Key Security Indicators

Cybersecurity Education

Reviewing All Training

KSI-CED-RAT

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The effectiveness of relevant cybersecurity education and training is persistently reviewed, including at least general training for all employees, role-specific training for employees in high risk roles, training for development and engineering staff on secure software delivery, and training for staff involved with incident response or disaster recovery.

Related SP 800-53 Controls: CP-3, IR-2, PS-6, AT-2, AT-2.2, AT-2.3, AT-3.5, AT-4, IR-2.3, AT-3, SR-11.1


Terms: Incident, Persistently, Vulnerability Response

Change Management

Logging Changes

KSI-CMT-LMC

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Modifications to the cloud service offering are logged and monitored.

Related SP 800-53 Controls: AU-2, CM-3, CM-3.2, CM-4.2, CM-6, CM-8.3, MA-2


Terms: Cloud Service Offering

Redeploying vs Modifying

KSI-CMT-RMV

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Changes to machine-based information resources are executed through the redeployment of version controlled resources rather than direct modification wherever reasonable.

Related SP 800-53 Controls: CM-2, CM-3, CM-5, CM-6, CM-7, CM-8.1, SI-3


Terms: Information Resource, Machine-Based (Information Resources)

Reviewing Change Procedures

KSI-CMT-RVP

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The effectiveness of documented change management procedures is persistently reviewed.

Related SP 800-53 Controls: CM-3, CM-3.2, CM-3.4, CM-5, CM-7.1, CM-9


Terms: Persistently

Validating Throughout Deployment

KSI-CMT-VTD

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Persistent testing and validation of changes throughout deployment is automated.

Related SP 800-53 Controls: CM-3, CM-3.2, CM-4.2, SI-2


Terms: Persistently, Validation

Cloud Native Architecture

Defining Functionality and Privileges

KSI-CNA-DFP

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The functionality and privileges for infrastructure and services are strictly defined.

Related SP 800-53 Controls: CM-2, SI-3

Enforcing Intended State

KSI-CNA-EIS

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Optional: Automated services are used to persistently assess the security of all machine-based information resources and automatically enforce their intended operational state.

Related SP 800-53 Controls: CA-2.1, CA-7.1


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Implementing Best Practices

KSI-CNA-IBP

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The use and configuration of third-party machine-based information resources is persistently compared against the original provider's best practices and guidance.

Related SP 800-53 Controls: AC-17.3, CM-2, PL-10


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Minimizing Attack Surface

KSI-CNA-MAT

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Machine-based information resources are persistently reviewed to ensure they have a minimal attack surface and that lateral movement is minimized if compromised.

Related SP 800-53 Controls: AC-17.3, AC-18.1, AC-18.3, AC-20.1, CA-9, SC-7.3, SC-7.4, SC-7.5, SC-7.8, SC-8, SC-10, SI-10, SI-11, SI-16


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Optimizing for Availability

KSI-CNA-OFA

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Machine-based information resources are persistently reviewed to ensure they are appropriately optimized for high availability and rapid recovery.


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Restricting Network Traffic

KSI-CNA-RNT

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Machine-based information resources are persistently reviewed to ensure they are appropriately configured to limit inbound and outbound network traffic.

Related SP 800-53 Controls: AC-17.3, CA-9, CM-7.1, SC-7.5, SI-8


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Reviewing Protections

KSI-CNA-RVP

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The effectiveness of protection against denial of service attacks and other unwanted activity for machine-based information resources is persistently reviewed.

Related SP 800-53 Controls: SC-5, SI-8, SI-8.2


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Using Logical Networking

KSI-CNA-ULN

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Logical networking and related capabilities are used and persistently reviewed to enforce traffic flow controls.

Related SP 800-53 Controls: AC-12, AC-17.3, CA-9, SC-4, SC-7, SC-7.7, SC-8, SC-10


Terms: Persistently

Identity and Access Management

Automating Account Management

KSI-IAM-AAM

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The lifecycle and privileges of all accounts, roles, and groups are securely managed using automation.

Related SP 800-53 Controls: AC-2.2, AC-2.3, AC-2.13, AC-6.7, IA-4.4, IA-12, IA-12.2, IA-12.3, IA-12.5

Adopting Passwordless Methods

KSI-IAM-APM

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Secure passwordless methods are used for user authentication and authorization when feasible; otherwise, strong passwords with phishing-resistant MFA are used.

Related SP 800-53 Controls: AC-3, IA-5.1, IA-5.2, IA-5.6, IA-6, AC-2, IA-2, IA-2.1, IA-2.2, IA-2.8, IA-5, IA-8, SC-23

Ensuring Least Privilege

KSI-IAM-ELP

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Identity and access management measures are used and persistently reviewed to ensure each user or device can only access the resources they need.

Related SP 800-53 Controls: AC-2.5, AC-2.6, AC-3, AC-4, AC-6, AC-12, AC-14, AC-17, AC-17.1, AC-17.2, AC-17.3, AC-20, AC-20.1, CM-2.7, CM-9, IA-2, IA-3, IA-4, IA-4.4, IA-5.2, IA-5.6, IA-11, PS-2, PS-3, PS-4, PS-5, PS-6, SC-4, SC-20, SC-21, SC-22, SC-23, SC-39, SI-3


Terms: Persistently

Authorizing Just-in-Time

KSI-IAM-JIT

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

A least-privileged, role- and attribute-based, and just-in-time security authorization model is used and persistently reviewed for all user and non-user accounts and services.

Related SP 800-53 Controls: AC-2, AC-2.1, AC-2.2, AC-2.3, AC-2.4, AC-2.6, AC-3, AC-4, AC-5, AC-6, AC-6.1, AC-6.2, AC-6.5, AC-6.7, AC-6.9, AC-6.10, AC-7, AC-20.1, AC-17, AU-9.4, CM-5, CM-7, CM-7.2, CM-7.5, CM-9, IA-4, IA-4.4, IA-7, PS-2, PS-3, PS-4, PS-5, PS-6, PS-9, RA-5.5, SC-2, SC-23, SC-39


Terms: Persistently

Securing Non-User Authentication

KSI-IAM-SNU

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Appropriately secure authentication methods are used and persistently reviewed for non-user accounts and services.

Related SP 800-53 Controls: AC-2, AC-2.2, AC-4, AC-6.5, IA-3, IA-5.2, RA-5.5


Terms: Persistently

Responding to Suspicious Activity

KSI-IAM-SUS

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Accounts with privileged access are disabled or otherwise secured in response to suspicious activity.

Related SP 800-53 Controls: AC-2, AC-2.1, AC-2.3, AC-2.13, AC-7, PS-4, PS-8


Terms: Vulnerability Response

Incident Response

Generating After Action Reports

KSI-INR-AAR

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Incident after action reports are generated and lessons learned are persistently incorporated.

Related SP 800-53 Controls: IR-3, IR-4, IR-4.1, IR-8


Terms: Incident, Persistently

Reviewing Incident Response Procedures

KSI-INR-RIR

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The effectiveness of documented incident response procedures is persistently reviewed.

Related SP 800-53 Controls: IR-4, IR-4.1, IR-6, IR-6.1, IR-6.3, IR-7, IR-7.1, IR-8, IR-8.1, SI-4.5


Terms: Incident, Persistently, Vulnerability Response

Reviewing Past Incidents

KSI-INR-RPI

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Past incidents are persistently reviewed for patterns or vulnerabilities that were not previously apparent or identified.

Related SP 800-53 Controls: IR-3, IR-4, IR-4.1, IR-5, IR-8


Terms: Incident, Persistently, Vulnerability

Monitoring, Logging, and Auditing

Authorizing Log Access

KSI-MLA-ALA

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Optional: A least-privileged, role- and attribute-based, and just-in-time access authorization model is used and persistently reviewed for access to log data based on organizationally defined data sensitivity.

Related SP 800-53 Controls: SI-11


Terms: Persistently

Evaluating Configurations

KSI-MLA-EVC

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The configuration of machine-based information resources, especially infrastructure as code, is persistently evaluated and tested.

Related SP 800-53 Controls: CA-7, CM-2, CM-6, SI-7.7


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Logging Event Types

KSI-MLA-LET

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

A list of information resources and event types that will be logged, monitored, and audited is maintained and persistently reviewed to ensure these activities occur.

Related SP 800-53 Controls: AC-2.4, AC-6.9, AC-17.1, AC-20.1, AU-2, AU-7.1, AU-12, SI-4.4, SI-4.5, SI-7.7


Terms: Information Resource, Persistently

Operating SIEM Capability

KSI-MLA-OSM

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

A Security Information and Event Management (SIEM) or similar system(s) is used and persistently reviewed for centralized, tamper-resistant logging of events, activities, and changes.

Related SP 800-53 Controls: AC-17.1, AC-20.1, AU-2, AU-3, AU-3.1, AU-4, AU-5, AU-6.1, AU-6.3, AU-7, AU-7.1, AU-8, AU-9, AU-11, IR-4.1, SI-4.2, SI-4.4, SI-7.7


Terms: Persistently

Reviewing Logs

KSI-MLA-RVL

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Logs are persistently reviewed and audited.

Related SP 800-53 Controls: AC-2.4, AC-6.9, AU-2, AU-6, AU-6.1, SI-4, SI-4.4


Terms: Persistently

Policy and Inventory

Generating Inventories

KSI-PIY-GIV

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Authoritative sources are used to automatically generate real-time inventories of all information resources when needed.

Related SP 800-53 Controls: CM-2.2, CM-7.5, CM-8, CM-8.1, CM-12, CM-12.1, CP-2.8


Terms: Information Resource

Reviewing Executive Support

KSI-PIY-RES

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Executive support for achieving the provider's security goals is persistently reviewed and demonstrated.


Terms: Persistently

Reviewing Investments in Security

KSI-PIY-RIS

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The effectiveness of the provider's investments in achieving security goals is persistently reviewed.

Related SP 800-53 Controls: AC-5, CA-2, CP-2.1, CP-4.1, IR-3.2, PM-3, SA-2, SA-3, SR-2.1


Terms: Persistently

Reviewing Security in the SDLC

KSI-PIY-RSD

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The effectiveness of building security and privacy considerations into the Software Development Lifecycle and aligning with CISA Secure By Design principles is persistently reviewed.

Related SP 800-53 Controls: AC-5, AU-3.3, CM-3.4, PL-8, PM-7, SA-3, SA-8, SC-4, SC-18, SI-10, SI-11, SI-16


Terms: Persistently

Reviewing Vulnerability Disclosures

KSI-PIY-RVD

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The effectiveness of the provider's vulnerability disclosure program is persistently reviewed.

Related SP 800-53 Controls: RA-5.11


Terms: Persistently, Vulnerability

Recovery Planning

Aligning Backups with Objectives

KSI-RPL-ABO

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The alignment of machine-based information resource backups with defined recovery objectives is persistently reviewed.

Related SP 800-53 Controls: CM-2.3, CP-6, CP-9, CP-10, CP-10.2, SI-12


Terms: Information Resource, Machine-Based (Information Resources), Persistently

Aligning Recovery Plan

KSI-RPL-ARP

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The alignment of recovery plans with defined recovery objectives is persistently reviewed.

Related SP 800-53 Controls: CP-2, CP-2.1, CP-2.3, CP-4.1, CP-6, CP-6.1, CP-6.3, CP-7, CP-7.1, CP-7.2, CP-7.3, CP-8, CP-8.1, CP-8.2, CP-10, CP-10.2


Terms: Persistently

Reviewing Recovery Objectives

KSI-RPL-RRO

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The desired Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are persistently reviewed for alignment with the provider's business needs and capabilities.

Related SP 800-53 Controls: CP-2.3, CP-10


Terms: Persistently

Testing Recovery Capabilities

KSI-RPL-TRC

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The capability to recover from incidents and contingencies aligned with defined recovery objectives is persistently tested.

Related SP 800-53 Controls: CP-2.1, CP-2.3, CP-4, CP-4.1, CP-6, CP-6.1, CP-9.1, CP-10, IR-3, IR-3.2


Terms: Incident, Persistently

Supply Chain Risk

Mitigating Supply Chain Risk

KSI-SCR-MIT

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Persistently identify, review, and mitigate potential supply chain risks.

Related SP 800-53 Controls: AC-20, RA-3.1, SA-9, SA-10, SA-11, SA-15.3, SA-22, SI-7.1, SR-5, SR-6, CA-7.4, SC-18


Terms: Persistently

Monitoring Supply Chain Risk

KSI-SCR-MON

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Third-party software information resources are automatically monitored for upstream vulnerabilities using mechanisms that may include contractual notification requirements or active monitoring services.

Related SP 800-53 Controls: AC-20, CA-3, IR-6.3, PS-7, RA-5, SA-9, SI-5, SR-5, SR-6, SR-8


Terms: Information Resource, Vulnerability

Service Configuration

Automating Configuration Management

KSI-SVC-ACM

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

The configuration of machine-based information resources is managed using automation and persistently reviewed for drift.

Related SP 800-53 Controls: AC-2.4, CM-2, CM-2.2, CM-2.3, CM-6, CM-7.1, PL-9, PL-10, SA-5, SI-5, SR-10


Terms: Drift, Information Resource, Machine-Based (Information Resources), Persistently

Automating Secret Management

KSI-SVC-ASM

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Management, protection, and regular rotation of digital keys, certificates, and other secrets are automated and persistently reviewed.

Related SP 800-53 Controls: AC-17.2, IA-5.2, IA-5.6, SC-12, SC-17


Terms: Persistently, Regularly

Evaluating and Improving Security

KSI-SVC-EIS

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Information resources are persistently evaluated for opportunities to improve security and those improvements are persistently made.

Related SP 800-53 Controls: CM-7.1, CM-12.1, MA-2, PL-8, SC-7, SC-39, SI-2.2, SI-4, SR-10


Terms: Information Resource, Persistently

Preventing Residual Risk

KSI-SVC-PRR

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Optional: Plans, procedures, and the state of information resources are persistently reviewed after making changes to limit and remove unwanted residual elements that would likely negatively affect the confidentiality, integrity, or availability of federal customer data.

Related SP 800-53 Controls: SC-4


Terms: Federal Customer Data, Information Resource, Likely, Persistently

Removing Unwanted Data

KSI-SVC-RUD

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Optional: Unwanted federal customer data is removed promptly when requested by an agency in alignment with customer agreements, including from backups if appropriate; this typically applies when a customer spills information or when a customer seeks to remove information from a service due to a change in usage.

Related SP 800-53 Controls: SI-12.3, SI-18.4


Terms: Federal Customer Data, Promptly

Securing Information

KSI-SVC-SIN

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Information is encrypted or otherwise secured from unwanted access or modification.

Related SP 800-53 Controls: AC-1, AC-17.2, CP-9.8, SC-8, SC-8.1, SC-13, SC-20, SC-21, SC-22, SC-23, SC-28, SC-28.1

Validating Communications

KSI-SVC-VCM

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Optional: The authenticity and integrity of communications between machine-based information resources is persistently validated using automation.

Related SP 800-53 Controls: SC-23, SI-7.1


Terms: Information Resource, Machine-Based (Information Resources), Persistently, Validation

Validating Resource Integrity

KSI-SVC-VRI

Changelog:

  • 2026-07-04: Initial reset for the Consolidated Rules for 2026 Public Preview.

Use cryptographic methods to validate the integrity of machine-based information resources.

Related SP 800-53 Controls: CM-2.2, CM-8.3, SC-13, SC-23, SI-7, SI-7.1, SR-10


Terms: Information Resource, Machine-Based (Information Resources), Validation