System Security Checklist Template
Checklist
Instructions – This checklist should first be completed during ISDM Phase 3 (Requirements Analysis). The required controls should be designed and included in the system and will be validated during ISDM Phase 6 (Integration, Test, Acceptance).

ISDM Phase 2 – Each security control may be answered by a business unit within DIS or by the Customer (administrative controls). The chart to the right translates the color in the table below to the unit typically charged with responding to the control. Deviations from this are expected based on the level of integration or complexity of the system being assessed. Checklist completion should be performed in a group setting to ensure improved accuracy of collective responses. The ISM, PM, and technical contacts should be included.

♠ - Security risk (use a ♠ to identify security risks, bring to System Owner’s attention for action)
♦ - Audit risk (use a ♦ to identify audit risks, bring to System Owner’s attention for action)

ISDM Phase 6 – This column is to be completed when the selected controls can be validated through observation or testing of the system. The ISM validates the checklist.

Team Color
Addressed by existing controls
BEA
DBA
WEBDEV
Windows (WIN)
UNIX
NS (Network Services)
ISO (Information Security Office)
Mainframe (MF)
Business Unit Objective (BIZ)

Contingency Planning
CP-1 Contingency Planning Policy and Procedures
CP-2 Contingency Plan
Operational O – DR/COOP Function
CP-3 Contingency Training
CP-4 Contingency Plan Testing and Exercises
CP-5 Contingency Plan Update (Withdrawn)
CP-6 Alternate Storage Site
CP-7 Alternate Processing Site Operational O – DR/COOP Function
CP-8 Telecommunications Services
Note: This document is owned by the DIS Information Security Office, please direct inquiries or revisions to DIS-InformationSecurityOffice@myfloridacfo.com.
See the Security Control Catalog located on pages 77-206 in NIST Special Publication 800-53 for descriptions, safeguards, and countermeasures.
*Withdrawn indicates that NIST removed applicability or moved to alternative control group.
CP-9 Information System Backup Operational/WIN
CP-10 Information System Recovery and Reconstitution Operational/DBA
I&A
IA-1 Identification and Authentication Policy and Procedures Technical O – AP&P’s 4-03, 4-04, and 4-05
IA-2 Identification and Authentication (Organizational Users) Technical/BEA
IA-3 Device Identification and Authentication Technical/BEA
IA-4 Identifier Management Technical O – AP&P’s 4-03, 4-04, and 4-05 (User Account management).
IA-5 Authenticator Management Technical/BEA
IA-6 Authenticator Feedback Technical Specified in AP&P’s 4-03
IA-7 Cryptographic Module Authentication Technical/WIN
IA-8 Identification and Authentication (Non-Organizational Users) Technical/BEA
Incident Response
IR-1 Incident Response Policy and Procedures
IR-2 Incident Response Training
IR-3 Incident Response Testing and Exercises
IR-4 Incident Handling
IR-5 Incident Monitoring Operational O – CSIRT Function
IR-6 Incident Reporting
IR-7 Incident Response Assistance
IR-8 Incident Response Plan
Maintenance
MA-1 System Maintenance Policy and Procedures
MA-2 Controlled Maintenance
MA-3 Maintenance Tools
Operational O – Change Management Function
MA-4 Non-Local Maintenance
MA-5 Maintenance Personnel
MA-6 Timely Maintenance
Media Protection
MP-1 Media Protection Policy and Procedures
MP-2 Media Access
MP-3 Media Marking Operational O – Data Center Controls
MP-4 Media Storage
MP-5 Media Transport
MP-6 Media Sanitization Operational O – Operating Procedure DIS-006
Physical & Environmental Protection
PE-1 Physical and Environmental Protection Policy and Procedures
PE-2 Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission Medium
PE-5 Access Control for Output Devices
PE-6 Monitoring Physical Access
PE-7 Visitor Control
PE-8 Access Records
PE-9 Power Equipment and Power Cabling
PE-10 Emergency Shutoff Operational O – Data Center Controls
PE-11 Emergency Power
PE-12 Emergency Lighting
PE-13 Fire Protection
PE-14 Temperature and Humidity Controls
PE-15 Water Damage Protection
PE-16 Delivery and Removal
PE-17 Alternate Work Site
PE-18 Location of Information System Components
PE-19 Information Leakage
Planning
PL-1 Security Planning Policy and Procedures Management O – AP&P 4-03
PL-2 System Security Plan Management O – ISDM Toolkit
PL-3 System Security Plan Update (Withdrawn)*
PL-4 Rules of Behavior Management/BEA
PL-5 Privacy Impact Assessment Management/BEA
PL-6 Security-Related Activity Planning Management O – ISDM Toolkit, DR & CSIRT functions
Personnel Security
PS-1 Personnel Security Policy and Procedures
PS-2 Position Categorization
PS-3 Personnel Screening
PS-4 Personnel Termination
Operational O – Multiple DFS AP&P’s
PS-5 Personnel Transfer
PS-6 Access Agreements
PS-7 Third-Party Personnel Security
PS-8 Personnel Sanctions
Risk Assessment
RA-1 Risk Assessment Policy and Procedures O – AP&P 4-03
RA-2 Security Categorization Management O – SSP
RA-3 Risk Assessment O – SSP Checklist
RA-4 Risk Assessment Update (Withdrawn)
RA-5 Vulnerability Scanning Management To be implemented…
System & Services Acquisition
SA-1 System and Services Acquisition Policy and Procedures Management O – AP&P 4-06
SA-2 Allocation of Resources
SA-3 Life Cycle Support
Management ISDM Toolkit
SA-4 Acquisitions
SA-5 Information System Documentation
SA-6 Software Usage Restrictions Management N/A
SA-7 User-Installed Software Management N/A
SA-8 Security Engineering Principles Management ISDM Toolkit
SA-9 External Information System Services Management/BEA IDENTIFICATION OF FUNCTIONS, PORTS, PROTOCOLS, SERVICES
SA-10 Developer Configuration Management Management ISDM Toolkit
SA-11 Developer Security Testing Management ISDM Toolkit
SA-12 Supply Chain Protection Management N/A
SA-13 Trustworthiness Management N/A (pending RMF)
SA-14 Critical Information System Components Management/WINWIN
System & Communications Protection
SC-1 System and Communications Protection Policy and Procedures Technical AP&P 4-03, AP&P 4-04
SC-2 Application Partitioning Technical/BEA
SC-3 Security Function Isolation Technical N/A
SC-4 Information in Shared Resources Technical/WIN
SC-5 Denial of Service Protection Technical/WIN
SC-6 Resource Priority Technical N/A
SC-7 Boundary Protection Technical/WIN
SC-8 Transmission Integrity Technical/WIN
SC-9 Transmission Confidentiality Technical/WIN
SC-10 Network Disconnect Technical/WIN
SC-11 Trusted Path Technical N/A
SC-12 Cryptographic Key Establishment and Management Technical/WIN
SC-13 Use of Cryptography Technical/WIN
SC-14 Public Access Protections Technical/WIN
SC-15 Collaborative Computing Devices Technical N/A
SC-16 Transmission of Security Attributes Technical N/A
SC-17 Public Key Infrastructure Certificates Technical N/A
SC-18 Mobile Code Technical/BEA
SC-19 Voice Over Internet Protocol Technical N/A
SC-20 Secure Name/Address Resolution Service (Authoritative Source) Technical/BEA
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) Technical/WebDev
SC-22 Architecture and Provisioning for Name/Address Resolution Service Technical/WIN
SC-23 Session Authenticity Technical/BEA
SC-24 Fail in Known State Technical N/A
SC-25 Thin Nodes Technical N/A
SC-26 Honeypots Technical N/A
SC-27 Operating System-Independent Applications Technical N/A
SC-28 Protection of Information at Rest Technical/BEA
SC-29 Heterogeneity Technical N/A
SC-30 Virtualization Techniques Technical N/A
SC-31 Covert Channel Analysis Technical N/A
SC-32 Information System Partitioning Technical/DBA
SC-33 Transmission Preparation Integrity Technical SC-8
SC-34 Non-Modifiable Executable Programs Technical N/A
System & Information Integrity
SI-1 System and Information Integrity Policy and Procedures
SI-2 Flaw Remediation
O – AP&P 4-03, DIS-015, AP&P 4-03 X. H.,
SI-3 Malicious Code Protection Operational
AP&P 4-03 XI, AP&P 4-03 XI
SI-4 Information System Monitoring
SI-5 Security Alerts, Advisories, and Directives
SI-6 Security Functionality Verification N/A
SI-7 Software and Information Integrity O – AP&P 4-03 X. W.11.e
SI-8 Spam Protection O – AP&P 4-04, SPAM Reporting procedures
SI-9 Information Input Restrictions Operational/BEA
SI-10 Information Input Validation Operational/BEA
SI-11 Error Handling Operational/BEA
SI-12 Information Output Handling and Retention Operational CSIRT Function