Canadian Centre for Cyber Security News

The latest Cyber Security news releases, announcements, statements, and speaking notes from the Canadian Cyber Centre.

  • G7 Cybersecurity Working Group Statement on preparing for a post-quantum cryptography migration
    by Canadian Centre for Cyber Security on June 1, 2026 at 2:03 pm

    <article data-history-node-id="7764" about="/en/news-events/g7-cybersecurity-working-group-statement-preparing-post-quantum-cryptography-migration" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><section><h2 id="Intro">Introduction</h2> <p>Quantum computers use quantum physics to process information and solve problems that are impractical to solve using current computing capabilities. Although these computers can be beneficial in fields like medicine and science, they also pose risks to cyber security with their ability to break public key cryptography (PKC). <abbr title="public key cryptography">PKC</abbr>, also known as asymmetric cryptography, is used to protect the confidentiality, integrity and authentication of communication and data. It also provides assurance that software and updates are from the organizations that you expect and have not been tampered with. The United States’ National Institute for Standards and Technology (NIST), in conjunction with experts from around the world, has chosen new algorithms that are resistant to a quantum attack in order to replace the existing vulnerable ones. This new field of cryptography is called post-quantum cryptography (PQC). The G7 Cybersecurity Working Group (G7 CWG) recognizes the challenges that transitioning to new algorithms bring to organizations and has developed this publication to provide practical advice to prepare for this important process. 
In addition to this publication, the G7 Cyber Expert Group (G7 CEG) has published a group statement on “<a href="https://home.treasury.gov/system/files/136/G7-CEG-Quantum-Roadmap.pdf">Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector</a>” which readers may find useful.</p> </section><section class="alert alert-info"><p>This document is not intended to be a source of cyber security advice, or any other kind of advice, and should not be treated as such. This publication does not supersede any guidance or regulatory requirements published by your national authorities and should not be treated as doing so.</p> </section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#Intro">Introduction</a></li> <li><a href="#Audience">Audience and purpose</a></li> <li><a href="#Terminology">Terminology</a></li> <li><a href="#Project-prep">Project preparation</a> <ul><li><a href="#Governance">Governance</a></li> <li><a href="#Project-teams">Project teams</a></li> <li><a href="#Org-aware">Organizational awareness</a></li> <li><a href="#Budget-consider">Budget considerations</a></li> <li><a href="#Crypto-agil">Cryptographic agility</a></li> </ul></li> <li><a href="#Plan-dev">Migration plan development</a> <ul><li><a href="#Id-crypto">Identifying cryptography</a></li> <li><a href="#Prioritization">Prioritization</a></li> <li><a href="#Transition">Transition</a></li> <li><a href="#Testing">Testing</a></li> <li><a href="#Documentation">Documentation</a></li> </ul></li> <li><a href="#Conclusion">Conclusion</a></li> <li><a href="#Appendix">Appendix</a> <ul><li><a href="#consider-crypto-id">Considerations for identifying cryptography</a></li> <li><a href="#hybrid-crypto">Hybrid cryptography</a></li> <li><a href="#Operational-Tech">Operational and cloud technology considerations</a></li> <li><a href="#Cert">Certification</a></li> <li><a href="#info-sec">Information security management standards</a></li> </ul></li> </ul></details>
<section><h2 id="Audience">Audience and purpose</h2> <p>This publication provides recommendations to prepare organizations to transition to <abbr title="Post-quantum cryptography">PQC</abbr>. It has been developed by dedicated experts of the G7 CWG, including governments and their national cyber agencies. It is targeted at technical management of medium-to-large organizations to provide guidance on the types of work that could be performed during a typical transition project. The G7 CWG recognizes that organizations across the world have different structures and governance requirements, and that a single guidance publication cannot cover all organizations’ needs. As a result, this publication provides pragmatic approaches that can be adopted and modified by organizations to meet their goal of transitioning to <abbr title="Post-quantum cryptography">PQC</abbr>. In addition to this publication, the G7 CWG recommends that you review other relevant guidance from standards bodies as well as your national cyber agency. This publication should not supersede any guidance published by your national technical authority.</p> </section><section><h2 id="Terminology">Terminology</h2> <p>Most of the terminology used in this section comes from the European Commission’s <abbr title="Post-quantum cryptography">PQC</abbr> roadmap publication<sup id="fn1-rf"><a class="fn-lnk" href="#fn1">1</a></sup>. Any modifications or additions in this publication are due to changes in audience or are intended to add information relevant to this publication.</p> <dl><dt>Cryptographic agility (crypto agility)</dt> <dd>The design of cryptographic protocols and systems in a modular way that enables replacing the cryptographic components. 
This concept must not be confused with a requirement to negotiate the cipher suite during protocol execution.</dd> <dt>Cryptographic inventory</dt> <dd>A structured overview of cryptographic assets.</dd> <dt>Cryptographically relevant quantum computer (CRQC)</dt> <dd>A quantum computer that is powerful enough to solve factorization and discrete logarithm problems of sizes that are used in quantum-vulnerable cryptography today.</dd> <dt>Harvest now, decrypt later (HNDL) attack</dt> <dd>A scenario where adversaries store encrypted data for decryption once a cryptographically relevant quantum computer emerges. This is a threat when the confidentiality of data needs to be protected for a long time period (for instance, governmental data, sensitive personal data, trade or business secrets).</dd> <dt>Post-quantum cryptography (PQC)</dt> <dd>Asymmetric cryptographic algorithms that are developed and designed to be secure against traditional and quantum attacks.</dd> <dt>Post-quantum traditional (PQ/T) hybrid scheme</dt> <dd>A cryptographic scheme that incorporates at least 1 <abbr title="Post-quantum cryptography">PQC</abbr> algorithm and at least 1 traditional algorithm, where each component algorithm has the same cryptographic purpose as each other and as the overall scheme. 
An example of such a scheme is the Internet Engineering Task Force’s (IETF) Request for Comments (RFC) on <a href="https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/16/">Hybrid key exchange in TLS 1.3</a>, which provides a construction for combining a traditional key exchange (for example, elliptic curve Diffie-Hellman (ECDH) or finite field Diffie-Hellman (FFDH) key exchange) with post-quantum key encapsulation mechanisms (KEMs) to provide hybrid confidentiality for the Transport Layer Security (TLS) layer.</dd> <dt>Public key infrastructure (PKI)</dt> <dd>A framework for issuing, maintaining, and revoking public key certificates.</dd> <dt>Quantum attack</dt> <dd>Using a cryptographically relevant quantum computer running a quantum algorithm to attack a cryptographic algorithm.</dd> <dt>Quantum-safe</dt> <dd>Something that is expected to be secure against traditional and quantum attacks. This term also covers symmetric cryptography algorithms.</dd> <dt>Quantum-vulnerable</dt> <dd>Not quantum-safe. Cryptographic algorithms that are expected to be vulnerable to quantum attacks.</dd> <dt>Traditional</dt> <dd>Quantum-vulnerable (for cryptographic mechanisms) or non-quantum (for example, for attacks) depending on the context.</dd> </dl></section><section><h2 id="Project-prep">Project preparation</h2> <p>The following sections outline considerations for organizations when preparing to transition to <abbr title="Post-quantum cryptography">PQC</abbr>, including:</p> <ul><li>governance</li> <li>project teams</li> <li>organizational awareness</li> <li>budget</li> <li>crypto agility</li> </ul><p>Although this publication provides information on how to prepare organizations for the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, this is not an exhaustive list, and your organization may have additional requirements that should be considered for your specific situation. 
In addition to this publication, you should also consult all guidance from your national cyber agency.</p> <div> <h3 id="Governance">Governance</h3> <p>When presenting <abbr title="Post-quantum cryptography">PQC</abbr> to senior leadership, the following points may secure their buy-in and allow them to understand their role during the transition. It is important that senior leadership takes an active role in the promotion of <abbr title="Post-quantum cryptography">PQC</abbr> in their organization. They should provide direction to technical leads on the scale and pace of <abbr title="Post-quantum cryptography">PQC</abbr> migration. In turn, technical teams should provide senior leadership with estimates on the costs and what can be delivered within a given timeframe. They should also provide regular updates to senior leadership on progress against the timeframe.</p> <p>Senior leaders are responsible for setting strategic priorities and allocating resources. It is important to note that <abbr title="Post-quantum cryptography">PQC</abbr> is not just a technical upgrade, but rather a core cyber security measure that should be integrated into existing organizational risk management processes and information security management systems (ISMS).</p> </div> <div> <h3>Timeframes</h3> <p>Unlike some cyber security threats which require rapid changes that can be disruptive and expensive, an advantage of <abbr title="Post-quantum cryptography">PQC</abbr> migration is its relatively long timeframe for implementation. Migration is expected to be completed in the private sector during the 2030s (specific dates will vary slightly by country; refer to your national guidelines for additional information). 
You should highlight to senior leadership that beginning a controlled migration early on will make migration more manageable and affordable.</p> <h4>Competition and excellence</h4> <p>Starting the <abbr title="Post-quantum cryptography">PQC</abbr> transition ahead of your competitors may signal to investors and customers that your organization is forward-thinking and takes cyber security seriously. To effectively engage senior leadership, you should stress the competitive advantage that early <abbr title="Post-quantum cryptography">PQC</abbr> adoption brings.</p> <h4>How to engage leadership</h4> <ul><li>Frame <abbr title="Post-quantum cryptography">PQC</abbr> as a business risk. For instance, emphasize the HNDL threat and the long-term impact on data confidentiality. You can also highlight that failure to act in a timely and structured manner may be more costly in the long run.</li> <li>Use the available resources from your national technical authority, including guidance relating to promoting cyber security to boards and executives. Highlight any deadlines for <abbr title="Post-quantum cryptography">PQC</abbr> completion.</li> <li>Position <abbr title="Post-quantum cryptography">PQC</abbr> migration as an opportunity for organizations to: <ul><li>modernize infrastructure</li> <li>improve resilience</li> <li>demonstrate their dedication to cyber security by making <abbr title="Post-quantum cryptography">PQC</abbr> a part of their “normal” cyber security upgrade and refresh cycles</li> </ul></li> </ul><h4>Practical steps</h4> <ul><li>Designate a board member accountable for <abbr title="Post-quantum cryptography">PQC</abbr> migration, including allocation of funding for the work. Where possible, this should be the member accountable for managing the wider cyber security risks of the organization. 
This individual should also be someone that is known to employees and with whom they can engage.</li> <li>Map cryptographic dependencies: Identify where <abbr title="public key cryptography">PKC</abbr> is used across systems and supply chains.</li> <li>Consider using consultants that specialize in <abbr title="Post-quantum cryptography">PQC</abbr> migration. Some countries have accreditation schemes for consultancies that have received training in this area.</li> <li>Join working groups: Collaborate with industry peers to share best practices and avoid duplication of effort. If these groups do not exist, consider establishing them to demonstrate leadership in your sector.</li> <li>Track progress: Use metrics to measure leadership awareness and decision-making impact.</li> </ul></div> <div> <h3 id="Project-teams">Project teams</h3> <p>To prepare for the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, it is recommended that organizations develop teams to oversee the work. Project teams should consist of stakeholders throughout the organization and include at least 1 member from senior management to lend necessary support. Although much of the work to be performed is technical, it is beneficial to include stakeholders in non-technical areas, including finance, project management, procurement and any other relevant stakeholders.</p> <p>Below are a series of teams that your organization should consider standing up. This is not prescriptive, and you may find it works better to merge or exclude some of these teams based on your organization’s structure and requirements. You may also choose to outsource some of this work to consultants specializing in <abbr title="Post-quantum cryptography">PQC</abbr>. 
In this case, check if your national technical authority provides formal accreditation to these organizations.</p> <div> <h4>Executive governance and strategy team</h4> <p>This team will be the main driver of <abbr title="Post-quantum cryptography">PQC</abbr> migration within an organization. The purpose of this team is to set direction, secure board-level buy-in, and align with relevant national timelines. It will also be responsible for briefing the board and ensuring that <abbr title="Post-quantum cryptography">PQC</abbr> remains a high priority on the organization’s agenda.</p> <p>Key roles:</p> <ul><li>Chief information security officer (CISO)</li> <li>Policy lead or <abbr title="Post-quantum cryptography">PQC</abbr> program lead</li> <li>Legal/compliance advisor</li> </ul><p><strong>Tip</strong>: Consider setting up a project management office (PMO) team (discussed below) that will support the governance and strategy team in coordinating <abbr title="Post-quantum cryptography">PQC</abbr> migration and the relevant project teams.</p> </div> <div> <h4>Cryptographic discovery and planning team</h4> <p>One of the first objectives your organization will need to deliver is a map of the systems which will need to be made <abbr title="Post-quantum cryptography">PQC</abbr>-compliant. This map should identify both internal systems and anything that is delivered by a third party. 
Once you have completed this discovery task, you should draft a migration plan.</p> <p>The purpose of this team will be to map cryptographic dependencies, assess risks and develop migration plans.</p> <p>Key roles:</p> <ul><li>Cryptography specialist</li> <li>Systems architect</li> <li>Asset discovery analyst</li> </ul><p><strong>Tip:</strong> Begin with a full discovery exercise to identify where <abbr title="public key cryptography">PKC</abbr> is used across systems, and don’t forget about your suppliers.</p> </div> <div> <h4>Technical implementation team</h4> <p>Once your organization has undertaken a discovery and mapping task, the next objective should be the implementation of <abbr title="Post-quantum cryptography">PQC</abbr> in discovered systems.</p> <p>The purpose of this group is to upgrade systems, integrate <abbr title="Post-quantum cryptography">PQC</abbr> algorithms and validate performance.</p> <p>Key roles:</p> <ul><li>Software engineers</li> <li>Network security engineers</li> <li>Infrastructure/development and operations (DevOps) leads</li> </ul></div> <div> <h4>Vendor and supply chain engagement team</h4> <p>During the discovery and mapping phase, it is likely that you will have identified that third-party systems will also need to be <abbr title="Post-quantum cryptography">PQC</abbr> compliant. It is therefore important to engage with suppliers as early as possible to ensure they can meet your <abbr title="Post-quantum cryptography">PQC</abbr> migration deadlines.</p> <p>The purpose of this group is to ensure that suppliers and other service providers are <abbr title="Post-quantum cryptography">PQC</abbr>-ready.</p> <p>Key roles:</p> <ul><li>Procurement lead</li> <li>Vendor risk manager</li> <li>Supply chain analyst</li> </ul><p><strong>Tip:</strong> If you supply other businesses, it is worth considering their demands for <abbr title="Post-quantum cryptography">PQC</abbr>-compliant services. 
Early <abbr title="Post-quantum cryptography">PQC</abbr> migration in your business may set you apart from your competitors.</p> </div> <div> <h4>Project management office (PMO)</h4> <p>As with all medium-to-large-scale projects, your organization may wish to consider a PMO team to oversee and coordinate the <abbr title="Post-quantum cryptography">PQC</abbr> migration plan, as well as the outputs and expectations from the other teams listed.</p> <p>The purpose of the PMO will be to oversee timelines, dependencies and reporting updates to the executive.</p> <p>Key roles:</p> <ul><li>Project manager</li> <li>Risk and issue manager</li> <li>Reporting analyst</li> </ul></div> </div> <div> <h3 id="Org-aware">Organizational awareness</h3> <p>As with most large projects, it is important that all affected stakeholders are aware of how <abbr title="Post-quantum cryptography">PQC</abbr> migration will impact them. It should be expected that the transition to <abbr title="Post-quantum cryptography">PQC</abbr> will affect most people in an organization and in varying ways, from the leadership who must oversee the work and provide the financing, to the employees who use the software and devices that will be transitioned.</p> <p>Your communication goals should be to:</p> <ul><li>inform senior leadership of the need to transition to <abbr title="Post-quantum cryptography">PQC</abbr> so that they can make necessary decisions for your organization. Discussion topics include the reason for the transition, estimated timelines, potential costs and other topics relevant to your organization.</li> <li>prepare teams within your organization that will be involved with the transition so that they are aware of their roles and responsibilities. Each team should use this information to develop or modify policies and procedures appropriately. 
For example, updating procurement policies to require the purchase of products that support <abbr title="Post-quantum cryptography">PQC</abbr>.</li> <li>inform members across the organization about what the transition to <abbr title="Post-quantum cryptography">PQC</abbr> is, why it is important and how it is expected to affect them and their work. This includes training on any new tools and policies that will be introduced during the transition.</li> </ul><p>Communications should continue throughout the project to ensure that all stakeholders are aware of the latest updates and can make relevant decisions.</p> </div> <div> <h3 id="Budget-consider">Budget considerations</h3> <p>When preparing for the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, organizations should create a financial plan. Although some transition costs can be covered through natural lifecycling of infrastructure, additional funding resources may be needed to pay for the work. The following is a list of items that an organization should consider when budgeting. Your organization may require additional financial resources in addition to those listed below.</p> <div> <h4>New hardware</h4> <p>You may find that you need to replace existing hardware if your vendor no longer supports it or has no plans to transition it to <abbr title="Post-quantum cryptography">PQC</abbr>. Additionally, new hardware may be needed to test configurations of existing systems to validate that the changes introduced during the transition will work in your environment. When developing a specific budget for the transition, consider whether hardware can be replaced through natural lifecycle replacement and therefore can be excluded from this specific budget.</p> </div> <h4>Software</h4> <p>Software that uses <abbr title="public key cryptography">PKC</abbr> should be upgraded or replaced to use <abbr title="Post-quantum cryptography">PQC</abbr> algorithms. 
However, if your software vendor will support <abbr title="Post-quantum cryptography">PQC</abbr> and it is under a support contract, it may not be necessary to budget for replacement. Any changes to software should nonetheless be tested to ensure that it still meets the requirements of your organization.</p> <h4>Support contracts</h4> <p>Maintaining support contracts with vendors may be a good approach to upgrade product firmware and software. However, you should first communicate with your vendors to determine whether they will transition to <abbr title="Post-quantum cryptography">PQC</abbr> and will cover the <abbr title="Post-quantum cryptography">PQC</abbr> algorithms under existing contracts.</p> <h4>Employees and training</h4> <p>It may be necessary to train IT staff on how to use and appropriately configure any new or modified hardware and software to meet organizational requirements and to avoid introducing any vulnerabilities when deploying <abbr title="Post-quantum cryptography">PQC</abbr>. It may also be necessary to inform and educate other staff about new tools or changes to existing tools that may affect their work.</p> <h4>Contractors</h4> <p>For many organizations, transitioning to <abbr title="Post-quantum cryptography">PQC</abbr> may require more resources or cryptographic expertise than the organization has available. Augmenting staff with contractors during the transition may provide the necessary resources to complete the transition while limiting the impact on normal operations.</p> <h4>Outsourcing</h4> <p>Rather than augmenting your staff with contractors, you may wish to outsource the work to organizations that provide <abbr title="Post-quantum cryptography">PQC</abbr> transition expertise. 
You may wish to check whether your national technical authority provides formal accreditation of these organizations.</p> </div> <div> <h3 id="Crypto-agil">Cryptographic agility</h3> <p>Systems deploying cryptographic mechanisms cannot offer continuous security throughout their lifetimes. This is especially true when you consider the threat posed by state-of-the-art technology that is continuously evolving and becoming more advanced. When the underlying components of a system (or protocols) are rigid, any attempt to transition to a more secure design will always entail significant financial, time and organizational resources, while also making it harder to remain interoperable. For example, it took several decades to transition from the Data Encryption Standard (DES) block cipher to the Advanced Encryption Standard (AES), with <abbr title="National Institute for Standards and Technology">NIST</abbr> finally disallowing the use of the Triple Data Encryption Algorithm (TDEA) as of January 1, 2024.</p> <p>The concept of cryptographic agility is to design protocols and systems in a modular scheme, allowing for the reconfiguration or replacement of individual components. As the migration to <abbr title="Post-quantum cryptography">PQC</abbr> will require a significant overhaul of the current systems in use, there is a long-term security and financial gain to be had by integrating crypto agility into the current transition.</p> <p>The fundamental step to becoming cryptographically agile is the ability to detect weaknesses in deployed systems and to know where changes will need to be made. This leads to the requirement to build and continuously maintain and update a complete cryptographic inventory. 
This should remain a top priority going forward for all areas where cryptographic mechanisms are used.</p> <p>The way cryptographic agility is implemented and the requirements for achieving it depend on the specific context—whether at the vendor or purchaser level, or within a system or protocol. For purchasers, this involves considering crypto agility when buying products and maintaining regular communication with vendors and security experts to remain secure. For a system, this could include an efficient quantum-safe update mechanism for cryptographic components realized in software, firmware or field-programmable gate arrays (FPGAs). For a protocol, a cryptographically agile design should not only facilitate inserting and switching between new algorithms and suites but also incorporate identification methods which would allow for a simple inclusion of new algorithms/suites at a later date. Additionally, for algorithms themselves, such crypto agile designs should allow changes to the parameters which determine the security level provided.</p> <p>Deploying systems and protocols to be cryptographically agile provides various advantages beyond being prepared for the future. Along with offering long-term protection, crypto-agile systems and protocols can be applied in various countries and international organizations. 
It can also protect confidential information where there may be differing guidelines for parameters and algorithms, ensuring easier compliance for each use-case.</p> <p><a href="https://csrc.nist.gov/pubs/cswp/39/considerations-for-achieving-cryptographic-agility/2pd"><abbr title="National Institute for Standards and Technology">NIST</abbr>’s Cybersecurity White Paper (CSWP) 39</a> and <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Canadian Centre for Cyber Security’s (CCCS) Guidance on becoming cryptographically agile</a> provide more detail on approaches to cryptographic agility.</p> </div> </section><section><h2 id="Plan-dev">Migration plan development</h2> <p>Your organization will most likely develop many plans during the <abbr title="Post-quantum cryptography">PQC</abbr> transition. From high-level plans covering the organization down to specific plans for transitioning individual systems, planning is critical to the success of the <abbr title="Post-quantum cryptography">PQC</abbr> transition. While developing plans, organizations should consider factors such as risk to data, impact on users both internally and externally, interoperability requirements, and service level agreements, as they will all have an effect on how you proceed. This section provides considerations for your organization. As with all subjects described in this publication, you should ensure that all <abbr title="Post-quantum cryptography">PQC</abbr> planning is tailored to your environment.</p> <div> <h3 id="Id-crypto">Identifying cryptography</h3> <p>Building a detailed cryptographic inventory is an important step in an organization’s quantum-readiness plan. 
This is a resource-intensive task, as many organizations lack visibility into where and how cryptography is used across systems, devices, network protocols and cloud services.</p> <p>In addition, identification of cryptography should be approached as an ongoing, iterative process, in which each cycle progressively refines the inventory and improves data accuracy. Ideally, this process should be repeated periodically to ensure that the information remains current and reliable.</p> <p>Organizations may start by leveraging existing asset inventory data, obtained as part of standard information security management practices, to identify systems, applications and data flows that depend on cryptographic functions. This establishes a foundation for assessing <abbr title="Post-quantum cryptography">PQC</abbr> migration needs and prioritizing remediation efforts.</p> <p>The cryptographic discovery and planning team, which is responsible for the cryptographic inventory, should allocate significant time and resources. Failure to identify a cryptographic asset at this stage may result in an unacceptable cyber security risk when <abbr title="Cryptographically relevant quantum computer">CRQC</abbr>s become available to malicious actors.</p> <p>The collected information should be as detailed as possible (algorithm, key length, usage, etc.), as it will determine whether a cryptographic asset is vulnerable to quantum attack. This will allow the organization to perform an adequate risk evaluation.</p> <p>The cryptographic inventory could be based on standard, machine-readable formats such as the Cryptographic Bill of Materials (CBOM). 
For more information, read <a href="#cryto-inventory-bill">Cryptographic inventory and the <abbr title="Cryptographic Bill of Materials">CBOM</abbr></a> in the Appendix to this publication.</p> <p>While the primary focus of the transition is migrating traditional <abbr title="public key cryptography">PKC</abbr> to <abbr title="Post-quantum cryptography">PQC</abbr>, it is also valuable to identify where cryptography is used across all systems and supply chains (for example, symmetric algorithms, hash functions, etc.), even though these are unlikely to be in scope of <abbr title="Post-quantum cryptography">PQC</abbr> migration, in order to further enhance cryptographic agility within the organization (see Cryptographic agility).</p> <div> <h4>Scenarios where cryptographic assets are used</h4> <p>A complete inventory requires investigating cryptographic assets in several different scenarios that can be grouped into the following 4 areas of research.</p> <div> <h5>Networked appliances and applications</h5> <p>These include systems that use cryptographic algorithms during the transmission of data. For example, TLS uses <abbr title="public key cryptography">PKC</abbr> to establish secure communication tunnels between systems. Networked appliances and applications include but are not limited to:</p> <ul><li>network devices: routers, firewalls, virtual private network (VPN) gateways, etc.</li> <li>application servers: web, email, database, etc.</li> <li>messaging applications</li> </ul><p>In this scenario, at least the following widely deployed protocols must be assessed, as they rely on quantum-vulnerable cryptographic primitives (Rivest-Shamir-Adleman (RSA) or Elliptic Curve Digital Signature Algorithm (ECDSA) signatures and Diffie-Hellman and ECDH key exchange):</p> <ul><li>TLS: the backbone of secure web communications. 
Monitoring TLS traffic provides direct visibility into cipher suites, key lengths and certificate types currently in use.</li> <li>Secure Shell (SSH): critical for administrative access and automation. Assessing the configuration of both SSH servers and clients helps to map which algorithms are actively used for authentication and key negotiation.</li> <li>Authentication and authorization protocols: Open Authorization (OAuth), OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) make use of digital signatures to verify authenticity and integrity of tokens<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> and messages.</li> <li>Internet Protocol Security (IPsec), Internet Key Exchange (IKE): fundamental for VPNs and remote working environments.</li> <li>Email security protocols (S/MIME, PGP): widely used for ensuring confidentiality, authenticity and integrity of email.</li> </ul><p>In addition, particular attention should be paid to Internet-facing network services, as exposure to the public network significantly increases the risk of an attack by a malicious actor (for example, HNDL attacks). See “<a href="#Prioritization">Prioritization</a>” below for more details.</p> </div> <div> <h5>Externally developed software and hardware</h5> <p>These are systems that your organization uses but which are not developed internally. They use cryptography, but not for transmitting data. 
For example, these may include software that relies primarily on <abbr title="public key cryptography">PKC</abbr>, such as:</p> <ul><li>digital signing and PKI software</li> <li>digital rights management (DRM) software</li> <li>Secure Boot and firmware integrity software</li> </ul><p>It may also include software that extensively uses symmetric cryptography to securely store data and may apply <abbr title="public key cryptography">PKC</abbr> for authentication and authorization, such as:</p> <ul><li>identity and access management (IAM), privileged access management (PAM) and key management systems (KMS)</li> <li>password managers</li> <li>database, file and disk encryption tools</li> </ul><p>Externally developed hardware devices include:</p> <ul><li>hardware security modules (HSMs)</li> <li>smart cards</li> <li>trusted platform modules (TPMs)</li> <li>specialized embedded devices <sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup></li> </ul><p>In this case, since the source code of the applications or firmware is not available, identifying cryptographic components requires the cooperation of vendors, who may provide a <abbr title="Cryptographic Bill of Materials">CBOM</abbr> or a Software Bill of Materials (SBOM). You can read more about <abbr title="Cryptographic Bill of Materials">CBOM</abbr>s and <abbr title="Software Bill of Materials">SBOM</abbr>s in <a href="#crypto-inventory-bill">Cryptographic inventory and the Cryptographic Bill of Materials</a>, found in the Appendix. 
Alternatively, for legacy systems or when vendor support is not available, we recommend the use of vulnerability scanners and binary inspection utilities.</p> <p>Moreover, some applications could adopt cryptography for network transmissions as well as for other purposes and may need multiple approaches to understand the cryptography implemented.</p> </div> <div> <h5>Internally developed and open-source software</h5> <p>These consist of software that is developed inside your organization or software for which source code is available. This allows you to understand how cryptography is used.</p> <p>For many software projects, integrated development environment (IDE) plugins or software composition analysis (SCA) tools can help to identify the use of cryptographic primitives within the code and to develop an <abbr title="Software Bill of Materials">SBOM</abbr>, which will list the components that make up the software. The migration of this software will require internal remediation actions to change configurations, code, application programming interfaces (APIs) or libraries.</p> </div> <div> <h5>Cloud services and externally managed systems</h5> <p>Particular attention must be paid to cloud services, especially within platform-as-a-service (PaaS) and software-as-a-service (SaaS) models, since organizations cannot directly identify or control the cryptography used and must therefore rely on attestations or certifications provided by the service provider. 
In this context, the cryptographic discovery and planning team should engage with cloud service providers to confirm whether their encryption algorithms and security controls are aligned with <abbr title="Post-quantum cryptography">PQC</abbr> transition strategies, as outlined in <a href="#Operational-Tech">Operational and cloud technology considerations</a>.</p> <p>Moreover, cloud services are often delivered over the public Internet, thus potentially exposing the organization’s data to malicious actors.</p> </div> </div> </div> <div> <h3 id="Prioritization">Prioritization</h3> <p>The complete migration to <abbr title="Post-quantum cryptography">PQC</abbr> will be an enormous effort and it cannot be accomplished in 1 step. Therefore, organizations must apply a method of prioritization to assess which systems are more vulnerable to the rising threats and to identify an order for the migration. The most reasonable way to perform this assessment will be to carry out a quantum risk analysis once an inventory of data assets and cryptographic tools has been produced.</p> <p>Risk assessment is a standard IT infrastructure technique to understand the vulnerabilities of a system and the impact of a potential breach. A quantum risk assessment should follow a similar methodology. In most cases, the functionality provided by the system will have an effect on which threats are relevant and the scope of the threat. Developing a risk assessment is not necessarily a task for one specific team, but rather an ongoing requirement throughout the <abbr title="Post-quantum cryptography">PQC</abbr> migration on which multiple teams may need to work in tandem.</p> <p>The table below provides the main considerations that need to be taken into account for prioritization within a <abbr title="Post-quantum cryptography">PQC</abbr> transition plan, but it is not intended as a complete list. 
This approach is compatible with that described in the European Commission’s <a href="https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography">A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography</a>. An in-depth example of how to build a quantum risk assessment can be found in the Netherlands General Intelligence and Security Service’s <a href="https://english.aivd.nl/documents/2024/12/3/the-pqc-migration-handbook">The <abbr title="Post-quantum cryptography">PQC</abbr> Migration Handbook</a>.</p> <div> <div class="table-responsive"> <table class="table table-bordered"><thead><tr><th scope="col">Factor</th> <th scope="col">Description</th> <th scope="col">Considerations</th> </tr></thead><tbody><tr><th scope="row">Potential damage</th> <td>The damage that could occur if data was unprotected and obtained by an adversary.</td> <td>Data that is of high interest, such as financial, personally identifiable information (PII) and government-mandated records, may be considered to be of high priority.</td> </tr><tr><th scope="row">Data lifespan</th> <td>The expected period during which the data will be of value and/or should be protected.</td> <td>Data that is susceptible to HNDL attacks could be considered higher priority.</td> </tr><tr><th scope="row">Accessibility of the data</th> <td>Where the data is located, and whether a threat actor could attempt to obtain and decrypt it.</td> <td>Data that is exposed to open networks should be considered to have a higher priority than data that is locked securely (for example, offline, in protected zones, or over VPNs or secure websites).</td> </tr><tr><th scope="row">Time to migrate the system</th> <td>How long it would take to complete the migration of a system.</td> <td>The migration time for some cryptographic systems, such as PKIs, will take many years due to their complex structure. 
Therefore, organizations need to account for the time to migrate a system.</td> </tr></tbody></table></div> </div> <p>Because organizations have to work with restricted resources and potentially depend on external vendors, other factors could affect when specific transitions can take place. These additional factors could include:</p> <ul><li>availability of <abbr title="Post-quantum cryptography">PQC</abbr> products and services</li> <li>service level agreement requirements</li> <li>availability of human and financial resources</li> <li>external integration points (for example, inter-office VPNs, cloud providers)</li> </ul><p>Additionally, it may be beneficial to focus on a simple <abbr title="Post-quantum cryptography">PQC</abbr> upgrade at the beginning of the transition to understand the new cryptographic parameters and develop expertise before attempting larger, more complex upgrades.</p> <p>Once the appropriate factors have been decided upon, organizations will need to determine how to assign a quantum risk assessment. For simplicity, a qualitative scheme with 3 assessment levels such as low, medium and high should be sufficient for organizations to determine the order for the transition. In general, the higher the rating assigned, the higher the priority of migrating to <abbr title="Post-quantum cryptography">PQC</abbr>.</p> <p>The following 2 examples highlight cases where a high quantum risk assessment should be applied:</p> <ul><li>the protection of confidential data that needs to remain undisclosed for a long period of time</li> <li>the protection of software/firmware updates, for which migration could take a significant amount of time to complete</li> </ul><p><strong>Note:</strong> Timeframes for protecting data may differ based on individual nations’ jurisdiction.</p> <p>It is important for organizations to communicate with vendors to understand their plans. 
We recommend regular communication to ensure that, if their <abbr title="Post-quantum cryptography">PQC</abbr> product roadmaps have changed, you will be able to adjust your plans accordingly. You may discover that your current infrastructure will need to be replaced as either your vendor or the standardized protocols that your services use will not support <abbr title="Post-quantum cryptography">PQC</abbr> in the future. For example, <abbr title="Post-quantum cryptography">PQC</abbr> will only be available in TLS 1.3 and later. If your web services use TLS 1.2 for securing communications, you may have to:</p> <ul><li>upgrade the software</li> <li>upgrade the operating system that runs the software</li> <li>replace the infrastructure the service runs on</li> <li>deal with any combination of the above</li> </ul></div> <div> <h3 id="Transition">Transition</h3> <p>The transition phase is used to implement <abbr title="Post-quantum cryptography">PQC</abbr> on quantum-vulnerable systems. A plan for this phase will need to meet your organization’s requirements and consider items including, but not limited to, timelines, business operations and the priority of the data and systems that the cryptography protects.</p> <p>While developing the transition plan, we recommend that you perform tabletop exercises that will help identify any issues that may prevent a smooth transition to <abbr title="Post-quantum cryptography">PQC</abbr>. Determining potential issues early on will generally reduce costs, errors and the time to perform the transition, and may result in fewer issues during the upgrade process. When performing the transition, make sure to follow your organization’s change-management processes.</p> </div> <div> <h3 id="Testing">Testing</h3> <p>In addition to the testing that your organization already performs on your IT environments, you should consider adding <abbr title="Post-quantum cryptography">PQC</abbr> tests to your test plans. 
This will ensure that your IT environment continues to meet organizational requirements and also validate that the <abbr title="Post-quantum cryptography">PQC</abbr> has been implemented correctly. At minimum, your plans should:</p> <ul><li><strong>Ensure that the cryptographic products meet system requirements</strong><br /> Some devices use dedicated hardware or chip instruction extensions to improve the performance of traditional cryptography. Although initial testing shows some <abbr title="Post-quantum cryptography">PQC</abbr> processing is as fast as existing <abbr title="public key cryptography">PKC</abbr>, until dedicated hardware is available for <abbr title="Post-quantum cryptography">PQC</abbr>, it may perform more slowly than systems currently in use. Another consideration is that <abbr title="Post-quantum cryptography">PQC</abbr> keys, ciphertexts and signatures are often larger than those produced with the existing <abbr title="public key cryptography">PKC</abbr> algorithms. Problems could arise from these larger sizes when using low bitrate or noisy network connections such as on radios. Due to these concerns, and possibly others, it is important to ensure that new or transitioned devices continue to meet the system’s prescribed requirements.</li> <li><strong>Validate interoperability</strong><br /> Although a product may have been tested by a vendor, interoperability can fail between vendors based on different implementation assumptions. In situations where 2 or more products must work together to form a solution, it is important to perform testing to ensure that they will interoperate.</li> <li><strong>Test configurations to enable <abbr title="Post-quantum cryptography">PQC</abbr></strong><br /> Configuring a system to support <abbr title="Post-quantum cryptography">PQC</abbr> will often involve more than pressing a button or checking a box on a graphical interface. 
It may involve obtaining new cryptographic certificates as well as turning off cryptographic ciphers that you no longer wish to use. Having a plan to test varying configurations and verify that <abbr title="Post-quantum cryptography">PQC</abbr> algorithms are being used correctly will help prevent mistakes that could leave your data and systems unprotected.</li> </ul></div> <div> <h3 id="Documentation">Documentation</h3> <p>During the transition, it is important to ensure that each change to any system is well documented. Relevant documentation includes but is not limited to:</p> <ul><li><strong>Business continuity plans (BCPs)</strong><br /> As your environment changes, it is important to keep your BCP up to date so that it captures all the information necessary to continue business operations in the case of a disruption.</li> <li><strong>Configuration and use documentation</strong><br /> The configuration, as well as any specific use instructions for each system, should be recorded. This includes any configurations made to support <abbr title="Post-quantum cryptography">PQC</abbr> and deprecate traditional cryptographic algorithms.</li> <li><strong>Information technology asset management (ITAM)</strong><br /> Update the organization’s ITAM to record any changes to hardware and software, including removing any items that will no longer be needed after the transition.</li> <li><strong>Cryptographic information</strong><br /> Cryptographic recommendations will continue to change as new technologies are developed. Ensuring that all cryptographic technologies used in your organization are properly recorded and secured is an important part of cryptographic agility and will aid in future cryptographic changes. 
More information on storing cryptographic information can be found in <a href="#crypto-inventory-bill">Cryptographic inventory and the Cryptographic Bill of Materials</a> in the Appendix of this publication.</li> </ul></div> </section><section><h2 id="Conclusion">Conclusion</h2> <p>Although the transition to <abbr title="Post-quantum cryptography">PQC</abbr> will bring many challenges, including time, cost and complexity, the G7 CWG believes that it is an important part of protecting your organization’s information technology and data. The G7 CWG has published this guidance on important topics that we believe will help you prepare your organization during the transition. In addition to this publication, the G7 CWG recommends that you review other relevant guidance including that from standards bodies as well as your national cyber agency. Please note that the guidance presented in this publication is for informational purposes only and should be tailored to fit the needs of your organization.</p> </section><section><h2 id="Appendix">Appendix</h2> <p>This appendix provides additional information on select topics that may be of interest to the reader.</p> <h3 id="consider-crypto-id">Considerations for identifying cryptography</h3> <h4>Tools and methods for cryptographic discovery</h4> <p>You can use different categories of tools and techniques to identify cryptographic assets in different scenarios. In most cases, relying only on automated tools won’t be enough to exhaustively find cryptography in your environment, as the tools may miss something or provide false positives. 
It is necessary to combine automated and manual approaches (for example, tool output review, documentation analysis, vendor communications, internal discussions, etc.).</p> <p>The following sections outline different tools and techniques that you can use and their purposes.</p> <div> <p><strong>Network devices and applications</strong></p> <ul><li>Active network vulnerability scanners: to interrogate network services directly and list supported protocols, cipher suites, and key-exchange mechanisms, highlighting the use of weak or deprecated algorithms. For example, nmap, testssl.sh and openssl</li> <li>Passive monitoring and traffic analyzers: to capture and analyze live communications in order to observe which cryptographic protocols and algorithms are actually negotiated during sessions. For example, Wireshark and tcpdump</li> <li>Large-scale network scanning frameworks like Shodan or Censys.io can be employed to map cryptographic exposure of Internet-facing assets</li> </ul></div> <div> <p><strong>Externally developed software and hardware</strong></p> <ul><li>Binary and library inspection utilities: to analyze executables and verify dynamically linked cryptographic components and symbols</li> <li>Firmware inspection and analysis methods: to examine firmware images of embedded devices or accelerators for implemented algorithms and potential hardcoded keys</li> <li>System and hardware inventory utilities: to detect the presence of cryptographic accelerators, secure co-processors or dedicated modules integrated into servers and network appliances</li> </ul></div> <div> <p><strong>Internally developed and open-source software</strong></p> <ul><li>Source code analysis methods: to identify direct calls to cryptographic APIs, functions or hardcoded keys inside applications.</li> <li>Dependency and package inspection tools: to detect cryptographic libraries declared in project files or packages</li> <li>Static and dynamic analysis techniques: to examine compiled code 
for linked cryptographic components and functions</li> </ul></div> <p>It is important to note that most tools available (at the time of writing) were not originally designed to detect weaknesses specifically from a quantum-safe perspective. Their primary function is to identify outdated software versions, insecure configurations and vulnerable cryptographic implementations. However, they can still be effectively repurposed in the context of post-quantum migration, since they provide valuable insights on where traditional algorithms are deployed. By leveraging these existing tools, organizations can build an initial cryptographic inventory and highlight systems that are most exposed to quantum-related risks, even before dedicated <abbr title="Post-quantum cryptography">PQC</abbr>-focused discovery solutions become widely available.</p> <h4 id="crypto-inventory-bill">Cryptographic inventory and the Cryptographic Bill of Materials</h4> <p>There are different approaches for building and managing a cryptographic inventory, but adopting a structured, machine-readable representation of cryptographic assets, such as the <abbr title="Cryptographic Bill of Materials">CBOM</abbr>, is highly recommended.</p> <p><abbr title="Cryptographic Bill of Materials">CBOM</abbr> is a specialized extension of an <abbr title="Software Bill of Materials">SBOM</abbr><sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup> that focuses exclusively on cryptographic assets. Essentially, it is a detailed list in a machine-readable format that describes cryptography in use along with metadata. It can track dependencies between algorithms and provide a way to associate both traditional and quantum security vulnerability scores with identified assets.</p> <p>Beyond its role as an inventory, the <abbr title="Cryptographic Bill of Materials">CBOM</abbr> helps increase the visibility of cryptographic assets across the organization and supports risk assessment. 
It allows organizations to evaluate quantum vulnerability, prioritize remediation and identify long-lived assets at risk of HNDL attacks.</p> <p>Furthermore, because the <abbr title="Cryptographic Bill of Materials">CBOM</abbr> can be easily updated throughout system and application lifecycles, it helps organizations maintain long-term consistency and control over their cryptographic assets.</p> <h3 id="hybrid-crypto">Hybrid cryptography</h3> <p>In the context of the transition to <abbr title="Post-quantum cryptography">PQC</abbr>, hybrid or composite schemes may combine multiple cryptographic algorithms via suitable methods to achieve the desired security for the complete scheme, even if one of the components has been weakened or even broken. For signature schemes, this can be a method such as having 2 or more signature schemes implemented in parallel, with the complete signature valid only when all signature components are valid. For key agreement schemes, multiple KEMs are combined to produce a single shared secret, in a so-called KEM-combiner. This tends to involve additional steps beyond computing the individual KEM components and leads to more complicated security analysis for the complete scheme.</p> <p>The typical use case currently involves combining a traditional, well-tested (albeit not quantum-secure) public key algorithm with a new <abbr title="Post-quantum cryptography">PQC</abbr> algorithm to form a post-quantum/traditional hybrid. If the <abbr title="Post-quantum cryptography">PQC</abbr> algorithm is appropriately implemented, such schemes provide potential protection against HNDL attacks, while maintaining the current level of security.</p> <p>Certain hybrid approaches could support long-term security while maintaining backwards compatibility or policy compliance and enabling the introduction of new algorithms across systems. 
You must carefully assess hybrid approaches to select the appropriate scheme for the desired need.</p> <h2 id="Operational-Tech">Operational and cloud technology considerations</h2> <p>Operational technology (OT) networks contain hardware and software that are used to control or monitor the physical world. They are often deployed in industrial or commercial settings to manage and monitor equipment, when doing it manually may not be practical – for example, managing high-voltage output of electrical generators. Although it is recommended that organizations transition their infrastructure to <abbr title="Post-quantum cryptography">PQC</abbr>, it may not be possible or feasible to transition machinery that is managed and controlled by OT due to cost or availability. For this reason, other options should be considered.</p> <p><strong>Segmentation:</strong> It may be possible to segment technologies that cannot be transitioned to <abbr title="Post-quantum cryptography">PQC</abbr> away from the OT network. This may mean air-gapping an individual device or placing it on an air-gapped network with other systems that cannot be transitioned. Air-gapping technologies reduce, but cannot completely eliminate, the risk of attacks by threat actors. Depending on the OT network design, OT devices may need to communicate outside of the air-gapped network, so segmentation may not be possible. OT networks that are already air-gapped will already provide this security.</p> <p><strong>Tunnelling:</strong> OT infrastructure that cannot be segmented can use tunnelling to protect data in transit. The OT system in question uses a device to perform <abbr title="Post-quantum cryptography">PQC</abbr> encryption on its behalf. Examples of this approach include placing a VPN in front of the device or having a reverse proxy server that supports <abbr title="Post-quantum cryptography">PQC</abbr>. 
This approach allows infrastructure to be reachable by the OT network, while protecting the network with <abbr title="Post-quantum cryptography">PQC</abbr>.</p> <p>Many major cloud providers have already started to publish their plans to transition to <abbr title="Post-quantum cryptography">PQC</abbr>. If organizations are using a cloud provider for their software or infrastructure, they should communicate with their providers to understand their plans and timelines. When using hybrid cloud environments (a combination of both private and public cloud infrastructure), it will be important to ensure that both clouds continue to work together during the transition. When engaging with new cloud providers, we recommend requiring as part of the procurement contract that the provider support <abbr title="Post-quantum cryptography">PQC</abbr>.</p> <h3>Cryptographic assets in operational technology</h3> <p>In OT environments, such as industrial control systems (ICS), cryptographic discovery poses additional challenges compared to traditional IT systems due to limited computational resources, legacy systems and vendor-specific implementations. Moreover, unlike traditional IT, many industrial processes support critical functions that cannot be interrupted, which further complicates analysis activities.</p> <p>In addition to involving the vendor, suitable approaches could include:</p> <ul><li>Passive network monitoring, to identify which cryptographic protocols and cipher suites are negotiated in ICS/SCADA traffic without impacting the continuity or the integrity of industrial operations,</li> <li>Firmware and configuration inspection, to verify embedded cryptographic mechanisms in programmable logic controllers (PLCs) and industrial systems,</li> </ul><h3 id="Cert">Certification</h3> <p>Certification is a recognition by an independent assessment body that a product meets certain criteria. 
This can include implementation, evaluation and security assessments, thereby ensuring a high level of security for users and developers in the cyber security landscape. A certification is accompanied by a level of assurance, which corresponds to the depth of the analysis carried out by the evaluator, in accordance with the sponsor’s security objectives. Countries or industry sectors may have distinct certification schemes, but some schemes may be mutually recognized or internationally accepted.</p> <p>For the client and beneficiaries, certification represents a guarantee, often provided by a third-party organization, of the quality, safety or security of a product that they can verify before purchasing it.</p> <p>The transition to <abbr title="Post-quantum cryptography">PQC</abbr> will be long and costly. <abbr title="Post-quantum cryptography">PQC</abbr> requirements will need to be included in tenders to ensure the security of products in the coming years.</p> <p>Countries and industry sectors that have policies or regulations requiring certification benefit when there are multiple certified products with <abbr title="Post-quantum cryptography">PQC</abbr> available on the market.</p> <p>Certification schemes should be adapted to include requirements for <abbr title="Post-quantum cryptography">PQC</abbr> as soon as possible. This will involve working with national authorities, centres of expertise and laboratories, as well as solution providers to update regulations, certification processes and products.</p> <h3 id="info-sec">Information security management standards</h3> <p>For organizations that use standards as part of managing their information security, the following table associates sections within this document with relevant standards. You may wish to review the references when performing the transition to <abbr title="Post-quantum cryptography">PQC</abbr>. 
This is not an exhaustive list and the G7 CWG recognizes that your organization may use other standards in place of or in addition to the ones listed below.</p> <h4>Relevant Standards</h4> <table class="table table-bordered"><thead><tr><th scope="col">Publication section</th> <th scope="col">Reference</th> </tr></thead><tbody><tr><td><a href="#Documentation">Documentation</a></td> <td><a href="https://www.iso.org/fr/standard/27001">International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) Standard 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements</a> Annex A, Section 8.32 Change Management</td> </tr><tr><td><a href="#Id-crypto">Identifying cryptography</a></td> <td><a href="https://www.iso.org/fr/standard/75652.html">ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls</a> Control 5.9, Inventory of Information &amp; Other Associated Assets</td> </tr><tr><td><a href="#Id-crypto">Identifying cryptography</a></td> <td><a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf"><abbr title="National Institute for Standards and Technology">NIST</abbr> Cybersecurity Framework 2.0 (PDF)</a> Appendix A. 
CSF Core Function IDENTIFY,<br /> Category ASSET MANAGEMENT:<br /> ID.AM-01, ID.AM-02, ID.AM-03, ID.AM-04</td> </tr><tr><td><a href="#Testing">Testing</a></td> <td><a href="https://www.iso.org/fr/standard/75652.html">ISO/IEC 27001:2022</a>, Annex A, Section 8.29 Security Testing in Development and Acceptance<br /><a href="https://www.iso.org/fr/standard/75652.html">ISO/IEC 27001:2022</a>, Annex A, Section 8.31 Separation of Development, Test and Production Environments</td> </tr></tbody></table><aside class="wb-fnote" role="note"><h2 id="5">Footnotes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>European Commission. <a href="https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography">A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography</a>, June 2025.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>JSON Web Tokens (JWTs) in case of OAuth 2.0 and OIDC.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p>Operational technology (OT) and industrial control systems (ICS) or supervisory control and data acquisition (SCADA) environments often rely on custom embedded devices.</p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p>Both CycloneDX and SPDX <abbr title="Software Bill of Materials">SBOM</abbr> standard formats have specific extensions for <abbr title="Cryptographic Bill of Materials">CBOM</abbr>.</p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> 
</dl></aside></section></div> </div> </div> </div> </div> </article>

  • Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information – ITSP.40.111
    by Canadian Centre for Cyber Security on May 29, 2026 at 6:46 pm

    <article data-history-node-id="6161" about="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.40.111</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026 | Practitioner series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-md"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsp40111-cryptographic-algorithms-e.pdf">Cryptographic algorithms for unclassified, protected A, and protected B information (Version 5) – ITSP.40.111 (PDF, 868 KB)</a></p> </div> <h2 class="text-info" id="n1">Foreword</h2> <p>Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information is an UNCLASSIFIED publication issued by the Head, Canadian Centre for Cyber Security (Cyber Centre) and provides an update to and supersedes the previously published version. 
For more information, email or phone our Contact Centre at: <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>, <a href="tel:+16139497048">(613) 949-7048</a> or <a href="tel:+18332923788">1-833-CYBER-88</a>.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on May 29, 2026.</p> <h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> August 2, 2016</li> <li><strong>Updated version (version 2):</strong> August 17, 2022</li> <li><strong>Updated version (version 3):</strong> March 19, 2024</li> <li><strong>Updated version (version 4):</strong> March 5, 2025</li> <li><strong>Updated version (version 5):</strong> May 29, 2026</li> </ol><section><h2 class="text-info">Overview</h2> <p>This publication identifies and describes recommended cryptographic algorithms and appropriate methods of use that organizations can implement to protect sensitive information. For Government of Canada (GC) departments and agencies, the guidance in this publication applies to UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <p>Your organization’s ability to protect sensitive data and information is fundamental to the delivery of programs and services. Properly configured cryptography provides security mechanisms that can be used to protect the authenticity, confidentiality and integrity of information. 
Several algorithms may be required to satisfy your organization’s security requirements, and each algorithm should be selected and implemented to meet those requirements.</p> </section><section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#a1">1 Introduction</a> <ul class="lst-none"><li><a href="#a11">1.1 Practitioner notes</a></li> <li><a href="#a12">1.2 Policy drivers</a></li> <li><a href="#a13">1.3 Relationship to the <abbr title="information technology">IT</abbr> risk management process</a></li> </ul></li> <li><a href="#a2">2 Post quantum cryptography</a></li> <li><a href="#a3">3 Encryption algorithms</a> <ul class="lst-none"><li><a href="#a31">3.1 Advanced encryption standard algorithm</a></li> </ul></li> <li><a href="#a4">4 Encryption algorithm modes of operation</a> <ul class="lst-none"><li><a href="#a41">4.1 Protecting the confidentiality of information</a></li> <li><a href="#a42">4.2 Protecting the confidentiality and authenticity of information</a></li> </ul></li> <li><a href="#a5">5 Key establishment schemes</a> <ul class="lst-none"><li><a href="#a51">5.1 Rivest-Shamir-Adleman</a></li> <li><a href="#a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</a></li> <li><a href="#a53">5.3 Elliptic Curve Cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</a></li> <li><a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a></li> </ul></li> <li><a href="#a6">6 Digital signature schemes</a> <ul class="lst-none"><li><a href="#a61">6.1 Rivest-Shamir-Adleman</a></li> <li><a href="#a62">6.2 Digital Signature Algorithm</a></li> <li><a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a></li> <li><a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a></li> <li><a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a></li> <li><a href="#a66">6.6 Stateless Hash-Based Signature Algorithm</a></li> <li><a 
href="#a67">6.7 Stateful hash-based signature schemes</a></li> </ul></li> <li><a href="#a7">7 Hash functions</a> <ul class="lst-none"><li><a href="#a71">7.1 Secure Hash Algorithm-1</a></li> <li><a href="#a72">7.2 Secure Hash Algorithm-2</a></li> <li><a href="#a73">7.3 Secure Hash Algorithm-3</a></li> </ul></li> <li><a href="#a8">8 Extendable output functions</a> <ul class="lst-none"><li><a href="#a81">8.1 SHAKE</a></li> </ul></li> <li><a href="#a9">9 Message Authentication Codes</a> <ul class="lst-none"><li><a href="#a91">9.1 Keyed-Hash Message Authentication Code</a></li> <li><a href="#a92">9.2 Cipher-based Message Authentication Code</a></li> <li><a href="#a93">9.3 Galois/Counter Mode Message Authentication Code</a></li> <li><a href="#a94">9.4 KECCAK Message Authentication Code</a></li> </ul></li> <li><a href="#a10">10 Key Derivation Functions</a> <ul class="lst-none"><li><a href="#a101">10.1 One-Step Key Derivation Function</a></li> <li><a href="#a102">10.2 Two-Step Key Derivation Function</a></li> <li><a href="#a103">10.3 Key Derivation using pseudorandom functions</a></li> <li><a href="#a104">10.4 Internet Key Exchange version 2 Key Derivation Function</a></li> <li><a href="#a105">10.5 Transport Layer Security version 1.2 Key Derivation Function</a></li> <li><a href="#a106">10.6 Secure Shell Key Derivation Function</a></li> <li><a href="#a107">10.7 Secure Real-time Transport Protocol Key Derivation Function</a></li> <li><a href="#a108">10.8 Trusted Platform Module Key Derivation Function</a></li> <li><a href="#a109">10.9 Password-based Key Derivation Function</a></li> </ul></li> <li><a href="#b11">11 Key wrap modes of operation</a> <ul class="lst-none"><li><a href="#b111">11.1 Advanced Encryption Standard Key Wrap</a></li> <li><a href="#b112">11.2 Advanced Encryption Standard Key Wrap with Padding</a></li> </ul></li> <li><a href="#b12">12 Random bit generators</a></li> <li><a href="#b13">13 Commercial technologies assurance programs</a></li> <li><a 
href="#b14">14 Summary</a></li> <li><a href="#fig1">Figure 1: Cyber security risk management process</a></li> <li><a href="#b15">Annex 1: Revisions</a></li> </ul></details></section><section><h2 class="text-info" id="a1">1 Introduction</h2> <p>Organizations rely on information technology (IT) systems to achieve business objectives. These interconnected systems can be the targets of serious threats and cyber attacks that threaten the availability, authenticity, confidentiality and integrity of the information assets. Compromised networks, systems or information can negatively affect business activities and may result in data breaches and financial loss.</p> <p>This publication helps IT practitioners choose and appropriately use cryptographic algorithms. When used with valid domain parameters and specific key lengths, the cryptographic algorithms listed in this publication are recommended cryptographic mechanisms for protecting the authenticity, confidentiality and integrity of sensitive UNCLASSIFIED, PROTECTED A and PROTECTED B information to the medium injury level, as defined in the Cyber Centre’s <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="40878ccb-9e7b-4370-9e97-631a42ac4a2d" href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management: A lifecycle approach (ITSP.10.033)</a>. For requirements on the use of Cyber Centre-approved cryptography to protect PROTECTED C and classified information, email the Cyber Centre at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a>.</p> <p>This publication complements the Treasury Board of Canada Secretariat (TBS) <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=26262">Guideline on Defining Authentication Requirements</a>. 
Organizations are responsible for determining their security objectives and requirements as part of their risk management framework.</p> <h3 id="a11">1.1 Practitioner notes</h3> <p>In this publication, the Cyber Centre makes recommendations for cryptographic algorithms and parameters. We also list algorithms that should be phased out. New applications should not use these algorithms. Where these algorithms are used in existing applications, they should be replaced with the recommended algorithms in this publication. For certain algorithms, we specify a date by which organizations should replace these algorithms. In other instances, organizations should replace these algorithms as soon as possible.</p> <p>When an algorithm requires a primitive, organizations should choose 1 of the algorithms recommended in this publication, unless otherwise specified. For example, a hash function from section <a href="#a72">7.2 Secure Hash Algorithm-2</a> should be used when using the Keyed-Hash Message Authentication Code (HMAC) from section <a href="#a91">9.1 Keyed-Hash Message Authentication Code</a>. When an algorithm requires a parameter, organizations should select 1 of the recommended parameters in the given reference for the algorithm, unless otherwise specified.</p> <h3 id="a12">1.2 Policy drivers</h3> <p>Addressing and countering cyber threats and network vulnerabilities are crucial steps in securing networks, data and assets. 
GC departments must implement <abbr title="information technology">IT</abbr> security policies and procedures in accordance with the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578">Policy on Government Security</a>.</p> <h3 id="a13">1.3 Relationship to the <abbr title="information technology">IT</abbr> risk management process</h3> <p>The Cyber Centre’s <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="40878ccb-9e7b-4370-9e97-631a42ac4a2d" href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management: A lifecycle approach (ITSP.10.033)</a> recommends that organizations undertake activities at 2 levels: the departmental level and the information system level.</p> <div class="panel panel-default col-md-12"> <div class="panel-body"> <figure><figcaption class="text-center" id="fig1"><strong>Figure 1: Cyber security risk management process</strong></figcaption><img alt="Figure 1 – Long description immediately follows" class="img-responsive center-block" src="/sites/default/files/images/itsp.40.111-fig1-e.png" /></figure><details><summary>Long description – Figure 1: Cyber security risk management process</summary><p>This figure describes the high-level departmental <abbr title="information technology">IT</abbr> security risk management process and associated activities, as well as the information system security risk management activities. 
It also highlights how the <abbr title="information technology">IT</abbr> security risk management activities at both levels act together in a continuous cycle to efficiently maintain and improve the security posture of departmental information systems.</p> <p>At the departmental level, the <abbr title="information technology">IT</abbr> security risk management activities conducted by the departmental security authorities (for example, CSO, ITSC) include:</p> <ul><li>define departmental <abbr title="information technology">IT</abbr> security needs and security controls</li> <li>deploy security controls</li> <li>monitor and assess performance of security controls – maintain authorization</li> <li>identify security control updates</li> </ul><p>The key deliverables of the deploy security controls activity are departmental control profiles and departmental <abbr title="information technology">IT</abbr> threat assessment reports. These deliverables are key inputs into the security risk management activities at the information system level.</p> <p>At the information system level, the <abbr title="information technology">IT</abbr> security risk management activities conducted by <abbr title="information technology">IT</abbr> project managers, security practitioners and developers include:</p> <ul><li>define <abbr title="information technology">IT</abbr> security needs and security controls</li> <li>design and develop or acquire information system with security</li> <li>integrate, test, and install information system with security</li> <li>operate, monitor, and maintain information systems with security</li> <li>securely dispose of <abbr title="information technology">IT</abbr> assets at retirement</li> </ul><p>Information from the operations and maintenance activities provides feedback into the monitor and assess activity at the departmental level. 
The <abbr title="information technology">IT</abbr> security performance feedback supports the maintain authorization activity under the monitor and assess activity.</p> </details></div> </div> <p>Departmental-level activities are integrated into the organization’s security program to plan, manage, assess and improve the management of <abbr title="information technology">IT</abbr> security-related risks faced by the organization. Cryptographic algorithms should be considered during the define, deploy, and monitor and assess stages of the risk management process. These activities are described in detail in <a href="/en/guidance/annex-1-departmental-it-security-risk-management-activities-itsg-33">Annex 1 – Departmental IT security risk management activities (ITSG-33)</a>.</p> <p>Information system-level activities are integrated into an information system lifecycle to ensure:</p> <ul><li><abbr title="information technology">IT</abbr> security needs of supported business activities are met</li> <li>appropriate security controls are implemented and operating as intended</li> <li>continued performance of the implemented security controls is assessed, reported back and acted upon to address any issues</li> </ul><p>Cryptographic algorithms should be considered during all information system-level activities. These activities are described in detail in <a href="https://www.cyber.gc.ca/en/guidance/annex-2-information-system-security-risk-management-activities-itsg-33">Annex 2 – Information system security risk management activities (ITSG-33)</a>.</p> </section><div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a2">2 Post quantum cryptography</h2> <p>In August 2024, the U.S. 
National Institute of Standards and Technology (NIST) published standards for 3 post-quantum algorithms which are secure against known attacks from a quantum computer:</p> <ul><li>Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) (see section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>Module-Lattice-Based Digital Signature Algorithm (ML-DSA) (see section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> <li>Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) (see section <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>)</li> </ul><p><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> establishes shared key material between 2 parties over a public channel. It will replace the key establishment schemes in sections <a href="#a51">5.1 Rivest-Shamir-Adleman</a>, <a href="#a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</a>, and <a href="#a53">5.3 Elliptic Curve Cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</a> for most use cases.</p> <p><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> are digital signature schemes. <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> is a general-purpose, lattice-based signature scheme and will replace the signature schemes in sections <a href="#a61">6.1 Rivest-Shamir-Adleman</a> to <a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a> for most use cases. Hash-based signatures, including post-quantum stateful hash-based signature schemes and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr>, rely on a different mathematical problem than <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr>. 
Stateful hash-based signature schemes have the additional complexity that signature generation implementations must carefully manage an internal state. Mismanagement can result in a complete loss of security. <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> does not require state management but has inferior performance and larger signatures than <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and the stateful hash-based signature schemes.</p> <p>International standards bodies are incorporating these new post-quantum algorithms into network protocols. As new protocol standards become available, the Cyber Centre’s <a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> will be updated to include post-quantum configurations. For more detailed information on how to prepare, read <a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a>.</p> <p>This version of ITSP.40.111 includes new phase-out dates for quantum-vulnerable key establishment schemes and digital signature schemes.</p> <p><strong>Organizations should only use post-quantum public-key encryption and signature schemes that comply with the final, published standards (as referenced in this publication) to protect information or systems.</strong></p> </section><div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a3">3 Encryption algorithms</h2> <p>The following section outlines the recommended encryption algorithms for protecting the confidentiality of UNCLASSIFIED, PROTECTED A, and PROTECTED B information.</p> <h3 id="a31">3.1 Advanced Encryption 
Standard algorithm</h3> <p>We recommend the Advanced Encryption Standard (AES) algorithm, as specified in <abbr title="National Institute of Standards and Technology">NIST</abbr> Federal Information Processing Standard (FIPS) <a href="https://csrc.nist.gov/pubs/fips/197/final">197: Advanced Encryption Standard</a>, with key lengths of 128, 192, and 256 bits.</p> </section><div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a4">4 Encryption algorithm modes of operation</h2> <p>The following section outlines the encryption algorithm modes of operation that we recommend for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a41">4.1 Protecting the confidentiality of information</h3> <p>We recommend the following block cipher modes of operation for protecting the confidentiality of UNCLASSIFIED, PROTECTED A and PROTECTED B information, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/a/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> Special Publication (SP) 800-38A: Recommendation for Block Cipher Modes of Operation: Methods and Techniques</a>:</p> <ul><li>Electronic Codebook (ECB) mode is only suitable for situations in which a single block of data is being encrypted, or as specified in derived algorithms such as key wrapping (see section <a href="#b11">11 Key wrap modes of operation</a>). 
It should not be used for bulk data encryption</li> <li>Cipher Feedback (CFB)</li> <li>Output Feedback (OFB)</li> <li>Counter (CTR)</li> <li>Cipher Block Chaining (CBC) <ul><li>When using <abbr title="Cipher Block Chaining">CBC</abbr> mode with a plaintext input of bit length greater than or equal to the block size, a padding method must be used as described in Appendix A of <abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="special publication">SP</abbr> 800-38A. Protocols typically specify particular padding methods that may be used</li> <li>If no padding method is specified, we recommend the following modes from <a href="https://csrc.nist.gov/pubs/sp/800/38/a/sup/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="special publication">SP</abbr> 800-38A Addendum: Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for <abbr title="Cipher Block Chaining">CBC</abbr> Mode</a> <ul><li>CBC-CS1</li> <li>CBC-CS2</li> <li>CBC-CS3</li> </ul></li> </ul></li> </ul><p><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="special publication">SP</abbr> 800-38A lists several important requirements:</p> <ul><li><abbr title="Cipher Block Chaining">CBC</abbr> and <abbr title="Cipher Feedback">CFB</abbr> modes require unpredictable Initialization Vectors (IVs)</li> <li>For <abbr title="Output Feedback">OFB</abbr> mode, the <abbr title="Initialization Vectors">IV</abbr> must be a nonce that is unique to each execution of the encryption operation. 
It does not need to be unpredictable</li> <li><abbr title="Counter">CTR</abbr> mode requires a unique counter block for each block of plaintext ever encrypted under a given key, across all messages</li> </ul><p>For protecting data on storage devices, we recommend XTS-<abbr title="Advanced Encryption Standard">AES</abbr> mode as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/e/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38E: Recommendation for Block Cipher Modes of Operation: The XTS-<abbr title="Advanced Encryption Standard">AES</abbr> Mode for Confidentiality on Storage Devices</a>.</p> <h3 id="a42">4.2 Protecting the confidentiality and authenticity of information</h3> <p>We recommend the following modes of operation for protecting the confidentiality and authenticity of UNCLASSIFIED, PROTECTED A and PROTECTED B information:</p> <ul><li>Counter with Cipher Block Chaining Message Authentication Code (CCM) as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/c/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38C: Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality</a></li> <li>Galois/Counter Mode (GCM) as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/d/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and <abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr></a></li> </ul></section><div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a5">5 Key establishment schemes</h2> <p>A key establishment scheme is a procedure by which multiple participants create or obtain 
shared secrets, such as cryptographic keys. The following section outlines the key establishment schemes that we recommend for use with cryptographic algorithms for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a51">5.1 Rivest-Shamir-Adleman</h3> <p>We recommend the Rivest-Shamir-Adleman (RSA)-based key-transport and key-agreement schemes, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/b/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56B Rev. 2: Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography</a>, with an <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length of at least 2048 bits.</p> <p><strong>The <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length should be increased to at least 3072 bits by the end of 2030.</strong></p> <p><strong>The use of <abbr title="Rivest-Shamir-Adleman">RSA</abbr> without a post-quantum key establishment scheme should be phased out by the end of 2035.</strong></p> <h3 id="a52">5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</h3> <p>We recommend the Finite Field Cryptography (FFC) Diffie-Hellman (DH) and <abbr title="Finite Field Cryptography">FFC</abbr> Menezes-Qu-Vanstone (MQV)-based key-agreement schemes with valid domain parameters, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56A Rev. 3: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a>. 
The field size (prime modulus parameter) should be at least 2048 bits.</p> <p><strong>The <abbr title="Finite Field Cryptography">FFC</abbr> field size should be increased to at least 3072 bits by the end of 2030.</strong></p> <p><strong>The use of <abbr title="Finite Field Cryptography">FFC</abbr> <abbr title="Diffie-Hellman">DH</abbr> and <abbr title="Finite Field Cryptography">FFC</abbr> <abbr title="Menezes-Qu-Vanstone">MQV</abbr> without a post-quantum key establishment scheme should be phased out by the end of 2035.</strong></p> <h3 id="a53">5.3 Elliptic Curve Cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</h3> <p>We recommend the Elliptic Curve Cryptography (ECC) Cofactor Diffie-Hellman (ECC CDH) and <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Menezes-Qu-Vanstone">MQV</abbr>-based key-agreement schemes as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/a/r3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56A Rev. 3: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography</a>. We recommend the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Curve P-224</li> <li>Curve P-256</li> <li>Curve P-384</li> <li>Curve P-521</li> </ul><p><strong>Curve P-224 should be phased out by the end of 2030.</strong> We no longer recommend binary curves specified in <a href="https://csrc.nist.gov/pubs/fips/186-4/final">Appendix D of <abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a>.</p> <p><strong>All binary curves should be phased out by the end of 2030. 
A list of the curves to be phased out can be found in section 3.3 of <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a></strong>.</p> <p><strong>The use of <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Cofactor Diffie-Hellman">CDH</abbr> and <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Menezes-Qu-Vanstone">MQV</abbr> without a post-quantum key establishment scheme should be phased out by the end of 2035.</strong></p> <h3 id="a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</h3> <p>We recommend the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) as a general-purpose, post-quantum key establishment scheme, as specified in <a href="https://csrc.nist.gov/pubs/fips/203/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard</a>, with the following parameters:</p> <ul><li>ML-KEM-512</li> <li>ML-KEM-768</li> <li>ML-KEM-1024</li> </ul></section><div class="clearfix">&nbsp;</div> <div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h2 class="text-info" id="a6">6 Digital signature schemes</h2> <p>The following section outlines the algorithms that we recommend for digital signature applications providing data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A and PROTECTED B information. 
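The thresholds that section 5 states for key establishment, and that section 6 repeats for signatures (RSA and FFC moduli of at least 2048 bits, rising to 3072 by the end of 2030; P-224 and DSA phased out by the end of 2030; every classical scheme phased out by the end of 2035 unless paired with a post-quantum scheme), lend themselves to an automated inventory check. The Go program below is an added example written for this page; it is not Cyber Centre code, and the publication itself prescribes no tooling. It uses only the Go standard library to classify a parsed public key against those stated figures. The keys it examines are constructed inline: a bare RSA modulus of a chosen bit length stands in for a real key (the size check needs nothing else), and a freshly generated P-256 key is exported as a PEM "PUBLIC KEY" block the way most tooling would hand it over. The names Classify, ClassifyPEM and Verdict are the example's own.

```go
package main

import (
	"crypto"
	"crypto/dsa"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// Year-end deadlines stated in sections 5 and 6 of ITSP.40.111.
const (
	sizeIncreaseYear = 2030 // RSA/FFC to 3072 bits; P-224, binary curves and DSA phased out
	quantumPhaseOut  = 2035 // classical schemes used without a post-quantum scheme
)

// Verdict is the result of checking one public key against those thresholds.
type Verdict struct {
	Algorithm string   // family and size, e.g. "RSA-2048", "ECC P-224"
	Compliant bool     // meets today's minimum; Notes carry the deadlines that still apply
	Notes     []string
}

// Classify applies the publication's thresholds to a parsed public key. It only
// sees the algorithm family and parameter size; it cannot tell whether the key is
// paired with a post-quantum scheme, so that deadline is attached to every classical key.
func Classify(pub crypto.PublicKey) Verdict {
	pq := fmt.Sprintf("phase out use without a post-quantum scheme by end of %d", quantumPhaseOut)
	switch k := pub.(type) {
	case *rsa.PublicKey:
		bits := k.N.BitLen()
		v := Verdict{Algorithm: fmt.Sprintf("RSA-%d", bits)}
		switch {
		case bits < 2048:
			v.Notes = append(v.Notes, "modulus below the 2048-bit minimum")
		case bits < 3072:
			v.Compliant = true
			v.Notes = append(v.Notes, fmt.Sprintf("increase modulus to at least 3072 bits by end of %d", sizeIncreaseYear), pq)
		default:
			v.Compliant = true
			v.Notes = append(v.Notes, pq)
		}
		return v
	case *dsa.PublicKey: // section 6.2: existing use only, field size at least 2048 bits
		bits := k.P.BitLen()
		v := Verdict{Algorithm: fmt.Sprintf("DSA-%d", bits), Compliant: bits >= 2048}
		if bits < 2048 {
			v.Notes = append(v.Notes, "field size below the 2048-bit minimum")
		}
		v.Notes = append(v.Notes, fmt.Sprintf("not for new applications; phase out by end of %d", sizeIncreaseYear))
		return v
	case *ecdsa.PublicKey:
		name := k.Curve.Params().Name
		v := Verdict{Algorithm: "ECC " + name}
		switch name {
		case "P-224":
			v.Compliant = true
			v.Notes = append(v.Notes, fmt.Sprintf("phase out P-224 by end of %d", sizeIncreaseYear), pq)
		case "P-256", "P-384", "P-521":
			v.Compliant = true
			v.Notes = append(v.Notes, pq)
		default: // binary and other curves are not in the recommended list
			v.Notes = append(v.Notes, "curve is not in the recommended list")
		}
		return v
	case ed25519.PublicKey:
		return Verdict{Algorithm: "EdDSA Ed25519", Compliant: true, Notes: []string{pq}}
	default:
		return Verdict{Algorithm: fmt.Sprintf("%T", pub), Notes: []string{"not covered by this check"}}
	}
}

// ClassifyPEM parses a "PUBLIC KEY" (SubjectPublicKeyInfo) PEM block and classifies the key in it.
func ClassifyPEM(pemText []byte) (Verdict, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "PUBLIC KEY" {
		return Verdict{}, fmt.Errorf("expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return Verdict{}, err
	}
	return Classify(pub), nil
}

// rsaPublicKeyOfBits builds a stand-in RSA public key whose modulus has exactly the
// given bit length. Constructed for the size check only; it is not a usable key.
func rsaPublicKeyOfBits(bits int) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), uint(bits-1)), E: 65537}
}

// sampleP256PEM generates a fresh ECDSA P-256 key and returns its public half as PEM,
// standing in for a key exported from a real system (constructed sample input).
func sampleP256PEM() []byte {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	pemVerdict, err := ClassifyPEM(sampleP256PEM())
	if err != nil {
		panic(err)
	}
	keys := []crypto.PublicKey{
		rsaPublicKeyOfBits(1024), rsaPublicKeyOfBits(2048), rsaPublicKeyOfBits(3072),
		&ecdsa.PublicKey{Curve: elliptic.P224()}, ed25519.PublicKey(make([]byte, ed25519.PublicKeySize)),
	}
	for _, k := range keys {
		v := Classify(k)
		fmt.Printf("%-14s compliant=%-5t %v\n", v.Algorithm, v.Compliant, v.Notes)
	}
	fmt.Printf("%-14s compliant=%-5t %v\n", pemVerdict.Algorithm, pemVerdict.Compliant, pemVerdict.Notes)
}
```

Run with `go run`, it prints one line per key. A key can be compliant today and still carry two deadlines, which is the situation for most RSA-2048 and P-224 material in service; the classifier deliberately keeps "meets the current minimum" and "has a phase-out date" separate so that an inventory can be sorted by both. Whether a post-quantum scheme is actually paired with a classical key is a property of the protocol or system design, not of the key material, so that 2035 note has to be resolved against design records rather than by parsing keys.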
We also specify a digital signature scheme that was recommended in a previous version of this publication but should be phased out by the end of 2030.</p> <h3 id="a61">6.1 Rivest-Shamir-Adleman</h3> <p>We recommend the Rivest-Shamir-Adleman (RSA) digital signature algorithm, using RSASSA-PKCS1-v1.5 or RSASSA-PSS, as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a> with an <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length of at least 2048 bits.</p> <p><strong>The <abbr title="Rivest-Shamir-Adleman">RSA</abbr> modulus length should be increased to at least 3072 bits by the end of 2030.</strong></p> <p><strong>The use of <abbr title="Rivest-Shamir-Adleman">RSA</abbr> without a post-quantum digital signature scheme should be phased out by the end of 2035.</strong></p> <h3 id="a62">6.2 Digital Signature Algorithm</h3> <p><strong>The use of Digital Signature Algorithm (DSA) should be phased out by the end of 2030.</strong></p> <p>We no longer recommend the <abbr title="Digital Signature Algorithm">DSA</abbr> as specified in <a href="https://csrc.nist.gov/pubs/fips/186-4/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a> for new applications. 
Existing applications must use valid domain parameters for a field size (prime modulus parameter) of at least 2048 bits.</p> <h3 id="a63">6.3 Elliptic Curve Digital Signature Algorithm</h3> <p>We recommend the Elliptic Curve Digital Signature Algorithm (ECDSA) and deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr><sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a>. We recommend the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Curve P-224</li> <li>Curve P-256</li> <li>Curve P-384</li> <li>Curve P-521</li> </ul><p><strong>Curve P-224 should be phased out by the end of 2030.</strong></p> <p>We no longer recommend binary curves specified in Appendix D of <a href="https://csrc.nist.gov/pubs/fips/186-4/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-4: Digital Signature Standard</a>.</p> <p><strong>All binary curves should be phased out by the end of 2030.</strong> A list of the curves to be phased out can be found in section 3.3 of <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>.</p> <p><strong>The use of <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> without a post-quantum digital signature scheme should 
be phased out by the end of 2035.</strong></p> <h3 id="a64">6.4 Edwards-Curve Digital Signature Algorithm</h3> <p>We recommend the Edwards-Curve Digital Signature Algorithm (EdDSA) as specified in <a href="https://csrc.nist.gov/pubs/fips/186-5/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: Digital Signature Standard</a> with the following elliptic curves specified in <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186: Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters</a>:</p> <ul><li>Edwards25519</li> <li>Edwards448</li> </ul><p>We do not recommend the prehash version Hash<abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr>.</p> <p><strong>The use of <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> without a post-quantum digital signature scheme should be phased out by the end of 2035.</strong></p> <h3 id="a65">6.5 Module-Lattice-Based Digital Signature Algorithm</h3> <p>We recommend the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) as a general-purpose, post-quantum digital signature scheme as specified in <a href="https://csrc.nist.gov/pubs/fips/204/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 204: Module-Lattice-Based Digital Signature Standard</a> with the following parameters:</p> <ul><li>ML-DSA-44</li> <li>ML-DSA-65</li> <li>ML-DSA-87</li> </ul><h3 id="a66">6.6 Stateless Hash-Based Digital Signature Algorithm</h3> <p>We recommend the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) as a post-quantum digital signature scheme as specified in <a href="https://csrc.nist.gov/pubs/fips/205/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> 
<abbr title="Federal Information Processing Standards">FIPS</abbr> 205: Stateless Hash-Based Digital Signature Standard</a> with the following parameters:</p> <ul><li>SLH-DSA-SHA2-128s</li> <li>SLH-DSA-SHAKE-128s</li> <li>SLH-DSA-SHA2-128f</li> <li>SLH-DSA-SHAKE-128f</li> <li>SLH-DSA-SHA2-192s</li> <li>SLH-DSA-SHAKE-192s</li> <li>SLH-DSA-SHA2-192f</li> <li>SLH-DSA-SHAKE-192f</li> <li>SLH-DSA-SHA2-256s</li> <li>SLH-DSA-SHAKE-256s</li> <li>SLH-DSA-SHA2-256f</li> <li>SLH-DSA-SHAKE-256f</li> </ul><h3 id="a67">6.7 Stateful hash-based signature schemes</h3> <p>Stateful hash-based signature schemes are another family of post-quantum digital signature schemes. Implementations of signature generation for stateful hash-based signature schemes must carefully manage an internal state. This is an additional complexity in comparison to other types of digital signature schemes. Mismanagement of the internal state can result in a complete loss of security. Previously, we recommended stateful hash-based signatures when certain conditions applied, including when a post-quantum signature scheme must be implemented before general-purpose, post-quantum signature schemes were standardized. Although stateful hash-based signature schemes can still be used, the newly standardized post-quantum digital signature schemes <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> do not require state management (sections <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a> and <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>) and can be used in most situations where a digital signature scheme is needed. 
Stateful hash-based signatures should only be used when the signer is not required to rapidly produce signatures and is able to protect and manage private key state.</p> <p>If you are using stateful hash-based signatures, we recommend the following post-quantum digital signature schemes, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a>, using one of the hash functions <abbr title="Secure Hash Algorithm">SHA</abbr>-256, <abbr title="Secure Hash Algorithm">SHA</abbr>-256/192, SHAKE256/256, or SHAKE256/192 specified in section 2.3 of <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a>.</p> <ul><li>Leighton-Micali Signature (LMS)</li> <li>Hierarchical Signature System (HSS)</li> <li>eXtended Merkle Signature Scheme (XMSS)</li> <li>Multi-tree eXtended Merkle Signature Scheme (XMSS<sup>MT</sup>)</li> </ul></section><section><h2 class="text-info" id="a7">7 Hash functions</h2> <p>A hash function is a procedure to transform a message of arbitrary length into an output, called a "digest", of fixed length. A secure (cryptographic) hash function should satisfy additional properties, such as "collision resistance", whereby it is infeasible to find distinct messages with the same digest. 
The following section outlines the recommended hash functions for use with the cryptographic algorithms specified in this publication for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a71">7.1 Secure Hash Algorithm-1</h3> <p>We no longer recommend the use of Secure Hash Algorithm-1 (SHA-1), as specified in <a href="https://csrc.nist.gov/pubs/fips/180-4/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 180-4: Secure Hash Standard</a>, which was previously approved for use with keyed-hash message authentication codes, key derivation functions (KDFs) and random bit generators (RBGs).</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>-1 must not be used with digital signature schemes or with any applications that require collision resistance. <abbr title="Secure Hash Algorithm">SHA</abbr>-1 should be phased out for use in keyed-hash message authentication codes, <abbr title="key derivation functions">KDFs</abbr>, and <abbr title="random bit generators">RBGs</abbr>.</strong></p> <h3 id="a72">7.2 Secure Hash Algorithm-2</h3> <p>We recommend <abbr title="Secure Hash Algorithm">SHA</abbr>-224, <abbr title="Secure Hash Algorithm">SHA</abbr>-256, <abbr title="Secure Hash Algorithm">SHA</abbr>-384, <abbr title="Secure Hash Algorithm">SHA</abbr>-512, <abbr title="Secure Hash Algorithm">SHA</abbr>-512/224, and <abbr title="Secure Hash Algorithm">SHA</abbr>-512/256, as specified in <a href="https://csrc.nist.gov/pubs/fips/180-4/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 180-4: Secure Hash Standard</a>, for use with digital signature schemes, keyed-hash message authentication codes, <abbr title="key derivation functions">KDFs</abbr> and <abbr title="random bit generators">RBGs</abbr>. 
The truncated hash function <abbr title="Secure Hash Algorithm">SHA</abbr>-256/192 specified in <a href="https://csrc.nist.gov/pubs/sp/800/208/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-208: Recommendation for Stateful Hash-Based Signature Schemes</a> is only recommended for use with the stateful hash-based signature schemes listed in section <a href="#a67">6.7 Stateful hash-based signature schemes</a>.</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>-224 should be phased out by the end of 2030.</strong></p> <h3 id="a73">7.3 Secure Hash Algorithm-3</h3> <p>We recommend <abbr title="Secure Hash Algorithm">SHA</abbr>3-224, <abbr title="Secure Hash Algorithm">SHA</abbr>3-256, <abbr title="Secure Hash Algorithm">SHA</abbr>3-384, and <abbr title="Secure Hash Algorithm">SHA</abbr>3-512, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>, for use with digital signature schemes, keyed-hash message authentication codes, <abbr title="key derivation functions">KDFs</abbr> and <abbr title="random bit generators">RBGs</abbr>.</p> <p><strong><abbr title="Secure Hash Algorithm">SHA</abbr>3-224 should be phased out by the end of 2030.</strong></p> </section><section><h2 class="text-info" id="a8">8 Extendable output functions</h2> <p>An extendable-output function (XOF) is a procedure to transform a message of arbitrary length into an output that can be extended to any desired length. 
A secure <abbr title="extendable-output function">XOF</abbr> should satisfy additional properties, such as "collision resistance", whereby it is infeasible to find distinct messages with the same output. The following section outlines 2 <abbr title="extendable-output functions">XOFs</abbr> that we recommend for use with select cryptographic algorithms specified in this publication for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a81">8.1 SHAKE</h3> <p>We recommend SHAKE128, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation-Based Hash and Extendable-Output Functions</a>, for use in the following:</p> <ul><li><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> (section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>The digital signature schemes <ul><li><abbr title="Rivest-Shamir-Adleman">RSA</abbr> (section <a href="#a61">6.1 Rivest-Shamir-Adleman</a>)</li> <li><abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> (section <a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a>)</li> <li><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> (section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> </ul></li> <li>KECCAK Message Authentication Code (KMAC) (section <a href="#a94">9.4 KECCAK Message Authentication Code</a>)</li> </ul><p>We recommend SHAKE256, as specified in <a href="https://csrc.nist.gov/pubs/fips/202/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 202: <abbr title="Secure Hash Algorithm">SHA</abbr>-3 Standard: Permutation-Based Hash and Extendable-Output 
Functions</a>, for use in the following:</p> <ul><li><abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr> (section <a href="#a54">5.4 Module-Lattice-Based Key-Encapsulation Mechanism</a>)</li> <li>The digital signature schemes <ul><li><abbr title="Rivest-Shamir-Adleman">RSA</abbr> (section <a href="#a61">6.1 Rivest-Shamir-Adleman</a>)</li> <li><abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> (section <a href="#a63">6.3 Elliptic Curve Digital Signature Algorithm</a>)</li> <li><abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> (section <a href="#a64">6.4 Edwards-Curve Digital Signature Algorithm</a>) with curve Edwards448</li> <li><abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr> (section <a href="#a65">6.5 Module-Lattice-Based Digital Signature Algorithm</a>)</li> <li><abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> (section <a href="#a66">6.6 Stateless Hash-Based Digital Signature Algorithm</a>)</li> <li>Stateful hash-based digital signature schemes (section <a href="#a67">6.7 Stateful hash-based signature schemes</a>)</li> </ul></li> <li><abbr title="KECCAK Message Authentication Code">KMAC</abbr> (section <a href="#a94">9.4 KECCAK Message Authentication Code</a>)</li> </ul></section><section><h2 class="text-info" id="a9">9 Message authentication codes</h2> <p>A message authentication code (MAC) is a fixed-length tag used to verify the authenticity and integrity of a message. 
The following sections outline the <abbr title="Message Authentication Code">MAC</abbr> algorithms that we recommend for data integrity and data origin authentication of UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a91">9.1 Keyed-Hash Message Authentication Code</h3> <p>We recommend Keyed-Hash Message Authentication Code (HMAC), as specified in <a href="https://csrc.nist.gov/pubs/fips/198-1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 198-1: The Keyed-Hash Message Authentication Code</a>, with a key length of at least 112 bits.</p> <p><strong>The key length should be increased to at least 128 bits by the end of 2030.</strong></p> <h3 id="a92">9.2 Cipher-based Message Authentication Code</h3> <p>We recommend Cipher-based Message Authentication Code (CMAC), as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/b/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38B: Recommendation for Block Cipher Modes of Operation: The <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> Mode for Authentication</a>. <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> is only recommended for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm as specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a93">9.3 Galois/Counter Mode Message Authentication Code</h3> <p>We recommend Galois/Counter Mode Message Authentication Code (GMAC), as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/d/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and <abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr></a>. 
<abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr> is only recommended for use with the <abbr title="Advanced Encryption Standard">AES</abbr> algorithm as specified in section <a href="#a31">3.1 Advanced Encryption Standard algorithm</a>.</p> <h3 id="a94">9.4 KECCAK Message Authentication Code</h3> <p>We recommend KECCAK message authentication code (KMAC)128 and <abbr title="KECCAK Message Authentication Code">KMAC</abbr>256 as specified in <a href="https://csrc.nist.gov/pubs/sp/800/185/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-185: <abbr title="Secure Hash Algorithm">SHA</abbr>3-Derived Functions: cSHAKE, <abbr title="KECCAK Message Authentication Code">KMAC</abbr>, TupleHash and ParallelHash</a> with a key length of at least 112 bits.</p> <p><strong>The key length should be increased to at least 128 bits by the end of 2030.</strong></p> </section><section><h2 class="text-info" id="a10">10 Key derivation functions</h2> <p>A <abbr title="Key Derivation Function">KDF</abbr> is a transformation of secret (as well as possibly non-secret) data into a cryptographically strong secret key. The following sections outline the <abbr title="Key Derivation Functions">KDFs</abbr> that we recommend for the derivation of cryptographic keys from key establishment or pre-shared secrets, used for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="a101">10.1 One-Step Key Derivation Function</h3> <p>We recommend the one-step <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56C Rev. 
2: Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a>.</p> <h3 id="a102">10.2 Two-Step Key Derivation Function</h3> <p>We recommend the two-step, extraction-then-expansion, key derivation procedure, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/56/c/r2/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-56C Rev. 2: Recommendation for Key-Derivation Methods in Key-Establishment Schemes</a>. Note that the <abbr title="Hash Message Authentication Code">HMAC</abbr>-based extract-and-expand Key Derivation Function (HKDF) function used in the Transport Layer Security (TLS) version 1.3 protocol follows this specification.</p> <h3 id="a103">10.3 Key derivation using pseudorandom functions</h3> <p>We recommend the <abbr title="Key Derivation Functions">KDFs</abbr> using pseudorandom functions as specified in <a href="https://csrc.nist.gov/pubs/sp/800/108/r1/upd1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-108 Rev. 1: Recommendation for Key Derivation Using Pseudorandom Functions</a>.</p> <h3 id="a104">10.4 Internet Key Exchange version 2 Key Derivation Function</h3> <p>When used in the context of the Internet Key Exchange version 2 (IKEv2) protocol, we recommend the <abbr title="Internet Key Exchange version 2">IKEv2</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 
1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a105">10.5 Transport Layer Security version 1.2 Key Derivation Function</h3> <p>When used in the context of the <abbr title="Transport Layer Security">TLS</abbr> version 1.2 protocol, we recommend the <abbr title="Transport Layer Security">TLS</abbr> 1.2 <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a106">10.6 Secure Shell Key Derivation Function</h3> <p>When used in the context of the Secure Shell (SSH) protocol, we recommend the <abbr title="Secure Shell">SSH</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a107">10.7 Secure Real-time Transport Protocol Key Derivation Function</h3> <p>When used in the context of the Secure Real-time Transport Protocol (SRTP), we recommend the <abbr title="Secure Real-time Transport Protocol">SRTP</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 
1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a108">10.8 Trusted Platform Module Key Derivation Function</h3> <p>When used in the context of a Trusted Platform Module (TPM) session, we recommend the <abbr title="Trusted Platform Module">TPM</abbr> <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/135/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-135 Rev. 1: Recommendation for Existing Application-Specific Key Derivation Functions</a>.</p> <h3 id="a109">10.9 Password-based Key Derivation Function</h3> <p>For protected data on storage devices, we recommend the Password-based <abbr title="Key Derivation Function">KDF</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/132/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-132: Recommendation for Password-Based Key Derivation: Part 1: Storage Applications</a>, using a password of at least 12 characters. 
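The two-step extract-then-expand procedure of section 10.2, written out as an added example (not code from the Cyber Centre or NIST) in its HKDF form from RFC 5869, which is the construction TLS 1.3 uses, over the SHA-256 HMAC recommended in sections 7.2 and 9.1. The shared secret and the directional key labels in `derive_session_keys` are constructed for illustration; the known-answer vector is RFC 5869 test case 1.

```python
import hashlib
import hmac

# Added example: SP 800-56C Rev. 2 two-step KDF (randomness extraction, then
# key expansion) as HKDF per RFC 5869, instantiated with HMAC-SHA-256.

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """Step 1 (extraction): PRK = HMAC(salt, IKM).

    The salt is the HMAC key and the shared secret (IKM) is the message.
    An empty salt is replaced by HASH_LEN zero bytes, as RFC 5869 specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Step 2 (expansion): OKM = T(1) || T(2) || ... truncated to `length`.

    T(i) = HMAC(PRK, T(i-1) || info || i) with T(0) empty and a one-byte
    counter, so a single PRK can yield at most 255 * HASH_LEN bytes.
    """
    if length < 1 or length > 255 * HASH_LEN:
        raise ValueError("requested length out of range for this hash")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Both steps: derive `length` bytes of key material from a shared secret."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_session_keys(shared_secret: bytes, transcript_hash: bytes) -> dict:
    """Derive separate directional keys from one key-establishment output.

    One PRK is expanded under distinct `info` labels (constructed here, not
    taken from any protocol), so each derived key is independent of the
    others and bound to the handshake transcript.
    """
    prk = hkdf_extract(b"", shared_secret)
    return {
        "client_write_key": hkdf_expand(prk, b"c2s key" + transcript_hash, 32),
        "server_write_key": hkdf_expand(prk, b"s2c key" + transcript_hash, 32),
    }


# RFC 5869 test case 1 (public known-answer vector for HKDF-SHA-256)
RFC5869_TC1 = {
    "ikm": bytes.fromhex("0b" * 22),
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": bytes.fromhex(
        "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"),
    "okm": bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"),
}


if __name__ == "__main__":
    tc = RFC5869_TC1
    assert hkdf_extract(tc["salt"], tc["ikm"]) == tc["prk"]
    assert hkdf(tc["salt"], tc["ikm"], tc["info"], tc["length"]) == tc["okm"]
    # Constructed inputs: a stand-in shared secret and transcript hash.
    keys = derive_session_keys(b"constructed shared secret", b"\x11" * 32)
    for name, key in keys.items():
        print(name, key.hex())
```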
For more information on passwords and passphrases, read the Cyber Centre’s <a href="https://www.cyber.gc.ca/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a>.</p> </section><section><h2 class="text-info" id="b11">11 Key wrap modes of operation</h2> <p>The following sections outline the key wrap modes of operation that we recommend for key wrapping to protect the confidentiality and integrity of cryptographic keys used for protecting UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> <h3 id="b111">11.1 Advanced Encryption Standard Key Wrap</h3> <p>When input is known to always be a multiple of 64-bits, we recommend the <abbr title="Advanced Encryption Standard">AES</abbr> Key Wrap mode, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/f/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping</a>.</p> <h3 id="b112">11.2 Advanced Encryption Standard Key Wrap with Padding</h3> <p>When input is not a multiple of 64-bits, we recommend the <abbr title="Advanced Encryption Standard">AES</abbr> Key Wrap with Padding mode, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/38/f/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-38F: Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping</a>.</p> </section><section><h2 class="text-info" id="b12">12 Random bit generators</h2> 
<p>An <abbr title="Random Bit Generator">RBG</abbr> produces a sequence of bits (0 or 1) which appear statistically independent and unbiased. We recommend <abbr title="Random Bit Generators">RBGs</abbr> as specified in <a href="https://csrc.nist.gov/pubs/sp/800/90/c/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-90C: Recommendation for Random Bit Generator (RBG) Constructions</a>. These constructions employ an entropy source and a Deterministic Random Bit Generator (DRBG).</p> <p>A <abbr title="Deterministic Random Bit Generator">DRBG</abbr> always produces the same output sequence when given the same initial seed. We recommend the following <abbr title="Deterministic Random Bit Generators">DRBGs</abbr>, as specified in <a href="https://csrc.nist.gov/pubs/sp/800/90/a/r1/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-90A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators</a>, for producing random bits for cryptographic applications that protect UNCLASSIFIED, PROTECTED A and PROTECTED B information:</p> <ul><li>Hash_DRBG</li> <li>HMAC_DRBG</li> <li>CTR_DRBG</li> </ul><p>The entropy source for <abbr title="Random Bit Generator">RBG</abbr> constructions and the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should comply with <a href="https://csrc.nist.gov/pubs/sp/800/90/b/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-90B Recommendations for Entropy Sources Used for Random Bit Generation</a> and should be assessed to be at least 112 bits.</p> <p><strong>The assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should be increased to at least 128 bits by the end of 2030.</strong></p> </section>
<section><h2 class="text-info" id="b13">13 Commercial technologies assurance programs</h2> <p>In addition to using the cryptographic algorithms, parameters and key lengths recommended in this publication, we recommend the following to ensure a suitable level of cryptographic security:</p> <ul><li>Cryptographic algorithm implementations should be tested and validated under the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program"><abbr title="National Institute of Standards and Technology">NIST</abbr> Cryptographic Algorithm Validation Program (CAVP)</a></li> <li>Cryptographic modules should be tested and validated under the <a href="/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program (CMVP)</a> for compliance with <a href="https://csrc.nist.gov/pubs/fips/140-3/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 140-3: Security Requirements for Cryptographic Modules</a></li> <li><abbr title="information technology">IT</abbr> security products should be certified to the <a href="/en/tools-services/common-criteria">Common Criteria</a> Standard by a Certificate Authorizing Member of the Common Criteria Recognition Arrangement</li> </ul><p>Products containing cryptographic modules validated under the <abbr title="Cryptographic Module Validation Program">CMVP</abbr> are referenced on <a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all"><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Cryptographic Module Validation Program">CMVP</abbr>-validated modules lists</a> and are accompanied by a vendor-supplied, non-proprietary security policy document (read <a href="/en/selecting-cmvp-validated-product">Selecting a <abbr 
title="Cryptographic Module Validation Program">CMVP</abbr> validated product</a>). The security policy document specifies the cryptographic security provided by a module and describes its capabilities, protection and access controls. We recommend using the security policy document to select suitable cryptographic security products and to configure those products in <abbr title="Federal Information Processing Standards">FIPS</abbr>-approved modes of operation, as defined in <a href="https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf">Implementation Guidance for <abbr title="Federal Information Processing Standards">FIPS</abbr> PUB 140-3 and the Cryptographic Module Validation Program (PDF)</a>, to ensure that only the algorithms recommended by the Cyber Centre are used.</p> </section><section><h2 class="text-info" id="b14">14 Summary</h2> <p>Cryptography provides security mechanisms which can be used to protect the authenticity, confidentiality and integrity of sensitive information. Several algorithms may be required to satisfy security requirements, and each algorithm should be selected and implemented to ensure these requirements are met. This publication provides guidance on the use of the cryptographic algorithms recommended by the Cyber Centre to protect UNCLASSIFIED, PROTECTED A and PROTECTED B information.</p> </section><section><h2 class="text-info" id="b15">A.1 Revisions</h2> <p>The original version of this document was published in August 2016. 
The summary below lists notable changes in the most recent revision (version 5), as well as in previous versions.</p> <h3>A.1.1 Version 5</h3> <ul><li>We updated section 2 to say that this document now includes phase-out dates for quantum-vulnerable key establishment schemes and digital signature schemes</li> <li>We added phase-out dates for the use of all quantum-vulnerable key establishment schemes and digital signature schemes. The phase-out dates can be found in each affected subsection: <ul><li>For key establishment schemes: <ul><li>Section 5.1 Rivest-Shamir-Adleman</li> <li>Section 5.2 Finite Field Cryptography Diffie-Hellman and Menezes-Qu-Vanstone</li> <li>Section 5.3 Elliptic curve cryptography Cofactor Diffie-Hellman and Menezes-Qu-Vanstone</li> </ul></li> <li>For digital signature schemes: <ul><li>Section 6.1 Rivest-Shamir-Adleman</li> <li>Section 6.3 Elliptic Curve Digital Signature Algorithm (ECDSA)</li> <li>Section 6.4 Edwards-Curve Digital Signature Algorithm (EdDSA)</li> </ul></li> </ul></li> <li>In section 5.2, we removed the specific parameter-size set recommendations to align with field size phase-out requirements</li> <li>We renamed section 12 from "Deterministic Random Bit Generators" to "Random Bit Generators" and added new guidance on the use of RBGs and entropy sources for RBGs</li> <li>We modified the third bullet point in section 13 for clarity</li> </ul><h3>A.1.2 Version 4 (March 2025)</h3> <ul><li>We included the new NIST post-quantum standards: <ul><li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 203 Module-Lattice-Based Key-Encapsulation Mechanism (<a href="#a54">Section 5.4</a>)</li> <li><abbr title="National Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 204 Module-Lattice-Based Digital Signature Standard (<a href="#a65">Section 6.5</a>)</li> <li><abbr title="National 
Institute of Standards and Technology">NIST</abbr> <abbr title="Federal Information Processing Standards">FIPS</abbr> 205 Stateless Hash-Based Digital Signature Standard (<a href="#a66">Section 6.6</a>)</li> </ul></li> <li>We updated the section on post-quantum cryptography and moved it to Section 2</li> <li>In Section 3, Encryption algorithms, we removed the subsections on TDEA and CAST5, as all use of TDEA and CAST5 should have been phased out by the end of 2023</li> <li>In Section 6.7, Stateful Hash-Based Signature Schemes, we clarified guidance for use of stateful hash-based signatures with respect to other post-quantum signature schemes</li> <li>In Section 8.7, Hash functions, extendable output functions, we added <abbr title="Module-Lattice-Based Key-Encapsulation Mechanism">ML-KEM</abbr>, <abbr title="Module-Lattice-Based Digital Signature Algorithm">ML-DSA</abbr>, and <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> to the list of algorithms that can use SHAKE. We also added the distinction that <abbr title="Stateless Hash-Based Digital Signature Algorithm">SLH-DSA</abbr> and <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> only allow for SHAKE256 (and for <abbr title="Edwards-Curve Digital Signature Algorithm">EdDSA</abbr> only with curve Ed448)</li> <li>In Section 9.2, Cipher-based message authentication code, we removed the statement requiring a key length increase to at least 128 bits by 2023. Instead, we recommended that <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> only be used with <abbr title="Advanced Encryption Standard">AES</abbr>, as TDEA and CAST5 have been removed</li> <li>In Section 11: Key wrap modes of operation, we removed the subsection on TDEA Key Wrap, as all use of TDEA should have been phased out by the end of 2023</li> <li>We removed the supporting content section. 
References are linked throughout the document, glossary items are either defined in the text or in the Cyber Centre glossary, and abbreviations are spelled out when they first appear in the document</li> </ul><h3>A.1.3 Version 3 (March 2024)</h3> <ul><li>We made various changes to align with <abbr title="Federal Information Processing Standards">FIPS</abbr> 186-5: <ul><li>In Section 4.3, <abbr title="Elliptic Curve Cryptography">ECC</abbr> <abbr title="Diffie-Hellman">DH</abbr> and <abbr title="Menezes-Qu-Vanstone">MQV</abbr> and Section 5.3 <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>, we only recommend the use of 4 elliptic curves (Curve P-224, Curve P-256, Curve P-384 and Curve P-521). We added a note that Curve P-224 and all binary curves should be phased out by the end of 2030. In Section 5.3, we explicitly recommend deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr></li> <li>In Section 5, Digital signature schemes, we recommend phasing out DSA by the end of 2030, and added the new subsection 5.4 Edwards-Curve Digital Signature Algorithm</li> </ul></li> <li>We added a new section on <abbr title="extendable output functions">XOFs</abbr> (Section 7)</li> <li>In Section 8, Message authentication codes, we added the new subsection on <abbr title="KECCAK Message Authentication Code">KMAC</abbr> (Section 8.4)</li> <li>In Section 11, Deterministic random bit generators, we added the following requirements on the assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> <ul><li>The initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should contain entropy assessed to be at least 112 bits. 
We recommend that additional entropy be periodically added to the <abbr title="Deterministic Random Bit Generator">DRBG</abbr> via the reseed function</li> <li>The assessed entropy of the initial seed for a <abbr title="Deterministic Random Bit Generator">DRBG</abbr> should be increased to at least 128 bits by the end of 2030</li> </ul></li> </ul><h3>A.1.4 Version 2 (August 2022)</h3> <ul><li>We updated language from "approved/discontinued" to "recommend/phase out"</li> <li>We replaced references to CSE with the Cyber Centre</li> <li>In Section 2: Encryption algorithms, we recommend phasing out CAST5 and TDEA by 2023. The 2016 version did not have a discontinuation date for CAST5, and version 2 recommended discontinuing TDEA by 2030. We also added a restriction that one key bundle should not be used to encrypt more than <span aria-hidden="true">2<sup>20</sup></span><span class="wb-inv">2 to the power of 20</span> 64-bit data blocks in TDEA</li> <li>In Section 3: Encryption algorithm modes of operation, we provided some additional guidance on the use of <abbr title="Electronic Codebook">ECB</abbr> mode, as well as recommendations for <abbr title="Initialization Vectors">IV</abbr> generation</li> <li>In Section 5: Digital signature schemes, we added a new subsection on Stateful Hash-based signature schemes</li> <li>In Section 6: Secure hash algorithms, we no longer recommend the use of <abbr title="Secure Hash Algorithm">SHA</abbr>-1, which was previously approved for use with HMACs, KDFs and RBGs. We added stronger wording (in bold) warning against its use for any application that requires collision resistance. 
We also added phase-out dates for <abbr title="Secure Hash Algorithm">SHA</abbr>-224 and <abbr title="Secure Hash Algorithm">SHA</abbr>3-224</li> <li>In Section 7: Message Authentication Codes, we updated the recommendation for the <abbr title="Cipher-based Message Authentication Code">CMAC</abbr> key length to be increased to at least 128 bits by the end of 2023 (we previously recommended 2030). We also added the statement "<abbr title="Galois/Counter Mode Message Authentication Code">GMAC</abbr> is only recommended for use with the Advanced Encryption Standard (AES) algorithm as specified in Section 2.1", which was not explicitly stated in the previous version</li> <li>In Section 8: Key Derivation Functions, we updated some of the wording. For example, Single-Step <abbr title="Key Derivation Functions">KDFs</abbr> and Extraction-Then-Expansion <abbr title="Key Derivation Functions">KDFs</abbr> are now referred to as One-Step and Two-Step <abbr title="Key Derivation Functions">KDFs</abbr> respectively (this is consistent with the referenced <abbr title="National Institute of Standards and Technology">NIST</abbr> standards). We removed the IKEv1 <abbr title="Key Derivation Function">KDF</abbr> and added a section for password-based <abbr title="Key Derivation Functions">KDFs</abbr></li> <li>In Section 9: Key Wrap Modes of Operation, we no longer recommend the Triple Data Encryption Algorithm Key Wrap (TKW). We also recommend a phase-out date of 2023 (previously 2030)</li> <li>In Section 11: Commercial Technologies Assurance Programs, we added a reference to the <abbr title="Cryptographic Algorithm Validation Program">CAVP</abbr> and to the common criteria program. 
We also added the Cyber Centre website as a reference</li> <li>We added a new section entitled "Preparing for post-quantum cryptography" (Section 12)</li> </ul><aside class="wb-fnote" role="note"><h2 id="fn">Footnotes</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>From <a href="https://csrc.nist.gov/pubs/sp/800/186/final"><abbr title="National Institute of Standards and Technology">NIST</abbr> SP 800-186</a>, Deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> "is a variant of <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>, where a per-message secret number is a function of the message that is signed, thereby resulting in a deterministic mapping of messages to signatures". Signature verification in deterministic <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr> is unchanged from <abbr title="Elliptic Curve Digital Signature Algorithm">ECDSA</abbr>.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </div> </div> </article>

  • Top 10 artificial intelligence security actions: A primer – ITSAP.10.049
    by Canadian Centre for Cyber Security on May 29, 2026 at 6:05 pm

    Our top AI security actions are designed to help organizations of all sizes and sectors strengthen their cyber resilience.

  • Frontier artificial intelligence (ITSAP.10.050)
    by Canadian Centre for Cyber Security on May 29, 2026 at 3:03 pm

    This publication provides your organization with additional details on frontier AI, the associated risks and suggested mitigation measures to enhance your cyber security posture.

  • Protect your devices from IMSI catchers (ITSAP.00.106)
    by Canadian Centre for Cyber Security on May 19, 2026 at 6:50 pm

    An international mobile subscriber identity (IMSI) catcher is a type of cell site simulator (CSS) that impersonates a legitimate cell tower to exploit connected mobile devices. It is important to understand how IMSI catchers work in order to detect them and protect your sensitive information from being compromised.

  • Cell site simulators – ITSM.00.108
    by Canadian Centre for Cyber Security on May 19, 2026 at 6:48 pm

    This publication provides information on how CSS devices work, the security risks you should consider, and the mitigation actions you can take to better protect from CSS exploitations.

  • Certifications in the field of cyber security
    by Canadian Centre for Cyber Security on May 12, 2026 at 7:59 pm

<article data-history-node-id="569" about="/en/guidance/certifications-field-cyber-security" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"><!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/certificationsfieldcybersecurity-2026-e.pdf">Certifications in the field of cyber security – 2026 (PDF, 829 KB)</a></p> </div> <h2 class="mrgn-tp-0">Foreword</h2> <p>The Certifications in the Field of Cyber Security is an <strong>unclassified</strong> publication. The guide provides information about many of the certifications available for prospective students and cyber security professionals. The intent is not to recommend any certification body or certification in particular, but to provide a listing of some of the different certifications that may help advance an individual’s career in the field of cyber security.</p> <p>Information is sourced from the websites of the certification bodies referenced in this guide.</p> <div class="alert alert-warning"> <p>Disclaimer: The Communications Security Establishment does not endorse or recommend any of the certification bodies or certifications listed in this document. 
Information provided is intended to be a general summary of publicly available information and is provided for informational purposes only.</p> </div> <section><h2>Revision history</h2> <ol><li>First release: November 2020</li> <li>New certifications added and training providers removed: July 2022</li> <li>Updated Rogers Cybersecure Catalyst information: April 2023</li> <li>Team name changed and new certifications added: November 2023</li> <li>Updated certifications and added OSDA: June 2024</li> <li>Removed Rogers Cybersecure Catalyst information: March 2026</li> </ol></section><details><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#A">1.0 Introduction</a></li> <li><a href="#B">2.0 Globally recognized certification bodies</a></li> <li><a href="#C">3.0 Cyber Security certification listings and descriptions</a></li> <li><a href="#D">4.0 Cyber Security Certification Listings and Descriptions</a></li> <li><a href="#E">5.0 Supporting Content</a></li> </ul></details><section><h2 id="A">1.0 Introduction</h2> <p>There continues to be a growing demand for qualified cyber security professionals and practitioners in Canada and around the world. With the increasing need for cyber security professionals, the value of IT certification is also increasing. The right certification can give you an advantage over other job candidates. Organizations are looking for talent with superior training and real-world experience.</p> <p>Obtaining a certification demonstrates to future employers that an individual is competent, skilled, and experienced in certain areas. Additionally, given the time and financial investment that many certifications require, some employers see certification as a measure of commitment to a career in the field.</p> <p>Certifications are not only a great supplement to a professional’s other qualifications; they can also lead to a salary increase. 
According to a study conducted by Global Knowledge, an individual with a certification can earn up to 15% more than those without it <sup id="fn1-ref"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Note </span>1</a></sup>. Furthermore, maintaining certification often requires meeting continuing education requirements, ensuring that certificate holders are keeping up to date on the latest technologies and can continue to keep their organizations safe from emerging cyber security threats.</p> <h3>1.1 The Canadian Centre for Cyber Security</h3> <p>The Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment, was officially launched in October 2018. The Cyber Centre’s Academic Outreach and Engagement team works with universities, colleges, educational associations, education ministerial boards and private sector educators to build cyber security talent and capacity in Canada. The team also works with educators to enhance the community’s understanding of cyber security. Its mission is to ensure Canada is a global leader in cyber security by elevating cyber education.</p> <h3>1.2 Purpose</h3> <p>The primary audience for this guide is prospective cyber security students or professionals looking to advance their careers in the field. The guide highlights some of the more in-demand, globally recognized certifications offered by providers around the world. A complete list of certifications can be found at the end of the guide (Tables 1 to 14).</p> <div class="alert alert-warning"> <p>Disclaimer: CSE does not endorse or recommend any of the certification bodies or certifications listed in this document. 
Information provided is intended to be a general summary of publicly available information and is provided for informational purposes only.</p> </div> <p>Every effort has been made to ensure the accuracy of this information; however, due to the dynamic nature of curricula and cyber security, this guide will be reviewed on a regular basis to ensure it reflects the most current certification offerings. New certifications and other suggested changes can be submitted by email to <a href="mailto:cyberskills-cybercompetences@cyber.gc.ca">cyberskills-cybercompetences@cyber.gc.ca</a>.</p> </section><section><h2 id="B">2.0 Globally recognized certification bodies</h2> <p>The following highlights some of the more popular and well-known cyber certifications available, in alphabetical order. A more comprehensive list of certifications can be found in the attached tables.</p> <div class="alert alert-info"> <p>CSE is not endorsing, supporting, or promoting any of the following certifications or certification bodies. This guide is solely for information purposes and should only be a starting point for anyone interested in obtaining a certification. We recommend that individuals do more in-depth research, while considering their own interests and career goals, time commitments and financial resources, before deciding which certification is right for them.</p> </div> <p>It should also be noted that while most of the certification bodies are American, their certifications are recognized around the world. 
Furthermore, candidates can find training through local providers, and many of the certification exams can be written at local testing centres, such as Pearson VUE, or taken online in your own home.</p> <div id="expands-collapse"> <details class="group" id="wb-auto-20"><summary><h3>2.1 CertNexus</h3> </summary><p>CertNexus offers certifications and micro-credentials in emerging technologies, such as Internet of Things (IoT), Artificial Intelligence (AI), and human-machine interfaces. Their four cyber security certifications are valid for three years.</p> <ul><li><strong>The Certified First Responder</strong> (CRF) certificate validates the knowledge and skills required to protect critical information and systems before, during, and after an incident.</li> <li><strong>Cyber Safe</strong> certification demonstrates that the holder can identify the most common risks involved in using mobile and cloud technologies, and protect themselves and their organizations from cyber threats.</li> <li><strong>Cyber Secure Coder</strong> (CSC) certificate holders have learned about the vulnerabilities that undermine security, identification, and remediation of those vulnerabilities, as well as strategies for dealing with security defects.</li> <li>The <strong>IRBIZ</strong> micro-credential is for Information Technology (IT) leaders and executives who are responsible for complying with incident response legislation. 
Successfully completing the course and exam certifies that the candidate has the necessary skills to assess and respond to security threats, as well as operate a system and network security analysis platform.</li> </ul><p>A complete list of cyber security certifications offered by CertNexus can be found in <a href="#tab1">Section 5.1</a>.</p> </details><details class="group" id="wb-auto-21"><summary><h3>2.2 Cisco Systems</h3> </summary><p>Cisco Systems is a worldwide leader in networking hardware and solutions, and most of today’s Internet traffic travels over Cisco-built network pathways. Obtaining one of their certifications demonstrates that you know how to work with Cisco solutions. There are five levels of certification in Cisco’s program:</p> <ul><li><strong>Entry</strong>: The starting point for individuals interested in starting a career as a networking professional.</li> <li><strong>Associate</strong>: Individuals master the essentials needed to launch a career and expand job possibilities with the latest technologies.</li> <li><strong>Professional</strong>: Individuals select a core technology track and a focused concentration exam to customize their professional level certification.</li> <li><strong>Expert</strong>: Certification is accepted worldwide as the most prestigious certification in the technology industry.</li> <li><strong>Architect</strong>: Demonstrates the architectural expertise of a network designer.</li> </ul><p>A complete list of cyber security certifications offered by Cisco Systems can be found in <a href="#tab2">Section 5.2</a>.</p> </details><details class="group" id="wb-auto-22"><summary><h3>2.3 Computing Technology Industry Association (CompTIA)</h3> </summary><p>The Computing Technology Industry Association (CompTIA) issues certifications in over 120 countries with over 2.2 million recipients. The organization also releases 50 industry studies each year tracking trends and changes. 
They offer numerous certifications covering a wide range of IT fields, including cyber security. The renewal process includes meeting continuing education requirements and paying the annual fees.</p> <ul><li><strong>CompTIA Advanced Security Practitioner</strong> (CASP+) is a performance-based certification for practitioners, rather than managers, at the advanced skill level of cyber security. CASP+ recipients have advanced-level knowledge of risk management, enterprise security operations and architecture, as well as research and collaboration.</li> <li><strong>CompTIA Cyber Security Analyst</strong> (CySA+) certification is a security analyst certification that covers advanced persistent threats in a post-2014 cyber security environment. It validates one’s expertise in security analytics, intrusion detection, and response.</li> <li><strong>CompTIA PenTest+</strong> is for cyber security professionals who are responsible for penetration testing and vulnerability management. Certification holders have demonstrated their up-to-date hands-on ability and knowledge to test devices in new environments, like cloud or mobile, as well as traditional desktops and servers.</li> <li><strong>CompTIA Security+</strong> is an entry-level certification. Certificate holders are experts in threat management, cryptography, identity management, security systems, security risk identification and mitigation, network access control, and security infrastructure. 
Candidates must have 2 years’ experience in network security and have already obtained their Network+ certification.</li> </ul><p>A complete list of cyber security certifications offered by CompTIA can be found in <a href="#tab3">Section 5.3</a>.</p> </details><details class="group" id="wb-auto-23"><summary><h3>2.4 Council for Registered Ethical Security Testers (CREST)</h3> </summary><p>The Council for Registered Ethical Security Testers (CREST) is a not-for-profit organization that provides internationally recognized certification and accreditation for companies and individuals. It has chapters in the United Kingdom (UK), United States (US), Australia, Singapore, and Hong Kong. They provide examinations in Penetration Testing, Threat Intelligence, Incident Response and Security Architecture. The Incident Response examination has been approved by Government Communications Headquarters (GCHQ). CREST exams have three levels of accreditation for individuals:</p> <ul><li><strong>Practitioner</strong> – Entry into profession</li> <li><strong>Registered</strong> – Competent to work independently without supervision</li> <li><strong>Certified</strong> – Technically competent to run major projects and teams</li> </ul><p>A complete list of cyber security certifications can be found in <a href="#tab4">Section 5.4</a>.</p> </details><details class="group" id="wb-auto-24"><summary><h3>2.5 Certified Wireless Network Professionals</h3> </summary><p>Certified Wireless Network Professionals (CWNP) is a vendor-neutral wireless local area network (WLAN) certification program. CWNP offers four levels of enterprise WLAN certifications, from novice to expert. Their certification programs prepare IT professionals and WLAN administrators to specify, design, and manage WLAN infrastructure and applications.</p> <ul><li><strong>Certified Wireless Network Expert</strong> (CWNE) is the highest-level certification in the CWNP program. 
Certificate holders have the most advanced skills available in today’s enterprise Wi-Fi market. Candidates must pass four certification exams, complete commercial WLAN deployments, provide three recommendations, meet experience and publication requirements, and pass a peer review by the CWNE Board of Advisors.</li> <li><strong>Certified Wireless Security Professional</strong> (CWSP) is a professional level WLAN certification for the CWNP program that validates an individual’s ability to assess the vulnerability of a network and help prevent attacks before they happen, perform WLAN security audits and implement compliance monitoring solutions, and design a network’s security architecture. Candidates must obtain Certified Wireless Network Administrator (CWNA) certification before they can earn CWSP certification.</li> </ul><p>A complete list of cyber security certifications offered by CWNP can be found in <a href="#tab5">Section 5.5</a>.</p> </details><details class="group" id="wb-auto-25"><summary><h3>2.6 EC Council</h3> </summary><p>EC Council is a cyber security technical certification board and operates in 145 countries. It is endorsed by the US Government, National Security Agency (NSA), and the Committee on National Security Systems (CNSS).</p> <ul><li>The <strong>Certified Ethical Hacker (ANSI)</strong> credential certifies one’s competence in the five phases of ethical hacking: reconnaissance, enumeration, gaining access, maintaining access, and covering tracks. Certification requires passing a 4-hour exam consisting of 125 questions.</li> <li>The <strong>Certified Ethical Hacker (Practical)</strong> designation targets the application of CEH skills to real-world security audit challenges and related scenarios. 
Candidates must complete a 6-hour exam featuring 20 case studies and obtain a 70% score.</li> <li>A <strong>Certified Ethical Hacker (Master)</strong> holds both the ANSI and Practical certifications.</li> <li>The <strong>Computer Hacking Forensics Investigator (CHFI)</strong> is another universally recognized certification that validates that the recipient is skilled in the areas of anti-hacking, digital forensics, and penetration testing.</li> <li>The <strong>Certified Network Defender (CND)</strong> certificate demonstrates a solid understanding of defensive security and the required expertise to secure data.</li> <li>The <strong>EC Council Disaster Recovery Professional (EDRP)</strong> certificate holders have the foundation for securing and restoring networks in the event of a disaster like malicious attacks.</li> </ul><p>A complete list of cyber security certifications offered by EC Council can be found in <a href="#tab6">Section 5.6</a>.</p> </details><details class="group" id="wb-auto-26"><summary><h3>2.7 Global Information Assurance Certification (GIAC)</h3> </summary><p>Global Information Assurance Certification (GIAC), founded by the SANS institute, specializes in technical and practical certification. Its certifications are linked to training courses provided by SANS and are recognized worldwide. Candidates for Expert Status certification are only required to pass an exam to obtain certification, which is valid for 4 years. To be eligible to renew at the end of the 4-year period, certificate holders must have 36 continuing education credits and pay the recertification fee or re-take the exam. Individuals wishing to pursue Gold Status certification must research and write a technical report or white paper. Gold Status indicates the holder has a deeper knowledge of a subject area.</p> <ul><li><strong>GIAC Security Essentials Certification</strong> (GSEC) validates an individual’s knowledge of information security beyond the simple terminology and concepts. 
Recipients are skilled in active defense, cryptography, security policy and plans, incident handling, securing networks, etc.</li> <li><strong>GIAC Certified Intrusion Analyst</strong> (GCIA) validates a practitioner’s knowledge of network and host monitoring, traffic analysis, and intrusion detection. Certificate holders are qualified to configure and monitor intrusion detection systems, and to analyze network traffic.</li> <li><strong>GIAC Certified Incident Handler</strong> (GCIH) demonstrates one’s ability to detect, respond, and resolve computer security incidents using a wide range of essential security skills. An individual with GCIH certification has a solid understanding of common cyber-attack techniques and how to defend against them.</li> </ul><p>A complete list of cyber security certifications offered by GIAC can be found in <a href="#tab7">Section 5.7</a>.</p> </details><details class="group" id="wb-auto-27"><summary><h3>2.8 Information Systems Audit and Control Association (ISACA)</h3> </summary><p>ISACA, formerly known as the Information Systems Audit and Control Association, is an international professional association focused on IT governance. It has more than 140,000 members and professionals holding ISACA certifications in 180 countries. Its 200+ chapters provide members with training, and networking and resource sharing opportunities.</p> <p>Candidates must pass written exams to obtain any of ISACA’s professional certifications, all of which are valid for three years. To maintain certification, credential holders are required to obtain at least 120 continuing professional education credits over the three-year period, and pay an annual membership fee, or re-take the exam. 
ISACA Cyber Security Certifications include the following:</p> <ul><li><strong>The Certified Information Security Manager</strong> (CISM) credential is aimed at leaders of Cyber Security teams, IT professionals responsible for managing, developing, and overseeing information security systems in enterprise-level applications, or for developing best organizational security practices. In addition to the written exam, candidates must have at least 5 years of security experience and submit a written application.</li> <li><strong>Certified in Risk and Information Systems Control</strong> (CRISC) certification demonstrates the ability to identify, evaluate, and respond to IT risks. Candidates must have 3 years of professional-level risk management and control experience and perform the tasks of at least two CRISC domains. For this certification, education is not an acceptable substitute for work experience.</li> <li><strong>Cyber Security Nexus Practitioner</strong> (CSX‑P) recognizes individuals who can act as first responders for security incidents. Created in 2015, it tests one’s ability to perform globally validated cyber security skills covering the five core functions of the NIST Cyber Security Framework: Identify, Protect, Detect, Respond, and Recover. To obtain certification, candidates must pass a 4-hour performance-based exam consisting of simulated security incidents. 
At the end of the 3-year certification period, holders must take the latest version of the exam to recertify.</li> </ul><p>A complete list of cyber security certifications offered by ISACA can be found in <a href="#tab9">Section 5.9</a>.</p> </details><details class="group" id="wb-auto-28"><summary><h3>2.9 International Information System Security Certification Consortium (ISC2)</h3> </summary><p>The International Information Systems Security Certification Consortium, or (ISC)2, is a non-profit member organization that provides support to members with credentials, resources, and leadership to address cyber, information, software, and infrastructure security. It is a large IT Security organization, with more than 140,000 members worldwide, almost 6,000 of which are Canadian.</p> <p>(ISC)2 offers one of the most popular cyber security certifications:</p> <ul><li><strong>Certified Information Systems Security Professional</strong> (CISSP) designation is often required for the most in-demand cyber security jobs and is considered the ‘gold standard’ of security certifications. Requirements for this advanced level certification include a minimum of 5 years of experience in at least two of (ISC)2’s eight common body of knowledge domains, or 4 years of experience and a college degree or approved credentials. Candidates are also required to pass a 3-hour written exam. Re-certification is required every 3 years. 
To recertify, candidates must earn 120 continuing professional education credits within the three-year cycle and pay an annual fee.</li> </ul><p>A complete list of cyber security certifications offered by (ISC)2 can be found in <a href="#tab8">Section 5.8</a>.</p> </details><details class="group" id="wb-auto-29"><summary><h3>2.10 itSM Solutions</h3> </summary><p>Built around the NIST Cyber Security Framework, itSM Solutions certifications validate that cybersecurity professionals have the baseline skills to design, build, test and manage a cybersecurity program using the NIST Cybersecurity Framework.</p> <ul><li><strong>NCSF Foundations</strong>: For executives, business and IT professionals who need a basic understanding of NCSF to perform their jobs</li> <li><strong>NCSF Practitioner</strong>: Teaches how to build and design a technology-focused cyber security program and risk management program. Gives you a deeper understanding of the NCSF and how to adapt and operationalize it.</li> </ul><p>A complete list of cyber security certifications offered by itSM Solutions can be found in <a href="#tab10">Section 5.10</a>.</p> </details><details class="group" id="wb-auto-30"><summary><h3>2.11 McAfee Institute</h3> </summary><p>McAfee Institute offers several industry-recognized board certifications in the areas of cyber intelligence and investigations, digital forensics, and cryptocurrency investigations. Certificate holders come from some of the top law enforcement and government agencies like the U.S. Air Force and Army, Federal Bureau of Investigation (FBI) and the New York Police Department (NYPD).</p> <ul><li><strong>Certified Cyber Intelligence Professional</strong> (CCIP) certification was developed in conjunction with the Department of Homeland Security’s National Cyber Security Workforce Framework. Certification demonstrates that an individual can identify persons of interest, conduct timely cyber investigations, and prosecute cyber criminals.
Candidates must hold a bachelor’s degree or higher and have three years of experience in investigations, IT, fraud, law enforcement, forensics, criminal justice, law, or loss prevention.</li> </ul><p>A complete list of cyber security certifications offered by McAfee Institute can be found in <a href="#tab11">Section 5.11</a>.</p> </details><details class="group" id="wb-auto-31"><summary><h3>2.12 Offensive Security</h3> </summary><p>Offensive Security is an international company that provides security counselling and training for technology companies, including practical performance-based certification programs, virtual lab access, and open-source projects.</p> <ul><li><strong>Offensive Security Certified Professional</strong> (OSCP) certification is considered one of the hardest to obtain due to its difficult exam. Candidates are required to successfully attack and penetrate live machines in a safe lab environment over a 24-hour period. Because of its hands-on nature, it is intended for penetration testers with strong technical and ethical hacking backgrounds. Prior to attempting the exam, candidates must complete the Penetration Testing training course offered by Offensive Security. Obtaining the certificate also qualifies the recipient for 40 (ISC)2 continuing education credits. Unlike many of the other cyber security certifications, the OSCP certificate never expires.</li> <li><strong>Security Operations and Defensive Analysis</strong> (OSDA) certification is tailored for IT professionals such as security operations centre analysts, threat intelligence analysts and others who are involved in safeguarding an organization’s IT environment. This certification encompasses several critical areas, including incident response, where candidates learn to effectively detect, respond to, and recover from security incidents.
It also covers threat intelligence, which involves understanding and applying knowledge of emerging threats, and security monitoring, focusing on identifying suspicious activities through network and log analysis. Additionally, the certification delves into vulnerability management and cyber defense techniques, equipping professionals with the skills to assess and mitigate vulnerabilities and to implement robust defense strategies against cyber threats. Candidates also gain confidence configuring and monitoring a SIEM for active network attacks and learn to manually inspect logs to recognize normal and abnormal activity. The certification process requires participants to complete a comprehensive training course followed by a rigorous examination that tests both their theoretical knowledge and practical skills in these areas. Prior to attempting this certification, learners must have successfully completed the Linux, Windows and Networks Basics courses from Offensive Security.</li> </ul><p>A complete list of cyber security certifications offered by Offensive Security can be found in <a href="#tab12">Section 5.12</a>.</p> </details><details class="group"><summary><h3>2.13 PECB</h3> </summary><p>PECB is a certification body that provides education and certification under International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17024 (conformity assessment: general requirements for bodies operating certifications of individuals) on a wide variety of disciplines, including information security and cloud security. They have a global network of distributors, trainers, and certified individuals in more than 150 countries.
PECB is accredited by the International Accreditation Service (IAS) and the United Kingdom Accreditation Service (UKAS).</p> <ul><li><strong>Certified Lead Ethical Hacker</strong> credential demonstrates that you can lawfully assess the security of your organization’s systems and find their vulnerabilities.</li> </ul><p>A complete list of cyber security certifications offered by PECB can be found in <a href="#tab13">Section 5.13</a>.</p> </details><details class="group" id="wb-auto-32"><summary><h3>2.14 SECO Institute</h3> </summary><p><strong>Security &amp; Continuity Institute</strong> (SECO) is a European institute that offers high-level security and continuity certifications. The SECO certification program consists of seven different certification tracks, each focusing on a specific field of expertise, such as IT Security, Data Privacy, and Ethical Hacking. Tracks start at the Foundation level, followed by the Practitioner and Expert levels. Candidates can then apply for Certified Officer-level certifications, which are the highest achievable qualification in each certification track.</p> <ul><li><strong>Ethical Hacking Foundation</strong> (S‑EHF) is an entry-level certification for professionals seeking to enter the career field. Certificate holders understand the fundamentals of ethical hacking and can perform basic penetration testing. While there are no prerequisites, it is recommended that candidates have a basic understanding of Linux.</li> <li><strong>Ethical Hacking Practitioner</strong> (S‑EHP) is aimed at professionals who already have solid knowledge of ethical hacking basics. It is recommended that candidates obtain S-EHF certification first.
Obtaining certification demonstrates that an individual has a full understanding of the penetration testing process and is familiar with common penetration testing techniques.</li> </ul><p>A complete list of cyber security certifications offered by SECO can be found in <a href="#tab14">Section 5.14</a>.</p> </details></div> </section><section><h2 id="C">3.0 Cyber Credentials Collaborative</h2> <p>Cyber Credentials Collaborative (C3) was created in 2011 to promote the benefits of certifications in the skills development of information security professionals around the world. C3 provides awareness of and advocacy for vendor-neutral credentials in information security, privacy, and other IT disciplines. By providing a forum for members to collaborate on issues of shared concern, C3 aims to advance IT careers, better prepare the workforce, and ensure that IT certifications are developed to meet the needs of government, private organizations, and educational institutions.</p> <p>The following certification bodies are all members of C3:</p> <ul><li>(ISC)2</li> <li>CertNexus</li> <li>CompTIA</li> <li>Global Information Assurance Certification</li> <li>ISACA</li> </ul></section><section><h2 id="D">4.0 Cyber Security certification listings and descriptions</h2> <p>The tables below offer a fuller list of the different cyber security certifications available to individuals, in alphabetical order <sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>.</p> <p>Prior to attempting a certification exam, candidates can purchase training (in-class, online, or self-paced courses) and other exam preparation materials, such as practice exams, through the vendors and training providers listed in the last column. Some vendors also offer course bundles that include exam fees.
To find out more about certification training options and providers, please visit the certification body’s website.</p> <div id="section2"> <details class="grouped" id="wb-auto-4"><summary><h3 id="tab1">4.1 CertNexus</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified First Responder (CFR)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of analyzing threats, designing secure computing and network environments, proactively defending networks, and responding to/investigating cyber security incidents</li> <li>DoD approved (Directive 8140)</li> <li>Candidates should have 3-5 years of experience working in a computing environment protecting critical information systems before, during, and after an incident</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>2 options for re-certification: <ul><li>Take the most recent version of the exam</li> <li>Earn 90 continuing education credits within the 3 years and pay annual fees</li> </ul></li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Network Administrators</li> <li>Incident Responders</li> <li>Cyber Crime Investigators</li> <li>IT Auditors</li> <li>Security Analysts</li> <li>Network Analysts</li> <li>Information Systems Security Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified IoT Security Practitioner (CIoTSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge, skills, and ability to secure network
environments for IoT devices, analyze vulnerabilities and determine reasonable controls against threats, and effectively monitor IoT devices and respond to incidents</li> <li>Candidates should have a fundamental understanding of IoT ecosystems</li> <li>Exam consists of 100 multiple choice questions</li> </ul><h5>Intended candidates</h5> <ul><li>Network Administrators</li> <li>Software Development Engineers</li> <li>Solution Architects</li> <li>Cyber Security Analysts</li> <li>Web Developers</li> <li>Cloud Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cyber Secure Coder (CSC)</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has learned about the vulnerabilities that undermine security, identification and remediation of those vulnerabilities, and strategies for dealing with security defects.</li> <li>Candidates should have some programming experience (developing desktop, mobile, web, or cloud applications)</li> <li>Exam consists of 80 multiple choice questions</li> <li>Valid for 3 years</li> </ul><h5>Intended candidates</h5> <ul><li>Lead Developers</li> <li>Junior Programmers</li> <li>Application Testers</li> <li>QA Testers</li> <li>Software Designers</li> <li>Software Architects</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">CyberSafe</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate can identify the most common risks involved in using mobile and cloud technologies, and can protect themselves and their organizations from cyber threats</li> <li>No prerequisites for the exam, but candidates should have experience with basic technology (computers, smartphones, email, internet, etc.)</li> <li>Exam is only 10 questions and has no time limit</li> </ul><h5>Intended candidates</h5> <ul><li>Non-technical computer end-users</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IRBIZ micro credential</h4> </div>
<h5>Certification overview</h5> <ul><li>Certifies that a candidate has the necessary skills to assess and respond to security threats, and to operate a system and network security analysis platform.</li> <li>Candidates should have a general understanding of cyber security</li> <li>Exam consists of 10 multiple choice and true/false questions</li> <li>Valid for 3 years</li> </ul><h5>Intended candidates</h5> <ul><li>IT leaders and Executives responsible for incident response legislation compliance</li> </ul></details><details class="grouped" id="wb-auto-5"><summary><h3 id="tab2">4.2 Cisco Systems</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified CyberOps Associate</h4> </div> <h5>Certification overview</h5> <ul><li>Certification prepares candidates to begin working as associate-level cybersecurity analysts within security operations centres</li> <li>No prerequisites</li> <li>DoD approved (Directive 8570)</li> <li>Candidates must pass two exams to receive certification</li> <li>Valid for 3 years</li> <li>Recertification requires taking a recertification exam, or completing learning activities and earning 30 continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Cyber Security Analysts</li> <li>Security Operations Centre Team members</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified CyberOps Professional</h4> </div> <h5>Certification overview</h5> <ul><li>New certification introduced in 2021</li> <li>Validates a candidate’s knowledge of cloud computing security, risk management, and threat intelligence analysis</li> <li>No prerequisites</li> <li>Valid for 3 years</li> <li>Recertification requires advancing to the next level of certification, earning continuing education credits, or a combination of both</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Analysts</li> <li>Incident Responders</li> <li>Incident Managers</li>
<li>Network Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Internetwork Expert (CCIE) Security</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of security infrastructure including network security, cloud security, content security, endpoint protection and detection, secure network access, visibility and enforcement</li> <li>No prerequisites</li> <li>It is recommended that candidates have 5-7 years of experience designing, deploying, operating and optimizing security technologies and solutions</li> <li>Certification requires passing a qualifying exam and an 8-hour hands-on lab exam</li> <li>Valid for 3 years</li> <li>Recertification requires advancing to the next level of certification, earning continuing education credits, or a combination of both</li> </ul><h5>Intended candidates</h5> <ul><li>Senior networking professionals with at least 5-7 years of experience</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Network Professional (CCNP) Security</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of enterprise infrastructure, virtualization, assurance, security, and automation</li> <li>No prerequisites</li> <li>It is recommended that candidates have 3-5 years of experience implementing security solutions</li> <li>Certification requires passing a core exam and a concentration exam.</li> <li>Valid for 3 years</li> <li>Recertification requires advancing to the next level of certification, earning continuing education credits, or a combination of both</li> </ul><h5>Intended candidates</h5> <ul><li>Professionals with 3-5 years of experience implementing security solutions</li> <li>Network engineers</li> <li>System engineers</li> <li>Network technicians</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Support Technician (CCST) Cybersecurity</h4> </div>
<h5>Certification overview</h5> <ul><li>New certification introduced in 2023</li> <li>Entry-level certification</li> <li>No prerequisites</li> <li>Validates a candidate’s skills and knowledge of entry-level cyber security concepts and topics including security principles, network security and endpoint security concepts, vulnerability assessment and risk management, and incident handling</li> <li>Certification does not expire and there is no need to recertify</li> </ul><h5>Intended candidates</h5> <ul><li>Late secondary and postsecondary students</li> <li>Students in technical schools</li> <li>Entry-level IT or networking professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cisco Certified Support Technician (CCST) Networking</h4> </div> <h5>Certification overview</h5> <ul><li>New certification introduced in 2023</li> <li>Entry-level certification</li> <li>No prerequisites</li> <li>Validates a candidate’s skills and knowledge of entry-level networking concepts and topics, including how networks operate and the devices, media, and protocols that enable network communications</li> <li>Certification does not expire and there is no need to recertify</li> </ul><h5>Intended candidates</h5> <ul><li>Late secondary and postsecondary students</li> <li>Students in technical schools</li> <li>Entry-level IT or networking professionals</li> </ul></details><details class="grouped" id="wb-auto-6"><summary><h3 id="tab3">4.3 CompTIA</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Advanced Security Practitioner (CASP+)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>The only performance-based certification for practitioners rather than managers at the advanced level of cyber security</li> <li>Validates advanced-level competency in risk management, enterprise security operations and architecture, research and collaboration, and integration of enterprise
security</li> <li>DoD approved (Directive 8140/8570)</li> <li>Candidates require 10 years of experience in IT administration, 5 of which are hands-on technical security experience</li> <li>Exam consists of 90 multiple choice and performance-based questions</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 75 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architect</li> <li>Technical Lead Analyst</li> <li>Security Engineer</li> <li>Application Security Engineer</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Cyber Security Analyst (CySA+)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level cybersecurity analyst certification</li> <li>The most up-to-date security analyst certification covering advanced persistent threats in a post-2014 cyber security environment.</li> <li>Validates a candidate’s expertise in security analytics, intrusion detection, and response</li> <li>Candidates should have 3-4 years of information security or related experience, and Network+ or Security+ certification, or equivalent knowledge</li> <li>Approved by the US Department of Defence</li> <li>Exam consists of 85 multiple choice and performance-based questions</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IT Security Analyst</li> <li>Security Operations Centre Analyst</li> <li>Cyber Security Specialist</li> <li>Threat Intelligence Analyst</li> <li>Security Engineer</li> <li>Cyber Security Analyst</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Network+</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge and skills in designing and implementing functional networks</li> <li>Prerequisites are A+ certification and 9-12 months of networking experience</li> <li>Good to have for developing
a career in IT infrastructure (troubleshooting, configuring, managing networks)</li> <li>Exam consists of 90 multiple choice and performance-based questions</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 30 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Entry-level positions</li> <li>Junior Network Administrator</li> <li>Computer technician</li> <li>Junior System Engineer</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">PenTest+</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level certification</li> <li>Validates a candidate’s ability and knowledge to test devices in new environments, like cloud or mobile, as well as traditional desktops and servers</li> <li>Candidates should have 3-4 years of hands-on information security or related experience</li> <li>Exam consists of a maximum of 85 multiple choice and performance-based questions</li> <li>Renewal requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Tester</li> <li>Vulnerability Tester</li> <li>Security Analyst</li> <li>Network Security Operations</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Security+</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates baseline cyber security skills needed to perform core security functions</li> <li>Certificate holders are experts in threat management, network access control, and security infrastructure.</li> <li>Candidates must have 2 years of experience in network security and have obtained Network+ certification</li> <li>Valid for 3 years</li> <li>Renewal requires obtaining 50 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Systems Administrator</li> <li>Network Administrator</li> <li>Security Administrator</li> <li>Penetration Tester</li>
<li>Security Engineer</li> </ul></details><details class="grouped" id="wb-auto-7"><summary><h3 id="tab4">4.4 Council for Registered Ethical Security Testers (CREST)</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Infrastructure Tester</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to assess a network for flaws and vulnerabilities at the network and operating system layer</li> <li>Exam consists of a multiple-choice written portion and two 6-hour hands-on practical components</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Penetration Testers</li> <li>Information Security Managers</li> <li>Incident Handlers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Web Application Tester</h4> </div> <h5>Certification overview</h5> <ul><li>Assesses a candidate’s ability to find vulnerabilities in bespoke web applications.</li> <li>Exam consists of a multiple-choice written portion and two 6-hour hands-on practical components</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Ethical Hackers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">CREST Certified Wireless Specialist (CCWS)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge and skills in performing security reviews of traditional wireless networks, RFID, Bluetooth and other wireless technologies</li> <li>Prerequisite is successful completion of one of the core CREST certification exams</li> <li>2-part exam: 120 multiple choice questions and practical tasks</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>Senior professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Practitioner Security Analyst (CPSA)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates a candidate’s knowledge in assessing operating systems and common network services at a basic level</li> <li>Candidates must demonstrate that they have the knowledge to perform basic infrastructure and web application vulnerability scans and interpret the results to locate security vulnerabilities.</li> <li>Exam consists of multiple-choice questions</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Penetration Testers</li> <li>Information Security Managers</li> <li>Incident Handlers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Registered Penetration Tester (CRT)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to carry out basic vulnerability assessment and penetration testing tasks.</li> <li>During the exam, candidates are required to find known vulnerabilities across common network, application and database technologies; includes a multiple-choice section</li> <li>Prerequisite is the CPSA certification</li> <li>Valid for 3 years</li> <li>To recertify, candidates must re-write the exam</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Penetration Testers</li> <li>Information Security Managers</li> <li>Incident Handlers</li> </ul></details><details class="grouped" id="wb-auto-8"><summary><h3 id="tab5">4.5 Certified Wireless Network Professionals (CWNP)</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Wireless Network Expert (CWNE)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Less than 200 CWNE certificate holders in the world</li> <li>Validates that a candidate has
mastered all the skills relevant to administering, installing, configuring, troubleshooting and designing wireless networks, and has a deep understanding of protocol analysis, intrusion detection and prevention.</li> <li>Candidates are required to have 3 years of experience related to Wi-Fi networks</li> <li>Application requirements include endorsement from 3 people and written submissions (essays and publications)</li> <li>Candidates must pass 4 exams and complete commercial WLAN deployments</li> <li>Valid for 3 years</li> <li>Renewal requires paying a renewal fee and obtaining 60 continuing education credits over a 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in senior WLAN positions</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Wireless Security Professional (CWSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to assess the vulnerabilities of a network, help prevent attacks before they happen, perform WLAN security audits, and implement compliance monitoring solutions.</li> <li>Candidate must have already obtained Certified Wireless Network Administrator (CWNA) certification</li> <li>Exam consists of 60 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires having valid CWNA certification and passing the current version of the exam, or passing the CWNE exam.</li> </ul><h5>Intended candidates</h5> <ul><li>IT Networking Professionals</li> </ul></details><details class="grouped" id="wb-auto-9"><summary><h3 id="tab6">4.6 EC Council</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Application Security Engineer (CASE)</h4> </div> <h5>Certification overview</h5> <ul><li>Two streams: Java and .NET</li> <li>Validates that a candidate has the critical security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure
methodologies and practices in today’s insecure operating environment</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in information security and must apply for exam eligibility</li> <li>Valid for 3 years</li> <li>Exams consist of 50 multiple choice questions</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals responsible for developing, testing, managing, or protecting a wide range of applications</li> <li>Developers who want to become Application Security Engineers, Analysts or Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Chief Information Security Officer (CCISO)</h4> </div> <h5>Certification overview</h5> <ul><li>Program recognizes the real-world experience necessary to succeed at the highest executive levels of Information Security</li> <li>CCISO program is aimed at producing top-level information security executives</li> <li>Candidates seeking certification without official training are required to have at least 5 years of work experience in each of the 5 CCISO domains and must apply for exam eligibility</li> <li>Candidates attending official training require 5 years of work experience in at least 3 of the CCISO domains</li> <li>Exam consists of 150 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Chief Information Security Officers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cloud Security Engineer (CCSE)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to create and implement security policies to safeguard cloud infrastructure and applications</li> <li>Program covers both
vendor-neutral and vendor-specific cloud security concepts</li> <li>Candidates seeking certification without official training are required to have at least 2 years of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Cloud Analysts</li> <li>Cyber Security Analysts</li> <li>Network Security Administrators</li> <li>Cloud Administrators and Engineers</li> <li>Network and Cloud Management Operations Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cybersecurity Technician (CCT)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level cyber security credential for individuals starting a career in cyber security or IT</li> <li>Validates a candidate’s hands-on technical skills</li> <li>No prerequisites</li> <li>Exam consists of 60 multiple choice questions and 10 practical scenarios</li> <li>Valid for 3 years</li> <li>CCT is not part of the EC-Council Continuing Education (ECE) scheme.
To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Cyber Security technicians</li> <li>Network Engineers and Administrators</li> <li>IT Support Specialists and Managers</li> <li>Network Technicians and Coordinators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (CEH) – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential</li> <li>Validates that a candidate knows how to look for weaknesses and vulnerabilities in target systems and use the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in information security and must apply for exam eligibility</li> <li>This credential certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective</li> <li>Exam consists of 125 questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Officers</li> <li>Information Assurance Security Officers, Managers, Engineers, or Specialists</li> <li>Site Administrators</li> <li>Information Security Auditors</li> <li>Risk/Threat/Vulnerability Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (CEH) – Master</h4> </div> <h5>Certification overview</h5> <ul><li>Candidate holds both the ANSI and Practical CEH certifications</li> <li>Meets GCHQ Certified Training standard</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual 
fees</li> </ul><h5>Intended candidates</h5> <ul><li>Security Officers</li> <li>IT Auditors</li> <li>Site Administrators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (CEH) – Practical</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of ethical hacking techniques such as threat vector identification, network scanning, operating system (OS) detection, vulnerability analysis, system hacking, web application hacking, etc.</li> <li>No prerequisites, but this certification is usually the next step after obtaining the CEH ANSI</li> <li>6-hour exam features 20 case studies</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Analysts or Administrators</li> <li>Information Assurance Security Officers, Managers, Engineers, or Specialists</li> <li>Risk/Threat/Vulnerability Analysts</li> <li>System Administrators</li> <li>Network Administrators or Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Network Defender (CND) – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has the required expertise to protect, detect, and respond to threats on the network</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in IT security and must apply for exam eligibility</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Network and IT Administrators</li> <li>Data Security Analysts</li> <li>Security Operators</li> <li>Network Engineers and Technicians</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 
class="mrgn-tp-0 mrgn-bttm-0">Certified Penetration Testing Professional (CPENT)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to perform effective penetration testing in an enterprise network environment that must be attacked, exploited, evaded, and defended</li> <li>No prerequisites</li> <li>24-hour exam consists of a 100% practical assessment within the cyber range and the submission of a Penetration Testing report</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Ethical Hackers</li> <li>Network Server and Firewall Administrators</li> <li>Risk Assessment Professionals</li> <li>Security Engineers and Analysts</li> <li>Information Security Consultants</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Secure Computer User (CSCU)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate can identify information security threats and mitigate them effectively</li> <li>No prerequisites</li> <li>Exam consists of 50 multiple choice questions</li> <li>Valid for 3 years</li> <li>CSCU is not part of the EC-Council Continuing Education (ECE) scheme. 
To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Anyone 13 and over who uses a computer for work, study, or play</li> <li>End-users</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified SOC Analyst (CSA)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s comprehensive understanding of the tasks required as a SOC Analyst</li> <li>Program focuses on creating new career opportunities for candidates by providing them with in-demand technical skills, knowledge, and enhanced-level capabilities to dynamically contribute to a SOC team</li> <li>Candidates seeking certification without official training are required to have 1 year of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Tier I and Tier II Security Operations Centre Analysts</li> <li>Cyber Security Analysts</li> <li>Network and Security Administrators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Threat Intelligence Analyst (CTIA)</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has the skills to identify and mitigate business risks by converting unknown internal and external threats into quantifiable threat entities and stop them in their tracks</li> <li>Candidates seeking certification without official training are required to have 2 years of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 50 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> 
<ul><li>Ethical Hackers</li> <li>Digital Forensic and Malware Analysts</li> <li>Threat Intelligence Analysts</li> <li>Incident Response Team Members</li> <li>SOC Professionals</li> <li>Security Practitioners, Engineers, Analysts, Architects, and Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Computer Hacking Forensics Investigator (CHFI) – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has the necessary skills to proactively investigate complex security threats, allowing them to investigate, record, and report cybercrimes to prevent future attacks</li> <li>Lab-focused, vendor-neutral program</li> <li>Candidates seeking certification without official training must have 2 years of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 150 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>IT Managers</li> <li>Digital Forensic Service Providers</li> <li>Law enforcement personnel</li> <li>Defence and Security personnel</li> <li>Government Agencies</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Digital Forensics Essentials (DFE)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential helps candidates increase their competency and expertise in digital forensics and information security skills, thereby adding value to their workplace and employer</li> <li>No prerequisites</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>DFE is not part of the EC-Council Continuing Education (ECE) scheme. 
To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Help Desk Technicians</li> <li>Network Administrators</li> <li>Network Technicians</li> <li>Computer Support Specialists</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">EC Council Disaster Recovery Professional (EDRP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to plan, strategize, implement, and maintain a business continuity and disaster recovery plan</li> <li>Candidates seeking certification without official training must have at least 2 years of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 150 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>IT Directors and CISOs</li> <li>IT Risk Managers and Consultants</li> <li>Business Continuity and Disaster Recovery Consultants</li> <li>IT Professionals in Disaster Recovery, Business Continuity, and System Administration domains</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">EC-Council Certified Encryption Specialist (ECES)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification that introduces professionals and students to the field of cryptography by learning the foundations of modern symmetric and key cryptography</li> <li>Candidates seeking certification without official training must have at least 1 year of related work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 50 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> 
</ul><h5>Intended candidates</h5> <ul><li>Cryptanalysts</li> <li>Cryptographers</li> <li>Ethical Hackers</li> <li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">EC-Council Certified Incident Handler (ECIH) – ANSI</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has the knowledge and skills to effectively handle post-breach consequences by reducing the impact of the incident from both a financial and reputational perspective</li> <li>Specialist-level program</li> <li>Candidates seeking certification without official training must have at least 1 year of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 100 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>Risk Assessment Handlers</li> <li>System Administrators and Engineers</li> <li>Network and IT Managers</li> <li>Application Security Engineers</li> <li>Cyber Forensic Investigators and Analysts</li> <li>SOC Analysts</li> <li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Essentials (EHE)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential covers ethical hacking and penetration testing fundamentals and prepares learners for a career in cyber security</li> <li>No prerequisites</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>EHE is not part of the EC-Council Continuing Education (ECE) scheme. 
To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Help Desk Technicians</li> <li>Network Administrators</li> <li>Network Technicians</li> <li>Computer Support Specialists</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Industrial Control Systems and Supervisory Control and Data Acquisitions (ICS/SCADA) Cybersecurity</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of the foundations of security and ability to defend network architectures from attacks</li> <li>Candidates seeking certification without official training are required to have 1 year of work experience in information security and must apply for exam eligibility</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>To recertify, you must earn 120 continuing education credits during the 3-year period and pay annual fees</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators and Engineers</li> <li>SCADA Systems personnel</li> <li>Business System Analysts who support SCADA interfaces</li> <li>Security Consultants who perform security assessments of SCADA and/or ICS</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Network Defense Essentials (NDE)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level credential covers the fundamental concepts of information security and network defense, and is ideal for learners aspiring to pursue a career in cyber security</li> <li>No prerequisites</li> <li>Exam consists of 75 multiple choice questions</li> <li>Valid for 3 years</li> <li>NDE is not part of the EC-Council Continuing Education (ECE) scheme. To recertify, a candidate must take the exam again</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals seeking entry-level cyber security or information security roles</li> <li>Help Desk Technicians</li> <li>Network Administrators</li> <li>Network Technicians</li> <li>Computer Support Specialists</li> </ul></details><details class="grouped" id="wb-auto-10"><summary><h3 id="tab7">4.7 Global Information Assurance Certification (GIAC)</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Advanced Smartphone Forensics (GASF)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate is qualified to perform forensic examinations on devices such as mobile phones and tablets; and has an understanding of the fundamentals of mobile forensics, device file system analysis, mobile application behaviour, event artifact analysis and the identification and analysis of mobile device malware</li> <li>Valid for 4 years</li> <li>Exam consists of 75 questions</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year 
period</li> </ul><h5>Intended candidates</h5> <ul><li>Digital Forensic and Malware Analyst</li> <li>Cyber Defense Forensic Analysts and Investigators</li> <li>Penetration Testers</li> <li>Exploit Developers</li> <li>Threat Hunters</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Assessing and Auditing Wireless Networks (GAWN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Demonstrates knowledge of the different security mechanisms for wireless networks, the tools and techniques used to evaluate and exploit weaknesses, and techniques used to analyze wireless networks.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Auditors</li> <li>Ethical Hackers</li> <li>Penetration Testers</li> <li>Network Security Professionals</li> <li>Wireless System Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Detection Analyst (GCDA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to collect, analyze, and tactically use modern network and endpoint data sources to detect malicious or unauthorized activity</li> <li>GCDA certificate holders are qualified for hands-on leadership positions that deal with Security Information and Event Management (SIEM)</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Analysts</li> <li>Security Architects</li> <li>Senior Security Engineers</li> <li>Security Operations Centre Engineers and Analysts</li> <li>Cyber Threat Investigators</li> </ul><div 
class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Enterprise Defender (GCED)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s knowledge and abilities in the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling, and malware removal</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Responders</li> <li>Penetration Testers</li> <li>Security Operations Centre Engineers and Analysts</li> <li>Network Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Forensic Analyst (GCFA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates that a candidate has the knowledge, skills, and ability to conduct formal incident investigations and handle advanced incident handling scenarios, such as internal and external data breach intrusions or advanced persistent threats.</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Response Team Members</li> <li>Security Operations Centre Analysts</li> <li>Federal Agents and Law Enforcement Professionals</li> <li>Digital Forensics Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Forensic Examiner (GCFE)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level certification</li> <li>Validates a candidate’s knowledge of computer forensics analysis, including core skills needed to collect and analyze data from Windows systems</li> <li>Exam consists of 115 
questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security professionals</li> <li>Law enforcement members</li> <li>Digital Forensics and Malware Analysts</li> <li>Cyber Defense Forensic Analysts and Investigators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Incident Handler (GCIH)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level certification</li> <li>Demonstrates one’s ability to detect, respond to, and resolve computer security incidents using a wide range of essential security skills</li> <li>Exam consists of 100-150 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Response Team Members</li> <li>Cyber Defence Incident Responders</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Intrusion Analyst (GCIA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s knowledge of network and host monitoring, traffic analysis, and intrusion detection</li> <li>Certificate holders are qualified to configure and monitor intrusion detection systems, and to analyze network traffic</li> <li>Exam consists of 100-150 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals who are responsible for network and host monitoring, traffic analysis, or intrusion detection</li> <li>Threat Hunters</li> <li>Security Operations Centre Analysts</li> <li>Incident Response team members</li> </ul><div 
class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Web Application Defender (GWEB)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Demonstrates that a candidate has mastered the security knowledge and skills needed to deal with common web application errors that lead to most security problems.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Application Developers</li> <li>Application Security Analysts</li> <li>Application Architects</li> <li>Penetration Testers</li> <li>Individuals in roles requiring PCI compliance</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Certified Windows Security Administrator (GCWN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to secure Windows clients and servers, and knowledge of configuring and managing the security of Microsoft operating systems and applications</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals responsible for installing, configuring, and securing Microsoft Windows clients and servers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Continuous Monitoring Certification (GMON)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to deter intrusions and quickly detect anomalous activity</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 
36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architects</li> <li>Security Operations Centre Analysts and Managers</li> <li>Technical Security manager</li> <li>Security Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Critical Controls Certification (GCCC)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>The only certification that is based on the Critical Security Controls, a prioritized, risk-based approach to security.</li> <li>Validates a candidate’s knowledge and skills to implement and execute the Critical Security Controls recommended by the Council on Cybersecurity and perform audits based on the standard.</li> <li>No prerequisites</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IT Administrators</li> <li>DoD personnel</li> <li>Network Security Engineers</li> <li>Security Vendors</li> <li>Security Auditors, CIOs, and Risk Officers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Critical Infrastructure Protection (GCIP)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate has the knowledge and skills needed to understand the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulations and plan practical implementation strategies to achieve regulatory compliance.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Operations Analysts</li> <li>Team Leaders and Managers</li> 
<li>Incident Response Analysts</li> <li>ICS Cyber Security Practitioners</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Cyber Threat Intelligence (GCTI)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to understand and analyze complex threat analysis scenarios; identify, create, and validate intelligence requirements through threat modelling.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Incident Response Team members</li> <li>Threat Hunters</li> <li>Intelligence Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Defending Advanced Threats (GDAT)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates that a candidate has advanced knowledge of how adversaries penetrate networks and what security controls are effective to stop them.</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architects</li> <li>Security Engineers</li> <li>Technical Security Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Defensible Security Architecture (GDSA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s real-world, hands-on skills in dealing with network-centric and data-centric approaches to defensible security architecture, hardening applications across the Transmission Control Protocol/Internet Protocol (TCP/IP) stack, and secure environment creation with private, hybrid, 
or public clouds</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Architects</li> <li>Network Engineers</li> <li>Security Analysts</li> <li>Cyber Threat Investigators</li> <li>Senior Security Engineers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to find and mitigate significant security flaws in systems and networks</li> <li>Exam consists of 55-75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Vulnerability Testers</li> <li>Security Analysts</li> <li>Vulnerability Assessment Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Information Security Fundamentals (GISF)</h4> </div> <h5>Certification overview</h5> <ul><li>Introductory-level certification</li> <li>Validates a candidate’s knowledge of security’s foundation, computer functions and networking, introductory level cryptography, and cyber security technologies</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Management</li> <li>Information Security Officers</li> <li>System Administrators</li> <li>Professionals who need an introduction to cyber security fundamentals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC 
Information Security Professional (GISP)</h4> </div> <h5>Certification overview</h5> <ul><li>Intermediate-level certification for Managers and Leaders</li> <li>Validates a candidate’s knowledge of the 8 domains of cybersecurity knowledge: asset security, communications and network security, identity and access management, security and risk management, security assessment and testing, security engineering, security operations, and software development security.</li> <li>Candidate should have some experience in information systems and networking</li> <li>Exam consists of 250 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>System Administrators</li> <li>Security Administrators</li> <li>Network Administrators</li> <li>Security Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Mobile Device Security Analyst (GMOB)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to properly secure mobile devices that are accessing vital information</li> <li>Demonstrates knowledge of assessing and managing mobile device and application security, and mitigating against malware and stolen devices</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Information Security Analysts</li> <li>Penetration Testers</li> <li>Ethical Hackers</li> <li>Network and System Administrators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Network Forensic Analyst (GNFA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to perform 
examinations employing network forensic artifact analysis</li> <li>Exam consists of 50 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Law Enforcement members</li> <li>Digital Forensic and Malware Analysts</li> <li>Cyber Defence Analysts</li> <li>Incident Response team members</li> <li>Security Operations Centre team members</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Penetration Tester (GPEN)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to properly conduct a penetration test, using best practice techniques and methodologies</li> <li>Exam consists of up to 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Tester</li> <li>Exploit Developers</li> <li>Network Security personnel</li> <li>Ethical Hackers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Response and Industrial Defence (GRID)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Demonstrates that a candidate understands the Active Defence Approach, ICS-specific attacks, and how these attacks inform mitigation strategies</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Industrial Control System Incident Response Team leads and members</li> <li>Security Operations Centre Team leads and Analysts</li> <li>Active Defenders</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 
class="mrgn-tp-0 mrgn-bttm-0">GIAC Reverse Engineering Malware (GREM)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s knowledge and skills to reverse-engineer malware that targets common platforms such as Microsoft Windows and web browsers</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>System and Network Administrators</li> <li>Auditors</li> <li>Security Managers</li> <li>Forensic Investigators</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Security Essentials Certification (GSEC)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates an individual’s knowledge of information security beyond simple terminology and concepts</li> <li>Recipients are skilled in active defense, cryptography, security policy and plans, incident handling and securing networks.</li> <li>Exam consists of 180 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Security Expert (GSE)</h4> </div> <h5>Certification overview</h5> <ul><li>Fewer than 250 GSE certificate holders in the world</li> <li>Validates that a candidate has mastered the wide variety of skills required by top security consultants and practitioners</li> <li>Pre-requisites are GSEC, GCIH, GCIA with 2 Gold certifications</li> <li>Exam consists of 2 parts: 24 VM-based hands-on questions and a practical lab</li> <li>Valid for 4 years</li> <li>Recertification requires taking the current version of the exam</li> 
<li>Renewing GSE certification renews all other active GIAC certifications</li> </ul><h5>Intended candidates</h5> <ul><li>Top Security Consultants and Practitioners</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Security Leadership (GSLC)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification for Managers and Leaders</li> <li>Validates a candidate’s knowledge of governance and technical controls focused on protecting, detecting, and responding to security issues.</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Managers/Supervisors of Information Security teams</li> <li>IT Managers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Systems and Network Auditor (GSNA)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification for Managers and Leaders</li> <li>Validates a candidate’s ability to apply basic risk analysis techniques and to conduct technical audits of essential information systems</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Technical staff responsible for securing and auditing information systems</li> <li>Auditors</li> <li>Network Administrators</li> <li>Managers of Audit or Security teams</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">GIAC Web Application Penetration Tester (GWAPT)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Validates a candidate’s ability to better secure organizations through penetration testing and thorough understanding of web 
application security issues.</li> <li>Demonstrates knowledge of web application exploits and penetration testing methodologies</li> <li>Exam consists of 75 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Vulnerability Testers</li> <li>Security Analysts</li> <li>Vulnerability Assessment Analysts</li> <li>Ethical Hackers</li> <li>Website Designers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Global Industrial Cyber Security Professional (GICSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Assesses a candidate’s base level of knowledge and understanding across the diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments</li> <li>No prerequisites</li> <li>Exam consists of 115 questions</li> <li>Valid for 4 years</li> <li>Renewal requires taking the current version of the exam; or obtaining 36 continuing education credits over the 4-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Engineers</li> <li>Industry Managers</li> <li>Security Analysts</li> </ul></details><details class="grouped" id="wb-auto-11"><summary><h3 id="tab8">4.8 International Information Systems Security Certification Consortium</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cloud Security Professional (CCSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Co-developed with Cloud Security Alliance (CSA)</li> <li>Recognizes IT and information security leaders who have the knowledge and skills with cloud security architecture, design, operations, and service orchestration</li> <li>Candidates require a minimum of 5 years of work-related experience in IT; at least 3 of those years must be 
in information security and 1 year in one of the 6 domains of the CCSP Common Body of Knowledge</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires obtaining 90 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Enterprise Architect</li> <li>Systems Engineer</li> <li>Systems Architect</li> <li>Security Administrator</li> <li>IT and Information Security Leaders</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Information Systems Security Professional (CISSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Advanced-level certification</li> <li>Candidates require a minimum of 5 years of related work experience in at least 2 of the 8 domains of the (ISC)2 Common Body of Knowledge; or 4 years of work experience and a college degree or other approved credential</li> <li>Exam consists of 100-150 items using computer adaptive testing</li> <li>Valid for 3 years</li> <li>Recertification requirements include obtaining 120 continuing professional education credits during the 3-year period</li> <li>Three concentrations are also available to those possessing valid CISSP certification: <ul><li>CISSP-ISSAP (Architecture)</li> <li>CISSP-ISSEP (Engineering)</li> <li>CISSP-ISSMP (Management)</li> </ul></li> </ul><h5>Intended candidates</h5> <ul><li>Chief Information Security Officer</li> <li>Chief Security Officer</li> <li>Security Analyst/Auditor</li> <li>Director of Security</li> <li>IT Director/Manager</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Healthcare Information Security and Privacy Practitioner (HCISPP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates knowledge and skills to implement, manage, or assess security and privacy controls for healthcare and patient information</li> <li>Designed for practitioners and consultants in healthcare information security and privacy</li> 
<li>Candidates require a minimum of 2 years of work experience</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Compliance Officer</li> <li>Medical Records Supervisor</li> <li>Practice Manager</li> <li>Information Security Manager</li> <li>Health Information Manager</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Systems Security Certified Practitioner (SSCP)</h4> </div> <h5>Certification overview</h5> <ul><li>Global IT security certification</li> <li>Entry-level certification</li> <li>Demonstrates that the holder has the technical skills and knowledge to implement, monitor, and administer an IT infrastructure.</li> <li>Designed for practitioners in operational IT roles or in information security</li> <li>Candidates must have 1 year of cumulative work experience in one or more of the 7 domains of the SSCP Common Body of Knowledge; a 1-year experience waiver will be granted to candidates who hold a bachelor’s or master’s degree in Cyber Security</li> <li>Exam consists of 125 multiple choice questions</li> <li>Valid for 3 years</li> <li>Recertification requires obtaining 60 continuing education credits during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Network Security Engineer</li> <li>Systems Administrator</li> <li>Security Analyst</li> <li>Systems/Network Analyst</li> <li>Security Consultant</li> <li>IT Administrators, Directors, or Managers</li> </ul></details><details class="grouped" id="wb-auto-12"><summary><h3 id="tab9">4.9 ISACA</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cybersecurity Practitioner (CSX‑P)</h4> </div> <h5>Certification overview</h5> <ul><li>New certification created in 2015</li> <li>Recognizes individuals who can act as first responders for security incidents</li> 
<li>The only certification that tests one’s ability to perform globally validated cyber security tasks covering the 5 core functions of the NIST Cyber Security Framework: Identify, Protect, Detect, Respond, and Recover</li> <li>Candidates must pass a performance-based exam consisting of simulated security incidents.</li> <li>Valid for 3 years</li> <li>Recertification requirements include obtaining 120 hours of continuing professional education during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Security Practitioners</li> <li>Incident Handlers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified in Risk and Information Systems Control (CRISC)</h4> </div> <h5>Certification overview</h5> <ul><li>Recognizes those who identify, evaluate, and manage risk through the development, implementation, and maintenance of information systems controls</li> <li>Candidates must have 3 years of professional-level risk management and control experience; no education substitutes</li> <li>Valid for 3 years</li> <li>Recertification requirements include obtaining 120 hours of continuing professional education during a 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IT and Business professionals</li> <li>Risk and Compliance professionals</li> <li>Business Analysts</li> <li>Project Managers</li> <li>Security directors</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Information Security Manager (CISM)</h4> </div> <h5>Certification overview</h5> <ul><li>Management-focused certification</li> <li>Recognizes candidates who manage, design, oversee, and assess an enterprise’s information security</li> <li>Candidates require a minimum of 5 years of information security experience gained within the 10-year period before writing the exam</li> <li>Written application is required</li> <li>Exam consists of 150 questions / 4 hours long</li> <li>Valid for 3 years</li> <li>Recertification requirements 
include obtaining 120 hours of continuing professional education during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Information security managers and directors</li> <li>IT Security Analysts</li> <li>Risk Analysts</li> <li>IT Auditor</li> <li>Information Systems Security Manager</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Information Systems Auditor (CISA)</h4> </div> <h5>Certification overview</h5> <ul><li>Globally recognized certification</li> <li>Validates a candidate’s audit experience, skills and knowledge, and ability to assess vulnerabilities, report on compliance and institute controls within the enterprise</li> <li>Candidates require 5 years of professional information systems (IS) auditing, control or security work experience; some education substitutes</li> <li>Exam consists of 150 questions</li> <li>Certificate holders are required to take at least 120 hours of continuing education during the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>IS audit control, assurance, and security professionals</li> </ul></details><details class="grouped" id="wb-auto-13"><summary><h3 id="tab10">4.10 itSM Solutions</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">NIST Cyber Security Professional (NCSP) Foundation</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates that a candidate has the knowledge and ability to operationalize the NIST Cyber Security Framework</li> <li>No prerequisites, but basic computing skills and security knowledge are recommended</li> <li>Exam consists of 40 multiple choice questions</li> </ul><h5>Intended candidates</h5> <ul><li>Security, IT, Risk Management professionals</li> <li>Auditors</li> <li>Other professionals who need to understand the basics of cyber security, the components of the NIST Cyber Security Framework and how it aligns to risk management</li> </ul><div class="mrgn-tp-md 
well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">NCSP Practitioner</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s skills and abilities to design, build, test, manage, and improve a cyber security program based on the NCSF</li> <li>Candidates must complete the NCSF Foundation training/exam before attempting the exam</li> <li>Exam consists of 65 multiple choice questions</li> </ul><h5>Intended candidates</h5> <ul><li>IT and Cyber Security Professionals</li> </ul></details><details class="grouped" id="wb-auto-14"><summary><h3 id="tab11">4.11 McAfee Institute</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Counterintelligence Threat Analyst (CCTA)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to identify and investigate cyber criminals, conduct cyber counterintelligence investigations to mitigate threats, and investigate and prosecute hackers and cyber criminals</li> <li>Prerequisites: Bachelor’s degree or higher and 3 years of experience in a related field, or associate degree and 4 years of experience</li> <li>Candidates must pass a background check</li> <li>Exam consists of 200 questions</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cyber Intelligence Investigator (CCII)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to conduct cyber investigations, utilize methodologies to prosecute cyber criminals, apply mobile and digital forensics, recognize fraud and hacking, and develop intelligence gathering.</li> <li>Prerequisites: Bachelor’s degree or higher and 1 year of experience in a related field, or an associate degree and 2 years of experience</li> 
<li>Candidates must pass a background check</li> <li>Exam consists of 200 questions</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Cyber Intelligence Professional (CCIP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to conduct cyber investigations, utilize methodologies to prosecute cyber criminals, design and implement a cyber program, understand mobile and digital forensics, and recognize fraud and hacking</li> <li>Prerequisites: Bachelor’s degree or higher and 3 years of experience in a related field, or an associate degree and 4 years of experience</li> <li>Candidates must pass a background check</li> <li>Exam consists of 200 questions</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Expert in Cyber Investigations (CECI)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to recognize and identify cyber criminals, conduct cyber counterintelligence investigations to mitigate threats, protect an organization’s assets and information, and investigate and prosecute hackers and cybercriminals</li> <li>Prerequisites: Bachelor’s degree or higher and 4 years of experience in a related field, or an associate degree and 6 years of experience</li> <li>Candidates must pass a background check</li> <li>Exam consists of 200 true/false, multiple choice, and scenario-based questions.</li> <li>Valid for 2 years</li> <li>To renew, candidates must pay a renewal 
fee and obtain continuing education credits</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals in cyber security, law enforcement, loss prevention roles</li> </ul></details><details class="grouped" id="wb-auto-15"><summary><h3 id="tab12">4.12 Offensive Security</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Certified Expert (OSCE)</h4> </div> <h5>Certification overview</h5> <ul><li>Demonstrates that a candidate has a mastery of advanced penetration testing skills; can analyze, correct, modify, and port exploit code; and can craft binaries to evade antivirus software</li> <li>Candidates should have prior knowledge of Windows exploitation techniques, Linux experience, and a solid understanding of TCP/IP and networking</li> <li>Candidates must complete the Cracking the Perimeter course before attempting the exam</li> <li>Exam has a 48-hour time limit and consists of hands-on penetration testing in an isolated virtual private network (VPN); candidates must also submit a comprehensive test report</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Certified Professional (OSCP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates the knowledge and skills needed to identify vulnerabilities and execute organized attacks in a controlled and focused manner</li> <li>Intended for penetration testers with strong technical and ethical hacking backgrounds, and a solid understanding of TCP/IP networking</li> <li>Candidates must first complete the Penetration Testing training course</li> <li>Certification is hard to obtain due to its notoriously difficult exam</li> <li>Candidates must pass a 24-hour exam where they are required to attack and penetrate live machines in a safe lab environment; they must also submit a comprehensive penetration test report</li> <li>Certification never 
expires</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Network Administrators</li> <li>Network Security Professionals</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Exploitation Expert (OSEE)</h4> </div> <h5>Certification overview</h5> <ul><li>Requires significant time investment</li> <li>Validates a candidate’s ability to analyze vulnerable software, find problematic code, and develop sophisticated exploits under various modern Windows operating systems</li> <li>Candidates should have experience in developing Windows exploits and understand how to operate a debugger</li> <li>Candidates must complete the Advanced Windows Exploitation course before attempting the exam</li> <li>Candidates should obtain OSCE certification first</li> <li>Exam consists of developing and documenting exploits during a 72-hour period; candidates must also submit a comprehensive penetration test report</li> <li>Certification qualifies the recipient for 40 (ISC)2 continuing education credits</li> <li>Certification never expires</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Web Expert (OSWE)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has practical knowledge of the web application assessment and hacking process, and the ability to review advanced source code in web applications, identify vulnerabilities, and exploit them</li> <li>Candidates should have familiarity with coding languages and Linux, the ability to write scripts, experience with web proxies, a general understanding of web app attack vectors, theory and practice, and a solid understanding of TCP/IP and networking</li> <li>Candidates are required to take the Advanced Web Attacks and Exploitation course before attempting the exam</li> <li>48-hour exam consisting of hands-on web application assessment in an isolated VPN 
network; successful candidates must also submit an assessment report</li> <li>Certification never expires</li> </ul><h5>Intended candidates</h5> <ul><li>Penetration Testers</li> <li>Web Application Security Specialists</li> <li>Software Engineers</li> <li>Web Developers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Offensive Security Wireless Professional (OSWP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s ability to identify existing encryption schemes and vulnerabilities in Institute of Electrical and Electronics Engineers (IEEE) 802.11 networks, circumvent security restrictions and recover encryption keys in use</li> <li>Candidates must have a solid understanding of TCP/IP and the Open Systems Interconnection (OSI) model, and familiarity with Linux</li> <li>Candidates must complete the Offensive Security Wireless Attacks course before attempting the exam</li> <li>4-hour exam requires the candidate to conduct wireless information gathering and implement various attacks to get access to the target networks; candidates must also submit a penetration test report</li> <li>Certification never expires</li> </ul><h5>Intended candidates</h5> <ul><li>Network Administrators</li> <li>Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Security Operations and Defensive Analysis (OSDA)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that candidates can recognize common methodologies for end-to-end attack chains (MITRE ATT&amp;CK® framework)</li> <li>Candidates can conduct guided audits of compromised systems across multiple operating systems</li> <li>Candidates will demonstrate the ability to use a SIEM to identify and assess an attack as it unfolds live</li> <li>Validates that candidates can manually inspect logs in order to recognize both normal and abnormal, or benign and malicious, activity</li> <li>Certification must be renewed every three years</li> </ul><h5>Intended candidates</h5> 
<ul><li>Penetration Testers</li> <li>Network Security Professionals</li> </ul></details><details class="grouped"><summary><h3 id="tab13">4.13 PECB</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Lead Ethical Hacker</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of information gathering tools and techniques, threat modeling and vulnerability identification, exploitation techniques, reporting, etc.</li> <li>Candidates are required to have knowledge of information security concepts and principles and advanced skills in operating systems</li> <li>Candidates are required to have 2 years of penetration testing and cyber security experience</li> <li>Candidates are required to sign the PECB Code of Ethics and the PECB CLEH Code of Conduct</li> <li>6-hour open book exam consists of 2 parts: the candidate must first compromise 2 or more target machines through penetration testing, then document the process in a written report</li> <li>Valid for 3 years</li> </ul><p>Renewal requirements include demonstrating that you are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</p> <h5>Intended candidates</h5> <ul><li>Individuals responsible for the security of information systems</li> <li>Information Security team members</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Computer Forensics Foundation</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of the fundamental principles and concepts of computer forensics and computer forensics processes</li> <li>No prerequisites</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>1-hour open book exam consists of 5 essay type questions</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you are still performing 
tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals interested in pursuing a career in Computer Forensics</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">ISO/IEC 27032 Foundation</h4> </div> <h5>Certification overview</h5> <ul><li>Validates an individual’s knowledge of the fundamental cyber security principles and concepts, and understanding of the approaches, methods, and techniques used in cyber security</li> <li>No prerequisites</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>1-hour exam consists of 40 multiple choice questions</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>Cyber security and Information Security professionals</li> <li>Individuals interested in pursuing a career in cyber security</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">ISO/IEC 27032 Lead Cybersecurity Manager</h4> <ul><li>Certified Provisional</li> <li>Certified</li> <li>Certified Lead</li> <li>Certified Senior Lead</li> </ul></div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of the fundamental principles and concepts of cyber security, roles and responsibilities of stakeholders, cyber security risk management, attack mechanisms and cybersecurity controls, information sharing and coordination, integrating a cyber security program in business continuity management, and cyber security incident management and performance measurement</li> <li>Candidates are required to have a fundamental understanding of ISO/IEC 27032 and comprehensive knowledge 
of cyber security</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>3-hour open book exam consists of 12 essay type questions</li> <li>Candidates who pass the exam can apply for 1 of 4 credentials based on the number of years of work experience, cyber security experience, and total number of hours of cyber security activities</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>Cyber security and Information Security Professionals</li> <li>Individuals responsible for developing and/or managing a cyber security program</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Lead Forensics Examiner</h4> <ul><li>Certified Provisional</li> <li>Certified</li> <li>Certified Lead</li> </ul></div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of the fundamental principles and concepts of computer forensics, digital forensics lab requirements, computer crime investigation and forensics examinations, and maintaining chain of evidence</li> <li>Candidates are required to have knowledge of computer forensics</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>3-hour open book exam consists of 14 essay type questions</li> <li>Candidates who pass the exam can apply for 1 of 3 credentials (based on the number of years of work experience, cyber security experience, and total number of hours of forensics activities)</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> 
<ul><li>Computer Forensics specialists and consultants</li> <li>Cyber Security professionals</li> <li>Cyber Intelligence Analysts</li> <li>Law Enforcement professionals</li> <li>Electronic Data Analysts</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Lead Pen Test Professional</h4> <ul><li>Certified Provisional</li> <li>Certified</li> <li>Certified Lead</li> </ul></div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s knowledge of the fundamental principles and concepts in penetration testing, technical foundation of penetration testing, testing types, and analyzing results and the reporting process</li> <li>Candidates are required to have a fundamental understanding of penetration testing and comprehensive knowledge of cyber security</li> <li>Candidates are required to sign the PECB Code of Ethics</li> <li>3-hour exam consists of 150 multiple choice questions</li> <li>Candidates who pass the exam can apply for 1 of 3 credentials (based on the number of years of work experience, pen testing experience, and total number of hours of pen testing activities)</li> <li>Valid for 3 years</li> <li>Renewal requirements include demonstrating that you are still performing tasks related to the certification, meeting the required number of Continuing Professional Development (CPD) credits, and paying the annual maintenance fee</li> </ul><h5>Intended candidates</h5> <ul><li>IT Professionals</li> <li>Auditors</li> <li>IT and Risk Managers</li> <li>Penetration Testers</li> <li>Ethical Hackers</li> </ul></details><details class="grouped" id="wb-auto-16"><summary><h3 id="tab14">4.14 SECO Institute</h3> </summary><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Certified Ethical Hacker (S‑EHE)</h4> </div> <h5>Certification overview</h5> <ul><li>Program is currently being re-designed</li> </ul><h5>Intended candidates</h5> <ul><li>N/A</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 
mrgn-bttm-0">Dark Web Foundations</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Developed by the Netherlands Organisation for Applied Scientific Research in collaboration with the International Criminal Police Organization (INTERPOL)</li> <li>Demonstrates that a candidate understands how to use the dark web in a secure way</li> <li>Exam consists of 40 multiple choice questions</li> <li>Valid for 3 years</li> </ul><h5>Intended candidates</h5> <ul><li>IT Security Professionals</li> <li>Law Enforcement</li> <li>Policy makers and Government Officials</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Foundations (S‑EHF)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates that a candidate has an in-depth understanding of basic penetration testing techniques and possesses fundamental hacking skills</li> <li>Exam consists of 40 multiple choice questions</li> <li>Valid for life and is not subject to re-certification requirements</li> </ul><h5>Intended candidates</h5> <ul><li>Web Developers</li> <li>Computer Software Engineers</li> <li>Security Administrator</li> <li>Network Engineer</li> <li>Ethical Hackers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Leader (S‑EHL)</h4> </div> <h5>Certification overview</h5> <ul><li>Highest achievable qualification in the Ethical Hacking certification track</li> <li>Demonstrates that a candidate has excellent penetration testing skills and experience in leading penetration tests</li> <li>Candidates must have expert-level knowledge (SECO Expert level certificate or equivalent) and at least 3 years of relevant work experience</li> <li>No exam</li> <li>Valid for 1 year</li> <li>To renew, candidates must pay annual membership fees and obtain 40 continuing education credits during the year</li> </ul><h5>Intended candidates</h5> <ul><li>Professionals who seek to 
validate the expertise they have built up through hands-on work experience</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">Ethical Hacking Practitioner (S‑EHP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has a full understanding of the penetration testing process and familiarity with common penetration testing techniques</li> <li>Candidates should have a good understanding of ethical hacking fundamentals</li> <li>S-EHF certificate (or equivalent) is recommended</li> <li>3-part exam: 10 multiple choice questions, 5 essay type questions and 1 case study</li> <li>To renew, candidates must pay annual membership fees and obtain 60 continuing education credits over the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Web Developers</li> <li>Security Administrators</li> <li>Network Engineers</li> <li>Computer Software Engineers</li> <li>Aspiring Penetration Testers</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IT Security Expert/SOC (S-ITSE/SOC)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates that a candidate has acquired the knowledge and skills necessary to assume responsibility for threat detection, analysis and response, and can improve an organization’s overall security posture</li> <li>Candidates should have a basic understanding of TCP/IP, operating system fundamentals and common security concepts, and 2 years of experience in a SOC</li> <li>Prerequisite is the S-ITSP or equivalent</li> <li>Candidates can choose 1 of 2 specializations: SOC Manager or IT Security Manager</li> <li>Valid for 1 year</li> <li>To renew, candidates must pay annual membership fees and obtain 120 continuing education credits over the 3-year period</li> </ul><h5>Intended candidates</h5> <ul><li>Individuals who want to become Tier I/Tier II SOC Analysts</li> <li>Future SOC Managers</li> <li>System Engineers</li> <li>Security Analysts</li> </ul><div 
class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IT Security Foundation (S‑ITSF)</h4> </div> <h5>Certification overview</h5> <ul><li>Entry-level certification</li> <li>Validates that a candidate has a basic understanding of computer architecture, common hardware vulnerabilities and security measures</li> <li>No prerequisites and suitable for beginners with basic understanding of computers and technology</li> <li>Exam consists of 40 multiple choice questions</li> <li>Valid for life and not subject to re-certification requirements</li> </ul><h5>Intended candidates</h5> <ul><li>Network or System Administrators</li> <li>Individuals looking to start a career in IT Security</li> </ul><div class="mrgn-tp-md well well-sm"> <h4 class="mrgn-tp-0 mrgn-bttm-0">IT Security Practitioner (S‑ITSP)</h4> </div> <h5>Certification overview</h5> <ul><li>Validates a candidate’s technical competencies in vulnerability management, firewall and network security, security architecture and penetration testing</li> <li>Candidates should have a good understanding of fundamental IT security terms, concepts and principles</li> <li>IT Security Foundation certificate (or equivalent) is recommended</li> <li>Exam includes 10 multiple choice questions, 5 open questions, and 1 case study</li> <li>Valid for 1 year</li> <li>To renew, candidates must pay annual membership fees and obtain 60 continuing education credits during the year</li> </ul><h5>Intended candidates</h5> <ul><li>Security Administrators</li> <li>Security Analysts</li> <li>Security Architects</li> <li>Security Auditors</li> <li>Future SOC Analysts</li> </ul></details></div> </section><div class="pull-right mrgn-tp-md small text-muted mrgn-bttm-md"><a href="#wb-tphp" title="Return to Top of page">Top of page</a></div> <div class="clearfix">&nbsp;</div> <section><h2 id="E">5.0 Cyber Security certification listings and descriptions</h2> <details><summary><h3>5.1 List of abbreviations</h3> </summary><dl 
class="dl-horizontal"><dt>AI</dt> <dd>Artificial Intelligence</dd> <dt>(ISC)²</dt> <dd>International Information Systems Security Certification Consortium</dd> <dt>C3</dt> <dd>Cyber Credentials Collaborative</dd> <dt>CCSMS</dt> <dd>Central configuration setting management system</dd> <dt>CNSS</dt> <dd>Committee on National Security Systems</dd> <dt>CompTIA</dt> <dd>Computing Technology Industry Association</dd> <dt>CREST</dt> <dd>Council for Registered Ethical Testers</dd> <dt>CSA</dt> <dd>Cloud Security Alliance</dd> <dt>CSE</dt> <dd>Communications Security Establishment</dd> <dt>CWNP</dt> <dd>Certified Wireless Network Professionals</dd> <dt>Cyber Centre</dt> <dd>Canadian Centre for Cyber Security</dd> <dt>GIAC</dt> <dd>Global Information Assurance Certification</dd> <dt>GCHQ</dt> <dd>Government Communications Headquarters</dd> <dt>IAS</dt> <dd>International Accreditation Service</dd> <dt>IEC</dt> <dd>International Electrotechnical Commission</dd> <dt>ICS</dt> <dd>Industrial control systems</dd> <dt>IEEE</dt> <dd>Institute of Electrical and Electronics Engineers</dd> <dt>INTERPOL</dt> <dd>International Criminal Police Organization</dd> <dt>IoT</dt> <dd>Internet of Things</dd> <dt>IS</dt> <dd>Information System</dd> <dt>ISACA</dt> <dd>Information Systems Audit and Control Association</dd> <dt>ISO</dt> <dd>International Organization for Standardization</dd> <dt>IT</dt> <dd>Information technology</dd> <dt>NERC CIP</dt> <dd>North American Electric Reliability Corporation Critical Infrastructure Protection</dd> <dt>NICCS</dt> <dd>National Initiative for Cyber Security Careers and Studies</dd> <dt>NIST</dt> <dd>National Institute of Standards and Technology</dd> <dt>NSA</dt> <dd>National Security Agency</dd> <dt>OS</dt> <dd>Operating system</dd> <dt>OSI</dt> <dd>Open systems interconnection</dd> <dt>PCI</dt> <dd>Payment card industry</dd> <dt>RBC</dt> <dd>Royal Bank of Canada</dd> <dt>RFID</dt> <dd>Radio frequency identification</dd> <dt>SCADA</dt> <dd>Supervisory control and data acquisition</dd> <dt>SDLC</dt> <dd>Software development life cycle</dd> <dt>SECO</dt> <dd>Security and Continuity Institute</dd> <dt>SIEM</dt> <dd>Security Information and Event Management</dd> <dt>SOC</dt> <dd>Security Operations Centre</dd> <dt>TCP/IP</dt> <dd>Transmission Control Protocol/Internet Protocol</dd> <dt>UKAS</dt> <dd>United Kingdom Accreditation Service</dd> <dt>VPN</dt> <dd>Virtual private network</dd> <dt>WLAN</dt> <dd>Wireless local area network</dd> </dl></details><aside class="wb-fnote" role="note"><h3 id="fn">5.2 References</h3> <dl><dt>1</dt> <dd id="fn1"> <p>Steve Morgan. “<a href="https://cybersecurityventures.com/10-hot-cybersecurity-certifications-for-it-professionals-to-pursue-in-2019/" rel="external">10 Hot Cybersecurity Certifications for IT Professionals to Pursue in 2020</a>”, Cyber Crime Magazine. 24 May, 2020.</p> <p class="fn-rtn"><a href="#fn*-rf"><span class="wb-inv">Return to footnote </span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>2</dt> <dd id="fn2"> <p>Every effort has been made to ensure the accuracy of the information in this table; however, the information is subject to change at any time.</p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote </span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </div> </div> </article>

  • Security configurations and best practices to protect your mobile device (ITSM.80.002)
    by Canadian Centre for Cyber Security on May 7, 2026 at 3:17 pm

    <article data-history-node-id="7561" about="/en/guidance/security-configurations-best-practices-protect-your-mobile-device-itsm80002" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.80.002</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026&nbsp;|&nbsp;Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <h2 class="text-info mrgn-tp-0">Foreword</h2> <section><p>In today’s digital landscape, mobile devices play a pivotal role in our daily lives, aiding in productivity, enabling seamless communication, and facilitating transactions. Their significance extends beyond personal use, impacting the efficiency and success of businesses as well. Despite the numerous benefits of mobile devices, the surge in their usage has also heightened the risk of security threats and highlights the need to protect them.</p> <p>At a personal level, individuals rely heavily on mobile devices like smartphones, tablets, and laptops to store important information such as contacts, passwords, emails, and personal data. 
Consequently, it is imperative to protect these devices against unauthorized access. Similarly, within organizations, mobile devices are essential tools for communicating, collaborating, and accessing corporate data. However, the inherent vulnerability of these devices makes them attractive targets for threat actors. A security breach not only puts clients’ and employees’ personal data at risk but also has significant consequences for the organization. Unauthorized access could potentially compromise confidential business information, client and employee data, and other proprietary information and amplify the severity of a breach.</p> <p>This publication outlines the fundamental best practices for securing mobile devices, with the objective of preserving the integrity of sensitive information and protecting users and organizations from potential breaches.</p> <details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#Intro">1. Introduction</a> <ul><li><a href="#Mobile-security">1.1 Importance of mobile device security</a></li> <li><a href="#Types-threats">1.2 Types of mobile security threats</a></li> </ul></li> <li><a href="#Best-practices">2. Mobile device security best practices</a> <ul><li><a href="#Security-configuration">2.1 Mobile device security configuration recommendations</a></li> <li><a href="#Additional-practices">2.2 Additional best practices and tips to secure your mobile device</a></li> <li><a href="#Additional-ressources">2.3 Additional resources on mobile security</a></li> </ul></li> <li><a href="#Summary">3. Summary</a></li> </ul></details></section><section><h2 class="text-info" id="Intro">1 Introduction</h2> <p>With the increasing reliance on mobile devices for both personal and professional use, it is crucial for organizations to ensure the security of mobile devices. 
Mobile device security involves implementing measures and practices to defend against a variety of threats, including privacy breaches and unauthorized access to sensitive data. Mobile device security also includes a range of strategies and technologies aimed at ensuring the confidentiality, integrity and availability of information stored on mobile devices.</p> <h3 id="Mobile-security">1.1 Importance of mobile device security</h3> <p>Mobile device security is critical for organizations because these devices are in widespread use and employees often use them to access work-related data and correspondence. These devices are vulnerable to various security threats such as malware, data breaches and unauthorized access. Many organizations have specific compliance and legal requirements for protecting client and employee information.</p> <p>Failure to secure mobile devices can result in legal consequences and reputational damage. Implementing proper mobile security measures is an important step in preventing data breaches, safeguarding sensitive corporate information, and protecting client and employee data. A security breach on a mobile device could have substantial financial and legal implications, including the cost of data recovery. 
Mobile security measures are also crucial for compliance and for maintaining trust, credibility and the overall integrity of your organization.</p> <p>The following publications from the Cyber Centre encompass a range of strategies, guidelines and best practices for enhancing mobile security measures within organizational frameworks:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="a8b8b4c0-568c-4225-9ba3-9f4e546a6204" href="/en/guidance/device-security-travel-and-telework-abroad-itsap00188">Device security for travel and telework abroad (ITSAP.00.188)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="130c4aab-5f74-49f0-beb1-b2c3edaf6c33" href="/en/guidance/mobile-device-guidance-high-profile-travellers-itsap-00088">Mobile device guidance for high profile travellers (ITSAP.00.088)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="c9cbfaae-471a-4c9b-a691-67c9f13eb776" href="/en/guidance/mobile-devices-and-business-travellers-itsap00087">Mobile devices and business travellers (ITSAP.00.087)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="7aa3f54a-1d31-4a82-aa41-93dec6e4dc73" href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/securing-enterprise-mobility-itsm80001">Securing the enterprise for mobility (ITSM.80.001)</a></li> </ul><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>&nbsp; <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <div class="clearfix">&nbsp;</div> <h3 id="Types-threats">1.2 Types of mobile security threats</h3> <p>Understanding the various types of threats is essential for protecting both your devices and the valuable data they store.</p> 
<p>The threat landscape for mobile devices is multifaceted and encompasses:</p> <ul><li>malicious applications (apps)</li> <li>network-level vulnerabilities</li> <li>exploits that target weaknesses within both the device and the mobile operating system (OS)</li> </ul><p>The following section provides an overview of common threat vectors.</p> <h4>1.2.1 Malicious applications and malware</h4> <p>When downloading and using applications, you may inadvertently download malware and infect your mobile device and, possibly, the environment to which it connects. Even apps downloaded from mobile device app stores can pose a threat by disguising themselves as legitimate. They can perform malicious functions, such as gaining remote access, intercepting text messages, compromising sensitive data or taking control of the device. Trojans are among the most common threats. This type of malware disguises itself as legitimate code or software and is frequently involved in ad and click scams.</p> <p>Threat actors use malware loaders to inject malicious code into seemingly secure applications, slipping through initial security measures before they are detected and removed. 
Once a mobile device is compromised, these applications can execute various invasive actions, such as activating key loggers, accessing the camera and audio functions, and obtaining extensive permissions on your device.</p> <p>Besides trojans, threat actors may target mobile devices using diverse malware threats, including:</p> <ul><li>mobile ransomware that encrypts data for a ransom</li> <li>mobile phishing or smishing using deceptive links</li> <li>voice phishing (vishing) through phone calls</li> <li>spyware that secretly monitors user activities</li> <li>adware that displays intrusive ads</li> </ul><p>These threats exploit vulnerabilities, use social engineering and compromise user privacy.</p> <h4 id="1.2.2">1.2.2 Browser-based malware</h4> <p>Browser-based malware is malicious software that exploits vulnerabilities in web browsers, using web technologies to compromise the mobile device. Unlike apps downloaded from official app stores, which undergo malware scans and inspections, browser scripts execute arbitrary code sent by remote servers without prior vetting or inspection. This makes browser attacks highly effective. Even though modern browsers implement security measures such as sandboxing to mitigate the impact of browser exploits, existing vulnerabilities may still allow the malware to evade these measures and potentially compromise the mobile device. A subset of this threat involves "web apps" that can be downloaded from application stores. These web apps contain minimal code downloaded to the mobile device and run in a web browser via a custom user interface. 
The code opens an instance of the system browser and displays a custom web page that may initially pass vetting because the benign content is provided remotely, but later switch to delivering malicious content.</p> <h4 id="1.2.3">1.2.3 Network attacks</h4> <p>Network attacks targeting mobile devices present an array of cyber threats that exploit vulnerabilities in communication channels. These attacks can take various forms, such as adversary-in-the-middle (AitM) attacks and Wi-Fi eavesdropping, each of which poses distinct risks.</p> <h4 id="1.2.4">1.2.4 Adversary-in-the-middle attacks</h4> <p>In <abbr title="adversary-in-the-middle">AitM</abbr> attacks, threat actors intercept the information exchange between 2 parties without their knowledge. This can occur in various ways, including online transactions, email communication or data transfers over networks. Threat actors engage in these attacks to manipulate information, steal data or introduce malicious software.</p> <p>Mobile devices are particularly susceptible to <abbr title="adversary-in-the-middle">AitM</abbr> attacks. Web traffic, by contrast, commonly uses encrypted HTTPS for secure communication; you can often determine whether a website is secure by looking for the lock symbol within the address bar, which provides additional information about the site’s security. Text messages (SMS) and many mobile apps used for voice and text communication, however, often lack encryption, making them susceptible to interception.</p> <h4 id="1.2.5">1.2.5 Wi‑Fi eavesdropping and spoofing</h4> <p>Wi-Fi eavesdropping occurs when threat actors intercept Wi-Fi traffic, especially on a public unsecured Wi-Fi network. This can potentially result in data theft, unauthorized access or the installation of malicious software. 
Mobile devices connecting to open Wi-Fi networks are particularly susceptible to these intrusions.</p> <p>Wi-Fi Protected Access 3 (WPA3) represents the current standard for Wi-Fi security, addressing some shortcomings of the previous version, Wi-Fi Protected Access 2 (WPA2). While <abbr title="Wi-Fi Protected Access 2">WPA2</abbr> remains generally suitable for most use cases, it lacks protection against de-authentication attacks, a type of cyber attack on wireless networks. In a de-authentication attack, threat actors force devices on a Wi-Fi network to disconnect. This disconnection can then be exploited to force the device to reconnect, allowing the threat actor to observe the initial connection. If someone with the network password observes this initial connection, they can decrypt the <abbr title="Wi-Fi Protected Access 2">WPA2</abbr> protection, exposing all transmitted data. This vulnerability may enable threat actors to gain unauthorized access to the device or exploit opportunities for malicious activities.</p> <p>Both <abbr title="Wi-Fi Protected Access 2">WPA2</abbr> and <abbr title="Wi-Fi Protected Access 3">WPA3</abbr> are vulnerable to spoofing attacks. Such attacks occur when someone with the network password creates a spoofed network impersonating the real access point and gains access to the traffic being transmitted over the network. You can mitigate this risk by configuring <abbr title="Wi-Fi Protected Access 3">WPA3</abbr> to use the Simultaneous Authentication of Equals protocol with Public Key Cryptography (SAE-PK). In this configuration, even if a threat actor has the network password, they will still need the corresponding private key to successfully authenticate. 
Unfortunately, this capability has not yet been widely adopted, and many access points still operate with weaker defaults.</p> <h4 id="1.2.6">1.2.6 Advanced jailbreaking and rooting techniques</h4> <p>Users who want more privileges for greater control over their devices may use jailbreaking and rooting techniques. This involves removing software restrictions imposed by the operating system to gain higher privileges, essentially allowing users to access and modify parts of the device’s file system that would otherwise be restricted. This process allows users to remove unwanted default applications or install applications from unofficial stores.</p> <p>In essence, while jailbreaking and rooting may offer users increased customization and control, they expose devices to heightened security risks. If users do not implement strong alternate security controls, threat actors may exploit these vulnerabilities to access more data and inflict greater damage than they could if users kept the default operating system permissions.</p> <h4 id="1.2.7">1.2.7 Multi‑factor authentication bypass attacks</h4> <p>Multi-factor authentication (MFA) typically involves the use of multiple verification methods to enhance the protection of sensitive data and systems. These can include one-time passwords, digital tokens or biometric authentication.</p> <p><abbr title="Multi-factor authentication">MFA</abbr> bypass attacks encompass a range of tactics employed by threat actors to evade the additional layers of security implemented by <abbr title="Multi-factor authentication">MFA</abbr> systems. This includes voice phishing, or "vishing", a form of social engineering where threat actors employ phone calls to trick you into divulging <abbr title="Multi-factor authentication">MFA</abbr> codes or sensitive details like personal information or financial data. In contrast with traditional phishing through emails, vishing relies on manipulating individuals through voice communication. 
Criminals often use caller ID spoofing and voice-changing programs to create convincing pre-recorded messages.</p> <p>Additionally, <abbr title="Multi-factor authentication">MFA</abbr> bypass attacks may:</p> <ul><li>exploit flaws in the implementation of one-time passwords</li> <li>intercept or manipulate communication channels</li> <li>compromise biometric authentication systems</li> <li>leverage social engineering techniques to trick users into revealing their authentication credentials</li> </ul><p>Another <abbr title="Multi-factor authentication">MFA</abbr> security threat to be aware of is the <abbr title="Multi-factor authentication">MFA</abbr> fatigue attack, also known as <abbr title="Multi-factor authentication">MFA</abbr> bombing or <abbr title="Multi-factor authentication">MFA</abbr> spamming. In this social engineering cyber attack, threat actors overwhelm the target with numerous <abbr title="Multi-factor authentication">MFA</abbr> requests until that person approves the login attempt. The goal is to pressure the victim into confirming their identity through the notifications, providing an opportunity for attackers to gain unauthorized access to the victim’s account or device.</p> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a>&nbsp; <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"></span></div> <div class="clearfix">&nbsp;</div> <section><h2 class="text-info" id="Best-practices">2 Mobile device security best practices</h2> <p>Securing data on mobile devices is crucial to protecting your personal information and your organization’s sensitive data. Mobile devices are attractive targets for threat actors due to the amount of personal and potentially sensitive information they contain. 
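The MFA fatigue (MFA bombing) pattern described in section 1.2.7 above leaves a recognizable trace in an identity provider's push-notification logs: a burst of prompts to one account in a short window, sometimes followed by an approval. The script below is an added example, not code from this publication or the Cyber Centre. It scans constructed authentication log lines (the line format, the field names `user`/`event`, the event names and the account names are all assumptions for the example) with a sliding window and escalates any burst that ends in an approval, which is the outcome the attacker is pressuring for.

```python
"""Flag MFA fatigue (push bombing) in authentication logs.

Added example for ITSM.80.002 section 1.2.7; not code from the publication.
The log format, field names, event names and user names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real identity provider). One event per line:
#   <UTC timestamp> user=<account> event=<push_sent|push_approved|push_denied>
SAMPLE_LOG = """\
2026-05-07T09:00:01Z user=alice event=push_sent
2026-05-07T09:00:04Z user=alice event=push_approved
2026-05-07T22:14:00Z user=bob event=push_sent
2026-05-07T22:14:20Z user=bob event=push_denied
2026-05-07T22:14:35Z user=bob event=push_sent
2026-05-07T22:14:50Z user=bob event=push_denied
2026-05-07T22:15:05Z user=bob event=push_sent
2026-05-07T22:15:30Z user=bob event=push_sent
2026-05-07T22:15:55Z user=bob event=push_sent
2026-05-07T22:16:10Z user=bob event=push_sent
2026-05-07T22:16:40Z user=bob event=push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["event"]


def detect_mfa_fatigue(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {user: finding} for every user who received at least `threshold`
    push prompts inside any `window`, recording whether a prompt was approved
    once the burst had begun (the outcome the attacker is pushing for)."""
    recent = defaultdict(list)  # user -> push_sent timestamps still inside the window
    findings = {}
    for ts, user, event in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        sent = recent[user]
        # Expire prompts that have fallen out of the sliding window.
        while sent and ts - sent[0] > window:
            sent.pop(0)
        if event == "push_sent":
            sent.append(ts)
            if len(sent) >= threshold:
                f = findings.setdefault(user, {
                    "pushes": 0, "approved_after_burst": False,
                    "burst_start": sent[0], "last_event": ts,
                })
                f["pushes"] = max(f["pushes"], len(sent))
                f["last_event"] = ts
        elif event == "push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True
            findings[user]["last_event"] = ts
    return findings


def severity(finding):
    """An approval after a burst is a likely account compromise, not just noise."""
    return "critical" if finding["approved_after_burst"] else "warning"


if __name__ == "__main__":
    for user, f in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"{severity(f).upper()}: {user} received {f['pushes']} prompts from "
              f"{f['burst_start']:%H:%M:%S}; approved={f['approved_after_burst']}")
```

In the sample, `alice` is a normal login (one prompt, one approval) and is not reported; `bob` receives six prompts in under three minutes and then approves one, which the script rates as critical. The window and threshold are the knobs to tune against your own baseline, and the `warning` case (a burst with no approval) is still worth a call to the user, since the prompts mean the attacker already holds a valid password.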
A compromised mobile device has the potential to allow unauthorized access to your organization’s network, placing not only your own information at risk, but also that of your organization.</p> <p>The following section provides guidance on mobile device security configurations and best practices users and organizations can implement to enhance their security posture.</p> <h4 id="Security-configuration">2.1 Mobile device security configuration recommendations</h4> <p>This section describes the various configuration features available on mobile devices and provides insights into how users can selectively activate or deactivate them to maximize the security of their devices.</p> <h4 id="2.1.1">2.1.1 Enable multi‑factor authentication</h4> <p>One of the most effective ways of securing your mobile device involves implementing strong passwords and multi-factor authentication, preferably phishing-resistant <abbr title="Multi-factor authentication">MFA</abbr>, in the login process. While enabling <abbr title="Multi-factor authentication">MFA</abbr> on your mobile device may include receiving an <abbr title="text messages">SMS</abbr> with a code on your phone, it’s important to note that <abbr title="text messages">SMS</abbr> text codes are not considered a strong second authentication method because they can be intercepted and potentially compromised by malicious software on the device. Opting for more secure <abbr title="Multi-factor authentication">MFA</abbr> alternatives, like authenticator apps, passkeys, hardware tokens, near-field communication, or biometrics such as fingerprint, face or retina scans, is a better approach to authentication.</p> <p>Introducing this additional step in the login process enhances security by providing an extra layer of protection. It makes it more challenging for threat actors to access your account, even if they are aware of your password.</p> <p>It’s crucial to avoid using identical passwords across multiple accounts. 
Choosing unique ones and regularly updating them will enhance security. To mitigate potential risks, particularly in the event of device loss, refrain from storing passwords in browsers or writing them down and storing the paper in your device case.</p> <p>For more on passwords, passphrases and <abbr title="Multi-factor authentication">MFA</abbr> refer to:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="32369248-5885-44f2-9af9-d4a80bb9c8b6" href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="df4d897c-c726-4e48-8901-408ba2bdf6d3" href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> </ul><h4 id="2.1.2">2.1.2 Use the built‑in virtual private network</h4> <p>In instances where using public Wi-Fi is unavoidable, consider implementing extra security measures, such as using your mobile device’s built-in virtual private network (VPN) to encrypt Internet activity. This provides an additional layer of protection to data transmission and helps shield against potential threats on public networks. Understand, however, that while using a <abbr title="virtual private network">VPN</abbr> is beneficial, it may not offer foolproof cyber security when accessing the public Internet. Avoid using third-party <abbr title="virtual private network">VPN</abbr> services as they may introduce security vulnerabilities that can compromise user privacy and overall network security. 
By avoiding third-party <abbr title="virtual private network">VPN</abbr>s, you reduce the risk associated with trusting external providers with your network traffic and data.</p> <h4 id="2.1.3">2.1.3 Use encryption</h4> <p>Enable the built-in encryption feature on your mobile device to protect stored data from unauthorized access. This security measure encrypts your data, ensuring it is accessible only to authorized users. By using the built-in encryption feature, you can protect your device against potential compromise and unauthorized access, especially in situations like theft.</p> <h4 id="2.1.4">2.1.4 Update devices and applications regularly</h4> <p>To prevent threat actors from accessing your devices and exploiting vulnerabilities in software and apps, you should turn on automatic updates and periodically check for manual updates to ensure both the OS and installed applications are current. OS and app updates typically include security patches and fixes that address known vulnerabilities. Implementing these updates not only improves functionality and performance but also minimizes the risk of data loss due to crashes or errors. If you fail to enforce software updates or neglect application patches, you can create opportunities for threat actors, who closely monitor software vulnerabilities, to breach your network.</p> <p>Consult <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="639ede31-0d64-45cb-9688-664b3ee445cb" href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a> for more information on the advantages of keeping your OS and applications up to date.</p> <h4 id="2.1.5">2.1.5 Turn on screen lock</h4> <p>Given the susceptibility of laptops and smartphones to loss or theft, especially in public spaces, it is important to ensure that the device has a screen lock. 
Screen lock serves as a layer of defence, requiring authentication such as a PIN, password or biometric to access the device and its contents. This not only safeguards personal and sensitive data, but also helps prevent unauthorized use of the device, reinforcing overall device security.</p> <h4 id="2.1.6">2.1.6 Exercise caution when granting permission</h4> <p>Exercise caution when granting permissions to mobile applications and evaluate whether the permissions align with the app’s intended functionality. Regularly review and manage app permissions to restrict unnecessary access to sensitive data. Only allow the minimum necessary access for the app to perform its designated functions. Avoid granting permissions that seem unrelated to the app’s actual purpose, especially to things such as location, camera and microphone. Unnecessary access to sensitive information may pose privacy and security risks.</p> <p>Thoroughly evaluate terms, conditions and privacy statements, as data collection under these terms is considered legitimate across all mobile platforms. Users and enterprises should not rely on anonymization mechanisms as foolproof ways of preventing data leaks or safeguarding user identity. Any information that an application gains permission to access should be considered beyond enterprise control and already disclosed.</p> <h4 id="2.1.7">2.1.7 Deactivate and turn off automatic connections</h4> <p>To reduce the risk of potential security threats, you should deactivate Bluetooth and Wi-Fi when you are not actively using them. 
By doing so, you can minimize your exposure and reduce the attack vectors and access points that threat actors may exploit.</p> <p>When using Bluetooth, enable the "ask before connecting" option to prevent automatic connections. Bluetooth-enabled devices, while convenient, are susceptible to various mobile security threats, such as compromised privacy and unauthorized access to contact lists, personal information, credentials, email and message content. The following are some of the risks you may incur when you enable Bluetooth on a mobile device:</p> <ul><li>unauthorized device control</li> <li>disruptions in functionality</li> <li>eavesdropping on audio connections</li> <li>compromise of smart locks and security devices used to protect facilities and vehicles</li> <li>spoofing attacks leading to nuisance and denial of service</li> <li>injection of malicious commands and data</li> </ul><p>Deactivating automatic connection to public Wi-Fi enhances overall security by preventing unauthorized access, minimizing the risk of cyber attacks and preserving user privacy. It allows users to make conscious and informed choices when connecting to networks, reducing vulnerability to potential security threats associated with public Wi-Fi environments.</p> <p>Deactivating Bluetooth and Wi-Fi requires intentional effort, emphasizing the importance of ongoing awareness and active management of these features.</p> <h4 id="2.1.8">2.1.8 Turn off location tracking</h4> <p>Location tracking on a mobile device is a feature used to monitor and record your geographic location. You can control and manage location settings through your device’s system preferences or settings menu. While enabling location tracking can enhance the functionality of services, such as mapping, navigation and location-based applications, it’s important to note that when this feature is active, the device constantly collects and stores location data. 
This may pose a potential risk if accessed by unauthorized individuals. To safeguard your privacy, you should deactivate location tracking settings when they are not needed.</p> <p>It’s worth noting that in the latest OS releases, many devices offer the option to choose between precise or approximate location tracking. While approximate location tracking may offer a degree of privacy, not all applications may function correctly with this option selected. Even when approximate location tracking does work, it should not be solely relied upon, particularly when the location data of an individual is considered sensitive.</p> <h4 id="2.1.9">2.1.9 Turn off autofill</h4> <p>The password autofill feature is found in most browsers and password managers and is used to automatically populate login credentials on websites and applications. Threat actors can hide behind compromised websites and gain access to saved passwords and personal information stored in autofill, leaving users vulnerable to identity theft and other forms of cyber attacks. You can prevent this by disabling this feature on your device.</p> <h4 id="2.1.10">2.1.10 Keep wireless connection on hidden mode</h4> <p>When your wireless connection is in hidden mode, it adds an additional layer of privacy and security because others won’t see your network listed when scanning for available Wi-Fi networks. In general, keep your wireless connection on hidden mode unless you specifically need to be visible to others.</p> <h4 id="2.1.11">2.1.11 Turn off USB debugging</h4> <p>To prevent unauthorized access to your device via USB connections, turn off USB debugging when not needed. USB debugging is a feature that allows your device to communicate with a computer via a USB connection. 
Keeping USB debugging activated when it is not actively in use can create a potential entry point for threat actors to exploit vulnerabilities and gain unauthorized control of your device.</p> <h4 id="2.1.12">2.1.12 Configure browser settings</h4> <p>You can enhance your browsing security by configuring browser settings to block pop-ups, activate the do not track feature and manage cookies. Cookies, which can store login information, may be compromised if accessed by threat actors. You should regularly update your browser to the latest version to address potential vulnerabilities and always exercise caution when navigating the web.</p> <h3 id="Additional-practices">2.2 Additional best practices</h3> <p>The following are additional tips you should consider when using your mobile devices. These are not mobile configuration suggestions but rather overall best practices that can help improve the security of your mobile devices and safeguard your privacy.</p> <h4 id="2.2.1">2.2.1 Use password managers</h4> <p>Managing numerous passwords can be tedious, frustrating, and often leads to difficulty in remembering them. As previously mentioned, we recommend turning off the password autofill feature on your device. Additionally, it is important to avoid storing credentials in unprotected apps. Instead, adopt the use of a password manager – a secure repository for all your passwords, protected by an exclusive "primary" password accessible only to you. This not only simplifies password management, but it also helps generate strong passwords, mitigating the risk associated with creating predictable ones. 
To further enhance your mobile password security, consider integrating a password manager with an <abbr title="Multi-factor authentication">MFA</abbr> application.</p> <p>Consult <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b417de95-576e-44d9-b445-1cd620a7deba" href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a> for guidance on using a password manager.</p> <h4 id="2.2.2">2.2.2 Back up your data</h4> <p>If your mobile device is compromised or if it falls into the wrong hands, you risk losing all data, including contacts and photos. Having a cloud-based solution that automatically performs backups not only ensures data recovery but also enhances overall information security and facilitates retrieval in the event of a compromise. Automating backups is convenient, as they can run during periods of low phone usage. While an automated cloud backup is generally suitable for personal data, you should verify this feature’s compatibility with enterprise cloud data service policies (for example, on retention, data residency or encryption) before enabling it for enterprise data.</p> <p>It’s important to know that remote backups are themselves exposed to threats. To help mitigate these risks, you should incorporate encryption practices into the backup process. This can be achieved by choosing secure backup solutions with built-in encryption features, ensuring end-to-end encryption for data security during transmission and storage. Prioritizing client-side encryption adds an extra layer of protection by encrypting data on the user’s device before transmitting it to the remote backup server. 
This approach ensures that even in the event of server compromise, the encrypted data stored in the cloud remains indecipherable without the corresponding decryption key.</p> <h4 id="2.2.3">2.2.3 Use preventative security tools</h4> <p>When you download compromised apps or files on your mobile device, you risk downloading malware. Once malware is activated, threat actors can exploit it to compromise your data, thereby putting your security and privacy at risk. To mitigate this risk, make sure your device is equipped with up-to-date and reputable preventative security tools. These tools include antivirus software, firewalls, and intrusion detection and prevention systems. Certain antivirus applications offer additional features, such as:</p> <ul><li>wiping data in case of a lost device</li> <li>tracking and blocking suspicious callers</li> <li>identifying unsafe applications</li> <li>clearing browsing history</li> <li>deleting cookies</li> </ul><p>Firewalls should be activated whenever possible to enhance the protection of your device. Incorporating intrusion detection and prevention systems into mobile security practices can help you detect, respond to, and mitigate advanced threats that may bypass firewalls. This can strengthen the overall security posture of your mobile ecosystems.</p> <h4 id="2.2.4">2.2.4 Beware of untrustworthy applications</h4> <p>It is important to exercise caution when installing or using apps and to avoid those deemed untrustworthy. Be vigilant and selective about the apps you choose to install or to which you grant permissions. This can help minimize potential risks to your device and personal data. You should download mobile applications exclusively from official application marketplaces or app stores. 
However, you should not solely rely on application store vetting or approval, as many applications may collect significant data and pose a threat due to the scope and breadth of data collected.</p> <p>Be aware that some applications could disguise themselves as web applications where the content is remotely delivered as a web page. As previously mentioned, the remote content delivered at the time of vetting could be totally benign but can later change to malicious web content containing a browser-based exploit.</p> <p>We recommend that, before you include any application in an enterprise app store, you use third-party vetting services and app reputation services and conduct an internal app inspection.</p> <h4 id="2.2.5">2.2.5 Log out</h4> <p>Regularly check your device’s accounts and log out from unused accounts. Make it a habit to log out from mobile applications every time you have finished using them. In addition to logging out of your applications, you should power down your mobile device and turn it back on weekly as an additional mitigation against some cyber attacks, like spear phishing and zero-click exploits.</p> <h4 id="2.2.6">2.2.6 Do not leave devices unattended</h4> <p>Leaving mobile devices unattended increases the risk of unauthorized access and theft, potentially compromising sensitive data. It’s important to always keep mobile devices with you or store them securely when not in use to mitigate these risks effectively.</p> <h4 id="2.2.7">2.2.7 Avoid public charging stations</h4> <p>If possible, you should avoid charging your mobile devices in public charging ports or stations. They can be a possible vector for threat actors to gain access to your device. 
If you have to charge your device using a public port, consider using a USB data blocker to block and prevent data being transferred from your device when you plug it into a charging port.</p> <h4 id="2.2.8">2.2.8 Avoid bypassing security features</h4> <p>Manufacturers incorporate security restrictions and features on their devices to protect users’ devices and data. As mentioned earlier, bypassing security features (known as jailbreaking or rooting) removes these features. If you do not intend to implement strong alternate security controls, avoid bypassing these manufacturer security features, as doing so may expose the device to increased vulnerability to malware and other security threats.</p> <h4 id="2.2.9">2.2.9 Erase your device before disposing of it</h4> <p>Erasing your device before disposal is a critical step to protect sensitive data from unauthorized access. This involves securely wiping or deleting all data to prevent privacy and security risks such as identity theft or financial fraud. Proper data erasure methods include performing a factory reset, using specialized software or physically destroying the device.</p> <h4 id="2.2.10">2.2.10 Ignore unsolicited emails</h4> <p>Threat actors often send fraudulent emails, aiming to replicate legitimate sources and trick individuals into revealing personal information. This tactic is widely known as phishing. Avoid clicking on any links embedded in emails, as threat actors can create fake links that may compromise your security.</p> <p>Similarly, threat actors use <abbr title="text messages">SMS</abbr> in a tactic called smishing to lure victims into sharing personal or financial information, clicking on malicious links, or downloading harmful software or applications. To avoid falling victim to smishing, refrain from clicking on any links in unsolicited messages. 
Instead, if you’re uncertain about the legitimacy of a message, verify the information directly through official sources like company websites, portals, listed phone numbers or official apps.</p> <p>For additional guidance, refer to:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="b5039fc1-841e-42e0-9af9-b93be7d75241" href="/en/guidance/spotting-malicious-email-messages-itsap00100">Spotting malicious email messages (ITSAP.00.100)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="8d072457-288e-4bd1-a076-da037de9ad03" href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> </ul><h4 id="2.2.11">2.2.11 Use secure network connections</h4> <p>When possible, use public secure networks as they are safer than public insecure networks. Insecure networks can be joined without a password or authentication, so the traffic on them is not protected by encryption keys. This vulnerability exposes them to various security risks, such as malware attacks, denial-of-service attacks and <abbr title="adversary-in-the-middle">AitM</abbr> attacks.</p> <p>As previously mentioned, connecting your mobile device to public Wi-Fi exposes you to potential eavesdropping by malicious actors, jeopardizing sensitive information like credit card numbers, bank account details, passwords and other private data. To mitigate these risks, activate <abbr title="Wi-Fi Protected Access 3">WPA3</abbr> or preferably <abbr title="Wi-Fi Protected Access 3">WPA3</abbr> with <abbr title="Simultaneous Authentication of Equals protocol with Public Key Cryptography">SAE-PK</abbr> when possible. 
Additionally, using your mobile device’s built-in <abbr title="virtual private network">VPN</abbr> adds an extra layer of protection by encrypting Internet activity.</p> <h3 id="Additional-ressources">2.3 Additional resources on mobile security</h3> </section><section><p>For more information on mobile security best practices, refer to the Cyber Centre’s publication <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="38a1fb42-00d7-4f06-89ad-c73fa0e72ce9" href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a>. Additionally, the Cybersecurity and Infrastructure Security Agency’s <a href="https://www.cisa.gov/sites/default/files/publications/Mobile%20Device%20Adoption%20Best%20Practices%20Guide-508%20compliant%20041316%20FINAL.pdf">Mobile device adoption best practices (PDF)</a> offers best practices for mobile device users to implement alongside the policies already established within their organizations.</p> <h2 class="text-info" id="Summary">3 Summary</h2> <p>Maintaining good security practices for mobile devices is imperative to mitigate the growing risks of data breaches and unauthorized access. The importance of protecting sensitive data on smartphones, tablets and other mobile devices is highlighted by the evolving threats posed by threat actors seeking to gain unauthorized access and compromise privacy.</p> <p>The best practices outlined in this publication aim to strengthen the security posture of mobile devices. Combining technical measures with user habits creates a comprehensive approach to mobile security and can help maintain the confidentiality, integrity and availability of information. 
By adhering to these guidelines, you can significantly minimize the threats to your mobile devices and better safeguard your personal information and that of your organization.</p> </section><section><h3>Effective date</h3> <p>This publication takes effect on May 4, 2026.</p> <p>This is an UNCLASSIFIED publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> | <span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h3>Revision history</h3> <ol class="lst-spcd"><li>First release: May 6, 2026</li> </ol></section></div> </div> </div> </div> </div> </div> </div> </article>
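
Client-side backup encryption as described in section 2.2.2 above, as an added example in Go that is not code from the Cyber Centre or the publication: the backup key is generated on the device and never leaves it, each backup is sealed with AES-256-GCM from the standard library before upload, and the checks model what a compromised backup server can and cannot do with the stored record. The key-storage arrangement (device keystore), the backup label and the sample contact data are assumptions constructed for this demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backup is the record handed to the remote backup server. Label and nonce
// are stored in the clear; Blob is AES-256-GCM ciphertext followed by its tag.
type Backup struct {
	Label string // e.g. "contacts-2026-05-04"; bound to the blob as associated data
	Nonce []byte
	Blob  []byte
}

// NewDeviceKey generates the 256-bit backup key on the device. The key stays
// on the device (keystore or passphrase-derived; assumption) and is never uploaded.
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup runs on the device before anything is transmitted.
func EncryptBackup(key []byte, label string, plaintext []byte) (Backup, error) {
	g, err := newGCM(key)
	if err != nil {
		return Backup{}, err
	}
	// Fresh random 96-bit nonce per backup: GCM loses its guarantees if a
	// nonce is ever reused under the same key.
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Backup{}, err
	}
	blob := g.Seal(nil, nonce, plaintext, []byte(label))
	return Backup{Label: label, Nonce: nonce, Blob: blob}, nil
}

// DecryptBackup runs on the device after download. It fails on a wrong key,
// on any modification of the blob, and on a blob served under a different label.
func DecryptBackup(key []byte, b Backup) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, b.Nonce, b.Blob, []byte(b.Label))
	if err != nil {
		return nil, errors.New("backup rejected: wrong key, corrupted or substituted blob")
	}
	return pt, nil
}

// ServerCanRead models the compromised-server case: the attacker holds the
// stored record, so check whether the bytes at rest reveal the plaintext.
// With an AEAD they do not; only the label and nonce are visible.
func ServerCanRead(b Backup, plaintext []byte) bool {
	return bytes.Contains(b.Blob, plaintext)
}

// TamperedCopy models a compromised server returning a record whose blob was
// altered in place (one flipped bit) while label and nonce look untouched.
func TamperedCopy(b Backup) Backup {
	blob := append([]byte(nil), b.Blob...)
	blob[0] ^= 0x01
	return Backup{Label: b.Label, Nonce: b.Nonce, Blob: blob}
}

func main() {
	key, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample backup payload (not real data).
	contacts := []byte("Alice Example,+1-555-0100\nBob Example,+1-555-0101\n")
	rec, err := EncryptBackup(key, "contacts-2026-05-04", contacts)
	if err != nil {
		panic(err)
	}
	fmt.Println("server can read plaintext:", ServerCanRead(rec, contacts))
	if _, err := DecryptBackup(key, TamperedCopy(rec)); err != nil {
		fmt.Println("tampered copy:", err)
	}
	pt, _ := DecryptBackup(key, rec)
	fmt.Println("restored intact on device:", bytes.Equal(pt, contacts))
}
```
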

  • Securing the enterprise for mobility (ITSM.80.001)
    by Canadian Centre for Cyber Security on May 7, 2026 at 2:06 pm

    <article data-history-node-id="7662" about="/en/guidance/securing-enterprise-mobility-itsm80001" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><!-- ENGLISH Intro paragraph plus pdf download --> <div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.80.001</strong></p> </div> <!-- MOBILE STARTS HERE --> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026 | Management series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>This publication provides an overview of enterprise mobility security and lists some of the threats and risks that mobile devices can pose to your organization. It outlines mitigation strategies and safeguards your organization can implement. Lastly, it describes the benefits and features of mobile management solution tools for organizations with more complex information technology (IT) infrastructures.</p> <p>It is important to note that these recommendations are not comprehensive. 
Furthermore, even if all possible mitigation strategies are properly implemented, a residual risk to your organization’s network and information assets remains.</p> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul><li><a href="#intro">1 Introduction</a></li> <li><a href="#EM-buisness">2 Enterprise mobility business drivers</a></li> <li><a href="#EM-overview">3 Enterprise mobility overview</a> <ul><li><a href="#Mobile">3.1 Mobile devices</a></li> <li><a href="#Wireless-comms">3.2 Wireless communication networks</a></li> <li><a href="#Enterprise-infra">3.3 Enterprise infrastructure</a></li> <li><a href="#Services-app">3.4 Service and applications</a></li> </ul></li> <li><a href="#Mobile-security-vul">4 Mobile device security vulnerabilities</a> <ul><li><a href="#Vulnerability-exploit">4.1 How threat actors exploit these vulnerabilities</a></li> </ul></li> <li><a href="#Threat-risks">5 Threats and risks to the enterprise</a> <ul><li><a href="#Credential-authentification">5.1 Loss of authentication credentials</a></li> <li><a href="#Improper-disposal">5.2 Improper disposal of old mobile devices with sensitive configurations and data</a></li> <li><a href="#Improper-social">5.3 Improper use of social media applications</a></li> <li><a href="#Exploit-devices">5.4 Exploitation of lost or stolen devices</a></li> <li><a href="#Tracking-behaviour">5.5 Threat actors tracking employee behaviour</a></li> <li><a href="#priviledge-misuse">5.6 Authorized equipment users attempting to misuse their privileges</a></li> <li><a href="#untrust-app">5.7 Untrusted app stores</a></li> </ul></li> <li><a href="#Migitation-strat">6 Mitigation strategies</a> <ul><li><a href="#mobile-security-policy">6.1 Implement a mobile device security policy</a></li> <li><a href="#policy-byod">6.2 Implement a policy and user agreements for bring-your-own-device deployments</a></li> <li><a href="#employee-training">6.3 Establish and implement employee training 
and awareness programs</a></li> <li><a href="#risk-assessments-mobile">6.4 Perform threat and risk assessments for mobile device use</a></li> <li><a href="#security-measures">6.5 Implement the necessary security measures</a></li> <li><a href="#before-deploying">6.6 Before deploying a mobile device solution</a></li> <li><a href="#maintain-mobile-security">6.7 Maintain mobile device security</a></li> <li><a href="#manage-lifcycle">6.8 Manage the lifecycle of mobile devices </a></li> </ul></li> <li><a href="#Mobility-management">7 Mobility management solutions</a> <ul><li><a href="#benefits-management">7.1 Benefits of mobile management tools</a></li> <li><a href="#Common-management">7.2 Common mobile device management and enterprise mobility management features</a></li> <li><a href="#Additional-capabilities">7.3 Additional mobile management solution capabilities</a></li> </ul></li> <li><a href="#CC-mobility-suite">8 Cyber Centre’s mobility suite</a></li> <li><a href="#Summary">9 Summary</a></li> </ul></details></section><section><h2 class="text-info" id="intro">Introduction</h2> <p>Mobile devices such as smartphones, tablets and laptops are key components for your organization. They contain powerful computing capabilities, as well as the ability to communicate wirelessly. Although mobile devices enable collaboration and boost productivity and efficiency, they can also increase the risk of a compromise to your organization’s sensitive information. Your organization should implement security controls and safeguards before mobile devices are allowed to access the organization’s network.</p> <p>This publication offers guidance to help your organization understand the security threats and risks associated with mobile devices. 
It also provides mitigation strategies and mobile management solutions you can implement to minimize the impact on your organization.</p> </section><section><h2 class="text-info" id="EM-buisness">Enterprise mobility business drivers</h2> <p>Mobile devices have become an integral part of most organizations’ business operations. They offer employees flexibility, help improve productivity, and allow for quicker collaboration for decision-making. Employees require access to the latest technologies to perform their tasks and help them reach their goals. Organizations use mobile devices for the following reasons:</p> <ul><li><strong>Ease of use</strong>: Mobile devices have user-friendly interfaces that can be customized to meet employee and organization needs</li> <li><strong>Anytime, anywhere connectivity:</strong> Employees can remotely access business data, enterprise services and applications. This is especially important for employees who travel frequently, work at various sites, or have a patrol or delivery route.</li> <li><strong>Customization:</strong> Organizations can customize device settings to improve convenience and flexibility for employees</li> <li><strong>Cloud computing:</strong> Many organizations use cloud-based infrastructures to deliver services</li> <li><strong>Cost:</strong> Using mobile devices and service providers can lower program costs and reduce technical obsolescence issues</li> </ul></section><section><h2 class="text-info" id="EM-overview">Enterprise mobility overview</h2> <p>Enterprise mobility allows mobile devices such as smartphones, tablets and laptops to access your organization’s networks and services through commercial cellular networks and Wi-Fi. The basic segments of the enterprise mobility architecture consist of mobile devices, wireless communication networks, enterprise infrastructure, and services and applications. 
If your organization chooses to include mobile devices as part of your enterprise architecture, ensure you understand the related risks.</p> <h3 id="Mobile">3.1 Mobile devices</h3> <p>Mobile devices are widely available, cost effective and contain updated features and technology for communications and application functionality. Mobile device features are constantly changing and allow users to:</p> <ul><li>connect to wireless networks for voice and data communications</li> <li>store information</li> <li>access global positioning systems (GPS)</li> <li>use digital video cameras</li> </ul><h3 id="Wireless-comms">3.2 Wireless communication networks</h3> <p>There are 3 major types of wireless communication networks:</p> <ul><li>cellular networks, which are managed by commercial carriers and provide coverage by dividing a large geographical service area into smaller areas</li> <li>Wi-Fi networks, which businesses or consumers can establish to provide a networking service within a limited geographic area, such as a home, office or place of business</li> <li>other wireless networks, some of which may not conform to the Wi-Fi standard; for example, Bluetooth is often used to connect to nearby devices, such as headsets or keyboards</li> </ul><h3 id="Enterprise-infra">3.3 Enterprise infrastructure</h3> <p>The enterprise infrastructure provides the hardware, software, network resources and services required to create, operate and manage an enterprise <abbr title="information technology">IT</abbr> environment. This infrastructure enables your organization to deliver <abbr title="information technology">IT</abbr> solutions and services to employees, partners and clients. Your organization’s enterprise infrastructure may also host mobility-specific applications or allow your systems to interact with other mobile devices. 
The enterprise mobility capability helps secure and manage interactions between your organization’s enterprise services and authorized devices and users, ensuring a seamless and protected experience.</p> <h3 id="Services-app">3.4 Service and applications</h3> <p>These are the existing and evolving services provided for all enterprise users, including mobile users. This may include unified communications such as data (for example, email and chat), voice (for example, telephone and teleconferencing), and applications or web interfaces.</p> </section><section><h2 class="text-info" id="Mobile-security-vul">4 Mobile device security vulnerabilities</h2> <p>The use of mobile devices, wireless networks, and voice and data services exposes organizations to a range of threats. These threats include deliberate actions by threat actors or accidental actions by authorized users. For example, threat actors might focus on a specific enterprise with the goal of compromising its clients. Organizations must also consider phishing attacks, ransomware incidents, unauthorized data access and network vulnerabilities. These risks must be addressed and sufficiently mitigated to achieve acceptable risk levels. Lastly, loss or theft of mobile devices can also create security risks for your organization, as threat actors can compromise the device and gain access to your systems and data.</p> <p>There are various mitigation strategies to address these threats, and most of them work together. 
In particular, the enterprise mobility infrastructure and existing enterprise capabilities can provide strong security features to protect mobile devices and employee communications.</p> <p>Mobile devices are generally at higher risk of exposure than devices that are used only within an organization’s facilities, on an organization’s networks. Therefore, they often need additional protection. You should be aware of the following major security vulnerabilities when using mobile devices:</p> <ul><li>lack of physical security controls</li> <li>untrusted mobile devices</li> <li>untrusted networks</li> <li>untrusted applications</li> <li>interaction with other systems</li> <li>untrusted content</li> <li>location services</li> </ul><h3 id="Vulnerability-exploit">4.1 How threat actors exploit these vulnerabilities</h3> <p>Some threats are intended to compromise the mobile device itself, while others are intended to ultimately infiltrate and compromise the enterprise. Some of the main threats that threat actors exploit on mobile devices include:</p> <ul><li>identifying, targeting and delivering malware to the device</li> <li>using the network connections of the device (cellular, Wi-Fi, Bluetooth) for nefarious purposes, such as exploiting flaws to compromise the device or to track its location</li> <li>using the device to infiltrate other organizational networks</li> <li>accessing the device to track location through <abbr title="global positioning systems">GPS</abbr> and other location services</li> <li>activating the microphone or camera to access data</li> <li>intercepting voice and data communications to exfiltrate sensitive data</li> <li>using third-party software to gain access to device features</li> <li>modifying the device, including changing its hardware or software remotely, by physically accessing the device or by intervening in the supply chain process</li> <li>exploiting software flaws in operating systems (OS) and applications</li> 
</ul></section><section><h2 class="text-info" id="Threat-risks">5 Threats and risks to the enterprise</h2> <p>Mobile devices have become integral to business operations. However, this increased dependency on mobile technology comes with a spectrum of challenges that organizations must proactively address, including data breaches, unauthorized access, and the persistent threat of malware and phishing attacks. The following examples illustrate some of these challenges.</p> <h3 id="Credential-authentification">5.1 Loss of authentication credentials</h3> <p>The loss of authentication credentials, such as passwords, tokens or private keys for certificates, presents opportunities for unauthorized access to sensitive systems, applications and data. Unauthorized access can lead to data breaches, the compromise of confidential information, and the potential misuse of corporate resources. We recommend you implement phishing-resistant multi-factor authentication (MFA) and educate your users on cyber hygiene principles such as password management.</p> <p>For more information, read <a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a>.</p> <h3 id="Improper-disposal">5.2 Improper disposal of old mobile devices with sensitive configurations and data</h3> <p>Access to sensitive configurations by unauthorized individuals can pose a significant risk, including potential unauthorized data access and breaches. Residual data on devices that are not wiped properly poses an ongoing threat, even after the devices have been disposed of. 
Non-compliance with privacy regulations may result in legal consequences, fines and reputational damage.</p> <p>For more information, read <a href="/en/guidance/sanitization-and-disposal-electronic-devices-itsap40006">Sanitization and disposal of electronic devices (ITSAP.40.006)</a> and <a href="/en/guidance/it-media-sanitization-itsp40006"><abbr title="information technology">IT</abbr> media sanitization (ITSP.40.006)</a>.</p> <h3 id="Improper-social">5.3 Improper use of social media applications</h3> <p>Threat actors can exploit security vulnerabilities within social media applications installed on corporate mobile devices. If the applications contain vulnerabilities, most often from poorly written code, threat actors can leverage them to access corporate data storage. Social media applications conduct data mining to understand and predict human behaviour, and if installed on corporate devices or networks, they can collect data about your organization, including contact lists or aspects of the corporate network. We recommend implementing corporate control over the applications’ permissions and using mobile device management (MDM) restrictions.</p> <h3 id="Exploit-devices">5.4 Exploitation of lost or stolen devices</h3> <p>Threat actors may exploit lost or stolen devices to try to gain entry to the enterprise infrastructure or to pose as an authorized user. 
Identity masquerading is a significant threat and could lead to the exploitation of enterprise resources, operational disruptions and the compromise of confidential business information.</p> <h3 id="Tracking-behaviour">5.5 Threat actors tracking employee behaviour</h3> <p>Threat actors may observe employee behaviour through compromised devices in order to violate privacy and gather personal information, which can subsequently be used for entrapment or blackmail. This type of intrusion can damage the affected employee’s personal and professional life and contribute to broader consequences for the organization’s reputation and workplace trust.</p> <p>For more information, read <a href="/en/guidance/social-engineering-itsap00166">Social engineering (ITSAP.00.166)</a> and <a href="/en/guidance/digital-footprint-itsap00133">Digital footprint (ITSAP.00.133)</a>.</p> <h3 id="priviledge-misuse">5.6 Authorized equipment users attempting to misuse their privileges</h3> <p>If employees fail to adhere to security policies, it can increase vulnerabilities and the potential for data breaches. It may also compromise the integrity of devices, rendering them more susceptible to security threats. Employees may misuse their privileges by attempting to access unauthorized services or applications, or by connecting directly to commercial platforms that are not permitted.</p> <h3 id="untrust-app">5.7 Untrusted app stores</h3> <p>The primary risk posed by applications downloaded from untrusted app stores is the potential compromise of a device’s security and user data caused by malware. Applications can be repackaged to include malware without the user realizing. The user may unknowingly expose themselves to harmful activities such as sensitive data exposure or unauthorized surveillance. 
This can lead to identity theft, financial losses, and significant privacy breaches for both the user and the organization.</p> </section><section><h2 class="text-info" id="Migitation-strat">6 Mitigation strategies</h2> <p>To protect sensitive information and networks, organizations should implement a defence-in-depth strategy. This includes placing multiple layers of security throughout an <abbr title="information technology">IT</abbr> system to provide redundancy if a security control fails or a vulnerability is exploited. A defence-in-depth strategy has 3 layers that focus on 3 key elements: people, technology and operations.</p> <p>As part of a defence-in-depth strategy, the following section provides additional advice on <abbr title="mobile device management">MDM</abbr> and mitigation actions your organization can take to better secure mobile devices.</p> <h3 id="mobile-security-policy">6.1 Implement a mobile device security policy</h3> <p>A mobile device security policy should define what resources can be accessed via mobile devices, the degree of access granted to mobile devices, and what types of mobile devices are permitted to access organization resources (for example, organization-issued devices versus personal devices). The policy should also cover how <abbr title="mobile device management">MDM</abbr> servers are administered, how policies in <abbr title="mobile device management">MDM</abbr> servers are updated and all other requirements for <abbr title="mobile device management">MDM</abbr> technologies. The mobile device security policy should be documented in the departmental security plan.</p> <h3 id="policy-byod">6.2 Implement a policy and user agreements for bring-your-own-device deployments</h3> <p>The bring-your-own-device (BYOD) policy should clearly define your organization’s authorities granted under legislation, regulation and user agreements to manage, monitor and respond to threats arising from personally owned mobile devices. 
Key considerations should include:</p> <ul><li>addressing the impact of monitoring capabilities on privacy risks</li> <li>outlining response strategies based on deployment models</li> <li>defining the organization’s authorities in triaging and responding to security incidents on personal devices</li> </ul><p>The goal is to establish a robust operational framework to effectively mitigate security risks in <abbr title="bring-your-own-device">BYOD</abbr> environments. Your organization should consider mitigation actions such as segregating guest and <abbr title="bring-your-own-device">BYOD</abbr> Wi-Fi networks from your corporate Wi-Fi network. To determine if implementing a <abbr title="bring-your-own-device">BYOD</abbr> deployment model is suitable for your organization, consult the <a href="/en/guidance/end-user-device-security-bring-your-own-device-byod-deployment-models-itsm70003">End user device security for Bring-Your-Own-Device (BYOD) deployment models (ITSM.70.003)</a> publication.</p> <h3 id="employee-training">6.3 Establish and implement employee training and awareness programs</h3> <p>Information security is the responsibility of everyone in the organization. Your organization should clearly define, communicate and support employee responsibility with effective education and awareness. Opening a single malicious email attachment or accessing just a single malicious website can compromise an entire network. Employee diligence is an important factor for business continuity in the face of today’s cyber threats. It is essential that senior management actively endorse and advance awareness initiatives, integrating them into the organization’s strategic framework.</p> <h3 id="risk-assessments-mobile">6.4 Perform threat and risk assessments for mobile device use</h3> <p>Mobile devices often need additional protection because their mobile nature exposes them to more threats than other devices. 
Before designing and deploying mobile device solutions, organizations should perform threat and risk assessments (TRAs). TRAs assist organizations in determining security requirements and in developing mobile device solutions that incorporate appropriate security controls.</p> <p>In a TRA, you should:</p> <ul><li>identify resources of interest, vulnerabilities and security controls related to these resources</li> <li>quantify the most likely threats, the likelihood that an attack succeeds, and its impacts</li> <li>analyze this information to determine where security controls should be improved or added</li> </ul><p>Factors like international travel can impact TRAs. Organizations should consider the risks associated with using mobile devices abroad. Specific risk assessments for individual travel or foreign telework agreements are covered in the Cyber Centre’s publication <a href="/en/guidance/device-security-travel-and-telework-abroad-itsap00188">Device security for travel and telework abroad (ITSAP.00.188)</a>. Additionally, <a href="/en/guidance/mobile-device-guidance-high-profile-travellers-itsap-00088">Mobile device guidance for high-profile travellers (ITSAP.00.088)</a> outlines common threats and security measures to safeguard mobile devices before, during and after travel.</p> <h3 id="security-measures">6.5 Implement the necessary security measures</h3> <p>Organizations should consider the merits of each security measure, determine which controls are needed, and then implement the solutions that provide the necessary security posture. 
Organizations should consider the following security measures:</p> <ul><li>Enforcing departmental security policies on mobile devices, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring, detecting and reporting policy violations</li> <li>Supporting strongly encrypted data communications and data storage</li> <li>Securely wiping a device before reissuing it and remotely wiping a device if it is lost or stolen</li> <li>Requiring device authentication before allowing the mobile device to access departmental resources</li> <li>Restricting which third-party applications can be installed on mobile devices</li> <li>Determining the permissions assigned to each application and verifying digital signatures on applications</li> <li>Detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices</li> </ul><p>Once an application has collected data, that data is no longer under enterprise control. Users should not trust claims of data “anonymization” by application developers. Relying on app store vetting alone is insufficient to ensure that an app will not compromise data. App stores primarily scan for overt malware and may allow behind-the-scenes data collection activities for advertising or analytics.</p> <h3 id="before-deploying">6.6 Before deploying a mobile device solution</h3> <p>Before establishing a mobile device solution, organizations should evaluate the following security aspects of the environment, accounting for each type of mobile device that the organization intends to use:</p> <ul><li>connectivity</li> <li>protection</li> <li>authentication</li> <li>application functionality</li> <li>solution management</li> <li>logging</li> <li>performance</li> </ul><p>All components of the system should be updated with the latest patches and configured in accordance with sound security practices. 
Secure organization-issued mobile devices before allowing user access.</p> <p>Ensuring that every device is fully secured prior to granting user access establishes a foundational level of trust in the device before it encounters potential security threats. Any previously deployed organization-issued mobile devices with unknown security profiles should be fully secured to a known good state using <abbr title="mobile device management">MDM</abbr> technologies. Organizations should also deploy supplemental security controls, such as anti-virus software and data-loss prevention (DLP) technologies.</p> <h3 id="maintain-mobile-security">6.7 Maintain mobile device security</h3> <p>Organizations should implement the following processes for maintaining mobile device security:</p> <ul><li>Regularly installing upgrades and patches to enhance device protection</li> <li>Adjusting access control settings as needed to maintain security standards</li> <li>Maintaining an up-to-date inventory detailing each mobile device, its assigned user and installed applications</li> <li>Revoking access to or deleting applications that have been assessed as too risky</li> <li>Safeguarding sensitive data by sanitizing mobile devices before issuing them for reuse</li> <li>Implementing an incident response plan that details how to address high-risk and compromised devices</li> </ul><p>Organizations should perform audits periodically to ensure that their mobile device policies, processes and procedures are being followed properly.</p> <p>Organizations with more mature <abbr title="information technology">IT</abbr> infrastructure and business processes should choose a mobility management solution that enables enhanced business features, such as mobile access to corporate email, calendars, contact lists and other corporate applications, to integrate seamlessly with corporate authentication mechanisms. The mobility management solution should also maintain the security of the mobility enterprise. 
There are different mobile management solutions with distinct capabilities. In industry, these solutions are referred to as <abbr title="mobile device management">MDM</abbr>, enterprise mobility management (EMM) and unified endpoint management (UEM).</p> <p><a href="#Mobility-management">Section 7 Mobility management solutions</a> provides an overview of the different categories of mobility management solutions, as well as strategies to help you choose the solution that best suits your organization’s needs.</p> <h3 id="manage-lifcycle">6.8 Manage the lifecycle of mobile devices</h3> <p>Your organization should ensure you have a process for identifying mobile device vendors that provide procedures and solutions to manage end-of-life (EoL) devices. For laptops, this can also include EoL for operating systems. You should also ensure that your vendors adhere to supply chain integrity (SCI) risk assessments, which should be conducted prior to procuring devices.</p> <p>Ensure you have procedures in place to manage the lifecycle of <abbr title="end-of-life">EoL</abbr> devices, to properly sanitize the device once recovered from the user, and to dispose of the device in a secure manner. For more information on device sanitization and destruction, read <a href="/en/guidance/sanitization-and-disposal-electronic-devices-itsap40006">Sanitization and disposal of electronic devices (ITSAP.40.006)</a>.</p> </section><section><h2 class="text-info" id="Mobility-management">7 Mobility management solutions</h2> <p>Mobile devices have become essential for many organizations, enabling more efficient execution of business activities. 
With greater amounts of sensitive data now passing through endpoints and being exchanged between mobile devices, information sharing has reached unprecedented levels. If mobile devices are not managed properly, they can put your organization’s data and network security at risk. Proactively managing these devices across all business operations and implementing a strong mobility management solution is critical to protect your organization from potential data breaches.</p> <p>Managing mobile devices is a unified approach that encompasses various categories of mobile management solutions, referred to in industry as <abbr title="mobile device management">MDM</abbr>, EMM, and UEM. Mobile management solutions apply software, processes and security policies to mobile devices in their usage. Understanding the different features offered by various mobile management solutions will help you choose the best solution for your organization.</p> <p>There is little difference between <abbr title="mobile device management">MDM</abbr> and EMM, and the 2 terms are often used interchangeably. 
<abbr title="mobile device management">MDM</abbr> focuses on fundamental tasks such as:</p> <ul><li>enrolling and configuring devices</li> <li>managing credentials</li> <li>enforcing password and functionality restrictions</li> <li>managing <abbr title="bring-your-own-device">BYOD</abbr> profiles</li> <li>facilitating device management and support functions, such as inventory audits, password resets and remote wipes</li> </ul><p>EMM encompasses all <abbr title="mobile device management">MDM</abbr> functionalities, with additional advanced features such as:</p> <ul><li>more sophisticated containerization</li> <li>management of corporate credentials and authentication mechanisms</li> <li>advanced mobile application management</li> <li>integration with other enterprise platforms</li> </ul><p>EMM also extends <abbr title="mobile device management">MDM</abbr> capabilities through features like mobile application management and mobile threat response applications.</p> <p>UEM is a unified holistic mobile management solution that encompasses <abbr title="mobile device management">MDM</abbr>, EMM and other mobile management capabilities to address security concerns related to managing corporate data while increasing connectivity and productivity. While <abbr title="mobile device management">MDM</abbr> and EMM solutions are dedicated to managing mobile devices, UEM allows organizations to distribute, manage, control and track other endpoint devices in the workplace, such as personal computers, tablets, Internet of Things (IoT) devices, printers and wearables.</p> <p>We encourage organizations to conduct a security threat assessment using a framework like <a href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management series: A lifecycle approach (ITSP.10.033)</a> to determine their security requirements and acceptable level of risk, rather than focusing on terms. 
A threat assessment will also help identify the technical security controls required to address these threat areas, which will help organizations choose a mobility management solution.</p> <p>Identifying and implementing a narrower set of technical controls, along with other security controls and policies as per <a href="/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management: A lifecycle approach</a>, can help organizations mitigate risks while balancing the user experience, flexibility and functionality promised by mobile devices. Once implemented, test and adjust the controls periodically to ensure that they are functional and providing adequate security.</p> <h3 id="benefits-management">7.1 Benefits of mobile management tools</h3> <p>Mobile management tools can secure, monitor, manage and support mobile devices such as smartphones and tablets that run on multiple platforms and are deployed within a network. These tools control and protect data and configuration settings. With these tools, your <abbr title="information technology">IT</abbr> administrator can configure devices according to employee job requirements and install the applications needed for work purposes.</p> <p>A wide range of mobile management tools are available, from basic solutions that control a mobile device’s security settings to more advanced solutions that extend and enforce a mobile device’s security policies and controls and provide seamless integration with your organization’s systems and services.</p> <p>An optimal mobile management solution must consider the product’s capabilities and the mobile device platforms, as well as security feature capabilities and support. Consider the type of mobile devices your organization uses before choosing a mobile management solution.</p> <p>Do not rely on an <abbr title="mobile device management">MDM</abbr> solution to make up for poor mobile device security. 
<abbr title="mobile device management">MDM</abbr> tools cannot add missing security features to a platform or device; they can only use the security features and controls that a mobile device platform supports natively.</p> <p>Your organization should choose the solution that best suits its business and security needs by considering the following:</p> <ul><li>level of control needed depending on the sensitivity of the data being handled</li> <li>budget available for specific deployment models (for example, hardware supply or <abbr title="information technology">IT</abbr> support)</li> <li>best balance between business and personal use</li> </ul><p>It is important for your organization to train employees on privacy and security best practices to ensure devices are used safely with the deployment model your organization selects.</p> <p>In addition to the mitigation strategies provided in this publication, you can reference the <a href="https://www.cisa.gov/sites/default/files/publications/CEG_Mobile_Device_Cybersecurity_Checklist_for_Organizations_0.pdf">Mobile Device Cybersecurity Checklist for Organizations (PDF)</a> developed by the Cybersecurity and Infrastructure Security Agency (CISA). This checklist provides best practices to help organizations protect their mobile enterprise by mitigating security vulnerabilities and ensuring secure mobile access to enterprise resources.</p> <h3 id="Common-management">7.2 Common mobile device management and enterprise mobility management features</h3> <p><abbr title="mobile device management">MDM</abbr> and EMM solutions offer many features to address mobile device security, compliance and operational efficiency. 
Some common features include:</p> <ul><li>mobile device management <ul><li>deploy and enroll</li> <li>provision devices—device settings, restrictions, credentials</li> <li>control devices—audit devices, reset passwords, remote wipe</li> <li>manage applications—control what applications can be loaded and used</li> <li>track inventory</li> </ul></li> <li>mobile device security <ul><li>enforce security policies, real-time monitoring and reporting</li> <li>enforce strong passwords for mobile device access</li> <li>prevent unauthorized device access using a remote lock</li> <li>perform remote wiping if device is stolen or lost</li> <li>protect device from unsecured Wi-Fi and Bluetooth connections</li> </ul></li> <li>facilitation of corporate data security <ul><li>mandate data encryption for both data-in-transit and data-at-rest</li> <li>enforce the use of virtual private network (VPN) connection between the mobile device and the organization’s server</li> <li>automatically back up essential data from the device to the main server</li> </ul></li> <li>messaging and email integration—fully integrate and support all major features (calendar, contacts, support for all major platforms)</li> <li>enterprise enablers—provide support, access and control for intranet and corporate web services and applications</li> </ul><h3 id="Additional-capabilities">7.3 Additional mobile management solution capabilities</h3> <p>Larger organizations that have complex mobile device infrastructures and require a more comprehensive solution can consider some of the following additional capabilities that certain mobile management tools offer.</p> <h4>7.3.1 Mobile application management</h4> <p>Mobile application management (MAM) involves deploying, managing and controlling specific business applications on <abbr title="bring-your-own-device">BYOD</abbr> and company-owned/personally enabled (COPE) devices. 
MAM allows organizations to segregate personal and business applications, and to create a personalized enterprise application store. With MAM, administrators can push, install, patch and update mobile business applications as required, and configure the applications to comply with specific policies. MAM also supports inventory management, application lifecycle management and software licensing management.</p> <h4>7.3.2 Mobile content management</h4> <p>Mobile content management (MCM) is a security tool that manages content access on mobile devices. It allows employees to access, distribute and store work-related files, information and data without compromising security or the end-user experience. It offers ease of collaboration across secured networks and <abbr title="mobile device management">MDM</abbr>-registered devices. <abbr title="Mobile content management">MCM</abbr> enables the administrator to restrict access rights to each employee and to allow only approved applications to access and distribute data.</p> <h4>7.3.3 Mobile identity and access management</h4> <p>This process manages and defines roles and privileges for each user to ensure that access to organizational resources is restricted to those with access rights. It relies on <abbr title="multi-factor authentication">MFA</abbr>, biometrics, certificates, code signatures or device-specific information to control how employees use the organization’s applications and data.</p> <h4>7.3.4 Mobile threat management</h4> <p>Mobile threat management (MTM) is a mobile security product that helps organizations reduce the risk posed by mobile devices. 
The premise of <abbr title="Mobile threat management">MTM</abbr> is that although device manufacturers are improving the security posture of their devices with every release, vulnerabilities remain, and new ones are continually discovered.</p> <p><abbr title="Mobile threat management">MTM</abbr> attempts to help organizations manage risk by implementing functions such as:</p> <ul><li>integration with <abbr title="mobile device management">MDM</abbr>/EMM functions, such as enrollment, security policy and restrictions, and audit/logging</li> <li>application and <abbr title="operating systems">OS</abbr> version and patch management</li> <li>enforcement and automation of domain name system (DNS) filtering and VPN use</li> <li>installed application inventory, malware detection, and allow list and deny list</li> <li>mobile incident response—this pairs well with UEM platforms, where compliance-based controls are often used for automated responses to mobile security incidents</li> </ul><h4>7.3.5 Mobile expense management</h4> <p>Mobile expense management (MEM) allows organizations to track and control expenses across their entire mobility infrastructure. It also allows organizations to set limits for data and application usage.</p> <h4>7.3.6 Containerization</h4> <p>Containerization is a data segregation solution for devices that store both work and personal data such as <abbr title="bring-your-own-device">BYOD</abbr> and COPE. 
It isolates your organization’s data from everything else on the device, in separate encrypted containers.</p> </section><section><h2 class="text-info" id="CC-mobility-suite">8 Cyber Centre’s mobility suite</h2> <p>To help mitigate the threats posed by mobile devices, the Cyber Centre has created a suite of mobile security publications that can help organizations significantly reduce their threat surface with respect to mobile devices. In addition to the publications mentioned earlier in this publication, the following resources may also be of value to your organization:</p> <ul><li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="38a1fb42-00d7-4f06-89ad-c73fa0e72ce9" href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="7aa3f54a-1d31-4a82-aa41-93dec6e4dc73" href="/en/guidance/security-considerations-mobile-device-deployments-itsap70002">Security considerations for mobile device deployments (ITSAP.70.002)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="c9cbfaae-471a-4c9b-a691-67c9f13eb776" href="/en/guidance/mobile-devices-and-business-travellers-itsap00087">Mobile devices and business travellers (ITSAP.00.087)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="639ede31-0d64-45cb-9688-664b3ee445cb" href="/en/guidance/how-updates-secure-your-device-itsap10096">How updates secure your device (ITSAP.10.096)</a></li> <li><a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="4e3fdb7e-a4e6-4823-8828-4cb10673f867" 
href="/en/guidance/cyber-security-considerations-5g-networks-itsap80116">Cyber security considerations for 5G networks (ITSAP.80.116) </a></li> </ul></section><section><h2 class="text-info" id="Summary">Summary</h2> <p>Mobile devices are convenient, flexible and allow employees to work anywhere and at any time. However, their complex design and enhanced functionality can pose a threat to your organization’s information, assets and networks. Since mobile devices can contain, or provide access to, vast amounts of sensitive corporate and personal information, they are attractive targets that can provide unique opportunities for threat actors intent on gathering information.</p> <p>The threats posed by mobile device use are numerous and must be clearly understood and mitigated to protect the confidentiality, availability and integrity of your organization’s information. Enterprise mobility should use commercially available protections and compensate for device limitations within the overall enterprise mobility architecture, leverage the organization’s risk-management framework, and develop security policies specifically for mobile devices.</p> <p>Where necessary, you can further harden commercial mobile devices to improve integrity and reduce risks. Your organization should conduct a threat and risk assessment to determine the security controls for its enterprise mobility solutions. 
Security controls need to be implemented and verified for the organization’s complete information system, from mobile devices to the network services that support business processes and information assets.</p> <p>The Cyber Centre encourages organizations with more mature <abbr title="information technology">IT</abbr> infrastructures and business processes to implement a mobility management solution that enables enhanced business and security features, as well as improved capabilities to secure, manage, audit and support mobile devices in the workplace.</p> </section><!-- Forward and details --><section><h3>Effective date</h3> <p>This publication takes effect on May 4, 2026.</p> <p>This is an unclassified publication issued under the authority of the Head of the Cyber Centre.</p> <p>This document supersedes:</p> <ul><li>Securing the enterprise for mobility (ITSM.80.001), July 2016</li> <li>Mobile device management (MDM) solutions – guidance for the Government of Canada (ITSB-64), July 2013</li> <li>Mobile security – Securing the Government of Canada (ITSE.80.001), June 2016</li> </ul><h3>Revision history</h3> <ol class="lst-spcd"><li>First release: July 2016</li> <li>Second release: May 2026</li> </ol></section> </div> </div> </div> </div> </div> </div> </div> </article>
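Sections 6.5, 6.7 and 7.3.4 of the publication above call for detecting and documenting anomalies and unauthorized configuration changes across the mobile device inventory, and for compliance-based controls that drive automated responses to mobile security incidents. The script below is an added example of that kind of check; it is not code from the Cyber Centre or from any MDM, EMM or UEM product. It evaluates constructed device inventory records against a constructed policy baseline (minimum OS version per platform, encryption at rest, passcode, maximum check-in age, a denied-application list and the device integrity flag) and maps the findings to a response tier. The record fields, policy values, application identifiers and action names are all assumptions; a real deployment would read device state from its MDM vendor's API and trigger the vendor's own lock, quarantine or wipe actions.

```python
"""Compliance evaluation of MDM device inventory records.

Added example: the record layout, policy values and action names are
assumptions for illustration, not the schema of any real MDM/UEM product.
"""
from datetime import datetime, timedelta, timezone

# Constructed policy baseline (assumed values, not from the publication).
POLICY = {
    "min_os": {"ios": (17, 0), "android": (14, 0)},   # minimum OS per platform
    "require_encryption": True,                        # data-at-rest encryption
    "require_passcode": True,                          # device passcode must be set
    "max_checkin_age": timedelta(days=7),              # silent devices are suspicious
    "denied_apps": {"com.example.untrusted-store", "com.example.sideloader"},
}

# Violation codes that warrant an immediate automated response, not just a notice.
SEVERE = {"integrity", "encryption", "denied_app", "stale"}


def parse_version(text):
    """'17.4.1' -> (17, 4, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def evaluate_device(device, policy, now):
    """Return a list of (code, detail) violations for one inventory record."""
    violations = []
    platform = device["platform"]
    minimum = policy["min_os"].get(platform)
    if minimum is None:
        violations.append(("platform", f"unsupported platform {platform}"))
    elif parse_version(device["os_version"]) < minimum:
        violations.append(("os_version", f"{device['os_version']} below minimum"))
    if policy["require_encryption"] and not device["encrypted"]:
        violations.append(("encryption", "data-at-rest encryption disabled"))
    if policy["require_passcode"] and not device["passcode_set"]:
        violations.append(("passcode", "no device passcode configured"))
    if device["compromised"]:
        violations.append(("integrity", "device reports rooted/jailbroken state"))
    age = now - device["last_checkin"]
    if age > policy["max_checkin_age"]:
        violations.append(("stale", f"no check-in for {age.days} days"))
    for app in sorted(set(device["apps"]) & policy["denied_apps"]):
        violations.append(("denied_app", f"denied application installed: {app}"))
    return violations


def recommend_action(violations):
    """Map violations to a response tier (assumed tier names)."""
    codes = {code for code, _ in violations}
    if codes & SEVERE:
        return "quarantine"   # block enterprise access, remote lock, open an incident
    if codes:
        return "notify"       # remediation notice to user and administrator
    return "none"


def compliance_report(devices, policy, now):
    """Evaluate every device; the result is keyed by device id."""
    report = {}
    for device in devices:
        violations = evaluate_device(device, policy, now)
        report[device["id"]] = {
            "violations": violations,
            "action": recommend_action(violations),
        }
    return report


# Constructed sample inventory (not real devices or real applications).
NOW = datetime(2026, 5, 4, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"id": "dev-001", "platform": "ios", "os_version": "17.4.1", "encrypted": True,
     "passcode_set": True, "compromised": False, "apps": ["com.example.mail"],
     "last_checkin": NOW - timedelta(days=1)},
    {"id": "dev-002", "platform": "android", "os_version": "13.0", "encrypted": True,
     "passcode_set": False, "compromised": False, "apps": ["com.example.mail"],
     "last_checkin": NOW - timedelta(days=2)},
    {"id": "dev-003", "platform": "android", "os_version": "14.0", "encrypted": False,
     "passcode_set": True, "compromised": True,
     "apps": ["com.example.mail", "com.example.sideloader"],
     "last_checkin": NOW - timedelta(days=12)},
]

if __name__ == "__main__":
    for dev_id, result in compliance_report(SAMPLE_DEVICES, POLICY, NOW).items():
        print(dev_id, result["action"], [code for code, _ in result["violations"]])
```

The split between `notify` and `quarantine` is the design point: an outdated OS or a missing passcode is a remediation item, whereas a rooted device, disabled encryption, a denied application or a device that has stopped reporting is treated as a possible compromise and removed from enterprise access until an administrator has reviewed it. Keeping the policy in one table also makes the baseline auditable, which supports the periodic audits the publication recommends.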

  • Protect your devices from SMS blasters (ITSAP.00.104)
    by Canadian Centre for Cyber Security on May 1, 2026 at 7:00 pm

<article data-history-node-id="7625" about="/en/guidance/protect-your-devices-sms-blasters-itsap00104" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.104</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2026&nbsp;|&nbsp;Awareness series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>Text messages (<abbr title="short message service">SMS</abbr>) have become one of the most common ways for threat actors to try to scam victims. <abbr title="short message service">SMS</abbr> blasters are a type of cell site simulator: portable devices that impersonate legitimate mobile networks to trick nearby devices into connecting to them. 
Threat actors use <abbr title="short message service">SMS</abbr> blasters to carry out <abbr title="short message service">SMS</abbr> phishing attacks (known as smishing) and other malicious activities designed to steal sensitive or financial information or spread disinformation. This publication describes the threats posed by <abbr title="short message service">SMS</abbr> blasters and how best to protect yourself.</p> <section><h2 class="text-info h3">On this page</h2> <ul><li><a href="#1">How <abbr title="short message service">SMS</abbr> blasters work</a></li> <li><a href="#2">Threats posed by <abbr title="short message service">SMS</abbr> blasters</a></li> <li><a href="#3">How to protect against <abbr title="short message service">SMS</abbr> blasters</a></li> <li><a href="#4">Learn more</a></li> </ul></section></div> </div> <h2 class="text-info" id="1">How <abbr title="short message service">SMS</abbr> blasters work</h2> <p><abbr title="short message service">SMS</abbr> blasters impersonate cellular towers to take advantage of inherent weaknesses and unpatched vulnerabilities in the older second generation (2G) network standards that modern devices still support. In 2G, the network authenticates the subscriber, but the device has no way to authenticate the network, and encryption is optional and selected by the base station, so a rogue base station can simply operate without it.</p> <p>An <abbr title="short message service">SMS</abbr> blaster typically advertises itself as a fourth generation (4G) or fifth generation (5G) cell and broadcasts a stronger signal than the device’s current serving cell, so that nearby devices reselect to it. Once a device has attached, the blaster attempts to downgrade it to 2G mode. 
This allows threat actors to bypass the protections and filters that mobile network operators (MNOs) implement to protect their customers.</p> <h2 class="text-info" id="2">Threats posed by <abbr title="short message service">SMS</abbr> blasters</h2> <p><abbr title="short message service">SMS</abbr> blasters pose many threats to devices within their coverage area. These threats include:</p> <h3>Smishing and fraud</h3> <p>Smishing is a scam in which threat actors send fraudulent messages that look legitimate to trick victims into clicking links and attachments or sharing sensitive information. <abbr title="short message service">SMS</abbr> blasters allow threat actors to quickly send thousands of smishing messages to mobile devices within the coverage area of the blaster. The messages can be generic, tailored to a specific scenario, such as a sporting event or conference, or aimed at a specific piece of information, such as a bank authentication <abbr title="personal identification number">PIN</abbr>.</p> <p>Because these messages never pass through the <abbr title="mobile network operator">MNO</abbr>’s network, the operator’s security controls never see them: the links they contain are not analyzed and cannot be assessed for legitimacy. This makes it easier for threat actors to impersonate legitimate businesses and their websites, and it makes the links in these messages more dangerous than those in ordinary spam.</p> <p>Smishing scams can lead to fraud with compromised credentials, unauthorized transactions and identity theft. For more details on smishing, see the Cyber Centre’s <a href="/en/guidance/smishing-protect-yourself-sms-attacks-itsap00103">Smishing: Protect yourself from <abbr title="short message service">SMS</abbr> attacks (ITSAP.00.103)</a>.</p> <h3>Misinformation, disinformation and malinformation</h3> <p>By using <abbr title="short message service">SMS</abbr> blasters to conduct smishing and fraud, threat actors can spread misinformation, disinformation and malinformation (MDM). 
The threat can target all devices within the coverage area of the <abbr title="short message service">SMS</abbr> blaster and spread <abbr title="misinformation, disinformation and malinformation">MDM</abbr> concerning a specific source or event. Spreading <abbr title="misinformation, disinformation and malinformation">MDM</abbr> in this context is a serious concern. It can cause harm by manipulating individuals and organizations into believing there is a conflict or an emergency.</p> <h3>Service disruption</h3> <p><abbr title="short message service">SMS</abbr> blasters can cause dropped calls, slow data speeds and strain on mobile infrastructure by downgrading connected devices to the 2G network. This can affect emergency calls and connections to Internet of Things (IoT) devices.</p> <h3>Privacy and data loss</h3> <p><abbr title="short message service">SMS</abbr> blasters can collect sensitive data that includes identifiable information, such as:</p> <ul><li>unique subscriber identification (international mobile subscriber identity (IMSI))</li> <li>unique device identification (international mobile equipment identity (IMEI))</li> <li>user locations</li> </ul><p>Threat actors can further use this information as an entry point for more advanced cyber campaigns.</p> <h2 class="text-info" id="3">How to protect against <abbr title="short message service">SMS</abbr> blasters</h2> <p><abbr title="mobile network operators">MNOs</abbr>, device manufacturers and end users should consider the following mitigation strategies to protect mobile devices from <abbr title="short message service">SMS</abbr> blasters.</p> <h3>Mitigation strategies for mobile network operators</h3> <ul><li><strong>Detect and respond 
quickly:</strong> <ul><li>Use tools that can spot fake cellular towers and monitor network logs for unusual activity, such as unknown neighbour cell towers, sudden handover failures and rapid disconnections and reconnections</li> <li>Implement standalone solutions that monitor the signaling layer to identify sudden spikes in signaling volume or abnormal registration patterns that indicate a rogue base station is active</li> <li>Use analytics together with spam reporting to catch abnormal <abbr title="short message service">SMS</abbr> patterns or suspicious device identifiers</li> </ul></li> <li><strong>Implement Rich Communication Services:</strong> Transition from standard <abbr title="short message service">SMS</abbr> to Rich Communication Services (RCS) to offer a more secure messaging protocol with verified sender identifiers and encryption</li> <li><strong>Share intelligence:</strong> <ul><li>Feed real-time network data into fraud management systems, update blocklists of malicious Uniform Resource Locators (URLs) and share threat information with other operators and government authorities</li> <li>Use specialized direction-finding equipment to pinpoint the location of active <abbr title="short message service">SMS</abbr> blasters so that law enforcement can seize the hardware</li> </ul></li> <li><strong>Coordinate across the industry:</strong> Collaborate with device makers and regulators to improve privacy features and strengthen defence mechanisms</li> </ul><h3>Mitigation strategies for device manufacturers</h3> <ul><li><strong>Offer users more security control:</strong> <ul><li>Provide options for users to disable 2G network connections</li> <li>Enforce the use of encryption with the mobile network</li> </ul></li> <li><strong>Improve security features:</strong> <ul><li>Offer clearly defined options for how users can select and restrict network connections</li> <li>Disable 2G network usage by default</li> <li>Use applications for messages securely (for 
example, allowing users to accept the risk before enabling <abbr title="short message service">SMS</abbr> messaging)</li> </ul></li> </ul><h3>Mitigation strategies for end users</h3> <ul><li><strong>Use phishing-resistant multi-factor authentication (MFA):</strong> Use hardware security keys or passkeys where possible, or at least an authenticator app, rather than <abbr title="short message service">SMS</abbr>-based codes and one-time passwords</li> <li><strong>Stop, verify and report:</strong> <ul><li><strong>Stop:</strong> Refrain from clicking on links or attachments in unsolicited <abbr title="short message service">SMS</abbr> and avoid responding to suspicious or unexpected messages</li> <li><strong>Verify:</strong> Contact the organization or individual directly through their official channels, such as the contact information listed on their official website</li> <li><strong>Report:</strong> <ul><li>Forward the suspicious message to 7-7-2-6 (“SPAM”) or use the messaging application’s spam reporting function</li> <li>Report the incident to the Royal Canadian Mounted Police via the <a href="https://reportcyberandfraud.canada.ca/">Report cybercrime and fraud portal</a>. 
This will notify the appropriate organizations to initiate an investigation and take appropriate actions</li> </ul></li> </ul></li> <li><strong>Disable 2G:</strong> <ul><li>Turn off 2G network connections in your phone’s settings, if the option is available</li> <li>Contact your mobile provider if you don’t have the option</li> </ul></li> <li><strong>Use end-to-end encrypted messaging applications:</strong> Protect the contents of your messages and data transfers with applications that support end-to-end encryption</li> <li><strong>Be skeptical:</strong> Remember that legitimate organizations never ask for personal information, passwords or banking information through messages</li> <li><strong>Install applications safely:</strong> <ul><li>Only download applications from official app stores or from developers with a verified reputation</li> <li>Use anti-virus software to scan newly downloaded and existing apps on your device for malware</li> </ul></li> </ul><p>As <abbr title="short message service">SMS</abbr>-based authentication and notifications continue to be the default for many applications, threat actors will continue to exploit its weaknesses. 
To address these challenges, collaboration across the industry is essential for raising awareness and implementing robust security measures.</p> <h2 class="text-info" id="4">Learn more</h2> <ul class="lst-spcd"><li><a href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/how-identify-misinformation-disinformation-and-malinformation-itsap00300">How to identify misinformation, disinformation, and malinformation (ITSAP.00.300)</a></li> <li><a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/reporting-spam-text-messages-7726">Reporting spam text messages to 7726</a></li> </ul></div> </div> </div> </div> </div> </article>
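The downgrade sequence described under "How SMS blasters work" (a strong 4G/5G lure followed by a push to 2G) and the telemetry indicators in the operator "Detect and respond quickly" list (unknown neighbour cells, rapid disconnect/reconnect churn, abnormal registration spikes) can be checked mechanically. The Python below is an added example, not code from the Cyber Centre publication or from any operator's tooling. It assumes a simplified, constructed cell-event log with one record per attach, detach or handover failure; the cell inventory, the cell identifiers (the `302220:` prefix and all cell numbers), the device identifiers and every threshold are illustrative assumptions that a real deployment would take from its own inventory and baselines.

```python
"""Rogue base station indicators over cell-event telemetry.

Added example, not Cyber Centre or operator code. Assumes a simplified event
log (constructed below): timestamp, pseudonymous device identifier, event
type, radio access technology (RAT) and cell identifier. The inventory of
known cells and every threshold are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CellEvent:
    ts: float      # seconds since start of capture
    device: str    # pseudonymous device identifier (constructed)
    event: str     # "attach", "detach" or "handover_fail"
    rat: str       # "NR", "LTE" or "GSM"
    cell: str      # "PLMN:cellid" (constructed values)


KNOWN_CELLS = {"302220:1001", "302220:1002", "302220:2001"}  # inventory (assumption)
DOWNGRADE_WINDOW_S = 120   # 4G/5G attach followed by a 2G attach within this window
CHURN_WINDOW_S = 300       # attach/detach churn window per device
CHURN_MAX_EVENTS = 6       # more than this many attach/detach events in the window
REG_SPIKE_WINDOW_S = 60    # registration spike window per cell
REG_SPIKE_MIN_DEVICES = 5  # distinct devices registering on one cell in the window


def unknown_cells(events):
    """Cells seen in telemetry that are not in the operator's inventory."""
    return sorted({e.cell for e in events if e.cell not in KNOWN_CELLS})


def downgrade_victims(events):
    """Devices attached to 4G/5G and then to a 2G cell shortly afterwards; {device: (from, to)}."""
    by_device = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event == "attach":
            by_device[e.device].append(e)
    found = {}
    for dev, seq in by_device.items():
        for prev, cur in zip(seq, seq[1:]):
            if (prev.rat in ("LTE", "NR") and cur.rat == "GSM"
                    and cur.ts - prev.ts <= DOWNGRADE_WINDOW_S):
                found[dev] = (prev.cell, cur.cell)
                break
    return found


def churning_devices(events):
    """Devices with rapid attach/detach churn inside a sliding window."""
    by_device = defaultdict(list)
    for e in events:
        if e.event in ("attach", "detach"):
            by_device[e.device].append(e.ts)
    flagged = set()
    for dev, times in by_device.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > CHURN_WINDOW_S:
                lo += 1
            if hi - lo + 1 > CHURN_MAX_EVENTS:
                flagged.add(dev)
                break
    return sorted(flagged)


def registration_spikes(events):
    """Cells on which many distinct devices register within a short window; {cell: count}."""
    by_cell = defaultdict(list)
    for e in events:
        if e.event == "attach":
            by_cell[e.cell].append((e.ts, e.device))
    spikes = {}
    for cell, regs in by_cell.items():
        regs.sort()
        for i, (t0, _) in enumerate(regs):
            devs = {d for t, d in regs[i:] if t - t0 <= REG_SPIKE_WINDOW_S}
            if len(devs) >= REG_SPIKE_MIN_DEVICES:
                spikes[cell] = len(devs)
                break
    return spikes


def assess(events):
    """Combine the four indicators into one report."""
    return {"unknown_cells": unknown_cells(events), "downgrades": downgrade_victims(events),
            "churn": churning_devices(events), "spikes": registration_spikes(events)}


def sample_events():
    """Constructed telemetry: six devices lured from a known LTE cell onto an unknown
    'LTE' cell, then pushed onto an unknown GSM cell; a seventh device stays put."""
    ev = [CellEvent(100.0 * i, f"d{i + 1}", "attach", "LTE", "302220:1001") for i in range(6)]
    ev.append(CellEvent(600.0, "d7", "attach", "LTE", "302220:1001"))
    ev += [CellEvent(1000.0 + 2 * i, f"d{i + 1}", "attach", "LTE", "302220:9999") for i in range(6)]
    ev += [CellEvent(1030.0 + 2 * i, f"d{i + 1}", "attach", "GSM", "302220:9998") for i in range(6)]
    for k, kind in enumerate(["detach", "attach", "detach", "attach", "detach"]):
        ev.append(CellEvent(1050.0 + 10 * k, "d1", kind, "GSM", "302220:9998"))  # d1 flaps
    return ev


if __name__ == "__main__":
    print(assess(sample_events()))
```

On the constructed log every one of the six lured devices shows the LTE-to-GSM downgrade within two minutes, both rogue cells are absent from the inventory and show a registration spike, and the one device that keeps flapping trips the churn rule; the device that never left the known cell is not flagged by any rule. Each indicator alone produces false positives (a new legitimate site, a stadium filling up, a device in a coverage hole), which is why the report keeps them separate so an analyst can require several to coincide.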

  • Joint guidance on the careful adoption of agentic artificial intelligence services
    by Canadian Centre for Cyber Security on May 1, 2026 at 5:02 pm

    This joint guidance is intended for organizations that are considering developing or deploying agentic AI systems. It outlines security considerations related to LLMs and AI and describes the key risks associated with agentic AI.

  • Cyber Centre warns of sophisticated smishing activity targeting Canadians
    by Canadian Centre for Cyber Security on April 24, 2026 at 8:13 pm

<article data-history-node-id="7184" about="/en/news-events/cyber-centre-warns-sophisticated-smishing-activity-targeting-canadians" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre), in collaboration with the Royal Canadian Mounted Police (RCMP), is warning Canadians and businesses about sophisticated smishing attacks – phishing attempts delivered via text messages.</p> <p>Cybercriminals are actively targeting mobile users across Canada. These fraudulent messages often appear to come from trusted organizations, such as banks, and may even show up in legitimate message threads, making them difficult to detect.</p> <h2>Why this matters now</h2> <p>Smishing attacks are becoming more sophisticated, using spoofed numbers and urgent language to trick victims into clicking malicious links or sharing sensitive information. Falling for these scams can lead to financial fraud, identity theft or malware infections.</p> <p>To help Canadians protect themselves, the Cyber Centre has released new <a href="/en/guidance/smishing-protect-yourself-sms-attacks-itsap00103"> guidance on protecting against smishing</a> that outlines what to look for and the steps to take if you receive a suspicious text. 
This resource is timely and essential for staying safe in today’s evolving cyber threat landscape.</p> <h3>Reporting smishing attacks</h3> <p>Stay vigilant and <a href="https://www.getcybersafe.gc.ca/en/blogs/reporting-spam-text-messages-7726"> report suspicious messages to 7726 (SPAM)</a>. If you believe that you have fallen victim to a smishing attack and have shared sensitive information or suffered financial loss, <a href="/en/incident-management"> report the incident to the Canadian Anti-Fraud Centre</a> and to your local police service.</p> <p>Your reporting and cooperation will contribute to law enforcement efforts to investigate and disrupt cybercriminal activities impacting the safety and security of Canadians.</p> <h2>Further reading</h2> <ul><li><a href="/en/guidance/smishing-protect-yourself-sms-attacks-itsap00103">Smishing: Protect yourself from SMS attacks</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/phish-vish-smish-how-banks-are-helping-canadians-spot-digital-fraud">Phish, vish, smish – how banks are helping Canadians spot digital fraud (Get Cyber Safe)</a></li> <li><a href="https://cba.ca/article/what-your-bank-will-never-ask">Spot scams before they happen: what your bank will never ask (Canadian Bankers Association)</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Smishing: Protect yourself from SMS attacks (ITSAP.00.103)
    by Canadian Centre for Cyber Security on April 24, 2026 at 8:12 pm

<article data-history-node-id="7183" about="/en/guidance/smishing-protect-yourself-sms-attacks-itsap00103" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.103</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2026&nbsp;|&nbsp;Awareness series</strong></p> </div> <!--pdf download--> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 pull-right mrgn-lft-md col-sm-12 col-xs-12"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsap.00.103-e_1.pdf">Smishing: Protect yourself from SMS attacks – ITSAP.00.103 (PDF,&nbsp;828&nbsp;KB)</a></p> </div> <p>Smishing is a type of phishing scam. Threat actors use social engineering to send fraudulent text messages (<abbr title="short message service">SMS</abbr>) to trick victims into revealing sensitive information, such as login credentials or banking details. The text messages use language that creates a sense of urgency in an attempt to force the recipient to act fast. 
Smishing messages may link to malware or fake websites, allowing threat actors to steal your data, money or identity.</p> <p>This publication was written in collaboration with the Royal Canadian Mounted Police to raise awareness of the identification, reporting and mitigation of smishing scams.</p> <section><h2 class="text-info h3">On this page</h2> <ul><li><a href="#1">How threat actors leverage smishing</a></li> <li><a href="#2">Tips for spotting a smishing message</a></li> <li><a href="#3">Protect yourself from smishing</a></li> <li><a href="#4">Learn more</a></li> </ul></section></div> </div> <h2 class="text-info" id="1">How threat actors leverage smishing</h2> <p>Modern smishing techniques enable threat actors to spoof the sender’s phone number, making the message appear to come directly from a well-known organization you trust. For example, if threat actors spoof your bank’s legitimate short code, the fraudulent messages will appear in the same chat thread as any legitimate communications you may have had with your bank in the past. 
This continuation of the conversation makes it very difficult to distinguish fraudulent messages from valid messages.</p> <h2 class="text-info" id="2">Tips for spotting a smishing message</h2> <p>Although the sender’s name and number may appear legitimate in a smishing message, there are common warning signs to watch for, including:</p> <ul><li>urgent claims about accounts being "locked" or "compromised"</li> <li>suspicious links using URL shorteners or slightly altered web addresses</li> <li>requests for sensitive information such as passwords, <abbr title="personal identification number">PIN</abbr>s, or <abbr title="social insurance number">SIN</abbr>s</li> </ul><p>Legitimate organizations would not request such details through text messages.</p> <div class="row"> <div class="col-md-6 pull-right"><img alt="Figure 1: Example of a smishing message – long description to follow" class="img-responsive" src="/sites/default/files/images/itsap.00.103-smishing-fig1.png" /><details><summary>Long description – Figure 1: Example of a smishing message</summary><p>Figure 1 depicts four examples of <abbr title="short message service">SMS</abbr> messages received on a cell phone. The messages all appear to come from the same financial institution, but the one circled is a smishing message. The image highlights that when threat actors spoof a bank’s legitimate short code, fraudulent messages appear in the same chat thread as legitimate communications you may have had with this bank in the past. This continuation of the conversation makes it very difficult to distinguish fraudulent messages from valid messages. 
The smishing message includes a hyperlink intended for the user to click, which will lead to an illegitimate website that will attempt to steal sensitive information.</p> </details></div> <div class="col-md-6"> <div class="mrgn-tp-md visible-xs visible-sm">&nbsp;</div> <h2 class="text-info" id="3">Protect yourself from smishing</h2> <p>To protect yourself from smishing attacks, follow these recommended mitigation strategies.</p> <h3>Do not click links</h3> <p>Do not click links received by <abbr title="short message service">SMS</abbr> message. If you receive an urgent message or a message with a suspicious or unusual link, pause before reacting. Scammers rely on impulsive reactions. Navigate to the organization’s official online portal using your browser or official mobile app.</p> <h3>Verify independently</h3> <p>If a message appears in a legitimate message thread (for example, from your bank), call the number on the back of your debit or credit card to verify the request. Do not call the number provided in the text.</p> <h3>Report the spam</h3> <p><a href="https://www.getcybersafe.gc.ca/en/blogs/reporting-spam-text-messages-7726">Forward the suspicious <abbr title="short message service">SMS</abbr> to 7726 (SPAM)</a> or use the messaging application’s spam reporting function. You can also <a href="https://reportcyberandfraud.canada.ca/">report the spam to the Canadian Anti-Fraud Centre</a>. This will notify the appropriate organizations to initiate an investigation and take appropriate actions.</p> <h3>Enable multi-factor authentication</h3> <p>Ensure <abbr title="multi-factor authentication">MFA</abbr> is enabled on your accounts to prevent unauthorized access even if credentials are stolen. 
Whenever possible, choose <abbr title="multi-factor authentication">MFA</abbr> options that do not rely on <abbr title="short message service">SMS</abbr>, such as an authenticator app, or options that are phishing-resistant, such as passkeys or hardware tokens.</p> </div> </div> <h3>Disable 2G</h3> <p>If your phone allows it, turn off 2G in the settings. This can help prevent your phone from connecting to a false base station operated by a threat actor.</p> <h3>Stay updated</h3> <p>Keep your device’s software current and enable <abbr title="short message service">SMS</abbr> spam protection.</p> <h3>Delete suspicious messages</h3> <p>If the suspicious sender is a new number, block it. Delete suspicious messages to avoid accidentally clicking the link.</p> <h2 class="text-info" id="4">Learn more</h2> <ul class="lst-spcd"><li><a href="https://www.getcybersafe.gc.ca/en/blogs/smishing-introduction">Smishing: An introduction</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/phishing">Phishing: Don’t get reeled in</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/resources/7-red-flags-phishing">The 7 red flags of phishing</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/resources/fact-sheet-phishing">Fact sheet: Phishing</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/three-common-types-phishing-scams">Three common types of phishing scams</a></li> <li><a href="/en/guidance/using-your-mobile-device-securely-itsap00001">Using your mobile device securely (ITSAP.00.001)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/reporting-spam-text-messages-7726">Reporting spam text messages to 7726</a></li> </ul></div> </div> </div> </div> </div> </article>
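The three warning signs listed under "Tips for spotting a smishing message" (urgent wording, shortened or slightly altered links, requests for sensitive data) are the kind of check a message filter or a security team's triage script applies. The Python below is an added example, not code from the Cyber Centre publication or from any carrier's spam filter. The trusted domain `examplebank.ca`, the shortener list, the keyword lists, the scoring weights and the sample messages are all constructed assumptions; the "slightly altered address" check uses edit distance between each host label and the trusted brand name, plus a check for the brand appearing as a subdomain of some other registrable domain.

```python
"""Red-flag scoring for text messages: urgent wording, shortened or
slightly altered links, and requests for sensitive data.

Added example, not Cyber Centre code. The trusted-domain list, shortener
list, keyword lists, weights and sample messages are constructed
assumptions; 'examplebank.ca' stands in for a real institution's domain."""
import re

TRUSTED_DOMAINS = {"examplebank.ca"}                       # assumption
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}   # assumption
URGENCY_WORDS = ("urgent", "immediately", "locked", "compromised",
                 "suspended", "within 24 hours")
SENSITIVE_RE = re.compile(
    r"\b(?:password|pin|sin|social insurance|card number|one-time code)\b", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
WEIGHTS = {"urgency": 1, "sensitive_request": 2, "unknown_link": 1,
           "shortener": 2, "lookalike": 3, "brand_in_subdomain": 3}
SUSPICIOUS_AT = 3   # score threshold (assumption)


def levenshtein(a, b):
    """Edit distance; a small distance between a host label and the brand
    name catches 'slightly altered' addresses such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Lower-cased host name of a URL, without scheme, port or path."""
    stripped = re.sub(r"^https?://", "", url, flags=re.I)
    return stripped.split("/")[0].split("?")[0].split(":")[0].lower()


def registrable_domain(url):
    """Last two labels of the host (naive: ignores multi-label public
    suffixes such as .co.uk, which a real filter handles with a suffix list)."""
    return ".".join(host_of(url).split(".")[-2:])


def classify_link(url):
    """Flag name for one URL, or None when it points at a trusted domain."""
    host, reg = host_of(url), registrable_domain(url)
    if reg in TRUSTED_DOMAINS:
        return None
    if reg in SHORTENERS:
        return "shortener"
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if levenshtein(reg, trusted) <= 2:      # e.g. examplebank.co
            return "lookalike"
        if brand in labels:                      # e.g. examplebank.ca.verify-login.com
            return "brand_in_subdomain"
        if any(len(lab) >= 6 and levenshtein(lab, brand) <= 2 for lab in labels):
            return "lookalike"                   # e.g. examp1ebank.ca-secure.com
    return "unknown_link"


def analyze(text):
    """Score one message; returns its flags, total score and a verdict."""
    flags = []
    low = text.lower()
    if any(w in low for w in URGENCY_WORDS):
        flags.append("urgency")
    if SENSITIVE_RE.search(text):
        flags.append("sensitive_request")
    for url in URL_RE.findall(text):
        kind = classify_link(url)
        if kind:
            flags.append(f"{kind}:{host_of(url)}")
    score = sum(WEIGHTS[f.split(":")[0]] for f in flags)
    return {"flags": flags, "score": score, "suspicious": score >= SUSPICIOUS_AT}


# Constructed sample messages, not real SMS traffic.
SAMPLE_MESSAGES = [
    "Your transfer of $40.00 has been deposited. No action is needed.",
    "URGENT: Your ExampleBank account has been locked. Verify your identity at "
    "https://examp1ebank.ca-secure.com/login",
    "Reply with your PIN to confirm the transaction: https://bit.ly/3xk",
    "Security notice from ExampleBank: https://examplebank.ca/alerts",
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(analyze(m))
```

Note that a link to the genuine domain scores nothing, so the check is only as good as the trusted-domain list, and a spoofed sender short code (the case in Figure 1) is invisible to content scoring; that is exactly why the guidance pairs these signs with verifying through an independent channel rather than trusting the thread.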

  • Joint guidance on defending against the People’s Republic of China-linked covert networks
    by Canadian Centre for Cyber Security on April 23, 2026 at 6:15 pm

<article data-history-node-id="7592" about="/en/news-events/joint-guidance-defending-against-peoples-republic-china-linked-covert-networks" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC), UK industry and the following international partners in releasing a cyber security advisory on defending against the People’s Republic of China (PRC)-linked covert networks.</p> <ul><li>Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC)</li> <li>Germany’s Federal Office for the Protection of the Constitution (BfV)</li> <li>Germany’s Federal Intelligence Service (BND)</li> <li>Germany’s Federal Office for Information Security (BSI)</li> <li>Japan’s National Cybersecurity Office (NCO)</li> <li>The Netherlands General Intelligence and Security Service (AIVD)</li> <li>The Netherlands Defence Intelligence and Security Service (MIVD)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>Spain’s National Cryptologic Centre (CCN)</li> <li>Sweden’s National Cyber Security Centre (NCSC-SE)</li> <li>The United States’ Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>The United States’ Department of Defense Cyber Crime Center (DC3)</li> <li>The United States’ Federal Bureau of Investigation (FBI)</li> <li>The United States’ National Security Agency (NSA)</li> </ul><p>Covert networks are 
often made up of vulnerable everyday Internet-connected edge devices that have been compromised. PRC-linked threat actors have shifted their tactics, techniques and procedures (TTPs) to leverage externally provisioned, large-scale networks of compromised devices to target critical sectors, steal sensitive data and maintain persistent access.</p> <p>This joint advisory describes how covert networks used by PRC-linked threat actors are being created and maintained externally by Chinese information security companies. It provides insight into the TTPs threat actors use and comprehensive mitigation advice to help protect systems from malicious activity originating from covert networks.</p> <p>The joint advisory also warns of a key issue for network defenders: indicator of compromise (IOC) extinction. This occurs when IOCs disappear as quickly as they are discovered, which requires network defenders to deploy more adaptive, intelligence-driven measures to mitigate the risks.</p> <p>Read the full joint guidance: <a href="https://www.ncsc.gov.uk/news/international-cyber-agencies-fresh-advice-defend-against-china-linked-covert-networks">International cyber agencies share fresh advice to defend against China-linked covert networks</a></p> <h2>Related advisories</h2> <ul><li><a href="/en/news-events/joint-cyber-security-advisory-peoples-republic-china-linked-actors-compromise-routers-and-internet-connected-devices-botnet">Joint cyber security advisory: People’s Republic of China-linked actors compromise routers and Internet-connected devices for botnet operations</a></li> <li><a href="/en/news-events/joint-cyber-security-advisory-worldwide-network-compromises-peoples-republic-china-state-sponsored-actors">Joint cyber security advisory on worldwide network compromises by People’s Republic of China state-sponsored actors</a></li> </ul></div> </div> </div> </div> </div> </article>

  • Vendor diversification (ITSAP.10.006)
    by Canadian Centre for Cyber Security on April 22, 2026 at 5:56 pm

<article data-history-node-id="7531" about="/en/guidance/vendor-diversification-itsap10006" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout--onecol"> <div class="layout__region layout__region--content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.10.006</strong></p> </div> <!--MOBILE STARTS HERE--> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2026&nbsp;|&nbsp;Awareness series</strong></p> </div> <section><p>Modern enterprise systems often depend on a variety of complex architectures and technologies to achieve an organization’s core mission and objectives. These systems rely on direct and indirect supply chains as well as vendor relationships, which can expose the business to mission-critical risks.</p> <p>Your organization can incorporate diversification strategies into its supply chain risk management (SCRM) processes. This will help mitigate risks to mission-critical objectives and reduce vulnerabilities associated with over-dependence on a single vendor or dominant technology stack. 
All security controls referenced in this guidance are documented in our publication <a href="https://www.cyber.gc.ca/en/guidance/cyber-security-privacy-risk-management">Cyber security and privacy risk management – A lifecycle approach Security and privacy controls (ITSP.10.033)</a>.</p> </section><section><h2 class="text-info">On this page</h2> <ul><li><a href="#vendor-diverse">Vendor diversification</a></li> <li><a href="#diversity-complexity">Balancing diversity and complexity</a></li> <li><a href="#diversification-critical">Why vendor diversification is critical</a></li> <li><a href="#key-strategies">Key strategies for implementation</a></li> <li><a href="#learn-more">Learn more</a></li> </ul></section></div> <section><h2 class="text-info" id="vendor-diverse">Vendor diversification</h2> <p>Vendor diversification refers to the strategy of engaging a wide range of vendors and complementary solutions. The goal of this strategy is to mitigate risks associated with over-dependence on a single supplier or technology stack. This approach, also known as supplier diversity, requires organizations to:</p> <ul><li>evaluate solution strengths and weaknesses</li> <li>assess vendor confidence risks</li> <li>determine the criticality to business functions (for example, single point of failure (SPOF) or criticality path analysis)</li> <li>identify critical functions exposed to high-risk vendors</li> <li>implement measures to mitigate associated risks</li> </ul><p>In this context, a high-risk vendor includes any vendor or service provider assessed as posing a significant risk to your organization. A high-risk vendor compromise will impact the security of your organization’s information systems and your critical business functions.</p> <p>The goal of vendor diversification is to develop resilient architectures and leverage procurement decisions to build a robust cyber security posture. 
This will help protect your organization against risks, including:</p> <ul><li>unexpected business failures</li> <li>geopolitical disruptions</li> <li>vendor lock-in</li> <li>blind spots in threat detection tools</li> </ul><p>Another benefit of diversifying your vendors is that your organization will have access to a broader range of offerings, each aligned with a vendor’s strengths, while also gaining an additional layer of protection against single-ecosystem vulnerabilities.</p> </section><section><h2 class="text-info" id="diversity-complexity">Balancing diversity and complexity</h2> <p>Although diversification is vital for developing resilient architectures, managing multiple vendors, contracts, network infrastructure and operation teams can become more challenging. Handling numerous products and relationships can also introduce interoperability challenges. If diversification is not carefully implemented and managed, it can lead to operational inefficiencies and higher costs.</p> <p>Therefore, we recommend an approach that continuously assesses design outcomes against mission objectives. 
The goal is to build and operate a secure, resilient and robust architecture while avoiding risks associated with an unmanageable collection of disparate enterprise security solutions.</p> </section><section><h2 class="text-info" id="diversification-critical">Why vendor diversification is critical</h2> <p>Vendor diversification is important because it:</p> <ul><li>avoids <abbr title="single point of failure">SPOF</abbr> <ul><li>particularly when reliance on a single vendor or single technology stack would introduce a <abbr title="single point of failure">SPOF</abbr></li> <li>if a single-sourced solution supports several mission-critical assets, a vulnerability or compromise within that system can have significant repercussions and cascade across your organization’s environment</li> <li>diversification, together with defence-in-depth and heterogeneity, can help mitigate associated risks</li> </ul></li> <li>prevents many automated attacks <ul><li>ransomware-as-a-service and other scripted or automated attack types exploit a limited, specified set of vulnerabilities</li> <li>finding vulnerabilities across multiple technology stacks and embedding them as contingencies in automated malware can present too high an investment for numerous lower-level threat actors</li> </ul></li> <li>reduces vendor lock-in <ul><li>you may have less leverage in negotiations with vendors if you rely excessively on a single provider</li> <li>diversification allows you to select the best-of-breed solutions for specific security layers and provides the flexibility to switch providers if needed</li> </ul></li> <li>provides specialized, enhanced capabilities <ul><li>different vendors have unique areas of specialization and technical capabilities</li> <li>by using a diverse set of vendors, your organization can benefit from a wider range of specialized capabilities, which can mitigate against a broader spectrum of threats</li> <li>by using different vendor solutions, your organization can take 
advantage of differences in threat update cycles to respond and defend against zero‑day or emerging threats (for example, your boundary protection defence solution (firewall or intrusion prevention system) may deliver a faster turnaround on threat updates to address a zero-day vulnerability than your endpoint antivirus or endpoint threat prevention solution vendor)</li> </ul></li> <li>increases ecosystem resilience against attacks <ul><li>a diverse vendor ecosystem introduces an additional layer of unpredictability that makes it more difficult for threat actors to target your environment</li> <li>diversified enterprise management activities may introduce additional overhead, but they can serve as a layer of defence for improving network redundancy and strengthening cyber threat detection capabilities</li> </ul></li> <li>enhances opportunities for threat detection <ul><li>diversification not only increases the work factor for threat actors to discover an organization’s assets, but it also increases the likelihood that the attacker will require additional techniques to achieve their objectives. 
This can be very effective against lower-level actors who may have limited flexibility, while meaningfully slowing down sophisticated attackers and providing more time for detection</li> </ul></li> </ul></section><section><h2 class="text-info" id="key-strategies">Key strategies for implementation</h2> <p>This section offers key strategies to implement vendor diversification in your organization.</p> <h3>Determine criticality and security categorization of assets</h3> <p>Before considering diversification strategies, your organization will need to conduct a security categorization to identify critical functions or assets based on their impact or degree of injury to business-critical objectives. This will help you focus your protection and mitigation measures on components that could lead to mission failure if compromised. Some critical components or services may not be easily discoverable using typical network discovery mechanisms; additional considerations may be required to identify and support them.</p> <h3>Identify disaggregation requirements</h3> <p>Some organizations may be subject to a greater degree of injury when their assets are consolidated or aggregated. Implementing disaggregation strategies can reduce the risk exposure. Disaggregation may follow natural boundaries, including a geographically dispersed operation, a decentralized chain of command or sub-divisional independence (such as a combat unit), or disaggregation of data and intellectual property generated by teams. These boundaries can form a core component of your vendor or technology diversification program.</p> <h3>Implement a vendor risk assessment program</h3> <p>Your organization should implement a continuous vendor risk management program. 
This will help you identify, assess and monitor critical operational dependencies on your vendors and their third-party relationships. You should also identify higher-risk vendors and related services for additional mitigations. Organizations can also consider requesting a detailed software bill of materials (SBOM) to track and monitor risk dependencies across software applications running in their environment.</p> <h3>Map current vendors to critical functions</h3> <p>Identify all vendors and contractors that support critical functions. Categorize them based on the criticality of their service and the level of access to your operations. This will reveal areas of vendor over-dependence that may need to be diversified.</p> <h3>Design and implement a multi-vendor strategy</h3> <p>Strategically design or redesign system architectures, keeping diversity in mind and avoiding over-dependence on a single solution architecture. Incorporate versatile design architectures that can easily adapt to different threats and are supported by a diversified supplier base. 
Scenarios or examples where diversification may be required include:</p> <ul><li> <p><strong>boundary protection</strong>: incorporating diversity across devices that mediate or authorize network flows across internal and external networks</p> <ul><li>examples include routers, network firewalls, web application firewalls, intrusion detection and prevention systems and web service protections</li> <li>consider solutions from a variety of vendors that offer detection capabilities across different domains (software, hardware and firmware) and content types (for example, data, files, messages, packet inspection and protocol flow analysis)</li> </ul></li> <li><strong>endpoint device security:</strong> ensuring security protections on endpoint devices provides diverse protection capabilities against malicious code and system‑based attacks <ul><li>solution components include antivirus software, endpoint detection and response solutions, data loss prevention and others</li> <li>implement diverse capabilities (for example, heuristic and static detection of malware or malicious code) across multiple layers of the system including <ul><li>the hardware platform</li> <li>operating system (OS) boot loaders</li> <li>core <abbr title="operating system">OS</abbr></li> <li>hypervisors</li> <li>the applications layer</li> </ul></li> </ul></li> <li><strong>data centre infrastructure diversity:</strong> ensuring data centre services and dependencies are diverse and contractually independent to mitigate against underlying service convergence risks <ul><li>ensure risks associated with the primary power source, back-up power, cooling, water supply, communication infrastructures and contractual oversight are sufficiently isolated</li> <li>additionally, use at least 2 independent Internet service providers that offer independent circuit loops with isolated backbone infrastructure</li> </ul></li> </ul><h3>Consider open standards and interoperability</h3> <p>To manage a 
multi-vendor environment efficiently, where possible, design systems that are vendor-agnostic and based on open standards to facilitate interoperability. Supplement commercial tools with solutions based on independent or open-source standards for greater visibility and resilience. Evaluate alternative solutions based on the ability to provide multiple delivery paths, access to source code and data portability, among other considerations.</p> <h3>Incorporate diversity into operational resiliency and contingency plans</h3> <p>Adopt a strategy that incorporates diversity into your cyber redundancy and recovery architectures. Identify alternate or contingency plans for the most critical security controls. Failover and recovery protocols should identify critical vendors and alternates. Diversification efforts must integrate with resilience planning activities to ensure unplanned new risks do not emerge.</p> </section><section><h2 class="text-info" id="learn-more">Learn more</h2> <ul><li><a href="/en/guidance/cyber-supply-chain-approach-assessing-risk-itsap10070">Cyber supply chain: An approach to assessing risk (ITSAP.10.070)</a></li> <li><a href="/en/guidance/cyber-supply-chain-security-small-medium-sized-organizations-itsap00070">Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070)</a></li> <li><a href="/en/guidance/protecting-your-organization-software-supply-chain-threats-itsm10071">Protecting your organization from software supply chain threats (ITSM.10.071)</a></li> <li><a href="/en/guidance/cyber-threat-supply-chains">The cyber threat from supply chains</a></li> <li><a href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Cross-Sector Cyber Security Readiness Goals Toolkit</a></li> <li><a href="/en/guidance/annex-3a-security-control-catalogue-itsg-33">IT security risk management: A lifecycle approach (ITSG-33) Annex 3A – Security control catalogue</a></li> <li><a 
href="/en/guidance/guidance-security-categorization-cloud-based-services-itsp50103">Guidance on the security categorization of cloud-based services (ITSP.50.103)</a></li> </ul></section></div> </div> </div> </div> </div> </article>

  • Cyber security considerations for passkeys (ITSAP.30.033)
    by Canadian Centre for Cyber Security on April 21, 2026 at 6:12 pm

    While passkeys provide a strong and phishing-resistant authentication mechanism, there are several security considerations that your organization should be aware of.

  • Assessing security requirements for specified information (ITSP.10.171-01)
    by Canadian Centre for Cyber Security on April 20, 2026 at 6:44 pm

    <article data-history-node-id="7581" about="/en/guidance/assessing-security-requirements-specified-information-itsp10171-01" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2026</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Practitioner series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSP.10.171-01</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <h2 class="text-info">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). 
For more information or to suggest amendments, contact the Cyber Centre:</p> <ul><li>by email: <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a></li> <li>by phone: <a href="tel:+16139497048">(613) 949-7048</a> or <span class="nowrap"><a href="tel:+18332923788">1-833-CYBER-88</a></span></li> </ul><h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 20, 2026.</p> <h2 class="text-info">Revision history</h2> <ol><li><strong>First release:</strong> April 20, 2026</li> </ol><section><h2 class="text-info">Overview</h2> <p>This publication is a Canadian version of the National Institute of Standards and Technology <a href="https://csrc.nist.gov/pubs/sp/800/171/a/r3/final">SP 800-171A Rev. 3 Assessing Security Requirements for Controlled Unclassified Information</a>. This publication provides a comprehensive set of procedures to assess security requirements. It serves as a complementary guideline to <a href="https://www.cyber.gc.ca/en/guidance/protecting-specified-information-non-government-canada-systems-and-organizations-itsp10171">Protecting specified information in non-Government of Canada systems and organizations (ITSP.10.171)</a>.</p> <p>Protecting specified information is of paramount importance to Government of Canada (GC) departments and agencies. It can directly impact the <abbr title="Government of Canada">GC</abbr>’s ability to successfully conduct its essential missions and functions. This publication provides <abbr title="Government of Canada">GC</abbr> departments and agencies with recommended security requirements assessment procedures for ensuring the protection of the confidentiality of specified information when it resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. 
These assessment procedures apply to the security requirements specified by <abbr title="Government of Canada">GC</abbr> departments and agencies in contractual vehicles or other agreements established between those departments and agencies and non-<abbr title="Government of Canada">GC</abbr> organizations. The assessment procedures can be used by organizations to generate evidence that the security requirements specified in contracts or agreements have been satisfied.</p> <h2 class="text-info">Acknowledgments</h2> <p>The Cyber Centre wishes to acknowledge and thank Dr. Ron Ross and Victoria Pillitteri from the Computer Security Division at <abbr title="National Institute of Standards and Technology">NIST</abbr> for allowing the Cyber Security Guidance (CSG) team to use their guidance and modify it to the Canadian context.</p> </section><section><h2 class="text-info">Table of contents</h2> <ul class="list-unstyled lst-spcd"><li><a href="#1">1 Introduction</a> <ul class="lst-none"><li><a href="#1.1">1.1 Purpose</a></li> <li><a href="#1.2">1.2 Audience</a></li> <li><a href="#1.3">1.3 Publication organization</a></li> </ul></li> <li><a href="#2">2 Fundamentals</a> <ul class="lst-none"><li><a href="#2.1">2.1 Assessment procedures</a></li> <li><a href="#2.2">2.2 Assurance cases</a></li> </ul></li> <li><a href="#3">3 Procedures</a> <ul class="lst-none"><li><a href="#3.1">3.1 Access control</a></li> <li><a href="#3.2">3.2 Awareness and training</a></li> <li><a href="#3.3">3.3 Audit and accountability</a></li> <li><a href="#3.4">3.4 Configuration management</a></li> <li><a href="#3.5">3.5 Identification and authentication</a></li> <li><a href="#3.6">3.6 Incident response</a></li> <li><a href="#3.7">3.7 Maintenance</a></li> <li><a href="#3.8">3.8 Media protection</a></li> <li><a href="#3.9">3.9 Personnel security</a></li> <li><a href="#3.10">3.10 Physical protection</a></li> <li><a href="#3.11">3.11 Risk assessment</a></li> <li><a href="#3.12">3.12 Security assessment and 
monitoring</a></li> <li><a href="#3.13">3.13 System and communications protection</a></li> <li><a href="#3.14">3.14 System and information integrity</a></li> <li><a href="#3.15">3.15 Planning</a></li> <li><a href="#3.16">3.16 System and services acquisition</a></li> <li><a href="#3.17">3.17 Supply chain risk management</a></li> </ul></li> <li><a href="#AA">Annex A Organization-defined parameters</a></li> </ul></section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>This publication is the Canadian version of <a href="https://csrc.nist.gov/pubs/sp/800/171/a/r3/final">NIST SP 800-171A Rev. 3 Assessing Security Requirements for Controlled Unclassified Information</a>. There are no substantial technical changes between the Canadian publication and NIST SP 800-171A Rev. 3. The primary modifications arise from differences in laws, policies, directives, standards and guidelines. 
In other words, the changes reflect the distinct Canadian regulatory and compliance landscape; there are no changes to the underlying technical context.</p> <p>The security assessment process gathers information and produces evidence to determine the effectiveness of security requirements by:</p> <ul><li>identifying potential problems or shortfalls in security and risk management programs</li> <li>identifying security weaknesses and deficiencies in systems and the environments in which those systems operate</li> <li>prioritizing risk mitigation decisions and activities</li> <li>confirming that identified security weaknesses and deficiencies in the system and environment of operation have been addressed</li> <li>supporting continuous monitoring activities and providing information security situational awareness</li> </ul><h3 id="1.1">1.1 Purpose</h3> <p>This publication provides a comprehensive set of procedures for assessing the effectiveness of security requirements for protecting the confidentiality of specified information when this information resides in non-<abbr title="Government of Canada">GC</abbr> systems and organizations. 
The guidelines apply to the security requirements defined in <a href="https://www.cyber.gc.ca/en/guidance/protecting-specified-information-non-government-canada-systems-and-organizations-itsp10171">Protecting specified information in non-Government of Canada systems and organizations (ITSP.10.171)</a>.</p> <p>The overarching objective of the assessment is to ensure that the security controls are implemented with sufficient robustness and coverage to mitigate the threat actors that have been identified.</p> <h3 id="1.2">1.2 Audience</h3> <p>This publication is intended for individuals and organizations in the public and private sectors, including those with:</p> <ul><li>system development lifecycle responsibilities, for example <ul><li>program managers</li> <li>mission/business owners</li> <li>information custodians</li> <li>system designers and developers</li> <li>system/security engineers</li> <li>system integrators</li> </ul></li> <li>acquisition or procurement responsibilities, for example, contracting officers</li> <li>system, security, privacy or risk management and oversight responsibilities, for example <ul><li>authorizing officials</li> <li>chief information officers</li> <li>chief information security officers</li> <li>chief privacy officers</li> <li>system owners</li> <li>information security managers</li> </ul></li> <li>security or privacy assessment and monitoring responsibilities, for example <ul><li>auditors</li> <li>system evaluators</li> <li>assessors</li> <li>independent verifiers/validators</li> <li>analysts</li> </ul></li> </ul><p>The above roles and responsibilities can be viewed from 2 perspectives:</p> <ul><li><abbr title="Government of Canada">GC</abbr> perspective: the entity establishing and conveying security assessment requirements in contractual vehicles or other types of agreements</li> <li>non-<abbr title="Government of Canada">GC</abbr> perspective: the entity responding to and complying with the security assessment 
requirements set forth in contracts or agreements</li> </ul><h3 id="1.3">1.3 Publication organization</h3> <p>The remainder of this publication is organized as follows:</p> <ul><li><a href="#2">Section 2: Fundamentals</a> describes the fundamental concepts associated with assessments of security requirements, including assessment procedures, methods, objects, and assurance cases that can be created using the evidence produced during assessments</li> <li><a href="#3">Section 3: Procedures</a> provides assessment procedures for the security requirements in <a href="https://www.cyber.gc.ca/en/guidance/protecting-specified-information-non-government-canada-systems-and-organizations-itsp10171">Protecting specified information in non-Government of Canada systems and organizations (ITSP.10.171)</a>, including assessment objectives and potential assessment methods and objects for each procedure</li> <li><a href="#AA">Annex A: Organization-defined parameters</a> provides additional information to support the protection of specified information</li> </ul></section><section><h2 class="text-info" id="2">2 Fundamentals</h2> <p>The process used by organizations and assessors to assess the security requirements in ITSP.10.171 includes the following steps:</p> <ol><li>Preparing for the assessment</li> <li>Developing a security and privacy assessment plan</li> <li>Conducting the assessment</li> <li>Documenting, analyzing and reporting the assessment results</li> </ol><p>Assessment of security and privacy controls and assurance activities (ITSP.10.033-02) provides additional information on the assessment process and the individual steps listed above.</p> <p>This section describes the structure and content of the 
assessment procedures and the importance of assurance cases in providing the evidence necessary to determine compliance with the requirements.</p> <h3 id="2.1">2.1 Assessment procedures</h3> <p>ITSP.10.171 security requirements represent a subset of the controls that are necessary to protect the confidentiality of specified information. The security requirements are organized into 17 families. Each family contains the requirements related to its general security topic. The assessment procedures in <a href="#3">Section 3</a> are grouped by similar family designations to ensure the completeness and consistency of assessments. The procedures have been derived from the assessment procedures in ITSP.10.033-02.</p> <p>The following are the security requirements families:</p> <ul><li>Access control</li> <li>Awareness and training</li> <li>Audit and accountability</li> <li>Configuration management</li> <li>Identification and authentication</li> <li>Incident response</li> <li>Maintenance</li> <li>Media protection</li> <li>Personnel security</li> <li>Physical protection</li> <li>Risk assessment</li> <li>Security assessment and monitoring</li> <li>System and communications protection</li> <li>System and information integrity</li> <li>Planning</li> <li>System and services acquisition</li> <li>Supply chain risk management</li> </ul><p>An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and objects. The assessment procedures in <a href="#3">Section 3</a> have been derived from the assessment procedures in ITSP.10.033-02. 
Security requirement assessments comprise several key elements:</p> <ul><li><strong>Assessment objects</strong> identify the specific items being assessed as part of a given control or activity and include specifications, mechanisms, procedures and individuals</li> <li><strong>Specifications</strong> are the document-based artifacts associated with a system-specific or common control or activity. These artifacts include <ul><li>policies</li> <li>procedures</li> <li>plans</li> <li>system security and privacy requirements</li> <li>functional specifications</li> <li>architectural designs</li> </ul></li> <li><strong>Mechanisms</strong> are the specific hardware, software or firmware, including physical protection devices, that comprise safeguards and countermeasures employed within a system or common control or activity</li> <li><strong>Procedures</strong> are the specific protection-related actions supporting a system or common control or activity that involve people, for example <ul><li>conducting system backup operations</li> <li>monitoring network traffic</li> <li>exercising a contingency plan</li> </ul></li> <li><strong>Assessment methods</strong> define the nature of the assessor’s actions and include the following <ul><li><strong>Examine:</strong> the process of reviewing, inspecting, observing, studying or analyzing 1 or more assessment objects (that is, specifications, mechanisms or procedures) to facilitate assessor understanding, achieve clarification, or obtain evidence</li> <li><strong>Interview:</strong> the process of holding discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence</li> <li><strong>Test:</strong> the process of exercising 1 or more assessment objects (that is, procedures or mechanisms) under specified conditions to compare the actual state of the object to the desired state or expected behaviour of the object</li> </ul></li> <li>Assessment 
methods have a set of associated <strong>attributes</strong> (scope and depth) that help define the level of effort for the assessment. The attributes are hierarchical, providing the means to define the scope, depth and rigour of the assessment for the increased assurances that may be needed for some systems <ul><li>The depth attribute addresses the rigour of and level of detail in the assessment efforts</li> <li>The scope attribute addresses the breadth of the assessment efforts, including the number and types of specifications, mechanisms and procedures to be examined or tested, and individuals to be interviewed</li> </ul></li> <li>The <strong>level of effort</strong> for the assessment is primarily determined by the privacy risk assessment or security categorization of the system or common control or activity being assessed, as described in Organizational cyber security and privacy risk management activities (ITSP.10.036). The values for these attributes range from security assurance level (SAL) 1 to SAL 5 (the <abbr title="security assurance levels">SALs</abbr> are defined in System lifecycle cyber security and privacy risk management activities (ITSP.10.037))</li> <li>The appropriate attribute values for a particular assessment method are based on the assurance requirements specified by the organization and are an important component of protecting information commensurate with risk, a practice known as <strong>risk management</strong></li> </ul><div class="panel panel-default"> <div class="panel-body"> <h3 class="text-center" id="fig1">Figure 1: Structure and content of an assessment procedure</h3> <h4>03.01.06 Least privilege – privileged accounts<span class="label label-info">Security requirement name</span></h4> <p><strong><abbr title="organization-defined parameter">ODP</abbr>:</strong><span class="label label-info"><abbr title="organization-defined parameter">ODP</abbr> for security requirement</span></p> <p><strong>A.03.01.06.ODP:</strong> personnel or roles to 
which privileged accounts on the system are to be restricted are defined</p> <p><strong>Determine if:</strong> <span class="label label-info">Multi-part determination statement</span></p> <p><strong>A.03.01.06.A:</strong> privileged accounts on the system are restricted to <strong>&lt;A.03.01.06.ODP: personnel or roles&gt;</strong></p> <p><strong>A.03.01.06.B:</strong> users (or roles) with privileged accounts are required to use non-privileged accounts when accessing non-security functions or non-security information</p> <p><strong>A.03.01.06.C:</strong> administrative or superuser actions are required to be performed from a physical workstation which is dedicated to those specific tasks and isolated from all other functions and networks</p> <p><strong>Potential assessment methods and objects:</strong></p> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for least privilege; list of system-generated privileged accounts; list of system administration personnel; system audit records; system configuration settings; system security plan; list of system-generated security functions or security-relevant information assigned to system accounts or roles; system management architecture documentation; dedicated administration workstation (DAW) configuration settings; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for defining least privileges; personnel with information security responsibilities; personnel with systems security engineering responsibilities; security architects; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing least privilege functions; penetration testing on the DAW]</p> <p><strong>References:</strong></p> <p>Source assessment procedures: AC-06(02), AC-06(05), SI-400</p> </div> <details><summary>Long description: Figure 1 – Structure and content of an assessment 
procedure</summary><p>Figure 1 presents a screenshot of the security requirement 03.01.06 Least privilege – privileged accounts. The figure is intended to illustrate the structure and key components of a security requirement as it appears in the publication. Three annotated boxes are used to highlight specific elements of the requirement. The first box appears next to the header of the requirement and identifies the name of the security requirement. The second box is positioned next to the text “<abbr title="organization-defined parameter">ODP</abbr>:” and indicates that the text immediately below contains the organization-defined parameters (ODPs) associated with the requirement. The third box contains the text “Multi-part determination statement” and is placed next to the phrase “Determine if:”. The text that follows lists the set of actions or conditions that must be satisfied in order for the requirement to be considered implemented.</p> </details></div> <p>The structure and content of assessment procedures include the following elements in Figure 1:</p> <ul><li><strong>Determination statements</strong> have alphanumeric identifiers. Each determination statement begins with the letter “A” to indicate that it is part of an assessment procedure. They often present as “multi-part determination statements” as they have more than one action to take.</li> <li>The next <strong>sequence of numbers or letters</strong> (for example, 03.01.01.E or 03.01.01.F.02) indicates the security requirement name or identifier from ITSP.10.171 (and the specific control item if it is a multi-part requirement) that is the target of the assessment.</li> <li><strong>Organization-defined parameters (ODP)</strong> for the security requirement are indicated by the letters “<abbr title="organization-defined parameter">ODP</abbr>”. 
If there are multiple <abbr title="organization-defined parameters">ODPs</abbr> in the determination statement, the ODP number is indicated in a square bracket (for example, A.03.01.08.ODP[01])</li> <li><strong>Square brackets</strong> are also used to denote when an assessment procedure further decomposes a requirement into more granular determination statements (for example, A.03.01.12.A[01], A.03.01.12.A[02], A.03.01.12.A[03])</li> <li>Applying an assessment procedure to a security requirement produces assessment results or <strong>findings</strong>. Findings are compiled and used as evidence to determine whether the security requirement has been satisfied or other than satisfied. <ul><li>A finding of <strong>satisfied</strong> indicates that the assessment objective has been met, producing a fully acceptable result</li> <li>A finding <strong>other than satisfied</strong> indicates that there are potential anomalies that may need to be addressed by the organization. A finding other than satisfied may also indicate that the assessor was unable to obtain sufficient information to make the determination called for in the determination statement</li> </ul></li> </ul><h3 id="2.2">2.2 Assurance cases</h3> <p>Building an effective assurance case for control effectiveness and quality of activity execution is a process that involves compiling evidence from various assurance procedures conducted during the system lifecycle. 
The evidence comes from the implementation of the security and privacy controls and activities in the system and inherited by the system (common controls) and from the assessment of that implementation.</p> <p>Assurance activities can be performed at 2 different levels:</p> <ul><li>they can be related to a specific control, in support of a specific product or security mechanism</li> <li>they can support the system as a whole to assess its development and the integration of the controls in the system</li> </ul><p>Assurance activities that support system development are intended to improve the design, architecture, and engineering outcomes. The assurance activities that were labelled as “activities” in the <a href="/en/guidance/cyber-security-privacy-risk-management/itsp10033">Security and privacy controls and assurance activities catalogue (ITSP.10.033)</a> function as such.</p> <p>Assessing a control or an activity constitutes an assurance procedure. When evaluating an assurance activity, as defined in ITSP.10.033, the focus is on assessing the quality of its execution. This process is described in detail in ITSP.10.037.</p> <p>Together, strength and assurance define the requirements that must be met in the implementation of a control to satisfy the control’s security or privacy objective.</p> <p>The security or privacy <strong>strength</strong> is related to the implemented control’s potential ability to protect the confidentiality, integrity or availability of assets. As the strength increases, so does the effort or cost required by the threat actor to defeat the implemented control.</p> <p>The protective potential of a control can be fulfilled only when it is implemented with adequate assurance.</p> <p><strong>Assurance</strong> consists of confidence-building tasks aimed at ensuring that a control is designed and implemented correctly and is operating as intended, or that an assurance activity is properly executed. 
Assurance also includes tasks that ensure that all controls in system design, implementation and operation satisfy the business needs for security and privacy.</p> <p>Assurance is provided through tasks completed by system developers, implementers, operators, maintainers, and security and privacy assessors. Assurance is increased through additional efforts in the scope and depth of these tasks by contributing to the efficacy of the evidence and measures of confidence. Rigour and depth usually follow the same trajectory: when one is increased, the other should also be increased.</p> <p><strong>Robustness</strong> is a characterization of the strength and assurance of a security or privacy control. The strength is related to the control’s potential ability to protect the confidentiality, integrity or availability of assets. Assurance activities, as outlined in the catalogue, are assigned an assurance level only, not a robustness level.</p> <p>A control incorporates a strength element when it mitigates a specific tradecraft. Since assurance activities do not directly counter tradecraft, the concept of strength is not applicable. The assurance of a control is related to the confidence that the control is designed and implemented correctly, is operating as intended, and is achieving the intended results in fulfilling the system and organizational security and privacy requirements.</p> <p>For example, a security control can be conceptually strong (like an <abbr title="multi-factor authentication">MFA</abbr> mechanism) but come with no assurance (where there is no evidence like a security review or vulnerability testing to demonstrate the quality of its implementation). 
In this case it will have a lower effective robustness than a similar system that has higher assurance (like when a mechanism has been validated by undergoing rigorous testing and validation to confirm its security).</p> <p>Controls that protect more sensitive or critical assets, or that are exposed to more significant threats will generally require stronger security or privacy solutions, more assurance in their implementation, and higher levels of robustness.</p> <p>The robustness model defines a hierarchy of robustness levels that are based on expected injury and threat levels. ITSP.10.037 and <a href="/en/guidance/calculating-robustness-boundary-controls-itsp80032">Calculating robustness for boundary controls (ITSP.80.032)</a> provide more information on the robustness model.</p> <p>The coverage assessment of a control answers the following questions:</p> <ul><li>Does the control adequately safeguard the desired assets or other related controls that it supports?</li> <li>Is the control properly applied throughout the system?</li> </ul><p>For example, if an organization has a perimeter and builds a fence (control) to secure only three-quarters of the perimeter, leaving one-quarter unprotected, the security provided by the fence is incomplete. The unprotected quarter undermines the effectiveness of the secured sections, rendering the overall perimeter vulnerable.</p> <p>An assessment must consider more than just the presence of a control. While the response to a question about whether a control exists is “yes, there is a fence,” the critical question is, “does the control provide appropriate coverage?” In this case, the answer is no, as the coverage is insufficient. 
This illustrates the importance of evaluating the adequacy and effectiveness of the control’s implementation.</p> </section><section><h2 class="text-info" id="3">3 Procedures</h2> <p>This section provides assessment procedures for the security requirements defined in ITSP.10.171. Organizations that conduct security requirement assessments can develop their security assessment plans by using the information provided in the assessment procedures and selecting the specific assessment methods and objects that meet the organization’s needs. Organizations also have flexibility in defining the level of rigour and detail associated with the assessment based on the assurance requirements of the organization.</p> <section><h3 id="3.1">3.1 Access control</h3> <p>The controls in the Access control family support the ability to permit or deny user access to resources within the system.</p> <details><summary><h4>03.01.01 Account management</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.01.01.odp-01"><strong>A.03.01.01.ODP[01]:</strong> the time period for account inactivity before disabling is defined</li> <li id="a.03.01.01.odp-02"><strong>A.03.01.01.ODP[02]:</strong> the time period within which to notify account managers and designated personnel or roles when accounts are no longer required is defined</li> <li id="a.03.01.01.odp-03"><strong>A.03.01.01.ODP[03]:</strong> the time period within which to notify account managers and designated personnel or roles when users are terminated or transferred is defined</li> <li id="a.03.01.01.odp-04"><strong>A.03.01.01.ODP[04]:</strong> the time period within which to notify account managers 
and designated personnel or roles when system usage or the need-to-know changes for an individual is defined</li> <li id="a.03.01.01.odp-05"><strong>A.03.01.01.ODP[05]:</strong> the time period of expected inactivity requiring users to log out of the system is defined</li> <li id="a.03.01.01.odp-06"><strong>A.03.01.01.ODP[06]:</strong> circumstances requiring users to log out of the system are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.01.A[01]:</strong> system account types allowed are defined</li> <li><strong>A.03.01.01.A[02]:</strong> system account types prohibited are defined</li> <li><strong>A.03.01.01.B[01]:</strong> system accounts are created in accordance with organizational policy, procedures, prerequisites, and criteria</li> <li><strong>A.03.01.01.B[02]:</strong> system accounts are enabled in accordance with organizational policy, procedures, prerequisites, and criteria</li> <li><strong>A.03.01.01.B[03]:</strong> system accounts are modified in accordance with organizational policy, procedures, prerequisites, and criteria</li> <li><strong>A.03.01.01.B[04]:</strong> system accounts are disabled in accordance with organizational policy, procedures, prerequisites, and criteria</li> <li><strong>A.03.01.01.B[05]:</strong> system accounts are removed in accordance with organizational policy, procedures, prerequisites, and criteria</li> <li><strong>A.03.01.01.C.01:</strong> authorized users of the system are specified</li> <li><strong>A.03.01.01.C.02:</strong> group and role memberships are specified</li> <li><strong>A.03.01.01.C.03:</strong> access authorizations (for example, privileges) for each account are specified</li> <li><strong>A.03.01.01.D.01:</strong> access to the system is authorized based on a valid access authorization</li> <li><strong>A.03.01.01.D.02:</strong> access to the system is authorized based on intended system usage</li> <li><strong>A.03.01.01.E:</strong> the use of system accounts 
is monitored</li> <li><strong>A.03.01.01.F.01:</strong> system accounts are disabled when the accounts have expired</li> <li><strong>A.03.01.01.F.02:</strong> system accounts are disabled when the accounts have been inactive for <strong>&lt;A.03.01.01.ODP[01]: time period&gt;</strong></li> <li><strong>A.03.01.01.F.03:</strong> system accounts are disabled when the accounts are no longer associated with a user or individual</li> <li><strong>A.03.01.01.F.04:</strong> system accounts are disabled when the accounts violate organizational policy</li> <li><strong>A.03.01.01.F.05:</strong> system accounts are disabled when significant risks associated with individuals are discovered</li> <li><strong>A.03.01.01.G.01:</strong> account managers and designated personnel or roles are notified within <strong>&lt;A.03.01.01.ODP[02]: time period&gt;</strong> when accounts are no longer required</li> <li><strong>A.03.01.01.G.02:</strong> account managers and designated personnel or roles are notified within <strong>&lt;A.03.01.01.ODP[03]: time period&gt;</strong> when users are terminated or transferred</li> <li><strong>A.03.01.01.G.03:</strong> account managers and designated personnel or roles are notified within <strong>&lt;A.03.01.01.ODP[04]: time period&gt;</strong> when system usage or the need-to-know changes for an individual</li> <li><strong>A.03.01.01.H:</strong> users are required to log out of the system after <strong>&lt;A.03.01.01.ODP[05]: time period&gt;</strong> of expected inactivity or when the following circumstances occur: <strong>&lt;A.03.01.01.ODP[06]: circumstances&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; personnel termination or transfer policies and procedures; procedures for account management; list of active system accounts and the name of the individual associated with each account; system design documentation; list of conditions for 
group and role membership; system configuration settings; notifications of recent transfers, separations, or terminations of employees; list of recently disabled system accounts and the name of the individual associated with each account; list of user activities that pose significant organizational risks; access authorization records; account management compliance reviews; system monitoring and audit records; system security plan; privacy plan; system-generated list of accounts removed; system-generated list of emergency accounts disabled; system-generated list of disabled accounts; other relevant documents and records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with account management responsibilities; system administrators; personnel with information security and privacy responsibilities; system developers]</p> <p><strong>Test</strong></p> <p>[Select from: processes for account management on the system; mechanisms for implementing account management]</p> <h5>References</h5> <p>Source assessment procedures: AC-02, AC-02(03), AC-02(05), AC-02(13)</p> </details><details><summary><h4>03.01.02 Access enforcement</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.02[01]:</strong> approved authorizations for logical access to specified information are enforced in accordance with applicable access control policies</li> <li><strong>A.03.01.02[02]:</strong> approved authorizations for logical access to system resources are enforced in accordance with applicable access control policies</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for access enforcement; system design documentation; system configuration settings; list of approved authorizations (for example, user privileges); system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> 
<p>[Select from: personnel with access enforcement responsibilities; system administrators; personnel with information security responsibilities; system developers]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing the access control policy]</p> <h5>References</h5> <p>Source assessment procedure: AC-03</p> </details><details><summary><h4>03.01.03 Information flow enforcement</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.03[01]:</strong> approved authorizations are enforced for controlling the flow of specified information within the system</li> <li><strong>A.03.01.03[02]:</strong> approved authorizations are enforced for controlling the flow of specified information between connected systems</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; information flow control policies; procedures for information flow enforcement; security architecture and design documentation; system configuration settings; system baseline configuration; system audit records; list of information flow authorizations; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: system administrators; personnel with security and privacy architecture responsibilities; personnel with information security and privacy responsibilities; system developers]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing the information flow enforcement policy]</p> <h5>References</h5> <p>Source assessment procedure: AC-04</p> </details><details><summary><h4>03.01.04 Separation of duties</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.04.A:</strong> duties of individuals requiring separation are identified</li> <li><strong>A.03.01.04.B:</strong> system access authorizations to support separation of duties are 
defined</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for the separation of duties and the division of responsibilities; system configuration settings; system audit records; system access authorizations; list of divisions of responsibility and separation of duties; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for defining the separation of duties and the division of responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing the separation of duties policy]</p> <h5>References</h5> <p>Source assessment procedure: AC-05</p> </details><details><summary><h4>03.01.05 Least privilege</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.01.05.odp-01"><strong>A.03.01.05.ODP[01]:</strong> security functions for authorized access are defined</li> <li id="a.03.01.05.odp-02"><strong>A.03.01.05.ODP[02]:</strong> security-relevant information for authorized access is defined</li> <li id="a.03.01.05.odp-03"><strong>A.03.01.05.ODP[03]:</strong> the frequency at which to review the privileges assigned to roles or classes of users is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.05.A:</strong> system access for users (or processes acting on behalf of users) is authorized only when necessary to accomplish assigned organizational tasks</li> <li><strong>A.03.01.05.B[01]:</strong> access to <strong>&lt;A.03.01.05.ODP[01]: security functions&gt;</strong> is authorized</li> <li><strong>A.03.01.05.B[02]:</strong> access to <strong>&lt;A.03.01.05.ODP[02]: security-relevant information&gt;</strong> is authorized</li> 
<li><strong>A.03.01.05.C:</strong> the privileges assigned to roles or classes of users are reviewed <strong>&lt;A.03.01.05.ODP[03]: frequency&gt;</strong> to validate the need for such privileges</li> <li><strong>A.03.01.05.D:</strong> privileges are reassigned or removed, as necessary</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for least privilege; list of assigned access authorizations (user privileges); system configuration settings; system audit records; list of security functions (implemented in hardware, software, and firmware); security-relevant information for which access must be explicitly authorized; list of system-generated roles or classes of users and assigned privileges; validation reviews of privileges assigned to roles or classes of users; records of privilege removals or reassignments for roles or classes of users; system security plan; system design documentation; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for defining least privilege; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing least privilege functions; mechanisms for implementing reviews of user privileges]</p> <h5>References</h5> <p>Source assessment procedures: AC-06, AC-06(01), AC-06(07), AU-09(04)</p> </details><details><summary><h4>03.01.06 Least privilege – privileged accounts</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.01.06.odp-01"><strong>A.03.01.06.ODP:</strong> personnel or roles to which privileged accounts on the system are to be restricted are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.06.A:</strong> privileged accounts on the system are 
restricted to <strong>&lt;A.03.01.06.ODP: personnel or roles&gt;</strong></li> <li><strong>A.03.01.06.B:</strong> users (or roles) with privileged accounts are required to use non-privileged accounts when accessing non-security functions or non-security information</li> <li><strong>A.03.01.06.C:</strong> administrative or superuser actions are required to be performed from a physical workstation which is dedicated to those specific tasks and isolated from all other functions and networks</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for least privilege; list of system-generated privileged accounts; list of system administration personnel; system audit records; system configuration settings; system security plan; list of system-generated security functions or security-relevant information assigned to system accounts or roles; system management architecture documentation; dedicated administration workstation (DAW) configuration settings; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for defining least privileges; personnel with information security responsibilities; personnel with systems security engineering responsibilities; security architects; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing least privilege functions; penetration testing on the <abbr title="dedicated administration workstation">DAW</abbr>]</p> <h5>References</h5> <p>Source assessment procedures: AC-06(02), AC-06(05), SI-400</p> </details><details><summary><h4>03.01.07 Least privilege – privileged functions</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.07.A:</strong> non-privileged users are prevented from executing privileged functions</li> <li><strong>A.03.01.07.B:</strong> the execution of privileged functions 
is logged</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for least privilege; system design documentation; system configuration settings; system audit records; list of audited events; list of privileged functions to be audited and associated user account assignments; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for reviewing least privilege; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for auditing the execution of least privilege functions; mechanisms for implementing least privilege functions for non-privileged users]</p> <h5>References</h5> <p>Source assessment procedures: AC-06(09), AC-06(10)</p> </details><details><summary><h4>03.01.08 Unsuccessful logon attempts</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.01.08.odp-01"><strong>A.03.01.08.ODP[01]:</strong> the number of consecutive invalid logon attempts by a user allowed during a time period is defined</li> <li id="a.03.01.08.odp-02"><strong>A.03.01.08.ODP[02]:</strong> the time period to which the number of consecutive invalid logon attempts by a user is limited is defined</li> <li id="a.03.01.08.odp-03"><strong>A.03.01.08.ODP[03]:</strong> 1 or more of the following parameter values are selected: {the account or node is locked automatically for <strong>&lt;A.03.01.08.ODP[04]: time period&gt;</strong>; the account or node is locked automatically until released by an administrator; the next logon prompt is delayed automatically; the system administrator is notified automatically; other action is taken automatically}</li> <li id="a.03.01.08.odp-04"><strong>A.03.01.08.ODP[04]:</strong> the time period for an 
account or node to be locked is defined (if selected)</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.08.A:</strong> a limit of <strong>&lt;A.03.01.08.ODP[01]: number&gt;</strong> consecutive invalid logon attempts by a user during <strong>&lt;A.03.01.08.ODP[02]: time period&gt;</strong> is enforced</li> <li><strong>A.03.01.08.B:</strong> <strong>&lt;A.03.01.08.ODP[03]: selected parameter values&gt;</strong> when the maximum number of unsuccessful attempts is exceeded</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for unsuccessful logon attempts; system design documentation; system audit records; system configuration settings; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing the access control policy for unsuccessful logon attempts]</p> <h5>References</h5> <p>Source assessment procedure: AC-07</p> </details><details><summary><h4>03.01.09 System use notification</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.09:</strong> a system use notification message with privacy and security notices consistent with applicable specified information rules is displayed before granting access to the system</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; privacy and security policies, procedures for system use notification; documented approval of system use notification messages; system audit records; user acknowledgements of system use notification messages; system design documentation; system configuration settings; system use notification messages; system 
security plan; privacy plan; privacy impact assessment (PIA); privacy assessment report; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security and privacy responsibilities; legal counsel; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing system use notifications]</p> <h5>References</h5> <p>Source assessment procedure: AC-08</p> </details><details><summary><h4>03.01.10 Device lock</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.01.10.odp-01"><strong>A.03.01.10.ODP[01]:</strong> 1 or more of the following parameter values are selected: {a device lock is initiated after <strong>&lt;A.03.01.10.ODP[02]: time period&gt;</strong> of inactivity; the user is required to initiate a device lock before leaving the system unattended}</li> <li id="a.03.01.10.odp-02"><strong>A.03.01.10.ODP[02]:</strong> the time period of inactivity after which a device lock is initiated is defined (if selected)</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.10.A:</strong> access to the system is prevented by <strong>&lt;A.03.01.10.ODP[01]: selected parameter values&gt;</strong></li> <li><strong>A.03.01.10.B:</strong> the device lock is retained until the user re-establishes access using established identification and authentication procedures</li> <li><strong>A.03.01.10.C:</strong> information previously visible on the display is concealed via device lock with a publicly viewable image</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for session lock and identification and authentication; system design documentation; system configuration settings; display screen with session lock activated; system security plan; other relevant 
documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing the access control policy for session lock; session lock mechanisms]</p> <h5>References</h5> <p>Source assessment procedures: AC-11, AC-11(01)</p> </details><details><summary><h4>03.01.11 Session termination</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.01.11.odp"><strong>A.03.01.11.ODP:</strong> conditions or trigger events that require session disconnect are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.11:</strong> a user session is terminated automatically after <strong>&lt;A.03.01.11.ODP: conditions or trigger events&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for session termination; system design documentation; system configuration settings; list of conditions or trigger events requiring session disconnect; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: automated mechanisms for implementing user session termination]</p> <h5>References</h5> <p>Source assessment procedure: AC-12</p> </details><details><summary><h4>03.01.12 Remote access</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.12.A[01]:</strong> types of allowable remote system access are defined</li> <li><strong>A.03.01.12.A[02]:</strong> usage restrictions are established for each type of allowable remote system access</li> 
<li><strong>A.03.01.12.A[03]:</strong> configuration requirements are established for each type of allowable remote system access</li> <li><strong>A.03.01.12.A[04]:</strong> connection requirements are established for each type of allowable remote system access</li> <li><strong>A.03.01.12.B:</strong> each type of remote system access is authorized prior to establishing such connections</li> <li><strong>A.03.01.12.C[01]:</strong> remote access to the system is routed through authorized access control points</li> <li><strong>A.03.01.12.C[02]:</strong> remote access to the system is routed through managed access control points</li> <li><strong>A.03.01.12.D[01]:</strong> remote execution of privileged commands is authorized</li> <li><strong>A.03.01.12.D[02]:</strong> remote access to security-relevant information is authorized</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for remote system access; remote system access configuration and connection requirements; configuration management plan; system configuration settings; remote access authorizations; system audit records; system design documentation; procedures for remote access to the system; system monitoring records; list of managed network access control points; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for managing remote access connections; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for monitoring and controlling remote access methods; mechanisms for routing remote accesses through managed access control points; remote access management capability for the system]</p> <h5>References</h5> <p>Source assessment procedures: AC-17, AC-17(03), AC-17(04)</p> </details><h4>03.01.13 Not allocated</h4> <p>Withdrawn by 
<abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.01.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.01.15 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.01.16 Wireless access</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.16.A[01]:</strong> each type of wireless access to the system is defined</li> <li><strong>A.03.01.16.A[02]:</strong> usage restrictions are established for each type of wireless access to the system</li> <li><strong>A.03.01.16.A[03]:</strong> configuration requirements are established for each type of wireless access to the system</li> <li><strong>A.03.01.16.A[04]:</strong> connection requirements are established for each type of wireless access to the system</li> <li><strong>A.03.01.16.B:</strong> each type of wireless access to the system is authorized prior to establishing such connections</li> <li><strong>A.03.01.16.C:</strong> wireless networking capabilities not intended for use are disabled prior to issuance and deployment</li> <li><strong>A.03.01.16.D[01]:</strong> wireless access to the system is protected using authentication</li> <li><strong>A.03.01.16.D[02]:</strong> wireless access to the system is protected using encryption</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for wireless system access; wireless system access configuration and connection requirements; configuration management plan; system configuration settings; wireless access authorizations; system audit records; system design documentation; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for managing wireless access 
connections; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: wireless access management capability for the system; mechanisms for implementing wireless access protections to the system; mechanisms for managing the disabling of wireless networking capabilities]</p> <h5>References</h5> <p>Source assessment procedures: AC-18, AC-18(01), AC-18(03)</p> </details><h4>03.01.17 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.01.18 Access control for mobile devices</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.18.A[01]:</strong> usage restrictions are established for mobile devices</li> <li><strong>A.03.01.18.A[02]:</strong> configuration requirements are established for mobile devices</li> <li><strong>A.03.01.18.A[03]:</strong> connection requirements are established for mobile devices</li> <li><strong>A.03.01.18.B:</strong> the connection of mobile devices to the system is authorized</li> <li><strong>A.03.01.18.C:</strong> full-device or container-based encryption is implemented to protect the confidentiality of specified information on mobile devices</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for mobile device access control; system design documentation; configuration management plan; system configuration settings; authorizations for mobile device connections to organizational systems; system audit records; encryption mechanisms and associated configuration documentation; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with access control responsibilities for mobile devices; personnel using mobile devices to access organizational systems; personnel with 
information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: access control capability for mobile device connections to organizational systems; encryption mechanisms for protecting the confidentiality of specified information on mobile devices; configurations of mobile devices]</p> <h5>References</h5> <p>Source assessment procedures: AC-19, AC-19(05)</p> </details><h4>03.01.19 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.01.20 Use of external systems</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.01.20.odp"><strong>A.03.01.20.ODP:</strong> security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.20.A:</strong> the use of external systems is prohibited unless the systems are specifically authorized</li> <li><strong>A.03.01.20.B:</strong> the following security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are established: <strong>&lt;A.03.01.20.ODP: security requirements&gt;</strong></li> <li><strong>A.03.01.20.C.01:</strong> authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit specified information only after verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied</li> <li><strong>A.03.01.20.C.02:</strong> authorized individuals are permitted to use external systems to access the organizational system or to process, store, or transmit specified information only after retaining approved system connection or processing 
agreements with the organizational entity hosting the external systems</li> <li><strong>A.03.01.20.D:</strong> the use of organization-controlled portable storage devices by authorized individuals on external systems is restricted</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for the use of external systems; terms and conditions for the use of external systems; external systems security requirements; list of types of applications accessible from external systems; system configuration settings; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for defining terms, conditions, and security requirements for the use of external systems; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing or enforcing terms, conditions, and security requirements for the use of external systems]</p> <h5>References</h5> <p>Source assessment procedures: AC-20, AC-20(01), AC-20(02)</p> </details><h4>03.01.21 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.01.22 Publicly accessible content</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.01.22.A:</strong> authorized individuals are trained to ensure that publicly accessible information does not contain specified information</li> <li><strong>A.03.01.22.B[01]:</strong> the content on publicly accessible systems is reviewed for specified information</li> <li><strong>A.03.01.22.B[02]:</strong> specified information is removed from publicly accessible systems, if discovered</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and 
procedures; procedures for publicly accessible content; list of users authorized to post publicly accessible content on organizational systems; training materials or records; records of publicly accessible information reviews; records of response to specified information discovered on public websites; system audit logs; security awareness training records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing the management of publicly accessible content]</p> <h5>References</h5> <p>Source assessment procedure: AC-22</p> </details></section> <section><h3 id="3.2">3.2 Awareness and training</h3> <p>The Awareness and training controls deal with the education of users with respect to the security of the system.</p> <details><summary><h4>03.02.01 Literacy training and awareness</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.02.01.odp-01"><strong>A.03.02.01.ODP[01]:</strong> the frequency at which to provide security literacy training to system users after initial training is defined</li> <li id="a.03.02.01.odp-02"><strong>A.03.02.01.ODP[02]:</strong> events that require security literacy training for system users are defined</li> <li id="a.03.02.01.odp-03"><strong>A.03.02.01.ODP[03]:</strong> the frequency at which to update security literacy training content is defined</li> <li 
id="a.03.02.01.odp-04"><strong>A.03.02.01.ODP[04]:</strong> events that require security literacy training content updates are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.02.01.A.01[01]:</strong> security literacy training is provided to system users as part of initial training for new users</li> <li><strong>A.03.02.01.A.01[02]:</strong> security literacy training is provided to system users <strong>&lt;A.03.02.01.ODP[01]: frequency&gt;</strong> after initial training</li> <li><strong>A.03.02.01.A.02:</strong> security literacy training is provided to system users when required by system changes or following <strong>&lt;A.03.02.01.ODP[02]: events&gt;</strong></li> <li><strong>A.03.02.01.A.03[01]:</strong> security literacy training is provided to system users on recognizing indicators of insider threat</li> <li><strong>A.03.02.01.A.03[02]:</strong> security literacy training is provided to system users on reporting indicators of insider threat</li> <li><strong>A.03.02.01.A.03[03]:</strong> security literacy training is provided to system users on recognizing indicators of social engineering</li> <li><strong>A.03.02.01.A.03[04]:</strong> security literacy training is provided to system users on reporting indicators of social engineering</li> <li><strong>A.03.02.01.A.03[05]:</strong> security literacy training is provided to system users on recognizing indicators of social mining</li> <li><strong>A.03.02.01.A.03[06]:</strong> security literacy training is provided to system users on reporting indicators of social mining</li> <li><strong>A.03.02.01.B[01]:</strong> security literacy training content is updated <strong>&lt;A.03.02.01.ODP[03]: frequency&gt;</strong></li> <li><strong>A.03.02.01.B[02]:</strong> security literacy training content is updated following <strong>&lt;A.03.02.01.ODP[04]: events&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: 
security and privacy literacy training and awareness policy and procedures; procedures for security and privacy literacy training and awareness implementation; appropriate codes of federal regulations; security and privacy literacy and awareness training curriculum; security and privacy literacy and awareness training materials; training records; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for security and privacy literacy training and awareness; personnel comprising the general system user community; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for managing information security and privacy literacy training and awareness]</p> <h5>References</h5> <p>Source assessment procedures: AT-02, AT-02(02), AT-02(03)</p> </details><details><summary><h4>03.02.02 Role-based training</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.02.02.odp-01"><strong>A.03.02.02.ODP[01]:</strong> the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined</li> <li id="a.03.02.02.odp-02"><strong>A.03.02.02.ODP[02]:</strong> events that require role-based security and privacy training are defined</li> <li id="a.03.02.02.odp-03"><strong>A.03.02.02.ODP[03]:</strong> the frequency at which to update role-based security and privacy training content is defined</li> <li id="a.03.02.02.odp-04"><strong>A.03.02.02.ODP[04]:</strong> events that require role-based security and privacy training content updates are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.02.02.A.01[01]:</strong> role-based security and privacy training is provided to organizational personnel before authorizing access to the system or specified 
information</li> <li><strong>A.03.02.02.A.01[02]:</strong> role-based security and privacy training is provided to organizational personnel before performing assigned duties</li> <li><strong>A.03.02.02.A.01[03]:</strong> role-based security and privacy training is provided to organizational personnel <strong>&lt;A.03.02.02.ODP[01]: frequency&gt;</strong> after initial training</li> <li><strong>A.03.02.02.A.02:</strong> role-based security and privacy training is provided to organizational personnel when required by system changes or following <strong>&lt;A.03.02.02.ODP[02]: events&gt;</strong></li> <li><strong>A.03.02.02.B[01]:</strong> role-based security and privacy training content is updated <strong>&lt;A.03.02.02.ODP[03]: frequency&gt;</strong></li> <li><strong>A.03.02.02.B[02]:</strong> role-based security and privacy training content is updated following <strong>&lt;A.03.02.02.ODP[04]: events&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: security and privacy awareness and training policy and procedures; procedures for security and privacy training implementation; codes of federal regulations; security and privacy training curriculum; security and privacy training materials; training records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for role-based security and privacy training; personnel with assigned system security and privacy roles and responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for managing role-based security and privacy training and awareness]</p> <h5>References</h5> <p>Source assessment procedure: AT-03</p> </details><h4>03.02.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section> <section><h3 id="3.3">3.3 Audit and accountability</h3> <p>The Audit and accountability controls support the ability to collect, analyze, and store audit records associated with user operations performed within the system.</p> <details><summary><h4>03.03.01 Event logging</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.03.01.odp-01"><strong>A.03.03.01.ODP[01]:</strong> event types selected for logging within the system are defined</li> <li id="a.03.03.01.odp-02"><strong>A.03.03.01.ODP[02]:</strong> the frequency at which the event types selected for logging are reviewed and updated is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.03.01.A:</strong> the following event types are specified for logging within the system: <strong>&lt;A.03.03.01.ODP[01]: event types&gt;</strong></li> <li><strong>A.03.03.01.B[01]:</strong> the event types selected for logging are reviewed <strong>&lt;A.03.03.01.ODP[02]: frequency&gt;</strong></li> <li><strong>A.03.03.01.B[02]:</strong> the event types selected for logging are updated <strong>&lt;A.03.03.01.ODP[02]: frequency&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and accountability policy and procedures; procedures for auditable events; system design documentation; system configuration settings; system audit records; system auditable events; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with audit and accountability responsibilities; personnel with information security and privacy responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: 
mechanisms for implementing system auditing]</p> <h5>References</h5> <p>Source assessment procedure: AU-02</p> </details><details><summary><h4>03.03.02 Audit record content</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.03.02.A.01:</strong> audit records contain information that establishes what type of event occurred</li> <li><strong>A.03.03.02.A.02:</strong> audit records contain information that establishes when the event occurred</li> <li><strong>A.03.03.02.A.03:</strong> audit records contain information that establishes where the event occurred</li> <li><strong>A.03.03.02.A.04:</strong> audit records contain information that establishes the source of the event</li> <li><strong>A.03.03.02.A.05:</strong> audit records contain information that establishes the outcome of the event</li> <li><strong>A.03.03.02.A.06:</strong> audit records contain information that establishes the identity of the individuals, subjects, objects, or entities associated with the event</li> <li><strong>A.03.03.02.B:</strong> additional information for audit records is provided, as needed</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and accountability policy and procedures; procedures for the content of audit records; list of organization-defined auditable events; system design documentation; system configuration settings; system audit records; system incident reports; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with audit and accountability responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing system auditing of auditable events; system audit capability]</p> <h5>References</h5> <p>Source assessment procedures: AU-03, AU-03(01)</p> 
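<p>The "Test" method for 03.03.02 asks the assessor to exercise the system's audit capability and confirm that each record carries the six content elements in A.03.03.02.A.01 to A.06. The script below is an added example of such a check, not code from NIST SP 800-171A or the Cyber Centre: it reads JSON audit records and reports any that lack an element, treating a time stamp without a UTC designator or offset as a failing "when" (the same zone requirement that 03.03.07 later states explicitly). The JSON key names and the sample records are assumptions constructed for the example; a real deployment would map them to its own log schema.</p>

```python
"""Check JSON audit records for the content required by 03.03.02.

Added example. The field names below are an assumed schema, not one
prescribed by NIST SP 800-171A; map them to the system's own log format.
"""
import json
from datetime import datetime

# One assumed JSON key per determination statement A.03.03.02.A.01 .. A.06.
REQUIRED_FIELDS = {
    "event_type": "A.01 what type of event occurred",
    "timestamp": "A.02 when the event occurred",
    "host": "A.03 where the event occurred",
    "source": "A.04 source of the event, e.g. process or client address",
    "outcome": "A.05 outcome of the event",
    "subject": "A.06 identity of the individual or subject associated with the event",
}


def timestamp_has_offset(value):
    """True if the stamp parses as ISO 8601 and is UTC or carries an explicit
    offset from UTC. A zone-less stamp cannot be correlated across systems."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return False
    return parsed.tzinfo is not None and parsed.utcoffset() is not None


def check_record(line):
    """Return the findings for one JSON audit record; an empty list means compliant."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return ["record is not valid JSON"]
    findings = []
    for field, meaning in REQUIRED_FIELDS.items():
        if record.get(field) in ("", None):
            findings.append(f"missing {field} ({meaning})")
    ts = record.get("timestamp")
    if ts is not None and not timestamp_has_offset(ts):
        findings.append("timestamp lacks UTC designator or offset")
    return findings


def check_log(lines):
    """Map the index of each non-compliant record to its findings."""
    report = {}
    for index, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        findings = check_record(line)
        if findings:
            report[index] = findings
    return report


# Constructed sample records, not real logs: the first two are compliant,
# the third has a zone-less time stamp, the fourth omits source and subject,
# and the last is not a JSON record at all.
SAMPLE_LOG = [
    '{"event_type":"logon","timestamp":"2024-03-01T14:02:11Z","host":"app01",'
    '"source":"203.0.113.7","outcome":"success","subject":"jdoe"}',
    '{"event_type":"file_delete","timestamp":"2024-03-01T09:02:11-05:00","host":"fs02",'
    '"source":"pid 4412","outcome":"failure","subject":"svc_backup"}',
    '{"event_type":"logon","timestamp":"2024-03-01T14:02:11","host":"app01",'
    '"source":"203.0.113.7","outcome":"success","subject":"jdoe"}',
    '{"event_type":"privilege_use","timestamp":"2024-03-01T14:05:00Z","host":"db01",'
    '"outcome":"success"}',
    "not json at all",
]

if __name__ == "__main__":
    for index, findings in check_log(SAMPLE_LOG).items():
        print(f"record {index}: " + "; ".join(findings))
```

<p>Run it over an export of the system's audit records (one JSON object per line) and keep the output as evidence for the assessment: an empty report supports A.03.03.02.A.01 to A.06, while a non-empty one lists exactly which element each failing record lacks.</p>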
</details><details><summary><h4>03.03.03 Audit record generation</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.03.03.A:</strong> audit records for the selected event types and audit record content specified in 03.03.01 and 03.03.02 are generated</li> <li><strong>A.03.03.03.B:</strong> audit records are retained for a time period consistent with the records retention policy</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and accountability policy and procedures; procedures for audit record generation; system design documentation; list of auditable events; system audit records; audit record retention policy and procedures; organization-defined retention period for audit records; audit record archives; system configuration settings; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with audit record generation responsibilities; personnel with audit record retention responsibilities; personnel with information security and privacy responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing the audit record generation capability]</p> <h5>References</h5> <p>Source assessment procedures: AU-11, AU-12</p> </details><details><summary><h4>03.03.04 Response to audit logging process failures</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.03.04.odp-01"><strong>A.03.03.04.ODP[01]:</strong> the time period for organizational personnel or roles receiving audit logging process failure alerts is defined</li> <li id="a.03.03.04.odp-02"><strong>A.03.03.04.ODP[02]:</strong> additional actions to be taken in the event of an audit logging process failure are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled 
lst-spcd"><li><strong>A.03.03.04.A:</strong> organizational personnel or roles are alerted in the event of an audit logging process failure within <strong>&lt;A.03.03.04.ODP[01]: time period&gt;</strong></li> <li><strong>A.03.03.04.B:</strong> the following additional actions are taken: <strong>&lt;A.03.03.04.ODP[02]: additional actions&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and accountability policy and procedures; procedures for responding to audit processing failures; system design documentation; system configuration settings; list of personnel to be notified in case of an audit processing failure; system audit records; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with audit and accountability responsibilities; personnel with information security and privacy responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing system response to audit processing failures]</p> <h5>References</h5> <p>Source assessment procedure: AU-05</p> </details><details><summary><h4>03.03.05 Audit record review, analysis, and reporting</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.03.05.odp"><strong>A.03.03.05.ODP:</strong> the frequency at which system audit records are reviewed and analyzed is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.03.05.A:</strong> system audit records are reviewed and analyzed <strong>&lt;A.03.03.05.ODP: frequency&gt;</strong> for indications and the potential impact of inappropriate or unusual activity</li> <li><strong>A.03.03.05.B:</strong> findings are reported to organizational personnel or roles</li> <li><strong>A.03.03.05.C[01]:</strong> audit records across different 
repositories are analyzed to gain organization-wide situational awareness</li> <li><strong>A.03.03.05.C[02]:</strong> audit records across different repositories are correlated to gain organization-wide situational awareness</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and accountability policy and procedures; procedures for audit record review, analysis, and reporting; reports of audit record findings; records of actions taken in response to reviews and analyses of audit records; system design documentation; system audit records across different repositories; system security plan; privacy plan; system configuration settings; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with audit record review, analysis, and reporting responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting the analysis and correlation of audit records]</p> <h5>References</h5> <p>Source assessment procedures: AU-06, AU-06(03)</p> </details><details><summary><h4>03.03.06 Audit record reduction and report generation</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.03.06.A[01]:</strong> an audit record reduction and report generation capability that supports audit record review is implemented</li> <li><strong>A.03.03.06.A[02]:</strong> an audit record reduction and report generation capability that supports audit record analysis is implemented</li> <li><strong>A.03.03.06.A[03]:</strong> an audit record reduction and report generation capability that supports audit record reporting requirements is implemented</li> <li><strong>A.03.03.06.A[04]:</strong> an audit record reduction and report generation capability that supports after-the-fact investigations of incidents is implemented</li> <li><strong>A.03.03.06.B[01]:</strong> the 
original content of audit records is preserved</li> <li><strong>A.03.03.06.B[02]:</strong> the original time ordering of audit records is preserved</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and accountability policy and procedures; procedures for audit record reduction and report generation; audit record reduction, review, analysis, and reporting tools; system audit records; system design documentation; system configuration settings; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with audit record reduction and report generation responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting audit record reduction and report generation capability]</p> <h5>References</h5> <p>Source assessment procedure: AU-07</p> </details><details><summary><h4>03.03.07 Time stamps</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.03.07.odp"><strong>A.03.03.07.ODP:</strong> granularity of time measurement for audit record time stamps is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.03.07.A:</strong> internal system clocks are used to generate time stamps for audit records</li> <li><strong>A.03.03.07.B[01]:</strong> time stamps are recorded for audit records that meet <strong>&lt;A.03.03.07.ODP: granularity of time measurement&gt;</strong></li> <li><strong>A.03.03.07.B[02]:</strong> time stamps are recorded for audit records that use Coordinated Universal Time (UTC), have a fixed local time offset from <abbr title="Coordinated Universal Time">UTC</abbr>, or include the local time offset as part of the time stamp</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and 
accountability policy and procedures; procedures for timestamp generation; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing time stamp generation]</p> <h5>References</h5> <p>Source assessment procedure: AU-08</p> </details><details><summary><h4>03.03.08 Protection of audit information</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.03.08.A[01]:</strong> audit information is protected from unauthorized access, modification, and deletion</li> <li><strong>A.03.03.08.A[02]:</strong> audit logging tools are protected from unauthorized access, modification, and deletion</li> <li><strong>A.03.03.08.B:</strong> access to management of audit logging functionality is authorized to only a subset of privileged users or roles</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: audit and accountability policy and procedures; access control policy and procedures; procedures for the protection of audit information; system configuration settings; system audit records; audit tools; system-generated list of privileged users with access to the management of audit functionality; access authorizations; access control list; system design documentation; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with audit and accountability responsibilities; personnel with information security and privacy responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing audit information protection; mechanisms for managing 
access to audit functionality]</p> <h5>References</h5> <p>Source assessment procedures: AU-09, AU-09(04)</p> </details><h4>03.03.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section> <section><h3 id="3.4">3.4 Configuration management</h3> <p>The Configuration management controls support the management and control of all components of the system, such as hardware, software, and configuration items.</p> <details><summary><h4>03.04.01 Baseline configuration</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.04.01.odp"><strong>A.03.04.01.ODP:</strong> the frequency of baseline configuration review and update is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.01.A[01]:</strong> a current baseline configuration of the system is developed</li> <li><strong>A.03.04.01.A[02]:</strong> a current baseline configuration of the system is maintained under configuration control</li> <li><strong>A.03.04.01.B[01]:</strong> the baseline configuration of the system is reviewed <strong>&lt;A.03.04.01.ODP: frequency&gt;</strong></li> <li><strong>A.03.04.01.B[02]:</strong> the baseline configuration of the system is updated <strong>&lt;A.03.04.01.ODP: frequency&gt;</strong></li> <li><strong>A.03.04.01.B[03]:</strong> the baseline configuration of the system is reviewed when system components are installed or modified</li> <li><strong>A.03.04.01.B[04]:</strong> the baseline configuration of the system is updated when system components are installed or modified</li> </ul><h5>Potential assessment methods and objects</h5> 
<p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for the baseline system configuration; configuration management plan; enterprise architecture documentation; system design documentation; system architecture documentation; system configuration settings; system component inventory; change control records; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with configuration management responsibilities; personnel with information security and privacy responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for managing baseline configurations; mechanisms for supporting configuration control of the baseline configuration]</p> <h5>References</h5> <p>Source assessment procedure: CM-02</p> </details><details><summary><h4>03.04.02 Configuration settings</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.04.02.odp"><strong>A.03.04.02.ODP:</strong> configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.02.A[01]:</strong> the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are established and documented: <strong>&lt;A.03.04.02.ODP: configuration settings&gt;</strong></li> <li><strong>A.03.04.02.A[02]:</strong> the following configuration settings for the system are implemented: <strong>&lt;A.03.04.02.ODP: configuration settings&gt;</strong></li> <li><strong>A.03.04.02.B[01]:</strong> any deviations from established configuration settings are identified and documented</li> <li><strong>A.03.04.02.B[02]:</strong> any deviations from established configuration settings are 
approved</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for system configuration settings; configuration management plan; system design documentation; system configuration settings; common secure configuration checklists; system component inventory; evidence supporting approved deviations from established configuration settings; change control records; system data processing and retention permissions; system audit records; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with security configuration management responsibilities; personnel with privacy configuration management responsibilities; personnel with information security and privacy responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for managing configuration settings; mechanisms that implement, monitor, or control system configuration settings; mechanisms that identify or document deviations from established configuration settings]</p> <h5>References</h5> <p>Source assessment procedure: CM-06</p> </details><details><summary><h4>03.04.03 Configuration change control</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.03.A:</strong> the types of changes to the system that are configuration-controlled are defined</li> <li><strong>A.03.04.03.B[01]:</strong> proposed configuration-controlled changes to the system are reviewed with explicit consideration for security impacts</li> <li><strong>A.03.04.03.B[02]:</strong> proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security impacts</li> <li><strong>A.03.04.03.C[01]:</strong> approved configuration-controlled changes to the system are implemented</li> <li><strong>A.03.04.03.C[02]:</strong> approved 
configuration-controlled changes to the system are documented</li> <li><strong>A.03.04.03.D[01]:</strong> activities associated with configuration-controlled changes to the system are monitored</li> <li><strong>A.03.04.03.D[02]:</strong> activities associated with configuration-controlled changes to the system are reviewed</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for system configuration change control; configuration management plan; system architecture documentation; configuration settings; change control records; system audit records; change control audit and review reports; agenda, minutes, and documentation from configuration change control oversight meetings; system security plan; privacy plan; PIAs; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with configuration change control responsibilities; personnel with information security and privacy responsibilities; members of change control board or similar; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for configuration change control; mechanisms that implement configuration change control]</p> <h5>References</h5> <p>Source assessment procedure: CM-03</p> </details><details><summary><h4>03.04.04 Impact analyses</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.04.A[01]:</strong> changes to the system are analyzed to determine potential security impacts prior to change implementation</li> <li><strong>A.03.04.04.A[02]:</strong> changes to the system are analyzed to determine potential privacy impacts prior to change implementation</li> <li><strong>A.03.04.04.B:</strong> the security requirements for the system continue to be satisfied after the system changes have been implemented</li> </ul><h5>Potential assessment methods and objects</h5> 
<p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for security impact analyses for system changes; configuration management plan; security impact analysis documentation; privacy impact analysis documentation; <abbr title="privacy impact assessment">PIA</abbr>; privacy risk assessment documentation; system design documentation; analysis tools and outputs; change control records; system audit records; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with security impact analysis responsibilities; personnel with responsibility for conducting privacy impact analyses; personnel with information security and privacy responsibilities; members of change control board; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for security impact analyses; processes for privacy impact analyses]</p> <h5>References</h5> <p>Source assessment procedures: CM-04, CM-04(02)</p> </details><details><summary><h4>03.04.05 Access restrictions for change</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.05[01]:</strong> physical access restrictions associated with changes to the system are defined and documented</li> <li><strong>A.03.04.05[02]:</strong> physical access restrictions associated with changes to the system are approved</li> <li><strong>A.03.04.05[03]:</strong> physical access restrictions associated with changes to the system are enforced</li> <li><strong>A.03.04.05[04]:</strong> logical access restrictions associated with changes to the system are defined and documented</li> <li><strong>A.03.04.05[05]:</strong> logical access restrictions associated with changes to the system are approved</li> <li><strong>A.03.04.05[06]:</strong> logical access restrictions associated with changes to the system are enforced</li> </ul><h5>Potential assessment 
methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for access restrictions for system changes; configuration management plan; system design documentation; system architecture documentation; system configuration settings; logical access approvals; physical access approvals; access credentials; change control records; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with logical access control responsibilities; personnel with physical access control responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for managing access restrictions for system changes; mechanisms for supporting, implementing, or enforcing access restrictions associated with system changes]</p> <h5>References</h5> <p>Source assessment procedure: CM-05</p> </details><details><summary><h4>03.04.06 Least functionality</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.04.06.odp-01"><strong>A.03.04.06.ODP[01]:</strong> functions to be prohibited or restricted are defined</li> <li id="a.03.04.06.odp-02"><strong>A.03.04.06.ODP[02]:</strong> ports to be prohibited or restricted are defined</li> <li id="a.03.04.06.odp-03"><strong>A.03.04.06.ODP[03]:</strong> protocols to be prohibited or restricted are defined</li> <li id="a.03.04.06.odp-04"><strong>A.03.04.06.ODP[04]:</strong> connections to be prohibited or restricted are defined</li> <li id="a.03.04.06.odp-05"><strong>A.03.04.06.ODP[05]:</strong> services to be prohibited or restricted are defined</li> <li id="a.03.04.06.odp-06"><strong>A.03.04.06.ODP[06]:</strong> the frequency at which to review the system to identify unnecessary or nonsecure functions, ports, protocols, connections, or services is 
defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.06.A:</strong> the system is configured to provide only mission-essential capabilities</li> <li><strong>A.03.04.06.B[01]:</strong> the use of the following functions is prohibited or restricted: <strong>&lt;A.03.04.06.ODP[01]: functions&gt;</strong></li> <li><strong>A.03.04.06.B[02]:</strong> the use of the following ports is prohibited or restricted: <strong>&lt;A.03.04.06.ODP[02]: ports&gt;</strong></li> <li><strong>A.03.04.06.B[03]:</strong> the use of the following protocols is prohibited or restricted: <strong>&lt;A.03.04.06.ODP[03]: protocols&gt;</strong></li> <li><strong>A.03.04.06.B[04]:</strong> the use of the following connections is prohibited or restricted: <strong>&lt;A.03.04.06.ODP[04]: connections&gt;</strong></li> <li><strong>A.03.04.06.B[05]:</strong> the use of the following services is prohibited or restricted: <strong>&lt;A.03.04.06.ODP[05]: services&gt;</strong></li> <li><strong>A.03.04.06.C:</strong> the system is reviewed <strong>&lt;A.03.04.06.ODP[06]: frequency&gt;</strong> to identify unnecessary or nonsecure functions, ports, protocols, connections, and services</li> <li><strong>A.03.04.06.D:</strong> unnecessary or nonsecure functions, ports, protocols, connections, and services are disabled or removed</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for least functionality in the system; configuration management plan; system design documentation; system configuration settings; system component inventory; common secure configuration checklists; documented reviews of functions, ports, protocols, and services; change control records; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with configuration management responsibilities; 
personnel with responsibilities for reviewing functions, ports, protocols, and services; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for prohibiting or restricting functions, ports, protocols, and services; processes for reviewing or disabling functions, ports, protocols, and services; mechanisms for implementing the review and disabling of functions, ports, protocols, and services; mechanisms for implementing restrictions on or the prohibition of functions, ports, protocols, and services]</p> <h5>References</h5> <p>Source assessment procedures: CM-07, CM-07(01)</p> </details><h4>03.04.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.04.08 Authorized software – allow by exception</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.04.08.odp"><strong>A.03.04.08.ODP:</strong> the frequency at which to review and update the list of authorized software programs is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.08.A:</strong> software programs authorized to execute on the system are identified</li> <li><strong>A.03.04.08.B:</strong> a deny-all, allow-by-exception policy for the execution of authorized software programs on the system is implemented</li> <li><strong>A.03.04.08.C:</strong> the list of authorized software programs is reviewed and updated <strong>&lt;A.03.04.08.ODP: frequency&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for least functionality in the system; configuration management plan; system design documentation; system configuration settings; list of software programs authorized to execute on the 
system; system component inventory; records associated with the review and update of the list of authorized software programs; common secure configuration checklists; change control records; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for identifying software authorized to execute on the system; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for identifying, reviewing, and updating programs authorized to execute on the system; processes for implementing authorized software policy; mechanisms for supporting or implementing authorized software policy]</p> <h5>References</h5> <p>Source assessment procedure: CM-07(05)</p> </details><h4>03.04.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.04.10 System component inventory</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.04.10.odp"><strong>A.03.04.10.ODP:</strong> the frequency at which to review and update the system component inventory is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.10.A:</strong> an inventory of system components is developed and documented</li> <li><strong>A.03.04.10.B[01]:</strong> the system component inventory is reviewed <strong>&lt;A.03.04.10.ODP: frequency&gt;</strong></li> <li><strong>A.03.04.10.B[02]:</strong> the system component inventory is updated <strong>&lt;A.03.04.10.ODP: frequency&gt;</strong></li> <li><strong>A.03.04.10.C[01]:</strong> the system component inventory is updated as part of component installations</li> <li><strong>A.03.04.10.C[02]:</strong> the system component inventory is updated as part of component removals</li> 
<li><strong>A.03.04.10.C[03]:</strong> the system component inventory is updated as part of system updates</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; procedures for system component inventory; configuration management plan; system design documentation; system component inventory; inventory reviews and update records; component installation records; change control records; component removal records; system change records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with component inventory management responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for managing the system component inventory; mechanisms for supporting or implementing the system component inventory; processes for updating the system component inventory; mechanisms for supporting or implementing the system component inventory updates]</p> <h5>References</h5> <p>Source assessment procedures: CM-08, CM-08(01)</p> </details><details><summary><h4>03.04.11 Information location</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.11.A[01]:</strong> the location of specified information is identified and documented</li> <li><strong>A.03.04.11.A[02]:</strong> the system components on which specified information is processed are identified and documented</li> <li><strong>A.03.04.11.A[03]:</strong> the system components on which specified information is stored are identified and documented</li> <li><strong>A.03.04.11.B[01]:</strong> changes to the system or system component location where specified information is processed are documented</li> <li><strong>A.03.04.11.B[02]:</strong> changes to the system or system component location where specified information is stored are 
documented</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; configuration management plan; procedures for identification and documentation of information location; system audit records; architecture documentation; system design documentation; security categorization of the information; personal information inventory documentation; data mapping documentation; audit records; list of users with system and system component access; change control records; system component inventory; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for managing information location and user access; personnel with responsibilities for operating, using, or maintaining the system; personnel with information security and privacy responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes governing information location; mechanisms for enforcing policies and methods for governing information location]</p> <h5>References</h5> <p>Source assessment procedure: CM-12</p> </details><details><summary><h4>03.04.12 System and component configuration for high-risk areas</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.04.12.odp-01"><strong>A.03.04.12.ODP[01]:</strong> configurations for systems or system components to be issued to individuals traveling to high-risk locations are defined</li> <li id="a.03.04.12.odp-02"><strong>A.03.04.12.ODP[02]:</strong> security requirements to be applied to the system or system components when individuals return from travel are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.04.12.A:</strong> systems or system components with the following configurations are issued to 
individuals traveling to high-risk locations: <strong>&lt;A.03.04.12.ODP[01]: configurations&gt;</strong></li> <li><strong>A.03.04.12.B:</strong> the following security requirements are applied to the system or system components when the individuals return from travel: <strong>&lt;A.03.04.12.ODP[02]: security requirements&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: configuration management policy and procedures; configuration management plan; procedures for the baseline configuration of the system; procedures for system component installations and upgrades; system component inventory; system component installations or upgrades and associated records; records of system baseline configuration reviews and updates; system configuration settings; system architecture documentation; change control records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with configuration management responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for managing baseline configurations]</p> <h5>References</h5> <p>Source assessment procedure: CM-02(07)</p> </details></section> <section><h3 id="3.5">3.5 Identification and authentication</h3> <p>The Identification and authentication controls support the unique identification of users, processes acting on behalf of users and devices. 
They also support the authentication or verification of the identities of those users, processes or devices as a prerequisite to allowing access to organizational systems.</p> <details><summary><h4>03.05.01 User identification, authentication, and re-authentication</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.05.01.odp"><strong>A.03.05.01.ODP:</strong> circumstances or situations that require reauthentication are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.01.A[01]:</strong> system users are uniquely identified</li> <li><strong>A.03.05.01.A[02]:</strong> system users are authenticated</li> <li><strong>A.03.05.01.A[03]:</strong> processes acting on behalf of users are associated with uniquely identified and authenticated system users</li> <li><strong>A.03.05.01.B:</strong> users are reauthenticated when <strong>&lt;A.03.05.01.ODP: circumstances or situations&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; list of circumstances or situations requiring reauthentication; system design documentation; system configuration settings; system audit records; list of system accounts; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with identification and authentication responsibilities; personnel with system operations responsibilities; personnel with account management responsibilities; system developers; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for uniquely identifying and authenticating users; mechanisms for supporting or implementing identification and authentication capabilities]</p> <h5>References</h5> <p>Source assessment procedures: IA-02, 
IA-11</p> </details><details><summary><h4>03.05.02 Device identification and authentication</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.05.02.odp"><strong>A.03.05.02.ODP:</strong> devices or types of devices to be uniquely identified and authenticated before establishing a connection are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.02.[01]:</strong> <strong>&lt;A.03.05.02.ODP: devices or types of devices&gt;</strong> are uniquely identified before establishing a system connection</li> <li><strong>A.03.05.02.[02]:</strong> <strong>&lt;A.03.05.02.ODP: devices or types of devices&gt;</strong> are authenticated before establishing a system connection</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; procedures for device identification and authentication; system design documentation; list of devices requiring unique identification and authentication; device connection reports; system configuration settings; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for device identification and authentication; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing device identification and authentication capabilities]</p> <h5>References</h5> <p>Source assessment procedure: IA-03</p> </details><details><summary><h4>03.05.03 Multi-factor authentication</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.03[01]:</strong> strong <abbr title="multi-factor authentication">MFA</abbr> for access to privileged accounts is implemented</li> <li><strong>A.03.05.03[02]:</strong> 
strong <abbr title="multi-factor authentication">MFA</abbr> for access to non-privileged accounts is implemented</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; system design documentation; list of system accounts; system configuration settings; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing a <abbr title="multi-factor authentication">MFA</abbr> capability]</p> <h5>References</h5> <p>Source assessment procedures: IA-02(01), IA-02(02)</p> </details><details><summary><h4>03.05.04 Replay-resistant authentication</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.04[01]:</strong> replay-resistant authentication mechanisms for access to privileged accounts are implemented</li> <li><strong>A.03.05.04[02]:</strong> replay-resistant authentication mechanisms for access to non-privileged accounts are implemented</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; system design documentation; system audit records; system configuration settings; list of privileged system accounts; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select 
from: mechanisms for supporting or implementing identification and authentication capabilities; mechanisms for supporting or implementing replay-resistance]</p> <h5>References</h5> <p>Source assessment procedure: IA-02(08)</p> </details><details><summary><h4>03.05.05 Identifier management</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.05.05.odp-01"><strong>A.03.05.05.ODP[01]:</strong> the time period for preventing the reuse of identifiers is defined</li> <li id="a.03.05.05.odp-02"><strong>A.03.05.05.ODP[02]:</strong> characteristics used to identify individual status are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.05.A:</strong> authorization is received from organizational personnel or roles to assign an individual, group, role, service, or device identifier</li> <li><strong>A.03.05.05.B[01]:</strong> an identifier that identifies an individual, group, role, service, or device is selected</li> <li><strong>A.03.05.05.B[02]:</strong> an identifier that identifies an individual, group, role, service, or device is assigned</li> <li><strong>A.03.05.05.C:</strong> the reuse of identifiers for <strong>&lt;A.03.05.05.ODP[01]: time period&gt;</strong> is prevented</li> <li><strong>A.03.05.05.D:</strong> individual identifiers are managed by uniquely identifying each individual as <strong>&lt;A.03.05.05.ODP[02]: characteristic&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; procedures for identifier management; procedures for account management; system design documentation; list of system accounts; list of characteristics identifying individual status; system configuration settings; list of identifiers generated from physical access control devices; system security plan; other relevant documents or records]</p> 
<p><strong>Interview</strong></p> <p>[Select from: personnel with identifier management responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing identifier management]</p> <h5>References</h5> <p>Source assessment procedures: IA-04, IA-04(04)</p> </details><h4>03.05.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.05.07 Password management</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.05.07.odp-01"><strong>A.03.05.07.ODP[01]:</strong> the frequency at which to update the list of commonly used, expected, or compromised passwords is defined</li> <li id="a.03.05.07.odp-02"><strong>A.03.05.07.ODP[02]:</strong> password composition and complexity rules are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.07.A[01]:</strong> a list of commonly used, expected, or compromised passwords is maintained</li> <li><strong>A.03.05.07.A[02]:</strong> a list of commonly used, expected, or compromised passwords is updated <strong>&lt;A.03.05.07.ODP[01]: frequency&gt;</strong></li> <li><strong>A.03.05.07.A[03]:</strong> a list of commonly used, expected, or compromised passwords is updated when organizational passwords are suspected to have been compromised</li> <li><strong>A.03.05.07.B:</strong> passwords are verified not to be found on the list of commonly used, expected, or compromised passwords when they are created or updated by users</li> <li><strong>A.03.05.07.C:</strong> passwords are only transmitted over cryptographically protected channels</li> <li><strong>A.03.05.07.D:</strong> passwords are stored in a cryptographically protected form</li> <li><strong>A.03.05.07.E:</strong> a new password is selected upon 
first use after account recovery</li> <li><strong>A.03.05.07.F:</strong> the following composition and complexity rules for passwords are enforced: <strong>&lt;A.03.05.07.ODP[02]: rules&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; password policy; procedures for authenticator management; system design documentation; system configuration settings; password configurations; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with authenticator management responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing a password-based authenticator management capability]</p> <h5>References</h5> <p>Source assessment procedure: IA-05(01)</p> </details><h4>03.05.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.05.09 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.05.10 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.05.11 Authentication feedback</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.11:</strong> feedback of authentication information during the authentication process is obscured</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; procedures for authenticator feedback; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]</p> 
<p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing the obscuring of feedback of authentication information during authentication]</p> <h5>References</h5> <p>Source assessment procedure: IA-06</p> </details><details><summary><h4>03.05.12 Authenticator management</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.05.12.odp-01"><strong>A.03.05.12.ODP[01]:</strong> the frequency for changing or refreshing authenticators is defined</li> <li id="a.03.05.12.odp-02"><strong>A.03.05.12.ODP[02]:</strong> events that trigger the change or refreshment of authenticators are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.05.12.A:</strong> the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution is verified</li> <li><strong>A.03.05.12.B:</strong> initial authenticator content for any authenticators issued by the organization is established</li> <li><strong>A.03.05.12.C[01]:</strong> administrative procedures for initial authenticator distribution are established</li> <li><strong>A.03.05.12.C[02]:</strong> administrative procedures for lost, compromised, or damaged authenticators are established</li> <li><strong>A.03.05.12.C[03]:</strong> administrative procedures for revoking authenticators are established</li> <li><strong>A.03.05.12.C[04]:</strong> administrative procedures for initial authenticator distribution are implemented</li> <li><strong>A.03.05.12.C[05]:</strong> administrative procedures for lost, compromised, or damaged authenticators are implemented</li> <li><strong>A.03.05.12.C[06]:</strong> administrative procedures for revoking authenticators are implemented</li> 
<li><strong>A.03.05.12.D:</strong> default authenticators are changed at first use</li> <li><strong>A.03.05.12.E:</strong> authenticators are changed or refreshed <strong>&lt;A.03.05.12.ODP[01]: frequency&gt;</strong> or when the following events occur: <strong>&lt;A.03.05.12.ODP[02]: events&gt;</strong></li> <li><strong>A.03.05.12.F[01]:</strong> authenticator content is protected from unauthorized disclosure</li> <li><strong>A.03.05.12.F[02]:</strong> authenticator content is protected from unauthorized modification</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: identification and authentication policy and procedures; procedures for authenticator management; system configuration settings; list of system authenticator types; system design documentation; system audit records; change control records associated with managing system authenticators; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with authenticator management responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing the authenticator management capability]</p> <h5>References</h5> <p>Source assessment procedure: IA-05</p> </details></section> <section><h3 id="3.6">3.6 Incident response</h3> <p>The Incident response controls support the establishment of an operational incident handling capability for organizational systems that includes:</p> <ul><li>adequate preparation</li> <li>monitoring</li> <li>detection</li> <li>analysis</li> <li>containment</li> <li>recovery</li> 
<li>response</li> </ul><p>Incidents are monitored, documented, and reported to appropriate organizational officials and authorities.</p> <details><summary><h4>03.06.01 Incident handling</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.06.01[01]:</strong> an incident-handling capability that is consistent with the incident response plan is implemented</li> <li><strong>A.03.06.01[02]:</strong> the incident handling capability includes preparation</li> <li><strong>A.03.06.01[03]:</strong> the incident handling capability includes detection and analysis</li> <li><strong>A.03.06.01[04]:</strong> the incident handling capability includes containment</li> <li><strong>A.03.06.01[05]:</strong> the incident handling capability includes eradication</li> <li><strong>A.03.06.01[06]:</strong> the incident handling capability includes recovery</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: incident response policy and procedures; contingency planning policy and procedures; procedures for incident handling; procedures for incident response planning; incident response plan; contingency plan; records of incident response plan reviews and approvals; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with incident handling responsibilities; personnel with incident response planning responsibilities; personnel with contingency planning responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: incident handling capability for the organization; incident response plan]</p> <h5>References</h5> <p>Source assessment procedure: IR-04</p> </details><details><summary><h4>03.06.02 Incident monitoring, reporting, and response assistance</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul 
class="list-unstyled lst-spcd"><li id="a.03.06.02.odp-01"><strong>A.03.06.02.ODP[01]:</strong> the time period to report suspected incidents to the organizational incident response capability is defined</li> <li id="a.03.06.02.odp-02"><strong>A.03.06.02.ODP[02]:</strong> authorities to whom incident information is to be reported are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.06.02.A[01]:</strong> system security incidents are tracked</li> <li><strong>A.03.06.02.A[02]:</strong> system security incidents are documented</li> <li><strong>A.03.06.02.B:</strong> suspected incidents are reported to the organizational incident response capability within <strong>&lt;A.03.06.02.ODP[01]: time period&gt;</strong></li> <li><strong>A.03.06.02.C:</strong> incident information is reported to <strong>&lt;A.03.06.02.ODP[02]: authorities&gt;</strong></li> <li><strong>A.03.06.02.D:</strong> an incident response support resource that offers advice and assistance to system users on handling and reporting incidents is provided</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: incident response policy and procedures; procedures for incident monitoring; procedures for incident response assistance; incident response records and documentation; incident response plan; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with incident monitoring responsibilities; personnel with incident response assistance and support responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for incident reporting; incident monitoring capability; mechanisms for supporting or implementing the tracking and documenting of system security incidents; mechanisms for supporting or implementing incident reporting; mechanisms for supporting or 
implementing incident response assistance; processes for incident response assistance]</p> <h5>References</h5> <p>Source assessment procedures: IR-05, IR-06, IR-07</p> </details><details><summary><h4>03.06.03 Incident response testing</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.06.03.odp"><strong>A.03.06.03.ODP:</strong> the frequency at which to test the effectiveness of the incident response capability for the system is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.06.03:</strong> the effectiveness of the incident response capability is tested <strong>&lt;A.03.06.03.ODP: frequency&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: incident response policy and procedures; contingency planning policy and procedures; procedures for incident response testing; procedures for contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with incident response testing responsibilities; personnel with information security and privacy responsibilities]</p> <h5>References</h5> <p>Source assessment procedure: IR-03</p> </details><details><summary><h4>03.06.04 Incident response training</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.06.04.odp-01"><strong>A.03.06.04.ODP[01]:</strong> the time period within which incident response training is to be provided to system users is defined</li> <li id="a.03.06.04.odp-02"><strong>A.03.06.04.ODP[02]:</strong> the frequency at which to provide incident response training to users after initial training is defined</li> <li 
id="a.03.06.04.odp-03"><strong>A.03.06.04.ODP[03]:</strong> the frequency at which to review and update incident response training content is defined</li> <li id="a.03.06.04.odp-04"><strong>A.03.06.04.ODP[04]:</strong> events that initiate a review of the incident response training content are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.06.04.A.01:</strong> incident response training for system users consistent with assigned roles and responsibilities is provided within <strong>&lt;A.03.06.04.ODP[01]: time period&gt;</strong> of assuming an incident response role or responsibility or acquiring system access</li> <li><strong>A.03.06.04.A.02:</strong> incident response training for system users consistent with assigned roles and responsibilities is provided when required by system changes</li> <li><strong>A.03.06.04.A.03:</strong> incident response training for system users consistent with assigned roles and responsibilities is provided <strong>&lt;A.03.06.04.ODP[02]: frequency&gt;</strong> thereafter</li> <li><strong>A.03.06.04.B[01]:</strong> incident response training content is reviewed <strong>&lt;A.03.06.04.ODP[03]: frequency&gt;</strong></li> <li><strong>A.03.06.04.B[02]:</strong> incident response training content is updated <strong>&lt;A.03.06.04.ODP[03]: frequency&gt;</strong></li> <li><strong>A.03.06.04.B[03]:</strong> incident response training content is reviewed following <strong>&lt;A.03.06.04.ODP[04]: events&gt;</strong></li> <li><strong>A.03.06.04.B[04]:</strong> incident response training content is updated following <strong>&lt;A.03.06.04.ODP[04]: events&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: incident response policy and procedures; procedures for incident response training; incident response training curriculum; incident response training materials; incident response plan; incident response training records; system 
security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with incident response training and operational responsibilities; personnel with information security and privacy responsibilities]</p> <h5>References</h5> <p>Source assessment procedure: IR-02</p> </details><details><summary><h4>03.06.05 Incident response plan</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.06.05.A.01:</strong> an incident response plan is developed that provides the organization with a roadmap for implementing its incident response capability</li> <li><strong>A.03.06.05.A.02:</strong> an incident response plan is developed that describes the structure and organization of the incident response capability</li> <li><strong>A.03.06.05.A.03:</strong> an incident response plan is developed that provides a high-level approach for how the incident response capability fits into the overall organization</li> <li><strong>A.03.06.05.A.04:</strong> an incident response plan is developed that defines reportable incidents</li> <li><strong>A.03.06.05.A.05:</strong> an incident response plan is developed that addresses the sharing of incident information</li> <li><strong>A.03.06.05.A.06:</strong> an incident response plan is developed that designates responsibilities to organizational entities, personnel, or roles</li> <li><strong>A.03.06.05.B[01]:</strong> copies of the incident response plan are distributed to designated incident response personnel (identified by name or by role)</li> <li><strong>A.03.06.05.B[02]:</strong> copies of the incident response plan are distributed to organizational elements</li> <li><strong>A.03.06.05.C:</strong> the incident response plan is updated to address system and organizational changes or problems encountered during plan implementation, execution, or testing</li> <li><strong>A.03.06.05.D:</strong> the incident response plan is protected from unauthorized 
disclosure</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: incident response policy; procedures addressing incident response planning; incident response plan; system security plan; privacy plan; records of incident response plan reviews and approvals; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with incident response planning responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: incident response plan and related processes]</p> <h5>References</h5> <p>Source assessment procedure: IR-08</p> </details></section> <section><h3 id="3.7">3.7 Maintenance</h3> <p>The Maintenance controls support periodic and timely maintenance on organizational systems and provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance to ensure its ongoing availability.</p> <h4>03.07.01 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.07.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.07.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.07.04 Maintenance tools</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.07.04.A[01]:</strong> the use of system maintenance tools is approved</li> <li><strong>A.03.07.04.A[02]:</strong> the use of system maintenance tools is controlled</li> 
<li><strong>A.03.07.04.A[03]:</strong> the use of system maintenance tools is monitored</li> <li><strong>A.03.07.04.B:</strong> media with diagnostic and test programs are checked for malicious code before the media are used in the system</li> <li><strong>A.03.07.04.C:</strong> the removal of system maintenance equipment containing specified information is prevented by verifying that there is no specified information on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: maintenance policy and procedures; procedures for system maintenance tools; system maintenance tools; maintenance tool inspection records; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system maintenance responsibilities; personnel responsible for media sanitization; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for approving, controlling, and monitoring maintenance tools; mechanisms for supporting or implementing the approval, control, or monitoring of maintenance tools; processes for preventing the unauthorized removal of information; processes for inspecting media for malicious code; mechanisms for supporting media sanitization or the destruction of equipment; mechanisms for supporting the verification of media sanitization; processes for inspecting maintenance tools; mechanisms for supporting or implementing the inspection of maintenance tools; mechanisms for supporting or implementing the inspection of media used for maintenance]</p> <h5>References</h5> <p>Source assessment procedures: MA-03, MA-03(01), MA-03(02), MA-03(03)</p> </details><details><summary><h4>03.07.05 Non-local maintenance</h4> </summary><h5>Determine if:</h5> <ul 
class="list-unstyled lst-spcd"><li><strong>A.03.07.05.A[01]:</strong> non-local maintenance and diagnostic activities are approved</li> <li><strong>A.03.07.05.A[02]:</strong> non-local maintenance and diagnostic activities are monitored</li> <li><strong>A.03.07.05.B[01]:</strong> <abbr title="multi-factor authentication">MFA</abbr> is implemented in the establishment of non-local maintenance and diagnostic sessions</li> <li><strong>A.03.07.05.B[02]:</strong> replay resistance is implemented in the establishment of non-local maintenance and diagnostic sessions</li> <li><strong>A.03.07.05.C[01]:</strong> session connections are terminated when non-local maintenance is completed</li> <li><strong>A.03.07.05.C[02]:</strong> network connections are terminated when non-local maintenance is completed</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: maintenance policy and procedures; remote access policy and procedures; procedures for non-local system maintenance; records of remote access; maintenance records; diagnostic records; system design documentation; system configuration settings; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system maintenance responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for managing non-local maintenance; mechanisms for implementing, supporting, or managing non-local maintenance; mechanisms for implementing <abbr title="multi-factor authentication">MFA</abbr> and replay resistance; mechanisms for terminating non-local maintenance sessions and network connections]</p> <h5>References</h5> <p>Source assessment procedure: MA-04</p> </details><details><summary><h4>03.07.06 Maintenance personnel</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.07.06.A:</strong> a process for maintenance personnel authorization is 
established</li> <li><strong>A.03.07.06.B:</strong> a list of authorized maintenance organizations or personnel is maintained</li> <li><strong>A.03.07.06.C:</strong> non-escorted personnel who perform maintenance on the system possess the required access authorizations</li> <li><strong>A.03.07.06.D[01]:</strong> organizational personnel with required access authorizations are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations</li> <li><strong>A.03.07.06.D[02]:</strong> organizational personnel with required technical competence are designated to supervise the maintenance activities of personnel who do not possess the required access authorizations</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: maintenance policy and procedures; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system maintenance responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for authorizing and managing maintenance personnel; mechanisms for supporting or implementing the authorization of maintenance personnel]</p> <h5>References</h5> <p>Source assessment procedure: MA-05</p> </details></section> <section><h3 id="3.8">3.8 Media protection</h3> <p>The Media protection controls support the protection of system media throughout their lifecycle. 
They help limit access to information on system media to authorized users and sanitize or destroy system media before disposal or release for reuse.</p> <details><summary><h4>03.08.01 Media storage</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.08.01[01]:</strong> system media that contain specified information are physically controlled</li> <li><strong>A.03.08.01[02]:</strong> system media that contain specified information are securely stored</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; media protection policy and procedures; procedures for media storage; access control policy and procedures; system media; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system media protection and storage responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for storing information media; mechanisms for supporting or implementing secure media storage/media protection]</p> <h5>References</h5> <p>Source assessment procedure: MP-04</p> </details><details><summary><h4>03.08.02 Media access</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.08.02:</strong> access to specified information on system media is restricted to authorized personnel or roles</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; media protection policy and procedures; procedures for media access restrictions; access control policy and procedures; media storage facilities; access control records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system media protection responsibilities; 
personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for restricting information on media; mechanisms for supporting or implementing media access restrictions]</p> <h5>References</h5> <p>Source assessment procedure: MP-02</p> </details><details><summary><h4>03.08.03 Media sanitization</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.08.03:</strong> system media that contain specified information are sanitized prior to disposal, release out of organizational control, or release for reuse</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: media protection policy and procedures; procedures for media sanitization and disposal; applicable standards and policies that address media sanitization policy; system audit records; media sanitization records; system design documentation; system configuration settings; records retention and disposition policy; records retention and disposition procedures; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with media sanitization responsibilities; personnel with records retention and disposition responsibilities; personnel with information security and privacy responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for media sanitization; mechanisms for supporting or implementing media sanitization]</p> <h5>References</h5> <p>Source assessment procedure: MP-06</p> </details><details><summary><h4>03.08.04 Media marking</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.08.04[01]:</strong> system media that contain specified information are marked to indicate distribution limitations</li> <li><strong>A.03.08.04[02]:</strong> system media that contain specified information are marked to 
indicate handling caveats</li> <li><strong>A.03.08.04[03]:</strong> system media that contain specified information are marked to indicate applicable specified information markings</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; media protection policy and procedures; procedures for media marking; list of system media marking security attributes; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system media protection and marking responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for marking information media; mechanisms for supporting or implementing media marking]</p> <h5>References</h5> <p>Source assessment procedure: MP-03</p> </details><details><summary><h4>03.08.05 Media transport</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.08.05.A[01]:</strong> system media that contain specified information are protected during transport outside of controlled areas</li> <li><strong>A.03.08.05.A[02]:</strong> system media that contain specified information are controlled during transport outside of controlled areas</li> <li><strong>A.03.08.05.B:</strong> accountability for system media that contain specified information is maintained during transport outside of controlled areas</li> <li><strong>A.03.08.05.C:</strong> activities associated with the transport of system media that contain specified information are documented</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; media protection policy and procedures; procedures for media storage; access control policy and procedures; authorized personnel list; system media; designated controlled areas; system and 
communications protection policy and procedures; cryptographic mechanisms and configuration documentation; procedures for the protection of information at rest; system design documentation; system configuration settings; list of information at rest requiring confidentiality protections; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system media protection and storage responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for storing information media; mechanisms for supporting or implementing media storage/media protection; mechanisms for supporting or implementing confidentiality protections for information at rest]</p> <h5>References</h5> <p>Source assessment procedures: MP-05, SC-28</p> </details><h4>03.08.06 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.08.07 Media use</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.08.07.odp"><strong>A.03.08.07.ODP:</strong> types of system media with usage restrictions or that are prohibited from use are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.08.07.A:</strong> the use of the following types of system media is restricted or prohibited: <strong>&lt;A.03.08.07.ODP: types of system media&gt;</strong></li> <li><strong>A.03.08.07.B:</strong> the use of removable system media without an identifiable owner is prohibited</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system media protection policy and procedures; system use policy; procedures for media usage restrictions; rules of behaviour; system audit records; system design 
documentation; system configuration settings; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system media use responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for media use; mechanisms for restricting or prohibiting the use of system media on systems or system components]</p> <h5>References</h5> <p>Source assessment procedure: MP-07</p> </details><h4>03.08.08 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.08.09 System backup – cryptographic protection</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.08.09.A:</strong> the confidentiality of backup information is protected</li> <li><strong>A.03.08.09.B:</strong> cryptographic mechanisms are implemented to prevent the unauthorized disclosure of specified information at backup storage locations</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: contingency planning policy and procedures; procedures for system backup; contingency plan; system design documentation; system configuration settings; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system backup responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing the cryptographic protection of backup information]</p> <h5>References</h5> <p>Source assessment procedures: CP-09, CP-09(08)</p> </details></section>
<section><h3 id="3.9">3.9 Personnel security</h3> <p>The Personnel security controls support the procedures required to ensure that all personnel who have access to systems have the necessary authorization as well as appropriate security screening levels. They ensure that organizational information and systems are protected during and after personnel actions such as terminations and transfers.</p> <details><summary><h4>03.09.01 Personnel screening</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.09.01.odp"><strong>A.03.09.01.ODP:</strong> conditions that require the rescreening of individuals are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.09.01.A:</strong> individuals are screened prior to authorizing access to the system</li> <li><strong>A.03.09.01.B:</strong> individuals are rescreened in accordance with the following conditions: <strong>&lt;A.03.09.01.ODP: conditions&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: personnel security policy and procedures; procedures for personnel screening and rescreening; records of screened personnel; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with personnel security responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for personnel screening and rescreening]</p> <h5>References</h5> <p>Source assessment procedure: PS-03</p> </details><details><summary><h4>03.09.02 Personnel termination and transfer</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.09.02.odp"><strong>A.03.09.02.ODP:</strong> the time period within which to 
disable system access is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.09.02.A.01:</strong> upon termination of individual employment, system access is disabled within <strong>&lt;A.03.09.02.ODP: time period&gt;</strong></li> <li><strong>A.03.09.02.A.02[01]:</strong> upon termination of individual employment, authenticators associated with the individual are terminated or revoked</li> <li><strong>A.03.09.02.A.02[02]:</strong> upon termination of individual employment, credentials associated with the individual are terminated or revoked</li> <li><strong>A.03.09.02.A.03:</strong> upon termination of individual employment, security-related system property is retrieved</li> <li><strong>A.03.09.02.B.01[01]:</strong> upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is reviewed</li> <li><strong>A.03.09.02.B.01[02]:</strong> upon individual reassignment or transfer to other positions in the organization, the ongoing operational need for current logical and physical access authorizations to the system and facility is confirmed</li> <li><strong>A.03.09.02.B.02:</strong> upon individual reassignment or transfer to other positions in the organization, access authorization is modified to correspond with any changes in operational need</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: personnel security policy and procedures; procedures for personnel termination; records of personnel transfer actions; procedures for personnel transfer; list of system and facility access authorizations; records of personnel termination actions; records of terminated or revoked authenticators or credentials; list of system accounts; records of exit interviews; system security plan; other relevant documents or records]</p> 
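<p>The following is an added example and not part of the assessment procedure: a small audit check of the kind an assessor could run under <strong>Test</strong> against A.03.09.02.A.01 and A.03.09.02.A.02, confirming for each terminated individual that every account was disabled within the <strong>&lt;A.03.09.02.ODP: time period&gt;</strong> and every authenticator was revoked. The termination roster, account inventory and authenticator inventory are constructed sample records, and the 24-hour window, the record field names and the decision to apply the same window to revocation are assumptions made for the example, not values this page defines. Two cases an assessor must not lose are handled explicitly: a termination whose deadline has not yet passed is not reported, and an account that is disabled but has no recorded disable time is reported as an evidence gap rather than silently accepted.</p>

```python
"""Audit check for A.03.09.02.A.01 / A.03.09.02.A.02 (added example; constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# A.03.09.02.ODP is organization-defined; 24 hours is an ASSUMED value for this example.
DEFAULT_WINDOW_HOURS = 24


def utc(y, m, d, h=0, mi=0):
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


@dataclass
class Termination:
    user: str
    terminated_at: datetime


@dataclass
class Account:
    user: str
    system: str
    enabled: bool
    disabled_at: Optional[datetime]   # None if still enabled, or disabled with no record


@dataclass
class Authenticator:
    user: str
    kind: str                          # password, ssh-key, api-token, hardware-token ...
    revoked_at: Optional[datetime]     # None if still valid


@dataclass
class Finding:
    user: str
    objective: str                     # assessment objective the finding is evidence against
    subject: str                       # system name or authenticator kind
    detail: str
    late_by: Optional[timedelta] = None


# Constructed sample records (not real data); NOW is fixed so the run is reproducible.
NOW = utc(2024, 3, 10, 12)
TERMINATIONS = [
    Termination("alice", utc(2024, 3, 1, 9)),
    Termination("bob", utc(2024, 3, 9, 16)),      # deadline still in the future at NOW
    Termination("carol", utc(2024, 2, 20, 8)),
]
ACCOUNTS = [
    Account("alice", "hr-portal", False, utc(2024, 3, 1, 15)),  # disabled within 24h
    Account("alice", "vpn", False, utc(2024, 3, 3, 10)),        # disabled 25h after the deadline
    Account("bob", "vpn", True, None),                          # pending, not yet a violation
    Account("carol", "fileserver", False, None),                # disabled, but no timestamp recorded
    Account("dave", "vpn", True, None),                         # not terminated; ignored
]
AUTHENTICATORS = [
    Authenticator("alice", "password", utc(2024, 3, 1, 15)),
    Authenticator("alice", "ssh-key", None),                    # never revoked
    Authenticator("bob", "password", None),                     # pending
    Authenticator("carol", "password", utc(2024, 2, 20, 9)),
]


def check_terminations(terminations, accounts, authenticators,
                       window_hours=DEFAULT_WINDOW_HOURS, now=None) -> List[Finding]:
    """One Finding per account or authenticator that violates the objective.

    A.03.09.02.A.02 states no time period of its own; applying the same window to
    revocation is an assumption, so a still-valid authenticator is only reported
    once the deadline has passed.
    """
    now = now or datetime.now(timezone.utc)
    window = timedelta(hours=window_hours)
    findings: List[Finding] = []
    for t in terminations:
        deadline = t.terminated_at + window
        for a in (x for x in accounts if x.user == t.user):
            if a.enabled:
                if now > deadline:
                    findings.append(Finding(t.user, "A.03.09.02.A.01", a.system,
                                            "account still enabled after deadline", now - deadline))
            elif a.disabled_at is None:
                # Disabled, but nothing proves when: an evidence gap the assessor must resolve.
                findings.append(Finding(t.user, "A.03.09.02.A.01", a.system,
                                        "disabled with no recorded timestamp"))
            elif a.disabled_at > deadline:
                findings.append(Finding(t.user, "A.03.09.02.A.01", a.system,
                                        "disabled after deadline", a.disabled_at - deadline))
        for c in (x for x in authenticators if x.user == t.user):
            if c.revoked_at is None and now > deadline:
                findings.append(Finding(t.user, "A.03.09.02.A.02", c.kind,
                                        "authenticator not revoked", now - deadline))
            elif c.revoked_at is not None and c.revoked_at > deadline:
                findings.append(Finding(t.user, "A.03.09.02.A.02", c.kind,
                                        "revoked after deadline", c.revoked_at - deadline))
    return findings


if __name__ == "__main__":
    for f in check_terminations(TERMINATIONS, ACCOUNTS, AUTHENTICATORS, now=NOW):
        late = f" (late by {f.late_by})" if f.late_by else ""
        print(f"{f.objective} {f.user}/{f.subject}: {f.detail}{late}")
```

<p>On the sample records the check reports three findings: alice's VPN account disabled 25 hours past the deadline, alice's SSH key never revoked, and carol's file server account disabled with no recorded time. Bob produces nothing because his deadline has not yet passed at the fixed <code>NOW</code>; widening the window to 72 hours clears the late VPN disable but leaves the unrevoked key and the evidence gap, which is the behaviour an assessor should expect when the organization's defined time period changes.</p>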
<p><strong>Interview</strong></p> <p>[Select from: personnel with personnel security responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for personnel termination; processes for personnel transfer; mechanisms for supporting or implementing personnel transfer notifications; mechanisms for supporting or implementing personnel termination notifications; mechanisms for disabling system access and revoking authenticators]</p> <h5>References</h5> <p>Source assessment procedures: PS-04, PS-05</p> </details></section> <section><h3 id="3.10">3.10 Physical protection</h3> <p>The Physical protection controls support the control of physical access to systems, equipment, and the respective operating environments to authorized individuals. 
They facilitate the protection of the physical plant and support infrastructure for systems, the protection of systems against environmental hazards, and provide appropriate environmental controls in facilities containing systems.</p> <details><summary><h4>03.10.01 Physical access authorizations</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.10.01.odp"><strong>A.03.10.01.ODP:</strong> the frequency at which to review the access list detailing authorized physical access by individuals is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.10.01.A[01]:</strong> a list of individuals with authorized access to the facility where the system resides is developed</li> <li><strong>A.03.10.01.A[02]:</strong> a list of individuals with authorized access to the facility where the system resides is approved</li> <li><strong>A.03.10.01.A[03]:</strong> a list of individuals with authorized access to the facility where the system resides is maintained</li> <li><strong>A.03.10.01.B:</strong> authorization credentials for facility access are issued</li> <li><strong>A.03.10.01.C:</strong> the physical access list is reviewed <strong>&lt;A.03.10.01.ODP: frequency&gt;</strong></li> <li><strong>A.03.10.01.D:</strong> individuals from the physical access list are removed when access is no longer required</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; procedures for physical access authorizations; authorized personnel access list; physical access list reviews; physical access termination records; authorization credentials; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with physical access authorization responsibilities; personnel with physical access to the facility where the system 
resides; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for physical access authorizations; mechanisms for supporting or implementing physical access authorizations]</p> <h5>References</h5> <p>Source assessment procedure: PE-02</p> </details><details><summary><h4>03.10.02 Monitoring physical access</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.10.02.odp-01"><strong>A.03.10.02.ODP[01]:</strong> the frequency at which to review physical access logs is defined</li> <li id="a.03.10.02.odp-02"><strong>A.03.10.02.ODP[02]:</strong> events or potential indications of events requiring physical access logs to be reviewed are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.10.02.A[01]:</strong> physical access to the facility where the system resides is monitored to detect physical security incidents</li> <li><strong>A.03.10.02.A[02]:</strong> physical security incidents are responded to</li> <li><strong>A.03.10.02.B[01]:</strong> physical access logs are reviewed <strong>&lt;A.03.10.02.ODP[01]: frequency&gt;</strong></li> <li><strong>A.03.10.02.B[02]:</strong> physical access logs are reviewed upon occurrence of <strong>&lt;A.03.10.02.ODP[02]: events or potential indications of events&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; procedures for physical access monitoring; physical access logs or records; physical access monitoring records; physical access log reviews; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with physical access monitoring responsibilities; personnel with incident response responsibilities; personnel with information security responsibilities]</p> 
<p><strong>Test</strong></p> <p>[Select from: processes for monitoring physical access; mechanisms for supporting or implementing physical access monitoring; mechanisms for supporting or implementing the review of physical access logs]</p> <h5>References</h5> <p>Source assessment procedure: PE-06</p> </details><h4>03.10.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.10.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.10.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.10.06 Alternate work site</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.10.06.odp"><strong>A.03.10.06.ODP:</strong> security requirements to be employed at alternate work sites are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.10.06.A:</strong> alternate work sites allowed for use by employees are determined</li> <li><strong>A.03.10.06.B:</strong> the following security requirements are employed at alternate work sites: <strong>&lt;A.03.10.06.ODP: security requirements&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; procedures for alternate work sites for personnel; list of security requirements for alternate work sites; assessments of security requirements at alternate work sites; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel approving the use of alternate work sites; personnel using alternate work sites; personnel assessing security requirements at alternate work sites; personnel with information security and privacy 
responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for security and privacy at alternate work sites; mechanisms for supporting alternate work sites; security and privacy requirements employed at alternate work sites; means of communication between personnel at alternate work sites and security personnel]</p> <h5>References</h5> <p>Source assessment procedure: PE-17</p> </details><details><summary><h4>03.10.07 Physical access control</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.10.07.A.01:</strong> physical access authorizations are enforced at entry and exit points to the facility where the system resides by verifying individual physical access authorizations before granting access</li> <li><strong>A.03.10.07.A.02:</strong> physical access authorizations are enforced at entry and exit points to the facility where the system resides by controlling ingress and egress with physical access control systems, devices, or guards</li> <li><strong>A.03.10.07.B:</strong> physical access audit logs for entry or exit points are maintained</li> <li><strong>A.03.10.07.C[01]:</strong> visitors are escorted</li> <li><strong>A.03.10.07.C[02]:</strong> visitor activity is controlled</li> <li><strong>A.03.10.07.D:</strong> keys, combinations, and other physical access devices are secured</li> <li><strong>A.03.10.07.E:</strong> physical access to output devices is controlled to prevent unauthorized individuals from obtaining access to specified information</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; procedures for physical access control; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security 
safeguards controlling access to designated publicly accessible areas within the facility; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with physical access control responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for physical access control; mechanisms for supporting or implementing physical access control; physical access control devices]</p> <h5>References</h5> <p>Source assessment procedures: PE-03, PE-05</p> </details><details><summary><h4>03.10.08 Access control for transmission</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.10.08:</strong> physical access to system distribution and transmission lines within organizational facilities is controlled</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: physical protection policy and procedures; procedures for access control for transmission mediums; system design documentation; facility communications and wiring diagrams; list of physical security safeguards applied to system distribution and transmission lines; procedures for access control for display medium; facility layout of system components; list of output devices and associated outputs that require physical access controls; actual displays from system components; physical access control logs or records for areas containing output devices and related outputs; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with physical access control responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for access control for distribution and transmission lines; mechanisms for supporting or implementing access control for distribution and transmission lines; processes 
for access control to output devices; mechanisms for supporting or implementing access control for output devices]</p> <h5>References</h5> <p>Source assessment procedure: PE-04</p> </details></section> <section><h3 id="3.11">3.11 Risk assessment</h3> <p>The Risk assessment controls deal with the periodic conduct of risk assessments, including <abbr title="privacy impact assessments">PIAs</abbr>, resulting from the operation of organizational systems and associated handling, storage, or transmission of data and information.</p> <details><summary><h4>03.11.01 Risk assessment</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.11.01.odp"><strong>A.03.11.01.ODP:</strong> the frequency at which to update the risk assessment is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.11.01.A:</strong> the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of specified information is assessed</li> <li><strong>A.03.11.01.B:</strong> risk assessments are updated <strong>&lt;A.03.11.01.ODP: frequency&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: risk assessment policy and procedures; security and privacy planning policy and procedures; procedures for organizational assessments of risk; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; supply chain risk management (SCRM) policy and procedures; inventory of critical systems, system components, and system services; procedures for organizational assessments of supply chain 
risk; acquisition policy; <abbr title="supply chain risk management">SCRM</abbr> plan; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with risk assessment responsibilities; personnel with <abbr title="supply chain risk management">SCRM</abbr> responsibilities; personnel with security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for organizational risk assessments; mechanisms for supporting or conducting, documenting, reviewing, disseminating, and updating risk assessments; mechanisms for supporting or conducting, documenting, reviewing, disseminating, and updating supply chain risk assessments]</p> <h5>References</h5> <p>Source assessment procedures: RA-03, RA-03(01), SR-06</p> </details><details><summary><h4>03.11.02 Vulnerability monitoring and scanning</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.11.02.odp-01"><strong>A.03.11.02.ODP[01]:</strong> the frequency at which the system is monitored for vulnerabilities is defined</li> <li id="a.03.11.02.odp-02"><strong>A.03.11.02.ODP[02]:</strong> the frequency at which the system is scanned for vulnerabilities is defined</li> <li id="a.03.11.02.odp-03"><strong>A.03.11.02.ODP[03]:</strong> response times to remediate system vulnerabilities are defined</li> <li id="a.03.11.02.odp-04"><strong>A.03.11.02.ODP[04]:</strong> the frequency at which to update system vulnerabilities to be scanned is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.11.02.A[01]:</strong> the system is monitored for vulnerabilities <strong>&lt;A.03.11.02.ODP[01]: frequency&gt;</strong></li> <li><strong>A.03.11.02.A[02]:</strong> the system is scanned for vulnerabilities <strong>&lt;A.03.11.02.ODP[02]: frequency&gt;</strong></li> <li><strong>A.03.11.02.A[03]:</strong> the system is 
monitored for vulnerabilities when new vulnerabilities that affect the system are identified</li> <li><strong>A.03.11.02.A[04]:</strong> the system is scanned for vulnerabilities when new vulnerabilities that affect the system are identified</li> <li><strong>A.03.11.02.B:</strong> system vulnerabilities are remediated within <strong>&lt;A.03.11.02.ODP[03]: response times&gt;</strong></li> <li><strong>A.03.11.02.C[01]:</strong> system vulnerabilities to be scanned are updated <strong>&lt;A.03.11.02.ODP[04]: frequency&gt;</strong></li> <li><strong>A.03.11.02.C[02]:</strong> system vulnerabilities to be scanned are updated when new vulnerabilities are identified and reported</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: risk assessment policy and procedures; procedures for vulnerability scanning; patch and vulnerability management records; vulnerability scanning tools and configuration documentation; vulnerability scanning results; risk assessment; risk assessment report; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with risk assessment and vulnerability scanning responsibilities; personnel with vulnerability scan analysis responsibilities; personnel with vulnerability remediation responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for vulnerability monitoring, scanning, analysis, and remediation; mechanisms for supporting or implementing vulnerability monitoring, scanning, analysis, and remediation]</p> <h5>References</h5> <p>Source assessment procedures: RA-05, RA-05(02)</p> </details><h4>03.11.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.11.04 Risk response</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled 
lst-spcd"><li><strong>A.03.11.04[01]:</strong> findings from security assessments are responded to</li> <li><strong>A.03.11.04[02]:</strong> findings from security monitoring are responded to</li> <li><strong>A.03.11.04[03]:</strong> findings from security audits are responded to</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: risk assessment policy; assessment reports; system audit records; event logs; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with assessment and auditing responsibilities; system administrators; personnel with security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for assessments and audits; mechanisms and tools supporting or implementing assessments and auditing]</p> <h5>References</h5> <p>Source assessment procedure: RA-07</p> </details></section> <section><h3 id="3.12">3.12 Security assessment and monitoring</h3> <p>The Security assessment and monitoring controls deal with the security assessment and monitoring of the system.</p> <details><summary><h4>03.12.01 Security assessment</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.12.01.odp"><strong>A.03.12.01.ODP:</strong> the frequency at which to assess the security requirements for the system and its environment of operation is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.12.01:</strong> the security requirements for the system and its environment of operation are assessed <strong>&lt;A.03.12.01.ODP: 
frequency&gt;</strong> to determine if the requirements have been satisfied</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: security assessment and monitoring policy and procedures; procedures for security assessment planning; security assessment plan; security assessment report; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with security assessment responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting security assessments, processes for security assessment plan development, or security assessment reporting]</p> <h5>References</h5> <p>Source assessment procedure: CA-02</p> </details><details><summary><h4>03.12.02 Plan of action and milestones</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.12.02.A.01:</strong> a plan of action and milestones for the system is developed to document the planned remediation actions for correcting weaknesses or deficiencies noted during security assessments</li> <li><strong>A.03.12.02.A.02:</strong> a plan of action and milestones for the system is developed to reduce or eliminate known system vulnerabilities</li> <li><strong>A.03.12.02.B.01:</strong> the existing plan of action and milestones is updated based on the findings from security assessments</li> <li><strong>A.03.12.02.B.02:</strong> the existing plan of action and milestones is updated based on the findings from audits or reviews</li> <li><strong>A.03.12.02.B.03:</strong> the existing plan of action and milestones is updated based on the findings from continuous monitoring activities</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: security assessment and monitoring policy and procedures; procedures for plans of action 
and milestones; security assessment plan; security assessment report; security assessment evidence; plan of action and milestones; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with plans of action and milestones development and implementation responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for developing, implementing, and maintaining plans of action and milestones]</p> <h5>References</h5> <p>Source assessment procedure: CA-05</p> </details><details><summary><h4>03.12.03 Continuous monitoring</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.12.03[01]:</strong> a system-level continuous monitoring strategy is developed</li> <li><strong>A.03.12.03[02]:</strong> a system-level continuous monitoring strategy is implemented</li> <li><strong>A.03.12.03[03]:</strong> ongoing monitoring is included in the continuous monitoring strategy</li> <li><strong>A.03.12.03[04]:</strong> security assessments are included in the continuous monitoring strategy</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: security assessment and monitoring policy and procedures; organizational continuous monitoring strategy; system-level continuous monitoring strategy; procedures for continuous monitoring of the system; procedures for configuration management; security assessment report; privacy assessment report; plan of action and milestones; system monitoring records; configuration management records; impact analyses; status reports; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with continuous monitoring responsibilities; personnel with information security and privacy responsibilities; system administrators]</p> 
<p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing continuous monitoring; mechanisms for supporting response actions for assessment and monitoring results; mechanisms for supporting security and privacy status reporting]</p> <h5>References</h5> <p>Source assessment procedure: CA-07</p> </details><h4>03.12.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.12.05 Information exchange</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.12.05.odp-01"><strong>A.03.12.05.ODP[01]:</strong> 1 or more of the following parameter values are selected: {interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; information sharing arrangements; service-level agreements; user agreements; nondisclosure agreements; other types of agreements}</li> <li id="a.03.12.05.odp-02"><strong>A.03.12.05.ODP[02]:</strong> the frequency at which to review and update agreements is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.12.05.A[01]:</strong> the exchange of specified information between the system and other systems is approved using <strong>&lt;A.03.12.05.ODP[01]: selected parameter values&gt;</strong></li> <li><strong>A.03.12.05.A[02]:</strong> the exchange of specified information between the system and other systems is managed using <strong>&lt;A.03.12.05.ODP[01]: selected parameter values&gt;</strong></li> <li><strong>A.03.12.05.B[01]:</strong> interface characteristics for each system are documented as part of the exchange agreements</li> <li><strong>A.03.12.05.B[02]:</strong> security and privacy requirements for each system are documented as part of the exchange agreements</li> <li><strong>A.03.12.05.B[03]:</strong> responsibilities for each system are documented as part of the exchange 
agreements</li> <li><strong>A.03.12.05.C[01]:</strong> exchange agreements are reviewed <strong>&lt;A.03.12.05.ODP[02]: frequency&gt;</strong></li> <li><strong>A.03.12.05.C[02]:</strong> exchange agreements are updated <strong>&lt;A.03.12.05.ODP[02]: frequency&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: access control policy and procedures; procedures for system connections; system and communications protection policy and procedures; system interconnection security agreements; information exchange security agreements; service-level agreements; memoranda of understanding or agreements; information sharing arrangements; nondisclosure agreements; system design documentation; enterprise architecture; security architecture; system configuration settings; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with development, implementation, and approval responsibilities for system interconnection agreements; personnel who manage systems to which the exchange agreements apply; personnel with information security and privacy responsibilities]</p> <h5>References</h5> <p>Source assessment procedure: CA-03</p> </details></section> <section><h3 id="3.13">3.13 System and communications protection</h3> <p>The System and communications protection controls support the monitoring, control and protection of the systems themselves and of the communications between and within the systems.</p> <details><summary><h4>03.13.01 Boundary protection</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.01.A[01]:</strong> communications at external 
managed interfaces to the system are monitored</li> <li><strong>A.03.13.01.A[02]:</strong> communications at external managed interfaces to the system are controlled</li> <li><strong>A.03.13.01.A[03]:</strong> communications at key internal managed interfaces within the system are monitored</li> <li><strong>A.03.13.01.A[04]:</strong> communications at key internal managed interfaces within the system are controlled</li> <li><strong>A.03.13.01.B:</strong> subnetworks are implemented for publicly accessible system components that are physically or logically separated from internal networks</li> <li><strong>A.03.13.01.C:</strong> external system connections are only made through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for boundary protection; list of key internal boundaries within the system; boundary protection hardware and software; system configuration settings; security architecture; system audit records; system design documentation; enterprise security architecture documentation; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with boundary protection responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing boundary protection capabilities]</p> <h5>References</h5> <p>Source assessment procedure: SC-07</p> </details><h4>03.13.02 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.13.03 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> 
<details><summary><h4>03.13.04 Information in shared system resources</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.04[01]:</strong> unauthorized information transfer via shared system resources is prevented</li> <li><strong>A.03.13.04[02]:</strong> unintended information transfer via shared system resources is prevented</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for information protection in shared system resources; system configuration settings; system audit records; system design documentation; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for preventing the unauthorized and unintended transfer of information via shared system resources]</p> <h5>References</h5> <p>Source assessment procedure: SC-04</p> </details><h4>03.13.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.13.06 Network communications – deny by default – allow by exception</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.06[01]:</strong> network communications traffic is denied by default</li> <li><strong>A.03.13.06[02]:</strong> network communications traffic is allowed by exception</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for boundary protection; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> 
<p>[Select from: personnel with boundary protection responsibilities; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for implementing traffic management at managed interfaces]</p> <h5>References</h5> <p>Source assessment procedure: SC-07(05)</p> </details><h4>03.13.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.13.08 Transmission and storage confidentiality</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.08[01]:</strong> cryptographic mechanisms are implemented to prevent the unauthorized disclosure of specified information during transmission</li> <li><strong>A.03.13.08[02]:</strong> cryptographic mechanisms are implemented to prevent the unauthorized disclosure of specified information while in storage</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for transmission confidentiality; procedures for the protection of information at rest; system design documentation; system configuration settings; cryptographic mechanisms and associated configuration documentation; information in storage requiring confidentiality protection; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing transmission confidentiality; cryptographic mechanisms for supporting or implementing transmission confidentiality; mechanisms for supporting or implementing confidentiality protection for information in storage; cryptographic mechanisms for implementing 
confidentiality protections for information in storage]</p> <h5>References</h5> <p>Source assessment procedures: SC-08, SC-08(01), SC-28, SC-28(01)</p> </details><details><summary><h4>03.13.09 Network disconnect</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.13.09.odp"><strong>A.03.13.09.ODP:</strong> the time period of inactivity after which the system terminates a network connection associated with a communications session is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.09:</strong> the network connection associated with a communications session is terminated at the end of the session or after <strong>&lt;A.03.13.09.ODP: time period&gt;</strong> of inactivity</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for network disconnect; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing a network disconnect capability]</p> <h5>References</h5> <p>Source assessment procedure: SC-10</p> </details><details><summary><h4>03.13.10 Cryptographic key establishment and management</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.13.10.odp"><strong>A.03.13.10.ODP:</strong> requirements for key generation, distribution, storage, access, and destruction are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.10[01]:</strong> cryptographic keys are established in the system in 
accordance with the following key management requirements: <strong>&lt;A.03.13.10.ODP: requirements&gt;</strong></li> <li><strong>A.03.13.10[02]:</strong> cryptographic keys are managed in the system in accordance with the following key management requirements: <strong>&lt;A.03.13.10.ODP: requirements&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for cryptographic key establishment and management; system design documentation; system configuration settings; cryptographic mechanisms; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for cryptographic key establishment or management; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing cryptographic key establishment and management]</p> <h5>References</h5> <p>Source assessment procedure: SC-12</p> </details><details><summary><h4>03.13.11 Cryptographic protection</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.13.11.odp"><strong>A.03.13.11.ODP:</strong> the types of cryptography for protecting the confidentiality of specified information are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.11:</strong> the following types of cryptography are implemented to protect the confidentiality of specified information: <strong>&lt;A.03.13.11.ODP: types of cryptography&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for cryptographic protection; system design documentation; system 
configuration settings; cryptographic module validation certificates; list of Federal Information Processing Standards (FIPS) 140-validated cryptographic modules; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for cryptographic protection; personnel with information security responsibilities; system developers; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing cryptographic protection]</p> <h5>References</h5> <p>Source assessment procedure: SC-13</p> </details><details><summary><h4>03.13.12 Collaborative computing devices and applications</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.13.12.odp"><strong>A.03.13.12.ODP:</strong> exceptions where remote activation is to be allowed are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.12.A:</strong> the remote activation of collaborative computing devices and applications is prohibited with the following exceptions: <strong>&lt;A.03.13.12.ODP: exceptions&gt;</strong></li> <li><strong>A.03.13.12.B:</strong> an explicit indication of use is provided to users who are physically present at the devices</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for collaborative computing; access control policy and procedures; system configuration settings; system design documentation; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for managing collaborative computing devices; personnel with information security responsibilities; system developers; system administrators]</p> 
<p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing the management of remote activation of collaborative computing devices; mechanisms for providing an indication of use of collaborative computing devices]</p> <h5>References</h5> <p>Source assessment procedure: SC-15</p> </details><details><summary><h4>03.13.13 Mobile code</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.13.A[01]:</strong> acceptable mobile code is defined</li> <li><strong>A.03.13.13.A[02]:</strong> acceptable mobile code technologies are defined</li> <li><strong>A.03.13.13.B[01]:</strong> the use of mobile code is authorized</li> <li><strong>A.03.13.13.B[02]:</strong> the use of mobile code is monitored</li> <li><strong>A.03.13.13.B[03]:</strong> the use of mobile code is controlled</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for mobile code; mobile code implementation policy and procedures; list of acceptable mobile code and mobile code technologies; authorization records; system monitoring records; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for managing mobile code; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for authorizing, monitoring, and controlling mobile code; mechanisms for supporting or implementing the management of mobile code; mechanisms for supporting or implementing mobile code monitoring]</p> <h5>References</h5> <p>Source assessment procedure: SC-18</p> </details><h4>03.13.14 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.13.15 Session authenticity</h4> 
</summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.13.15:</strong> the authenticity of communications sessions is protected</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and communications protection policy and procedures; procedures for session authenticity; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: mechanisms for supporting or implementing session authenticity]</p> <h5>References</h5> <p>Source assessment procedure: SC-23</p> </details><h4>03.13.16 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> </section> <section><h3 id="3.14">3.14 System and information integrity</h3> <p>The System and information integrity controls support the protection of the integrity of the system components and the data that it processes. 
They allow an organization to:</p> <ul><li>identify, report and correct data and system flaws in a timely manner</li> <li>provide protection against malicious code</li> <li>monitor system security alerts and advisories</li> <li>take appropriate actions in response.</li> </ul><details><summary><h4>03.14.01 Flaw remediation</h4> </summary><h5><abbr title="organization-defined parameters">ODPs</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.14.01.odp-1"><strong>A.03.14.01.ODP[01]:</strong> the time period within which to install security-relevant software updates after the release of the updates is defined</li> <li id="a.03.14.01.odp-2"><strong>A.03.14.01.ODP[02]:</strong> the time period within which to install security-relevant firmware updates after the release of the updates is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.14.01.A[01]:</strong> system flaws are identified</li> <li><strong>A.03.14.01.A[02]:</strong> system flaws are reported</li> <li><strong>A.03.14.01.A[03]:</strong> system flaws are corrected</li> <li><strong>A.03.14.01.B[01]:</strong> security-relevant software updates are installed within <strong>&lt;A.03.14.01.ODP[01]: time period&gt;</strong> of the release of the updates</li> <li><strong>A.03.14.01.B[02]:</strong> security-relevant firmware updates are installed within <strong>&lt;A.03.14.01.ODP[02]: time period&gt;</strong> of the release of the updates</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and information integrity policy and procedures; procedures for flaw remediation; procedures for configuration management; list of recent security flaw remediation actions performed on the system; list of flaws and vulnerabilities that may potentially affect the system; test results from the installation of software and firmware updates to correct system flaws; installation and change control records for 
security-relevant software and firmware updates; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel responsible for installing, configuring, or maintaining the system; personnel responsible for flaw remediation; personnel with configuration management responsibilities; personnel with information security and privacy responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for identifying, reporting, and correcting system flaws; processes for installing software and firmware updates; mechanisms for supporting or implementing the reporting and correction of system flaws; mechanisms for supporting or implementing the testing of software and firmware updates]</p> <h5>References</h5> <p>Source assessment procedure: SI-02</p> </details><details><summary><h4>03.14.02 Malicious code protection</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.14.02.odp"><strong>A.03.14.02.ODP:</strong> the frequency at which malicious code protection mechanisms perform scans is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.14.02.A[01]:</strong> malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code</li> <li><strong>A.03.14.02.A[02]:</strong> malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code</li> <li><strong>A.03.14.02.B:</strong> malicious code protection mechanisms are updated as new releases are available in accordance with configuration management policy and procedures</li> <li><strong>A.03.14.02.C.01[01]:</strong> malicious code protection mechanisms are configured to perform scans of the system <strong>&lt;A.03.14.02.ODP: frequency&gt;</strong></li> <li><strong>A.03.14.02.C.01[02]:</strong> malicious code protection 
mechanisms are configured to perform real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed</li> <li><strong>A.03.14.02.C.02:</strong> malicious code protection mechanisms are configured to block or quarantine malicious code, or take other mitigation actions in response to malicious code detection</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and information integrity policy and procedures; configuration management policy and procedures; procedures for malicious code protection; records of malicious code protection updates; system design documentation; system configuration settings; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel responsible for malicious code protection; personnel with system installation, configuration, or maintenance responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for employing, updating, and configuring malicious code protection mechanisms; processes for addressing the detection of false positives and resulting potential impacts; mechanisms for supporting or implementing, employing, updating, and configuring malicious code protection mechanisms; mechanisms for supporting or implementing malicious code scanning and the execution of subsequent actions]</p> <h5>References</h5> <p>Source assessment procedure: SI-03</p> </details><details><summary><h4>03.14.03 Security alerts, advisories, and directives</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.14.03.A[01]:</strong> system security 
alerts, advisories, and directives from external organizations are received on an ongoing basis</li> <li><strong>A.03.14.03.B[01]:</strong> internal security alerts, advisories, and directives are generated, as necessary</li> <li><strong>A.03.14.03.B[02]:</strong> internal security alerts, advisories, and directives are disseminated, as necessary</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and information integrity policy and procedures; procedures for security alerts, advisories, and directives; records of security alerts and advisories; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with security alert and advisory responsibilities; personnel implementing, operating, maintaining, and using the system; personnel, organizational elements, or external organizations to whom alerts, advisories, and directives are to be disseminated; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives; mechanisms for supporting or implementing security directives; mechanisms for supporting or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives]</p> <h5>References</h5> <p>Source assessment procedure: SI-05</p> </details><h4>03.14.04 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <h4>03.14.05 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and Technology">NIST</abbr>.</p> <details><summary><h4>03.14.06 System monitoring</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.14.06.A.01[01]:</strong> the system is monitored to detect attacks</li> 
<li><strong>A.03.14.06.A.01[02]:</strong> the system is monitored to detect indicators of potential attacks</li> <li><strong>A.03.14.06.A.02:</strong> the system is monitored to detect unauthorized connections</li> <li><strong>A.03.14.06.B:</strong> unauthorized use of the system is identified</li> <li><strong>A.03.14.06.C[01]:</strong> inbound communications traffic is monitored to detect unusual or unauthorized activities or conditions</li> <li><strong>A.03.14.06.C[02]:</strong> outbound communications traffic is monitored to detect unusual or unauthorized activities or conditions</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and information integrity policy and procedures; procedures for system monitoring tools and techniques; continuous monitoring strategy; facility diagram or layout; system design documentation; locations within the system where monitoring devices are deployed; system configuration settings; system protocols; system audit records; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with responsibilities for installing, configuring, or maintaining the system; personnel with system monitoring responsibilities; personnel with intrusion detection responsibilities; personnel with information security responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for intrusion detection and system monitoring; mechanisms for supporting or implementing system monitoring capabilities; mechanisms for supporting or implementing intrusion detection and system monitoring capabilities; mechanisms for supporting or implementing the monitoring of inbound and outbound communications traffic]</p> <h5>References</h5> <p>Source assessment procedures: SI-04, SI-04(04)</p> </details><h4>03.14.07 Not allocated</h4> <p>Withdrawn by <abbr title="National Institute of Standards and 
Technology">NIST</abbr>.</p> <details><summary><h4>03.14.08 Information management and retention</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.14.08[01]:</strong> specified information within the system is managed in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and operational requirements</li> <li><strong>A.03.14.08[02]:</strong> specified information within the system is retained in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and operational requirements</li> <li><strong>A.03.14.08[03]:</strong> specified information output from the system is managed in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and operational requirements</li> <li><strong>A.03.14.08[04]:</strong> specified information output from the system is retained in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, guidelines, and operational requirements</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and information integrity policy and procedures; laws, Orders in Council, directives, policies, regulations, standards, and operational requirements applicable to information management and retention; records retention and disposition policy; records retention and disposition procedures; personal information handling policy; media protection policy; media protection procedures; audit findings; system security plan; privacy plan; privacy program plan; personal information inventory; <abbr title="privacy impact assessment">PIA</abbr>, privacy risk assessment documentation; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information and records management, retention, and disposition responsibilities; 
personnel with information security and privacy responsibilities; system administrators]</p> <p><strong>Test</strong></p> <p>[Select from: processes for information management, retention, and disposition; mechanisms for supporting or implementing information management, retention, and disposition]</p> <h5>References</h5> <p>Source assessment procedure: SI-12</p> </details></section> <section><h3 id="3.15">3.15 Planning</h3> <p>The Planning controls and assurance activities deal with the development, documentation, update, and implementation of security and privacy plans for organizational systems. Those plans describe the security and privacy controls and assurance activities in place or planned for the systems, and the rules of behaviour for individuals accessing the systems.</p> <details><summary><h4>03.15.01 Policy and procedures</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.15.01.odp"><strong>A.03.15.01.ODP:</strong> the frequency at which the policies and procedures for satisfying security requirements are reviewed and updated is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.15.01.A[01]:</strong> policies needed to satisfy the security requirements for the protection of specified information are developed and documented</li> <li><strong>A.03.15.01.A[02]:</strong> policies needed to satisfy the security requirements for the protection of specified information are disseminated to organizational personnel or roles</li> <li><strong>A.03.15.01.A[03]:</strong> procedures needed to satisfy the security requirements for the protection of specified information are developed and 
documented</li> <li><strong>A.03.15.01.A[04]:</strong> procedures needed to satisfy the security requirements for the protection of specified information are disseminated to organizational personnel or roles</li> <li><strong>A.03.15.01.B[01]:</strong> policies and procedures are reviewed <strong>&lt;A.03.15.01.ODP: frequency&gt;</strong></li> <li><strong>A.03.15.01.B[02]:</strong> policies and procedures are updated <strong>&lt;A.03.15.01.ODP: frequency&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: security policies and procedures associated with the protection of specified information; audit findings; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with information security and privacy responsibilities]</p> <h5>References</h5> <p>Source assessment procedures: AC-01, AT-01, AU-01, CA-01, CM-01, IA-01, IR-01, MA-01, MP-01, PE-01, PL-01, PS-01, RA-01, SA-01, SC-01, SI-01, SR-01</p> </details><details><summary><h4>03.15.02 System security plan</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.15.02.odp"><strong>A.03.15.02.ODP:</strong> the frequency at which the system security plan is reviewed and updated is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.15.02.A.01:</strong> a system security plan that defines the constituent system components is developed</li> <li><strong>A.03.15.02.A.02:</strong> a system security plan that identifies the information types processed, stored, and transmitted by the system is developed</li> <li><strong>A.03.15.02.A.03:</strong> a system security plan that describes specific threats to the system that are of concern to the organization is developed</li> <li><strong>A.03.15.02.A.04:</strong> a system security plan that describes the operational 
environment for the system and any dependencies on or connections to other systems or system components is developed</li> <li><strong>A.03.15.02.A.05:</strong> a system security plan that provides an overview of the security requirements for the system is developed</li> <li><strong>A.03.15.02.A.06:</strong> a system security plan that describes the safeguards in place or planned for meeting the security requirements is developed</li> <li><strong>A.03.15.02.A.07:</strong> a system security plan that identifies individuals that fulfill system roles and responsibilities is developed</li> <li><strong>A.03.15.02.A.08:</strong> a system security plan that includes other relevant information necessary for the protection of specified information is developed</li> <li><strong>A.03.15.02.B[01]:</strong> the system security plan is reviewed <strong>&lt;A.03.15.02.ODP: frequency&gt;</strong></li> <li><strong>A.03.15.02.B[02]:</strong> the system security plan is updated <strong>&lt;A.03.15.02.ODP: frequency&gt;</strong></li> <li><strong>A.03.15.02.C:</strong> the system security plan is protected from unauthorized disclosure</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: security planning policy and procedures; procedures for system security and privacy plan development and implementation; procedures for system security and privacy plan reviews and updates; enterprise architecture; system security plan; privacy plan; records of system security and privacy plan reviews and updates; risk assessments; risk assessment results; security architecture and design documentation; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system security planning and plan implementation responsibilities; system developers; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for system security and privacy 
plan development, review, update, and approval]</p> <h5>References</h5> <p>Source assessment procedure: PL-02</p> </details><details><summary><h4>03.15.03 Rules of behaviour</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.15.03.odp"><strong>A.03.15.03.ODP:</strong> the frequency at which the rules of behaviour are reviewed and updated is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.15.03.A:</strong> rules that describe responsibilities and expected behaviour for system usage and protecting specified information are established</li> <li><strong>A.03.15.03.B:</strong> rules are provided to individuals who require access to the system</li> <li><strong>A.03.15.03.C:</strong> a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behaviour is received before authorizing access to specified information and the system</li> <li><strong>A.03.15.03.D[01]:</strong> the rules of behaviour are reviewed <strong>&lt;A.03.15.03.ODP: frequency&gt;</strong></li> <li><strong>A.03.15.03.D[02]:</strong> the rules of behaviour are updated <strong>&lt;A.03.15.03.ODP: frequency&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: security and privacy planning policy and procedures; rules of behaviour for system users; signed acknowledgements of rules of behaviour; records for rules of behaviour reviews and updates; system security plan; privacy plan; information sharing arrangements; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with rules of behaviour establishment, review, and update responsibilities; personnel with literacy training and awareness responsibilities; personnel with role-based training responsibilities; authorized users of the system who have signed rules of 
behaviour; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for establishing, reviewing, disseminating, and updating rules of behaviour; mechanisms for supporting or implementing the establishment, dissemination, review, and update of rules of behaviour]</p> <h5>References</h5> <p>Source assessment procedure: PL-04</p> </details></section> <section><h3 id="3.16">3.16 System and services acquisition</h3> <p>The System and services acquisition controls deal with the contracting of products and services required to support the implementation and operation of organizational systems. They ensure that sufficient resources are allocated for the protection of organizational systems, and they support system development lifecycle processes that incorporate security considerations.</p> <details><summary><h4>03.16.01 Security engineering principles</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.16.01.odp"><strong>A.03.16.01.ODP:</strong> systems security engineering principles to be applied to the development or modification of the system and system components are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.16.01:</strong> <strong>&lt;A.03.16.01.ODP: systems security engineering principles&gt;</strong> are applied to the development or modification of the system and system components</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and services acquisition policy; system and services acquisition procedures; procedures addressing security 
engineering principles used in the development and modification of the system; system design documentation; security and privacy requirements and specifications for the system; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with acquisition/contracting responsibilities; personnel with information security and privacy responsibilities; personnel with system development and modification responsibilities; system developers]</p> <p><strong>Test</strong></p> <p>[Select from: processes for applying security engineering principles in system development and modification; mechanisms supporting the application of security engineering principles in system development and modification]</p> <h5>References</h5> <p>Source assessment procedure: SA-08</p> </details><details><summary><h4>03.16.02 Unsupported system components</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.16.02.A:</strong> system components are replaced when support for the components is no longer available from the developer, vendor, or manufacturer</li> <li><strong>A.03.16.02.B:</strong> options for risk mitigation or alternative sources for continued support for unsupported components that cannot be replaced are provided</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and services acquisition policy and procedures; procedures for the replacement or continued use of unsupported system components; documented evidence of replacing unsupported system components; documented approvals (including justification) for the continued use of unsupported system components; <abbr title="supply chain risk management">SCRM</abbr> plan; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with system and service acquisition responsibilities; personnel responsible 
for component replacement; personnel with system development lifecycle responsibilities; personnel with information security responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for replacing unsupported system components; mechanisms for supporting or implementing the replacement of unsupported system components]</p> <h5>References</h5> <p>Source assessment procedure: SA-22</p> </details><details><summary><h4>03.16.03 External system services</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.16.03.odp"><strong>A.03.16.03.ODP:</strong> security requirements to be satisfied by external system service providers are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.16.03.A:</strong> the providers of external system services used for the processing, storage, or transmission of specified information comply with the following security requirements: <strong>&lt;A.03.16.03.ODP: security requirements&gt;</strong></li> <li><strong>A.03.16.03.B:</strong> user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers, are defined and documented</li> <li><strong>A.03.16.03.C:</strong> processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis are implemented</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: system and services acquisition policy and procedures; procedures for monitoring security requirement compliance by external service providers; acquisition documentation; contracts; service-level agreements; interagency agreements; licensing agreements; list of security requirements for external provider services; assessment results or reports from external service providers; <abbr title="supply chain risk management">SCRM</abbr> 
plan; system security plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with acquisition responsibilities; external providers of system services; personnel with <abbr title="supply chain risk management">SCRM</abbr> responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: organizational processes for monitoring security and privacy control compliance by external service providers on an ongoing basis; mechanisms for monitoring security and privacy control compliance by external service providers on an ongoing basis]</p> <h5>References</h5> <p>Source assessment procedure: SA-09</p> </details></section> <section><h3 id="3.17">3.17 Supply chain risk management</h3> <p>The Supply chain risk management controls support the mitigation of cyber security risks throughout all phases of the supply chain.</p> <details><summary><h4>03.17.01 Supply chain risk management plan</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.17.01.odp"><strong>A.03.17.01.ODP:</strong> the frequency at which to review and update the <abbr title="supply chain risk management">SCRM</abbr> plan is defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.17.01.A[01]:</strong> a plan for managing supply chain risks is developed</li> <li><strong>A.03.17.01.A[02]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the research and development of the system, system components, or system services</li> <li><strong>A.03.17.01.A[03]:</strong> the 
<abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the design of the system, system components, or system services</li> <li><strong>A.03.17.01.A[04]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the manufacturing of the system, system components, or system services</li> <li><strong>A.03.17.01.A[05]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the acquisition of the system, system components, or system services</li> <li><strong>A.03.17.01.A[06]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the delivery of the system, system components, or system services</li> <li><strong>A.03.17.01.A[07]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the integration of the system, system components, or system services</li> <li><strong>A.03.17.01.A[08]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the operation of the system, system components, or system services</li> <li><strong>A.03.17.01.A[09]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the maintenance of the system, system components, or system services</li> <li><strong>A.03.17.01.A[10]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan addresses risks associated with the disposal of the system, system components, or system services</li> <li><strong>A.03.17.01.B[01]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan is reviewed <strong>&lt;A.03.17.01.ODP: frequency&gt;</strong></li> <li><strong>A.03.17.01.B[02]:</strong> the <abbr title="supply chain risk management">SCRM</abbr> plan is updated <strong>&lt;A.03.17.01.ODP: frequency&gt;</strong></li> <li><strong>A.03.17.01.C:</strong> the 
<abbr title="supply chain risk management">SCRM</abbr> plan is protected from unauthorized disclosure</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: <abbr title="supply chain risk management">SCRM</abbr> policy and procedures; <abbr title="supply chain risk management">SCRM</abbr> plan; system and services acquisition policy and procedures; system and services acquisition procedures; procedures for supply chain protection; procedures for protecting the <abbr title="supply chain risk management">SCRM</abbr> plan from unauthorized disclosure; system development life cycle (SDLC) procedures; procedures for the integration of information security requirements into the acquisition process; acquisition documentation; service-level agreements; acquisition contracts for the system, system components, or system services; list of supply chain threats; list of safeguards for supply chain threats; system lifecycle documentation, including research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal; inter-organizational agreements and procedures; system security plan; privacy plan; privacy program plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with acquisition responsibilities; personnel with <abbr title="supply chain risk management">SCRM</abbr> responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: organizational processes for defining and documenting the <abbr title="system development life cycle">SDLC</abbr>; organizational processes for identifying <abbr title="system development life cycle">SDLC</abbr> roles and responsibilities; organizational processes for integrating <abbr title="supply chain risk management">SCRM</abbr> into the <abbr title="system development life cycle">SDLC</abbr>; mechanisms for supporting 
or implementing the <abbr title="system development life cycle">SDLC</abbr>]</p> <h5>References</h5> <p>Source assessment procedure: SR-02</p> </details><details><summary><h4>03.17.02 Acquisition strategies, tools, and methods</h4> </summary><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.17.02[01]:</strong> acquisition strategies, contract tools, and procurement methods are developed to identify supply chain risks</li> <li><strong>A.03.17.02[02]:</strong> acquisition strategies, contract tools, and procurement methods are developed to protect against supply chain risks</li> <li><strong>A.03.17.02[03]:</strong> acquisition strategies, contract tools, and procurement methods are developed to mitigate supply chain risks</li> <li><strong>A.03.17.02[04]:</strong> acquisition strategies, contract tools, and procurement methods are implemented to identify supply chain risks</li> <li><strong>A.03.17.02[05]:</strong> acquisition strategies, contract tools, and procurement methods are implemented to protect against supply chain risks</li> <li><strong>A.03.17.02[06]:</strong> acquisition strategies, contract tools, and procurement methods are implemented to mitigate supply chain risks</li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: <abbr title="supply chain risk management">SCRM</abbr> policy and procedures; <abbr title="supply chain risk management">SCRM</abbr> plan; system and services acquisition policy and procedures; procedures for supply chain protection; procedures for the integration of information security requirements into the acquisition process; solicitation documentation; acquisition documentation (including purchase orders); service-level agreements; acquisition contracts for the system, system components, or services; documentation of identified supply chain risks; mitigation plans for supply chain risks; documentation of training, education, and awareness programs for 
personnel regarding supply chain risk; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with acquisition responsibilities; personnel with <abbr title="supply chain risk management">SCRM</abbr> responsibilities; personnel with information security and privacy responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods; mechanisms for implementing tailored acquisition strategies, contract tools, and procurement methods]</p> <h5>References</h5> <p>Source assessment procedure: SR-05</p> </details><details><summary><h4>03.17.03 Supply chain requirements and processes</h4> </summary><h5><abbr title="organization-defined parameter">ODP</abbr></h5> <ul class="list-unstyled lst-spcd"><li id="a.03.17.03.odp"><strong>A.03.17.03.ODP:</strong> security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events are defined</li> </ul><h5>Determine if:</h5> <ul class="list-unstyled lst-spcd"><li><strong>A.03.17.03.A[01]:</strong> a process for identifying weaknesses or deficiencies in the supply chain elements and processes is established</li> <li><strong>A.03.17.03.A[02]:</strong> a process for addressing weaknesses or deficiencies in the supply chain elements and processes is established</li> <li><strong>A.03.17.03.B[01]:</strong> the following security requirements are enforced to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences of supply chain-related events: <strong>&lt;A.03.17.03.ODP: security requirements&gt;</strong></li> </ul><h5>Potential assessment methods and objects</h5> <p><strong>Examine</strong></p> <p>[Select from: <abbr title="supply chain risk management">SCRM</abbr> 
policy and procedures; <abbr title="supply chain risk management">SCRM</abbr> strategy; <abbr title="supply chain risk management">SCRM</abbr> plan; systems and critical system components inventory documentation; system and services acquisition policy and procedures; procedures for the integration of security and privacy requirements into the acquisition process; solicitation documentation; acquisition documentation (including purchase orders); shipping and handling procedures; configuration management documentation and records; acquisition contracts for systems or services; service-level agreements; risk register documentation; system security plan; privacy plan; other relevant documents or records]</p> <p><strong>Interview</strong></p> <p>[Select from: personnel with acquisition responsibilities; personnel with information security and privacy responsibilities; personnel with <abbr title="supply chain risk management">SCRM</abbr> responsibilities]</p> <p><strong>Test</strong></p> <p>[Select from: processes for identifying and addressing supply chain element and process deficiencies]</p> <h5>References</h5> <p>Source assessment procedure: SR-03</p> </details></section></section> <section><h2 class="text-info" id="AA">Annex A Organization-defined parameters</h2> <p>This appendix lists the organization-defined parameters (ODPs) that are included in the security requirements in Section 3. 
The <abbr title="organization-defined parameters">ODPs</abbr> are listed sequentially by requirement family, beginning with the first requirement containing an <abbr title="organization-defined parameter">ODP</abbr> in the Access control (AC) family and ending with the last requirement containing an ODP in the Supply chain risk management (SR) family.</p> <div class="panel panel-default"> <header class="panel-heading"><h3 id="tab1">Table 1: Organization-defined parameters</h3> </header><div class="panel-body"> <dl class="dl-horizontal"><dt><a href="#a.03.01.01.odp-01"><strong>Account management A.03.01.01.ODP[01]</strong></a></dt> <dd>The time period for account inactivity before disabling is defined</dd> <dt><a href="#a.03.01.01.odp-02"><strong>Account management A.03.01.01.ODP[02]</strong></a></dt> <dd>The time period within which to notify account managers and designated personnel or roles when accounts are no longer required is defined</dd> <dt><a href="#a.03.01.01.odp-03"><strong>Account management A.03.01.01.ODP[03]</strong></a></dt> <dd>The time period within which to notify account managers and designated personnel or roles when users are terminated or transferred is defined</dd> <dt><a href="#a.03.01.01.odp-04"><strong>Account management A.03.01.01.ODP[04]</strong></a></dt> <dd>The time period within which to notify account managers and designated personnel or roles when system usage or the need-to-know changes for an individual is defined</dd> <dt><a href="#a.03.01.01.odp-05"><strong>Account management A.03.01.01.ODP[05]</strong></a></dt> <dd>The time period of expected inactivity requiring users to log out of the system is defined</dd> <dt><a href="#a.03.01.01.odp-06"><strong>Account management A.03.01.01.ODP[06]</strong></a></dt> <dd>Circumstances requiring users to log out of the system are defined</dd> <dt><a href="#a.03.01.05.odp-01"><strong>Least privilege A.03.01.05.ODP[01]</strong></a></dt> <dd>Security functions for authorized access are 
defined</dd> <dt><a href="#a.03.01.05.odp-02"><strong>Least privilege A.03.01.05.ODP[02]</strong></a></dt> <dd>Security-relevant information for authorized access is defined</dd> <dt><a href="#a.03.01.05.odp-03"><strong>Least privilege A.03.01.05.ODP[03]</strong></a></dt> <dd>The frequency at which to review the privileges assigned to roles or classes of users is defined</dd> <dt><a href="#a.03.01.06.odp-01"><strong>Least privilege — privileged accounts A.03.01.06.ODP</strong></a></dt> <dd>Personnel or roles to which privileged accounts on the system are to be restricted are defined</dd> <dt><a href="#a.03.01.08.odp-01"><strong>Unsuccessful logon attempts A.03.01.08.ODP[01]</strong></a></dt> <dd>The number of consecutive invalid logon attempts by a user allowed during a time period is defined</dd> <dt><a href="#a.03.01.08.odp-02"><strong>Unsuccessful logon attempts A.03.01.08.ODP[02]</strong></a></dt> <dd>The time period to which the number of consecutive invalid logon attempts by a user is limited is defined</dd> <dt><a href="#a.03.01.08.odp-03"><strong>Unsuccessful logon attempts A.03.01.08.ODP[03]</strong></a></dt> <dd>One or more of the following parameter values are selected: {the account or node is locked automatically for <strong>&lt;A.03.01.08.ODP[04]: time period&gt;</strong>; the account or node is locked automatically until released by an administrator; the next logon prompt is delayed automatically; the system administrator is notified automatically; other action is taken automatically}</dd> <dt><a href="#a.03.01.08.odp-04"><strong>Unsuccessful logon attempts A.03.01.08.ODP[04]</strong></a></dt> <dd>The time period for an account or node to be locked is defined (if selected)</dd> <dt><a href="#a.03.01.10.odp-01"><strong>Device lock A.03.01.10.ODP[01]</strong></a></dt> <dd>One or more of the following parameter values are selected: {a device lock is initiated after <strong>&lt;A.03.01.10.ODP[02]: time period&gt;</strong> of inactivity; the user is required 
to initiate a device lock before leaving the system unattended}</dd> <dt><a href="#a.03.01.10.odp-02"><strong>Device lock A.03.01.10.ODP[02]</strong></a></dt> <dd>The time period of inactivity after which a device lock is initiated is defined (if selected)</dd> <dt><a href="#a.03.01.11.odp"><strong>Session termination A.03.01.11.ODP</strong></a></dt> <dd>Conditions or trigger events that require session disconnect are defined</dd> <dt><a href="#a.03.01.20.odp"><strong>Use of external systems A.03.01.20.ODP</strong></a></dt> <dd>Security requirements to be satisfied on external systems prior to allowing the use of or access to those systems by authorized individuals are defined</dd> <dt><a href="#a.03.02.01.odp-01"><strong>Literacy training and awareness A.03.02.01.ODP[01]</strong></a></dt> <dd>The frequency at which to provide security literacy training to system users after initial training is defined</dd> <dt><a href="#a.03.02.01.odp-02"><strong>Literacy training and awareness A.03.02.01.ODP[02]</strong></a></dt> <dd>Events that require security literacy training for system users are defined</dd> <dt><a href="#a.03.02.01.odp-03"><strong>Literacy training and awareness A.03.02.01.ODP[03]</strong></a></dt> <dd>The frequency at which to update security literacy training content is defined</dd> <dt><a href="#a.03.02.01.odp-04"><strong>Literacy training and awareness A.03.02.01.ODP[04]</strong></a></dt> <dd>Events that require security literacy training content updates are defined</dd> <dt><a href="#a.03.02.02.odp-01"><strong>Role-based training A.03.02.02.ODP[01]</strong></a></dt> <dd>The frequency at which to provide role-based security training to assigned personnel after initial training is defined</dd> <dt><a href="#a.03.02.02.odp-02"><strong>Role-based training A.03.02.02.ODP[02]</strong></a></dt> <dd>Events that require role-based security training are defined</dd> <dt><a href="#a.03.02.02.odp-03"><strong>Role-based training A.03.02.02.ODP[03]</strong></a></dt> 
<dd>The frequency at which to update role-based security training content is defined</dd> <dt><a href="#a.03.02.02.odp-04"><strong>Role-based training A.03.02.02.ODP[04]</strong></a></dt> <dd>Events that require role-based security training content updates are defined</dd> <dt><a href="#a.03.03.01.odp-01"><strong>Event logging A.03.03.01.ODP[01]</strong></a></dt> <dd>Event types selected for logging within the system are defined</dd> <dt><a href="#a.03.03.01.odp-02"><strong>Event logging A.03.03.01.ODP[02]</strong></a></dt> <dd>The frequency at which the event types selected for logging are reviewed and updated is defined</dd> <dt><a href="#a.03.03.04.odp-01"><strong>Response to audit logging process failures A.03.03.04.ODP[01]</strong></a></dt> <dd>The time period for organizational personnel or roles receiving audit logging process failure alerts is defined</dd> <dt><a href="#a.03.03.04.odp-02"><strong>Response to audit logging process failures A.03.03.04.ODP[02]</strong></a></dt> <dd>Additional actions to be taken in the event of an audit logging process failure are defined</dd> <dt><a href="#a.03.03.05.odp"><strong>Audit record review, analysis, and reporting A.03.03.05.ODP</strong></a></dt> <dd>The frequency at which system audit records are reviewed and analyzed is defined</dd> <dt><a href="#a.03.03.07.odp"><strong>Time stamps A.03.03.07.ODP</strong></a></dt> <dd>Granularity of time measurement for audit record time stamps is defined</dd> <dt><a href="#a.03.04.01.odp"><strong>Baseline configuration A.03.04.01.ODP</strong></a></dt> <dd>The frequency of baseline configuration review and update is defined</dd> <dt><a href="#a.03.04.02.odp"><strong>Configuration settings A.03.04.02.ODP</strong></a></dt> <dd>Configuration settings for the system that reflect the most restrictive mode consistent with operational requirements are defined</dd> <dt><a href="#a.03.04.06.odp-01"><strong>Least functionality A.03.04.06.ODP[01]</strong></a></dt> <dd>Functions to be prohibited or restricted are 
defined</dd> <dt><a href="#a.03.04.06.odp-02"><strong>Least functionality A.03.04.06.ODP[02]</strong></a></dt> <dd>Ports to be prohibited or restricted are defined</dd> <dt><a href="#a.03.04.06.odp-03"><strong>Least functionality A.03.04.06.ODP[03]</strong></a></dt> <dd>Protocols to be prohibited or restricted are defined</dd> <dt><a href="#a.03.04.06.odp-04"><strong>Least functionality A.03.04.06.ODP[04]</strong></a></dt> <dd>Connections to be prohibited or restricted are defined</dd> <dt><a href="#a.03.04.06.odp-05"><strong>Least functionality A.03.04.06.ODP[05]</strong></a></dt> <dd>Services to be prohibited or restricted are defined</dd> <dt><a href="#a.03.04.06.odp-06"><strong>Least functionality A.03.04.06.ODP[06]</strong></a></dt> <dd>The frequency at which to review the system to identify unnecessary or nonsecure functions, ports, protocols, connections, or services is defined</dd> <dt><a href="#a.03.04.08.odp"><strong>Authorized software – allow by exception A.03.04.08.ODP</strong></a></dt> <dd>The frequency at which to review and update the list of authorized software programs is defined</dd> <dt><a href="#a.03.04.10.odp"><strong>System component inventory A.03.04.10.ODP</strong></a></dt> <dd>The frequency at which to review and update the system component inventory is defined</dd> <dt><a href="#a.03.04.12.odp-01"><strong>System and component configuration for high-risk areas A.03.04.12.ODP[01]</strong></a></dt> <dd>Configurations for systems or system components to be issued to individuals traveling to high-risk locations are defined</dd> <dt><a href="#a.03.04.12.odp-02"><strong>System and component configuration for high-risk areas A.03.04.12.ODP[02]</strong></a></dt> <dd>Security requirements to be applied to the system or system components when individuals return from travel are defined</dd> <dt><a href="#a.03.05.01.odp"><strong>User identification, authentication, and reauthentication A.03.05.01.ODP</strong></a></dt> <dd>Circumstances or situations 
that require reauthentication are defined</dd> <dt><a href="#a.03.05.02.odp"><strong>Device identification and authentication A.03.05.02.ODP</strong></a></dt> <dd>Devices or types of devices to be uniquely identified and authenticated before establishing a connection are defined</dd> <dt><a href="#a.03.05.05.odp-01"><strong>Identifier management A.03.05.05.ODP[01]</strong></a></dt> <dd>The time period for preventing the reuse of identifiers is defined</dd> <dt><a href="#a.03.05.05.odp-02"><strong>Identifier management A.03.05.05.ODP[02]</strong></a></dt> <dd>Characteristics used to identify individual status are defined</dd> <dt><a href="#a.03.05.07.odp-01"><strong>Password management A.03.05.07.ODP[01]</strong></a></dt> <dd>The frequency at which to update the list of commonly used, expected, or compromised passwords is defined</dd> <dt><a href="#a.03.05.07.odp-02"><strong>Password management A.03.05.07.ODP[02]</strong></a></dt> <dd>Password composition and complexity rules are defined</dd> <dt><a href="#a.03.05.12.odp-01"><strong>Authenticator management A.03.05.12.ODP[01]</strong></a></dt> <dd>The frequency for changing or refreshing authenticators is defined</dd> <dt><a href="#a.03.05.12.odp-02"><strong>Authenticator management A.03.05.12.ODP[02]</strong></a></dt> <dd>Events that trigger the change or refreshment of authenticators are defined</dd> <dt><a href="#a.03.06.02.odp-01"><strong>Incident monitoring, reporting, and response assistance A.03.06.02.ODP[01]</strong></a></dt> <dd>The time period to report suspected incidents to the organizational incident response capability is defined</dd> <dt><a href="#a.03.06.02.odp-02"><strong>Incident monitoring, reporting, and response assistance A.03.06.02.ODP[02]</strong></a></dt> <dd>Authorities to whom incident information is to be reported are defined</dd> <dt><a href="#a.03.06.03.odp"><strong>Incident response testing A.03.06.03.ODP</strong></a></dt> <dd>The frequency at which to test the effectiveness of the 
incident response capability for the system is defined</dd> <dt><a href="#a.03.06.04.odp-01"><strong>Incident response training A.03.06.04.ODP[01]</strong></a></dt> <dd>The time period within which incident response training is to be provided to system users is defined</dd> <dt><a href="#a.03.06.04.odp-02"><strong>Incident response training A.03.06.04.ODP[02]</strong></a></dt> <dd>The frequency at which to provide incident response training to users is defined</dd> <dt><a href="#a.03.06.04.odp-03"><strong>Incident response training A.03.06.04.ODP[03]</strong></a></dt> <dd>The frequency at which to review and update incident response training content is defined</dd> <dt><a href="#a.03.06.04.odp-04"><strong>Incident response training A.03.06.04.ODP[04]</strong></a></dt> <dd>Events that initiate a review of the incident response training content are defined</dd> <dt><a href="#a.03.08.07.odp"><strong>Media use A.03.08.07.ODP</strong></a></dt> <dd>Types of system media with usage restrictions or that are prohibited from use are defined</dd> <dt><a href="#a.03.09.01.odp"><strong>Personnel screening A.03.09.01.ODP</strong></a></dt> <dd>Conditions that require the rescreening of individuals are defined</dd> <dt><a href="#a.03.09.02.odp"><strong>Personnel termination and transfer A.03.09.02.ODP</strong></a></dt> <dd>The time period within which to disable system access is defined</dd> <dt><a href="#a.03.10.01.odp"><strong>Physical access authorizations A.03.10.01.ODP</strong></a></dt> <dd>The frequency at which to review the access list detailing authorized facility access by individuals is defined</dd> <dt><a href="#a.03.10.02.odp-01"><strong>Monitoring physical access A.03.10.02.ODP[01]</strong></a></dt> <dd>The frequency at which to review physical access logs is defined</dd> <dt><a href="#a.03.10.02.odp-02"><strong>Monitoring physical access A.03.10.02.ODP[02]</strong></a></dt> <dd>Events or potential indications of events requiring physical access logs to be reviewed 
are defined</dd> <dt><a href="#a.03.10.06.odp"><strong>Alternate work site A.03.10.06.ODP</strong></a></dt> <dd>Security requirements to be employed at alternate work sites are defined</dd> <dt><a href="#a.03.11.01.odp"><strong>Risk assessment A.03.11.01.ODP</strong></a></dt> <dd>The frequency at which to update the risk assessment is defined</dd> <dt><a href="#a.03.11.02.odp-01"><strong>Vulnerability monitoring and scanning A.03.11.02.ODP[01]</strong></a></dt> <dd>The frequency at which the system is monitored for vulnerabilities is defined</dd> <dt><a href="#a.03.11.02.odp-02"><strong>Vulnerability monitoring and scanning A.03.11.02.ODP[02]</strong></a></dt> <dd>The frequency at which the system is scanned for vulnerabilities is defined</dd> <dt><a href="#a.03.11.02.odp-03"><strong>Vulnerability monitoring and scanning A.03.11.02.ODP[03]</strong></a></dt> <dd>Response times to remediate system vulnerabilities are defined</dd> <dt><a href="#a.03.11.02.odp-04"><strong>Vulnerability monitoring and scanning A.03.11.02.ODP[04]</strong></a></dt> <dd>The frequency at which to update system vulnerabilities to be scanned is defined</dd> <dt><a href="#a.03.12.01.odp"><strong>Security assessment A.03.12.01.ODP</strong></a></dt> <dd>The frequency at which to assess the security requirements for the system and its environment of operation is defined</dd> <dt><a href="#a.03.12.05.odp-01"><strong>Information exchange A.03.12.05.ODP[01]</strong></a></dt> <dd>One or more of the following parameter values are selected: {interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; non-disclosure agreements; other types of agreements}</dd> <dt><a href="#a.03.12.05.odp-02"><strong>Information exchange A.03.12.05.ODP[02]</strong></a></dt> <dd>The frequency at which to review and update agreements is defined</dd> <dt><a href="#a.03.13.09.odp"><strong>Network disconnect 
A.03.13.09.ODP</strong></a></dt> <dd>The time period of inactivity after which the system terminates a network connection associated with a communications session is defined</dd> <dt><a href="#a.03.13.10.odp"><strong>Cryptographic key establishment and management A.03.13.10.ODP</strong></a></dt> <dd>Requirements for key generation, distribution, storage, access, and destruction are defined</dd> <dt><a href="#a.03.13.11.odp"><strong>Cryptographic protection A.03.13.11.ODP</strong></a></dt> <dd>The types of cryptography for protecting the confidentiality of specified information are defined</dd> <dt><a href="#a.03.13.12.odp"><strong>Collaborative computing devices and applications A.03.13.12.ODP</strong></a></dt> <dd>Exceptions where remote activation is to be allowed are defined</dd> <dt><a href="#a.03.14.01.odp-1"><strong>Flaw remediation A.03.14.01.ODP[01]</strong></a></dt> <dd>The time period within which to install security-relevant software updates after the release of the updates is defined</dd> <dt><a href="#a.03.14.01.odp-2"><strong>Flaw remediation A.03.14.01.ODP[02]</strong></a></dt> <dd>The time period within which to install security-relevant firmware updates after the release of the updates is defined</dd> <dt><a href="#a.03.14.02.odp"><strong>Malicious code protection A.03.14.02.ODP</strong></a></dt> <dd>The frequency at which malicious code protection mechanisms perform scans is defined</dd> <dt><a href="#a.03.15.01.odp"><strong>Policy and procedures A.03.15.01.ODP</strong></a></dt> <dd>The frequency at which the policies and procedures for implementing security requirements are reviewed and updated is defined</dd> <dt><a href="#a.03.15.02.odp"><strong>System security plan A.03.15.02.ODP</strong></a></dt> <dd>The frequency at which the system security plan is reviewed and updated is defined</dd> <dt><a href="#a.03.15.03.odp"><strong>Rules of behaviour A.03.15.03.ODP</strong></a></dt> <dd>The frequency at which the rules of behaviour are reviewed and 
updated is defined</dd> <dt><a href="#a.03.16.01.odp"><strong>Systems security engineering principles A.03.16.01.ODP</strong></a></dt> <dd>Systems security engineering principles to be applied to the development or modification of the system and system components are defined</dd> <dt><a href="#a.03.16.03.odp"><strong>External system services A.03.16.03.ODP</strong></a></dt> <dd>Security requirements to be satisfied by external system service providers are defined</dd> <dt><a href="#a.03.17.01.odp"><strong>Supply chain risk management plan A.03.17.01.ODP</strong></a></dt> <dd>The frequency at which to review and update the supply chain risk management plan is defined</dd> <dt><a href="#a.03.17.03.odp"><strong>Supply chain requirements and processes A.03.17.03.ODP</strong></a></dt> <dd>Security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events are defined</dd> </dl></div> </div> </section> </div> </div> </div> </div> </div> </div> </div> </article>

  • Cyber Centre launches new initiative to help Canada’s critical infrastructure prepare for severe cyber threats
    by Canadian Centre for Cyber Security on April 17, 2026 at 3:17 pm


  • Critical infrastructure resilience and escalated threat navigation initiative
    by Canadian Centre for Cyber Security on April 17, 2026 at 1:54 pm

    The time to act is now: Strengthening critical infrastructure cyber readiness for a resilient Canada.
