MON-09.1: Identity Binding
Mechanisms exist to bind the identity of the information producer to the information generated.
Control Question: Does the organization bind the identity of the information producer to the information generated?
General (4)
| Framework | Mapping Values |
|---|---|
| NIST 800-53 R5 (source) | AU-10(1) AU-10(2) |
| NIST 800-161 R1 | AU-10(1) AU-10(2) |
| NIST 800-161 R1 Level 2 | AU-10(1) AU-10(2) |
| NIST 800-161 R1 Level 3 | AU-10(2) |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to bind the identity of the information producer to the information generated.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to bind the identity of the information producer to the information generated.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to bind the identity of the information producer to the information generated.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to bind the identity of the information producer to the information generated.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to bind the identity of the information producer to the information generated.
Assessment Objectives
- MON-09.1_A01 the strength of binding between the identity of the information producer and the information is defined.
- MON-09.1_A02 the identity of the information producer is bound with the information to organization-defined strength of binding.
- MON-09.1_A03 the means for authorized individuals to determine the identity of the producer of the information is provided.
- MON-09.1_A04 the frequency at which to validate the binding of the information producer identity to the information is defined.
- MON-09.1_A05 the actions to be performed in the event of a validation error are defined.
- MON-09.1_A06 the binding of the information producer identity to the information is validated at organization-defined frequency.
- MON-09.1_A07 organization-defined actions in the event of a validation error are performed.
Technology Recommendations
Micro/Small
- Secure Baseline Configurations (SBC)
Small
- Secure Baseline Configurations (SBC)
Medium
- Secure Baseline Configurations (SBC)
Large
- Secure Baseline Configurations (SBC)
Enterprise
- Secure Baseline Configurations (SBC)