for, SPLA operations
• Submit and justify system change requests through the agency’s formal configuration
  management process

Title: Operations Manager (GeoSol)
Role: Supporter
Responsibilities:
• Support the information owner/information System Owner to complete security
  responsibilities
• Participate in the formal configuration management process
APPENDIX B – ANNUAL REQUIRED SECURITY CONTROLS
The following security controls should be monitored annually:
Access Controls (AC)
AC-2
Account Management: Scottish Pride manages information system accounts, including
establishing, activating, modifying, reviewing, disabling, and removing accounts. Scottish
Pride reviews information system accounts annually.
AC-7
Unsuccessful Logon Attempts: The information system enforces a limit of three
consecutive invalid access attempts by a user during a 30-minute period. When that limit
is exceeded, the information system automatically locks the account/node for 30 minutes
on low-impact systems, or until an appropriate security administrator manually unlocks the
account on moderate- and high-impact systems.
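The AC-7 rule above has three moving parts that are easy to get wrong in an implementation: the failure count only covers consecutive failures inside a 30-minute window, a locked account must refuse even a correct credential, and the unlock behaviour differs by impact level. The following Python is an added example, not code from the SPLA plan or its vendor; it assumes the lock is applied on the third consecutive failure (so the fourth attempt is what gets refused), that "low", "moderate" and "high" are the system's impact rating, and uses constructed account names and timestamps.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                       # consecutive invalid attempts permitted (AC-7)
WINDOW = timedelta(minutes=30)         # failures older than this no longer count
LOCK_DURATION = timedelta(minutes=30)  # automatic unlock period on low-impact systems


class LockoutPolicy:
    """Enforces the AC-7 lockout rule for one system of a given impact level.

    impact 'low': the lock expires on its own after LOCK_DURATION.
    impact 'moderate' or 'high': the lock stays until admin_unlock() is called.
    """

    def __init__(self, impact):
        if impact not in ("low", "moderate", "high"):
            raise ValueError("impact must be 'low', 'moderate' or 'high'")
        self.impact = impact
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_at = {}                 # account -> time the lock was applied

    def _reset(self, account):
        self.locked_at.pop(account, None)
        self.failures[account].clear()

    def is_locked(self, account, now):
        locked = self.locked_at.get(account)
        if locked is None:
            return False
        if self.impact == "low" and now - locked >= LOCK_DURATION:
            self._reset(account)            # low-impact: the lock times out
            return False
        return True

    def record_attempt(self, account, success, now):
        """Evaluate one logon attempt: 'locked', 'allowed', 'failed' or 'lockout'.

        A locked account is refused even when the credential is correct.
        """
        if self.is_locked(account, now):
            return "locked"
        recent = self.failures[account]
        if success:
            recent.clear()                  # a success breaks the 'consecutive' run
            return "allowed"
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                # drop failures outside the 30-minute window
        if len(recent) >= MAX_FAILURES:
            self.locked_at[account] = now
            return "lockout"
        return "failed"

    def admin_unlock(self, account):
        """Manual unlock by a security administrator (the only way out on moderate/high)."""
        self._reset(account)


def replay(impact, attempts):
    """Run a constructed sequence of (account, success, minutes_after_start) attempts."""
    policy = LockoutPolicy(impact)
    start = datetime(2013, 5, 28, 9, 0)    # arbitrary base time for the sample data
    return [policy.record_attempt(acct, ok, start + timedelta(minutes=m))
            for acct, ok, m in attempts]


def admin_unlock_demo():
    """Three failures on a high-impact system, then an administrator unlocks the account."""
    policy = LockoutPolicy("high")
    start = datetime(2013, 5, 28, 9, 0)
    outcomes = [policy.record_attempt("dave", False, start + timedelta(minutes=i))
                for i in range(3)]
    # hours later the correct credential is still refused: no automatic unlock
    outcomes.append(policy.record_attempt("dave", True, start + timedelta(hours=5)))
    policy.admin_unlock("dave")
    outcomes.append(policy.record_attempt("dave", True, start + timedelta(hours=5, minutes=1)))
    return outcomes


if __name__ == "__main__":
    sample = [("alice", False, 0), ("alice", False, 5), ("alice", False, 10),
              ("alice", True, 11), ("alice", True, 41)]
    print("low:     ", replay("low", sample))
    print("moderate:", replay("moderate", sample))
    print("admin:   ", admin_unlock_demo())
```

Because the lock is keyed on the account name, anyone who knows valid usernames can lock them out by sending three bad passwords; the lockout events therefore belong in the auditable events of AU-2 so that AU-6 review can spot a burst of lockouts as an attack rather than user error.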
AC-13
Supervision and Review—Access Control: Scottish Pride supervises and reviews the
activities of users with respect to the enforcement and usage of information system access
controls.
AC-17
Remote Access: Scottish Pride documents, monitors, and controls all methods of remote
access (e.g., dial-up, Internet) to the information system including remote access for
privileged functions. Appropriate Scottish Pride officials authorize each remote access
method for the information system and authorize only the necessary users for each access
method.
Awareness and Training (AT)
AT-2
Security Awareness: Scottish Pride ensures all users (including managers and senior
executives) are exposed to basic information system security awareness materials before
authorizing access to the system and at least annually thereafter.
AT-3
Security Training: Scottish Pride identifies personnel with significant information system
security roles and responsibilities, documents those roles and responsibilities, and
provides appropriate information system security training before authorizing access to the
system and each year thereafter.
Audit and Accountability (AU)
AU-2
Auditable Events: The information system generates audit records for events identified in
the Scottish Pride IT Security Handbook.
AU-3
Content of Audit Records: The information system captures sufficient information in
audit records to establish what events occurred, the sources of the events, and the
outcomes of the events.
AU-4
Audit Storage Capacity: Scottish Pride allocates sufficient audit record storage capacity
and configures auditing to prevent such capacity being exceeded.
AU-5
Response to Audit Processing Failures: In the event of an audit failure or audit storage
capacity being reached, the information system alerts appropriate Scottish Pride officials
and takes one of the following additional actions, as defined for the system:
• Shut down the system
• Overwrite the oldest audit records
• Stop generating audit records
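The three actions are alternatives, and the choice decides what survives a full audit store: overwriting keeps the system up but destroys the oldest evidence, stopping keeps old evidence but leaves new activity unrecorded, and shutting down is the only option under which nothing happens unaudited. As an added illustration (not code from the SPLA plan), the Python below models a fixed-capacity audit store that applies one configured action and alerts officials, with an early-warning threshold at 75% of capacity, an assumption the plan does not state, so that the AU-4 capacity is not silently exceeded. Record contents and capacities are constructed sample values.

```python
from collections import deque


class AuditStore:
    """Fixed-capacity audit trail that applies one AU-5 failure action when full.

    action 'overwrite': discard the oldest record to store the new one
    action 'stop':      keep what is stored and discard new records
    action 'shutdown':  halt the system; nothing further is accepted until reset
    `alert` is called with a message at the warning level and again when capacity is reached.
    """

    ACTIONS = ("overwrite", "stop", "shutdown")

    def __init__(self, capacity, action, alert, warn_fraction=0.75):
        if action not in self.ACTIONS:
            raise ValueError(f"action must be one of {self.ACTIONS}")
        if not 0 < warn_fraction < 1:
            raise ValueError("warn_fraction must lie strictly between 0 and 1")
        self.capacity = capacity
        self.action = action
        self.alert = alert                           # callable(message) -> notifies officials
        self.warn_level = max(1, int(capacity * warn_fraction))
        self.records = deque()
        self.dropped = 0                             # records refused or overwritten
        self.halted = False
        self._warned = False
        self._full_alerted = False

    def write(self, record):
        """Store one record; True if kept, False if discarded.

        Raises RuntimeError once the 'shutdown' action has halted the system.
        """
        if self.halted:
            self.dropped += 1
            raise RuntimeError("audit subsystem halted: storage capacity exhausted")
        if len(self.records) < self.capacity:
            self.records.append(record)
            if not self._warned and len(self.records) >= self.warn_level:
                self._warned = True          # early warning: act before AU-4 capacity is hit
                self.alert(f"audit storage at {len(self.records)}/{self.capacity}")
            return True
        if not self._full_alerted:
            self._full_alerted = True
            self.alert(f"audit storage capacity ({self.capacity}) reached; action={self.action}")
        self.dropped += 1
        if self.action == "overwrite":
            self.records.popleft()           # oldest evidence is lost
            self.records.append(record)
            return True
        if self.action == "stop":
            return False                     # new activity goes unrecorded
        self.halted = True                   # 'shutdown': availability is sacrificed
        raise RuntimeError("audit subsystem halted: storage capacity exhausted")


def run_demo(action, capacity=4, events=6):
    """Feed constructed logon records into a small store and report what survived."""
    alerts = []
    store = AuditStore(capacity, action, alerts.append)
    outcomes = []
    for seq in range(events):
        try:
            outcomes.append(store.write({"event": "logon", "seq": seq}))
        except RuntimeError:
            outcomes.append(None)
    return {
        "outcomes": outcomes,
        "kept": [r["seq"] for r in store.records],
        "dropped": store.dropped,
        "alerts": len(alerts),
        "halted": store.halted,
    }


if __name__ == "__main__":
    for action in AuditStore.ACTIONS:
        print(action, run_demo(action))
```

With four slots and six events, 'overwrite' ends holding records 2-5, 'stop' holds 0-3 and refuses the last two, and 'shutdown' holds 0-3 but the system is halted; in every case two alerts are raised, one at the warning level and one at capacity. The AU-11 one-year retention requirement is what makes 'overwrite' the least attractive choice for a moderate or high system.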
AU-6
Audit Monitoring, Analysis, and Reporting: Scottish Pride regularly reviews/analyzes
audit records for indications of inappropriate or unusual activity, investigates suspicious
activity or suspected violations, reports findings to appropriate officials, and takes
necessary actions.
AU-7
Audit Reduction and Report Generation: The information system provides an audit
reduction and report generation capability.
AU-11
Audit Retention: Scottish Pride retains audit logs in accordance with Scottish Pride
records retention policies, but at least for one year for high and moderate systems to
provide support for after-the-fact investigations of security incidents and to meet
regulatory and Scottish Pride information retention requirements.
Configuration Management (CM)
CM-2
Baseline Configuration: Scottish Pride develops, documents, and maintains a current,
baseline configuration of the information system and an inventory of the system’s
constituent components.
CM-3
Configuration Change Control: Scottish Pride documents and controls changes to the
information system. Appropriate Scottish Pride officials approve information system
changes in accordance with Scottish Pride policies and procedures.
CM-4
Monitoring Configuration Changes: Scottish Pride monitors changes to the information
system and conducts security impact analyses to determine the effects of the changes.
CM-5
Access Restrictions for Change: Scottish Pride enforces access restrictions associated with
changes to the information system.
CM-6
Configuration Settings: Scottish Pride configures the security settings of information
technology products to the most restrictive mode consistent with information system
operational requirements.
CM-7
Least Functionality: Scottish Pride configures the information system to provide only
essential capabilities and specifically prohibits and/or restricts the use of any protocol or
service that is not explicitly permitted.
CM-8
Information System Component Inventory: Scottish Pride develops, documents, and
maintains a current inventory of the components of the information system and relevant
ownership information.
Contingency Planning (CP)
CP-1
Contingency Planning Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented, contingency planning policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the contingency planning
policy and associated contingency planning controls.
CP-2
Contingency Plan: Scottish Pride develops and implements a contingency plan for the
information system addressing contingency roles, responsibilities, assigned individuals
with contact information, and activities associated with restoring the system after a
disruption or failure. Designated officials within Scottish Pride review and approve the
contingency plan and distribute copies of the plan to key contingency personnel.
CP-3
Contingency Training: Scottish Pride trains personnel in their contingency roles and
responsibilities with respect to the information system and provides refresher training
annually.
CP-4
Contingency Plan Testing and Exercises: Scottish Pride tests the contingency plan for the
information system at least annually to determine the plan’s effectiveness and Scottish
Pride’s readiness to execute the plan. Systems rated as high shall be tested at the
alternate processing site. Appropriate officials within Scottish Pride review the
contingency plan test results and initiate corrective actions.
CP-5
Contingency Plan Update: Scottish Pride reviews the contingency plan for the information
system once per year and revises the plan to address system/organizational changes or
problems encountered during plan implementation, execution, or testing.
CP-6
Alternate Storage Sites: Scottish Pride identifies an alternate storage site and initiates
necessary agreements to permit the storage of information system backup information.
CP-7
Alternate Processing Site: Scottish Pride identifies an alternate processing site and initiates
necessary agreements to permit the resumption of information system operations for
critical mission/business functions within 24 hours when the primary processing
capabilities are unavailable.
CP-8
Telecommunications Services: Scottish Pride identifies primary and alternate
telecommunications services to support the information system and initiates necessary
agreements to permit the resumption of system operations for critical mission/business
functions within 24 hours when the primary telecommunications capabilities are
unavailable.
CP-9
Information System Backup: Scottish Pride conducts backups of user-level and system-level
information (including system state information) contained in the information system
according to backup schedules documented in the system contingency plan and stores
backup information at an appropriately secured location.
CP-10
Information System Recovery and Reconstitution: Scottish Pride employs mechanisms
with supporting procedures to allow the information system to be recovered and
reconstituted to the system’s original state after a disruption or failure.
Identification and Authentication (IA)
IA-4
Identifier Management: Scottish Pride manages user identifiers by: (1) uniquely
identifying each user; (2) verifying the identity of each user; (3) receiving authorization to
issue a user identifier from an appropriate Scottish Pride official; (4) ensuring that the user
identifier is issued to the intended party; (5) disabling user identifier after 30 days of
inactivity; and (6) archiving user identifiers.
IA-5
Authenticator Management: Scottish Pride manages information system authenticators
(e.g., tokens, PKI certificates, biometrics, passwords, key cards) by: (1) defining initial
authenticator content; (2) establishing administrative procedures for initial authenticator
distribution, for lost/compromised, or damaged authenticators, and for revoking
authenticators; and (3) changing default authenticators upon information system
installation.
IA-6
Authenticator Feedback: The information system provides feedback to a user during an
attempted authentication and that feedback does not compromise the authentication
mechanism.
Incident Response (IR)
IR-2
Incident Response Training: Scottish Pride trains personnel in their incident response
roles and responsibilities with respect to the information system and provides refresher
training at least annually.
IR-5
Incident Monitoring: Scottish Pride tracks and documents information system security
incidents on an ongoing basis.
IR-6
Incident Reporting: Scottish Pride promptly reports incident information to appropriate
authorities.
Maintenance (MA)
MA-2
Controlled Maintenance: Scottish Pride schedules, performs, and documents routine
preventative and regular maintenance on the components of the information system in
accordance with manufacturer or vendor specifications and/or Scottish Pride
requirements.
MA-3
Maintenance Tools: Scottish Pride approves, controls, and monitors the use of information
system maintenance tools and maintains the tools on an ongoing basis.
MA-4
Remote Maintenance: Scottish Pride approves, controls, and monitors remotely executed
maintenance and diagnostic activities.
MA-5
Maintenance Personnel: Scottish Pride maintains a list of personnel authorized to perform
maintenance on the information system. Only authorized personnel perform maintenance
on the information system.
MA-6
Timely Maintenance: Scottish Pride obtains maintenance support and spare parts within
48 hours of failure.
Media Protection (MP)
MP-5
Media Transport: Scottish Pride controls information system media (paper and electronic)
and restricts the pickup, receipt, transfer, and delivery of such media to authorized
personnel.
MP-6
Media Sanitization and Disposal: Scottish Pride sanitizes information system digital
media using approved equipment, techniques, and procedures. Scottish Pride tracks,
documents, and verifies media sanitization actions and periodically tests sanitization
equipment/procedures to ensure correct performance.
Physical and Environmental Protection (PE)
PE-2
Physical Access Authorizations: Scottish Pride develops and keeps current lists of
personnel with authorized access to facilities containing information systems (except for
those areas within the facilities officially designated as publicly accessible) and issues
appropriate authorization credentials (e.g., badges, identification cards, smart cards).
Designated officials within Scottish Pride review and approve the access list and
authorization credentials once a year.
PE-3
Physical Access Control: Scottish Pride controls all physical access points (including
designated entry/exit points) to facilities containing information systems (except for those
areas within the facilities officially designated as publicly accessible) and verifies
individual access authorizations before granting access to the facilities. Scottish Pride also
controls access to areas officially designated as publicly accessible, as appropriate, in
accordance with Scottish Pride’s assessment of risk.
PE-6
Monitoring Physical Access: Scottish Pride monitors physical access to information
systems to detect and respond to incidents.
PE-7
Visitor Control: Scottish Pride controls physical access to information systems by
authenticating visitors before authorizing access to facilities or areas other than areas
designated as publicly accessible.
PE-12
Emergency Lighting: Scottish Pride employs and maintains automatic emergency lighting
systems that activate in the event of a power outage or disruption and that cover
emergency exits and evacuation routes.
PE-13
Fire Protection: Scottish Pride employs and maintains fire suppression and detection
devices/systems that can be activated in the event of a fire.
PE-14
Temperature and Humidity Controls: Scottish Pride monitors the temperature and humidity
within facilities containing information systems and regularly maintains them within
acceptable levels.
PE-16
Delivery and Removal: Scottish Pride controls information system-related items (i.e.,
hardware, firmware, software) entering and exiting the facility and maintains appropriate
records of those items.
Planning (PL)
PL-3
System Security Plan Update: Scottish Pride reviews the security plan for the information
system annually and revises the plan to address system/organizational changes or
problems identified during plan implementation or security control assessments.
PL-4
Rules of Behavior: Scottish Pride establishes and makes readily available to all
information system users a set of rules that describes their responsibilities and expected
behavior with regard to information system usage. Scottish Pride receives signed
acknowledgement from users indicating that they have read, understand, and agree to
abide by the rules of behavior, before authorizing access to the information system.
PL-6
Security-Related Activity Planning: Scottish Pride plans and coordinates security-related
activities affecting the information system before conducting such activities in order to
reduce the impact on Scottish Pride operations (i.e., mission, functions, image, and
reputation), Scottish Pride assets, and individuals.
Personnel Security (PS)
PS-3
Personnel Screening: Scottish Pride screens individuals requiring access to Scottish Pride
information and information systems before authorizing access.
PS-4
Personnel Termination: When employment is terminated, Scottish Pride terminates
information system access, conducts exit interviews, ensures the return of all Scottish Pride
information system-related property (e.g., keys, identification cards, building passes), and
ensures that appropriate personnel have access to official records created by the terminated
employee that are stored on Scottish Pride information systems.
PS-5
Personnel Transfer: Scottish Pride reviews information systems/facilities access
authorizations when individuals are reassigned or transferred to other positions within
Scottish Pride and initiates appropriate actions (e.g., reissuing keys, identification cards,
building passes; closing old accounts and establishing new accounts; and changing system
access authorizations).
PS-6
Access Agreements: Scottish Pride completes appropriate access agreements (e.g.,
nondisclosure agreements, acceptable use agreements, rules of behavior, conflict-of-interest
agreements) for individuals requiring access to Scottish Pride information and information
systems before authorizing access.
PS-7
Third-Party Personnel Security: Scottish Pride establishes personnel security requirements
for third-party providers (e.g., service bureaus, contractors, and other organizations
providing information system development, information technology services, outsourced
applications, network and security management) and monitors provider compliance to
ensure adequate security.
System and Services Acquisition (SA)
SA-4
Acquisitions: Scottish Pride includes security requirements and/or security specifications,
either explicitly or by reference, in information system acquisition contracts based on an
assessment of risk.
SA-7
User Installed Software: Scottish Pride enforces explicit rules governing the downloading
and installation of software by users.
System and Communications Protection (SC)
SC-4
Information Remnance: The information system prevents unauthorized and unintended
information transfer via shared system resources.
SC-7
Boundary Protection: The information system monitors and controls communications at
the external boundary of the information system and at key internal boundaries within the
system.
SC-17
Public Key Infrastructure Certificates: Scottish Pride develops and implements a
certificate policy and certification practice statement for the issuance of public key
certificates used in the information system.
System and Information Integrity (SI)
SI-2
Flaw Remediation: Scottish Pride identifies, reports, and corrects information system
flaws.
SI-4
Information System Monitoring Tools and Techniques: Scottish Pride employs tools and
techniques to monitor events on the information system, detect attacks, and provide
identification of unauthorized use of the system.
SI-5
Security Alerts and Advisories: Scottish Pride receives information system security
alerts/advisories on a regular basis, issues alerts/advisories to appropriate personnel, and
takes appropriate actions in response.
SI-10
Information Input Accuracy, Completeness, and Validity: The information system
checks information inputs for accuracy, completeness, and validity.
SI-11
Error Handling: The information system identifies and handles error conditions in an
expeditious manner.
SI-12
Output Handling and Retention: Scottish Pride handles and retains output from the
information system in accordance with Scottish Pride policy and operational requirements.
APPENDIX C – YEAR-2 REQUIRED SECURITY CONTROLS
Year 2 monitoring includes all security controls that are assessed annually (see
Appendix B) plus the subset of the remaining security controls listed below, which must
also be assessed.
Access Controls (AC)
AC-1
Access Control Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented, access control policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the access control policy and
associated access controls.
AC-3
Access Enforcement: The information system enforces assigned authorizations for
controlling access to the system in accordance with applicable policy.
AC-4
Information Flow Enforcement: The information system enforces assigned authorizations
for controlling the flow of information within the system and between interconnected
systems in accordance with applicable policy.
AC-14
Permitted Actions without Identification or Authentication: Scottish Pride identifies specific
user actions that can be performed on the information system without identification or
authentication.
AC-20
Use of External Information Systems: Scottish Pride restricts the use of personally owned
information systems for official U.S. Government business involving the processing,
storage, or transmission of federal information.
Awareness and Training (AT)
AT-1
Security Awareness and Training Policy and Procedures: Scottish Pride develops,
disseminates, and periodically reviews/updates: (1) a formal, documented, security
awareness and training policy that addresses purpose, scope, roles, responsibilities, and
compliance; and (2) formal, documented procedures to facilitate the implementation of the
security awareness and training policy and associated security awareness and training
controls.
AT-4
Security Training Records: Scottish Pride documents and monitors individual information
system security training activities including basic security awareness training and specific
information system security training.
Audit and Accountability (AU)
AU-1
Audit and Accountability Policy and Procedures: Scottish Pride develops, disseminates,
and periodically reviews/updates: (1) a formal, documented, audit and accountability
policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2)
formal, documented procedures to facilitate the implementation of the audit and
accountability policy and associated audit and accountability controls.
AU-8
Time Stamps: The information system provides time stamps for use in audit record
generation.
AU-9
Protection of Audit Information: The information system protects audit information and
audit tools from unauthorized access, modification, and deletion.
Certification, Accreditation, and Security Assessments (CA)
CA-1
Certification, Accreditation, and Security Assessment Policies and Procedures: Scottish
Pride develops, disseminates, and periodically reviews/updates: (1) formal, documented,
security assessment and certification and accreditation policies that address purpose,
scope, roles, responsibilities, and compliance; and (2) formal, documented procedures to
facilitate the implementation of the security assessment and certification and accreditation
policies and associated assessment, certification, and accreditation controls.
CA-2
Security Assessments: Scottish Pride conducts an assessment of the security controls in the
information system annually to determine the extent to which the controls are
implemented correctly, operating as intended, and producing the desired outcome with
respect to meeting the security requirements for the system.
CA-3
Information System Connections: Scottish Pride authorizes all connections from the
information system to other information systems outside of the accreditation boundary
and monitors/controls the system interconnections on an ongoing basis. Appropriate
Scottish Pride officials approve information system interconnection agreements.
CA-4
Security Certification: Scottish Pride conducts an assessment of the security controls in the
information system to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting the security requirements for the system.
CA-5
Plan of Action and Milestones: Scottish Pride develops and updates quarterly a POA&M
for the information system that documents Scottish Pride’s planned, implemented, and
evaluated remedial actions to correct any deficiencies noted during the assessment of the
security controls and to reduce or eliminate known vulnerabilities in the system.
CA-7
Continuous Monitoring: Scottish Pride monitors the security controls in the information
system on an ongoing basis.
Appendix C - 2
Scottish Pride
Office of Information Services
Scottish Pride Licensing Application
Continuous Monitoring Plan
Configuration Management (CM)
CM-1
Configuration Management Policy and Procedures: Scottish Pride develops,
disseminates, and periodically reviews/updates: (1) a formal, documented configuration
management policy that addresses purpose, scope, roles, responsibilities, and compliance;
and (2) formal, documented procedures to facilitate the implementation of the
configuration management policy and associated configuration management controls.
Contingency Planning (CP)
CP-1
Contingency Planning Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented contingency planning policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the contingency planning
policy and associated contingency planning controls.
Identification and Authentication (IA)
IA-1
Identification and Authentication Policy and Procedures: Scottish Pride develops,
disseminates, and periodically reviews/updates: (1) a formal, documented, identification
and authentication policy that addresses purpose, scope, roles, responsibilities, and
compliance; and (2) formal, documented procedures to facilitate the implementation of the
identification and authentication policy and associated identification and authentication
controls.
IA-3
Device Identification and Authentication: The information system identifies and
authenticates specific devices before establishing a connection.
Incident Response (IR)
IR-1
Incident Response Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented, incident response policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the incident response policy
and associated incident response controls.
IR-3
Incident Response Testing and Exercises: Scottish Pride tests the incident response
capability for the information system at least annually using automated mechanisms for
high systems to determine the incident response effectiveness and documents the results.
IR-4
Incident Handling: Scottish Pride implements an incident handling capability for security
incidents that includes preparation, detection and analysis, containment, eradication, and
recovery.
IR-7
Incident Response Assistance: Scottish Pride provides an incident support resource that
offers advice and assistance to users of the information system for the handling and
reporting of security incidents. The support resource is an integral part of Scottish Pride’s
incident response capability.
Maintenance (MA)
MA-1
System Maintenance Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented information system maintenance
policy that addresses purpose, scope, roles, responsibilities, and compliance; and (2)
formal, documented procedures to facilitate the implementation of the information system
maintenance policy and associated system maintenance controls.
Media Protection (MP)
MP-1
Media Protection Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented media protection policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the media protection policy
and associated media protection controls.
Physical and Environmental Protection (PE)
PE-1
Physical and Environmental Protection Policy and Procedures: Scottish Pride develops,
disseminates, and periodically reviews/updates: (1) a formal, documented physical and
environmental protection policy that addresses purpose, scope, roles, responsibilities, and
compliance; and (2) formal, documented procedures to facilitate the implementation of the
physical and environmental protection policy and associated physical and environmental
protection controls.
PE-5
Access Control for Display Medium: Scottish Pride controls physical access to
information system devices that display information to prevent unauthorized individuals
from observing the display output.
PE-8
Access Records: Scottish Pride maintains a visitor access log to facilities (except for those
areas within the facilities officially designated as publicly accessible) that includes: (1)
name and organization of the person visiting; (2) signature of the visitor; (3) form of
identification; (4) date of access; (5) time of entry and departure; (6) purpose of visit; and
(7) name and organization of person visited. Visitor logs are reviewed at closeout,
maintained on file, and available for further review for one year.
PE-9
Power Equipment and Power Cabling: Scottish Pride protects power equipment and
power cabling for the information system from damage and destruction.
PE-10
Emergency Shutoff: For specific locations within a facility containing concentrations of
information system resources (e.g., data centers, server rooms, mainframe rooms), Scottish
Pride provides the capability of shutting off power to any information technology
component that may be malfunctioning (e.g., due to an electrical fire) or threatened (e.g.,
due to a water leak) without endangering personnel by requiring them to approach the
equipment.
PE-11
Emergency Power: Scottish Pride provides a short-term uninterruptible power supply to
facilitate an orderly shutdown of the information system in the event of a primary power
source loss.
PE-18
Location of Information System Components: Scottish Pride positions information
system components within the facility to minimize potential damage from physical and
environmental hazards and to minimize the opportunity for unauthorized access.
Planning (PL)
PL-1
Security Planning Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented, security planning policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the security planning policy
and associated security planning controls.
Personnel Security (PS)
PS-1
Personnel Security Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented personnel security policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the personnel security policy
and associated personnel security controls.
Risk Assessment (RA)
RA-1
Risk Assessment Policy and Procedures: Scottish Pride develops, disseminates, and
periodically reviews/updates: (1) a formal, documented risk assessment policy that
addresses purpose, scope, roles, responsibilities, and compliance; and (2) formal,
documented procedures to facilitate the implementation of the risk assessment policy and
associated risk assessment controls.
RA-5
Vulnerability Scanning: Using appropriate vulnerability scanning tools and techniques,
Scottish Pride scans for vulnerabilities in the information system every six months or when
significant new vulnerabilities affecting the system are identified and reported.
System and Services Acquisition (SA)
SA-1
System and Services Acquisition Policy and Procedures: Scottish Pride develops,
disseminates, and periodically reviews/updates: (1) a formal, documented, system and
services acquisition policy that addresses purpose, scope, roles, responsibilities, and
compliance; and (2) formal, documented procedures to facilitate the implementation of the
system and services acquisition policy and associated system and services acquisition
controls.
SA-2
Allocation of Resources: Scottish Pride determines, documents, and allocates as part of its
capital planning and investment control process the resources required to protect the
system.
SA-3
Life Cycle Support: Scottish Pride manages the information system using a system
development life cycle methodology that includes information security considerations.
SA-5
Information System Documentation: Scottish Pride ensures that adequate documentation
for the information system and its constituent components is available, protected when
required, and distributed to authorized personnel.
SA-6
Software Usage Restrictions: Scottish Pride complies with software usage restrictions.
SA-8
Security Engineering Principles: Scottish Pride designs and implements the information
system using security engineering principles.
System and Communications Protection (SC)
SC-1
System and Communications Protection Policy and Procedures: Scottish Pride develops,
disseminates, and periodically reviews/updates: (1) a formal, documented system and
communications protection policy that addresses purpose, scope, roles, responsibilities,
and compliance; and (2) formal, documented procedures to facilitate the implementation of
the system and communications protection policy and associated system and
communications protection controls.
SC-2
Application Partitioning: The information system separates user functionality (including
user interface services) from information system management functionality.
SC-18
Mobile Code: Scottish Pride: (1) establishes usage restrictions and implementation
guidance for mobile code technologies based on the potential to cause damage to the
information system if used maliciously; and (2) documents, monitors, and controls the use
of mobile code within the information system. Appropriate Scottish Pride officials
authorize the use of mobile code.
SC-19
Voice Over Internet Protocol: Scottish Pride: (1) establishes usage restrictions and
implementation guidance for Voice Over Internet Protocol (VOIP) technologies based on
the potential to cause damage to the information system if used maliciously; and (2)
documents, monitors, and controls the use of VOIP within the information system.
Appropriate Scottish Pride officials authorize the use of VOIP.
SC-20
Secure Name/Address Resolution Service (Authoritative Source): The information
system that provides name/address resolution service provides additional data origin and
integrity artifacts along with the authoritative data it returns in response to resolution
queries.
SC-22
Architecture and Provisioning For Name/Address Resolution Service: The information
systems that collectively provide name/address resolution service for Scottish Pride are
fault tolerant and implement role separation.
System and Information Integrity (SI)
SI-1
System and Information Integrity Policy and Procedures: Scottish Pride develops,
disseminates, and periodically reviews/updates: (1) a formal, documented, system and
information integrity policy that addresses purpose, scope, roles, responsibilities, and
compliance; and (2) formal, documented procedures to facilitate the implementation of the
system and information integrity policy and associated system and information integrity
controls.
APPENDIX D – YEAR-3 REQUIRED SECURITY CONTROLS
Year 3 monitoring should include all security controls required to be assessed annually
(see Appendix B), plus the subset of the security controls listed below that were not
assessed during Year 2.
Access Controls (AC)
AC-5
Separation of Duties: The information system enforces separation of duties through
assigned access authorizations.
AC-6
Least Privilege: The information system enforces the most restrictive set of
rights/privileges or accesses needed by users (or processes acting on behalf of users) for
the performance of specified tasks.
AC-8
System Use Notification: The information system displays an approved, system use
notification message before granting system access informing potential users: (1) that the
user is accessing a U.S. Government information system; (2) that system usage may be
monitored, recorded, and subject to audit; (3) that unauthorized use of the system is
prohibited and subject to criminal and civil penalties; and (4) that use of the system
indicates consent to monitoring and recording. The system use notification message
provides appropriate privacy and security notices (based on associated privacy and
security policies or summaries) and remains on the screen until the user takes explicit
actions to log on to the information system.
AC-12
Session Termination: The information system automatically terminates a session after ten
minutes of inactivity.
AC-18
Wireless Access Restrictions: Scottish Pride: (1) establishes usage restrictions and
implementation guidance for wireless technologies; and (2) documents, monitors, and
controls wireless access to the information system. Appropriate Scottish Pride officials
authorize the use of wireless technologies.
AC-19
Access Control for Portable and Mobile Systems: Scottish Pride: (1) establishes usage
restrictions and implementation guidance for portable and mobile devices; and (2)
documents, monitors, and controls device access to Scottish Pride networks. Appropriate
Scottish Pride officials authorize the use of portable and mobile devices.
Certification, Accreditation, and Security Assessments (CA)
CA-6
Security Accreditation: Scottish Pride authorizes (i.e., accredits) the information system for
processing before operations and updates the authorization every 3 years. A senior
Scottish Pride official signs and approves the security accreditation.
Identification and Authentication (IA)
IA-2
User Identification and Authentication: The information system uniquely identifies and
authenticates users (or processes acting on behalf of users).
Media Protection (MP)
MP-2
Media Access: Scottish Pride ensures that only authorized users have access to information
in printed form or on digital media removed from the information system.
MP-4
Media Storage: Scottish Pride physically controls and securely stores information system
media, both paper and electronic, based on the highest FIPS 199 security category of the
information recorded on the media.
Planning (PL)
PL-2
System Security Plan: Scottish Pride develops and implements a security plan for the
information system that provides an overview of the security requirements for the system
and a description of the security controls in place or planned for meeting those
requirements. Designated officials within Scottish Pride review and approve the plan.
PL-5
Privacy Impact Assessment: Scottish Pride conducts a privacy impact assessment on the
information system.
Personnel Security (PS)
PS-2
Position Categorization: Scottish Pride assigns a risk designation to all positions and
establishes screening criteria for individuals filling those positions. Scottish Pride reviews
and revises position risk designations periodically in accordance with Office of Personnel
Management (OPM) guidance.
PS-8
Personnel Sanctions: Scottish Pride employs a formal sanctions process for personnel
failing to comply with established information security policies and procedures.
Risk Assessment (RA)
RA-2
Security Categorization: Scottish Pride categorizes the information system and the
information processed, stored, or transmitted by the system in accordance with FIPS 199
and documents the results (including supporting rationale) in the system security plan.
Designated senior-level officials within Scottish Pride review and approve the security
categorizations.
RA-3
Risk Assessment: Scottish Pride conducts assessments of the risk and magnitude of harm
that could result from the unauthorized access, use, disclosure, disruption, modification, or
destruction of information and information systems that support the operations and assets
of the agency.
RA-4
Risk Assessment Update: Scottish Pride updates the risk assessment every three years or
whenever there are significant changes to the information system, the facilities where the
system resides, or other conditions that may impact the security or accreditation status of
the system.
System and Services Acquisition (SA)
SA-9
External Information System Services: Scottish Pride ensures that third-party providers of
information system services employ adequate security controls in accordance with
applicable federal laws, directives, policies, regulations, standards, guidance, and
established service level agreements. Scottish Pride monitors security control compliance.
SA-11
Developer Security Testing: The information system developer creates a security test and
evaluation plan, implements the plan, and documents the results. Developmental security
test results may be used in support of the security certification and accreditation process
for the delivered information system.
System and Communications Protection (SC)
SC-5
Denial of Service Protection: The information system protects against or limits the effects
of denial of service attacks on devices within Scottish Pride’s internal network.
SC-9
Transmission Confidentiality: The information system protects the confidentiality of
transmitted information.
SC-10
Network Disconnect: The information system terminates a network connection at the end
of a session or after ten minutes of inactivity.
SC-14
Public Access Protections: For publicly available systems, the information system protects
the integrity of the information and applications.
SC-23
Session Authenticity: The information system provides mechanisms to protect the
authenticity of communications sessions.
System and Information Integrity (SI)
SI-3
Malicious Code Protection: The information system implements malicious code
protection that includes a capability for automatic updates.
SI-8
Spam and Spyware Protection: The information system implements spam and spyware
protection.
SI-9
Information Input Restrictions: Scottish Pride restricts the information input to the
information system to authorized personnel only.