SI: System and Information Integrity
Controls
SI-1: Policy and Procedures
Baseline(s):
- Low
- Moderate
- High
- Privacy
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] system and information integrity policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
SI-2: Flaw Remediation
Baseline(s):
- Low
- Moderate
- High
Identify, report, and correct system flaws; Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and Incorporate flaw remediation into the organizational configuration management process.
SI-3: Malicious Code Protection
Baseline(s):
- Low
- Moderate
- High
Implement [Assignment (one or more): signature based, non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures; Configure malicious code protection mechanisms to: Perform periodic scans of…
SI-4: System Monitoring
Baseline(s):
- Low
- Moderate
- High
Strategically within the system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization; Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and Unauthorized local,…
SI-5: Security Alerts, Advisories, and Directives
Baseline(s):
- Low
- Moderate
- High
Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; Generate internal security alerts, advisories, and directives as deemed necessary; Disseminate security alerts, advisories, and directives to: [Assignment (one or more): [Assignment: organization-defined personnel or roles], [Assignment: organization-defined elements within the organization], [Assignment: organization-defined external organizations]];…
SI-6: Security and Privacy Function Verification
Baseline(s):
- High
Verify the correct operation of [Assignment: organization-defined security and privacy functions]; Perform the verification of the functions specified in SI-6a [Assignment (one or more): [Assignment: organization-defined system transitional states], upon command by user with appropriate privilege, [Assignment: organization-defined frequency]]; Alert [Assignment: organization-defined personnel or roles] to failed security and privacy verification tests; and…
SI-7: Software, Firmware, and Information Integrity
Baseline(s):
- Moderate
- High
Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [Assignment: organization-defined software, firmware, and information]; and Take the following actions when unauthorized changes to the software, firmware, and information are detected: [Assignment: organization-defined actions].
SI-8: Spam Protection
Baseline(s):
- Moderate
- High
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.
SI-10: Information Input Validation
Baseline(s):
- Moderate
- High
Check the validity of the following information inputs: [Assignment: organization-defined information inputs to the system].
SI-11: Error Handling
Baseline(s):
- Moderate
- High
Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and Reveal error messages only to [Assignment: organization-defined personnel or roles].
SI-12: Information Management and Retention
Baseline(s):
- Low
- Moderate
- High
- Privacy
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.
SI-13: Predictable Failure Prevention
Baseline(s):
Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [Assignment: organization-defined system components]; and Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: [Assignment: organization-defined MTTF substitution criteria].
SI-14: Non-persistence
Baseline(s):
Implement non-persistent [Assignment: organization-defined system components and services] that are initiated in a known state and terminated [Assignment (one or more): upon end of session of use, periodically at [Assignment: organization-defined frequency]].
SI-15: Information Output Filtering
Baseline(s):
Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [Assignment: organization-defined software programs and/or applications].
SI-16: Memory Protection
Baseline(s):
- Moderate
- High
Implement the following controls to protect the system memory from unauthorized code execution: [Assignment: organization-defined controls].
SI-17: Fail-safe Procedures
Baseline(s):
Implement the indicated fail-safe procedures when the indicated failures occur: [Assignment: organization-defined list of failure conditions and associated fail-safe procedures].
SI-18: Personally Identifiable Information Quality Operations
Baseline(s):
- Privacy
Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [Assignment: organization-defined frequency]; and Correct or delete inaccurate or outdated personally identifiable information.
SI-19: De-identification
Baseline(s):
- Privacy
Remove the following elements of personally identifiable information from datasets: [Assignment: organization-defined elements of personally identifiable information]; and Evaluate [Assignment: organization-defined frequency] for effectiveness of de-identification.
SI-20: Tainting
Baseline(s):
Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [Assignment: organization-defined systems or system components].
SI-21: Information Refresh
Baseline(s):
Refresh [Assignment: organization-defined information] at [Assignment: organization-defined frequencies] or generate the information on demand and delete the information when no longer needed.
SI-22: Information Diversity
Baseline(s):
Identify the following alternative sources of information for [Assignment: organization-defined essential functions and services]: [Assignment: organization-defined alternative information sources]; and Use an alternative information source for the execution of essential functions or services on [Assignment: organization-defined systems or system components] when the primary source of information is corrupted or unavailable.
SI-23: Information Fragmentation
Baseline(s):
Based on [Assignment: organization-defined circumstances]: Fragment the following information: [Assignment: organization-defined information]; and Distribute the fragmented information across the following systems or system components: [Assignment: organization-defined systems or system components].