Germantown, MD
United States
Washington, DC
United States
Albuquerque, NM
United States
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1 | No | $0 | $0 | Define actions not permitted by application administrators to ensure separation of duties is adequate and implement technical controls, or determine other mechanisms, to prohibit application administrators from conducting those actions.
2 | No | $0 | $0 | Ensure plans are in place for effective access controls during the expansion of CATS to uncleared personnel, or any other significant changes to the application, to help prevent account management weaknesses.
3 | No | $0 | $0 | Prioritize efforts to implement automated account management to lessen the burden on administrators and ensure appropriate roles and access are granted.
4 | No | $0 | $0 | Ensure that control assessment plans are developed and that they detail the scope of the assessment, including assessment procedures and specific roles and responsibilities of members on the assessment team.
5 | No | $0 | $0 | Ensure that all required controls are fully assessed for CATS and its operating environment on the frequency basis described within the ISCM plan to determine whether controls were implemented correctly, operating as intended, and producing desired outcomes. Controls assessments should be shared with relevant stakeholders. Any deficiencies should be documented in a plan of action and milestones, as appropriate.
6 | No | $0 | $0 | Document the ISA annual review process and any updates that may have occurred as a result.
7 | No | $0 | $0 | Communicate with the Authorizing Official of eDISS+ during the annual review process of the ISA to ensure that all technical changes are updated appropriately within the agreement and that both parties are aware of any potential system changes that may impact either system’s security categorization and/or implemented controls.
8 | No | $0 | $0 | Ensure that the NA-IM cybersecurity team participates in the monthly data bridge meetings that support the ISA between CATS and eDISS+ to verify that the CATS data remains secure and that all risks associated with the system information exchange are reported to management and addressed appropriately.
9 | No | $0 | $0 | Ensure that annual reviews and updates to the CATS risk assessment are performed to include the evaluation of all risks and subsequent existence of mitigating controls, in accordance with NNSA’s internal policies and NIST requirements.
10 | No | $0 | $0 | Ensure that the CATS PIA is completed/updated annually in accordance with NNSA’s privacy procedures and that the information being reported is accurate by collaborating with all system subject matter experts.
11 | No | $0 | $0 | Ensure that the CATS security categorization is reevaluated to consider all relevant factors and additional security controls are implemented, as necessary.
12 | No | $0 | $0 | Develop a system-level contingency plan for CATS and test the plan on a specified frequency to verify that notification, recovery, and restoration capabilities are adequately implemented.
13 | No | $0 | $0 | Reevaluate the risks and needs associated with implementing an alternate storage site for the CATS backup information and implement changes, as necessary.
14 | No | $0 | $0 | Ensure that all system users complete applicable security and privacy training based on assigned roles and responsibilities within the system in accordance with established requirements.
15 | No | $0 | $0 | Ensure that an analysis is conducted to identify PSFs in the system that are eligible for dispositioning, per Federal and Department requirements. Once completed, direct system personnel to communicate those results to the respective CPSOs to prepare for destruction where it is warranted.
16 | No | $0 | $0 | Ensure a mechanism is developed to assist in identifying, communicating, and destroying PSFs that meet Federal and Department retention and dispositioning requirements.
17 | No | $0 | $0 | Ensure initial and refresher training is provided to security personnel regarding the management, retention, and destruction of PSFs housed in CATS.
18 | No | $0 | $0 | Define and document the types of events that are logged by NA-74, and ensure a plan is created for adding new logging capability that includes a gap analysis between existing capability and desired capability to allow for prioritization of adding new logging capability.
19 | No | $0 | $0 | Ensure that all system users and system personnel receive training on CATS-specific incident response activities, to include but not limited to topics such as incident reporting procedures and incident response roles and responsibilities.
20 | No | $0 | $0 | Ensure that the CATS system security plan is updated to reflect the current status of controls implementation and is scheduled for review and update on a defined periodic basis.
21 | No | $0 | $0 | Ensure that rules of behavior are developed for privileged system users and require all users of the system to sign the appropriate rules of behavior according to their assigned role.
22 | No | $0 | $0 | Ensure that all system users are trained in the appropriate use of the system.
23 | No | $0 | $0 | Develop and update, as appropriate, cybersecurity policies, plans, and procedures related not only to CATS, but also the NNSA Enterprise System to reflect current Federal and Department requirements.
24 | No | $0 | $0 | Establish an SLA, or equivalent document, to define and communicate the roles and responsibilities of NA-IM and NA-74 personnel, as they relate to CATS.
25 | No | $0 | $0 | Ensure that application security controls are implemented in the CATS application to protect against known types of attacks, including user spoofing.
26 | No | $0 | $0 | Update existing web application security risk assessment and testing processes for the CATS application, to include scanning third-party libraries for missing security updates and identifying common application vulnerabilities prior to using them, and remediate known web application vulnerabilities.
27 | No | $0 | $0 | Create and implement a firewall rule configuration review process to ensure firewall rules are periodically reviewed for unauthorized rule deviations and to determine if rules can be removed on a continuous basis.