Removing last three broken links see #25
wendellpiez authored and david-waltermire committed Dec 4, 2020
1 parent 9d8b8b1 commit 7d24de3
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5-FINAL_catalog.xml
@@ -1,8 +1,8 @@
<!-- XML produced by extraction/mapping from docx via XSweet++: 2020-11-04T20:07:24.324-05:00 -->
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="cabd4418-0145-42e8-87ef-d0cd910dcb19">
<!-- XML produced by extraction/mapping from docx via XSweet++: 2020-11-05T17:20:19.346-05:00 -->
<catalog xmlns="http://csrc.nist.gov/ns/oscal/1.0" uuid="53ec2412-5ec0-46fe-badb-1d1c5ac26469">
<metadata>
<title>NIST SP800-53 Revision 5</title>
<last-modified>2020-11-04T20:07:23.725-05:00</last-modified>
<last-modified>2020-11-05T17:20:17.748-05:00</last-modified>
<version>Revision 5</version>
<oscal-version>1.0.0-Milestone3</oscal-version>
<prop name="keywords">assurance; availability; computer security; confidentiality; control; cybersecurity; FISMA; information security; information system; integrity; personally identifiable information; Privacy Act; privacy controls; privacy functions; privacy requirements; Risk Management Framework; security controls; security functions; security requirements; system; system security.</prop>
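Review bot: The catalog `uuid`, `<last-modified>` and the XSweet generation comment at the top of the file all change, which the commit message ("Removing last three broken links") does not mention, and the new timestamps read 2020-11-05 while the commit is dated Dec 4, 2020. If the file was regenerated from the docx rather than hand-edited, say so in the message so reviewers know the link removals come from the extraction run; if it was edited by hand afterwards, `<last-modified>` should reflect that edit.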
@@ -2883,7 +2883,7 @@
<p>Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using <insert param-id="ac-20.3_prm_1"/>. </p>
</part>
<part name="guidance" id="ac-20.3_gdn">
<p>Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see <a>AC-20(6)</a>). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident.</p>
<p>Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see AC-20(6)). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident.</p>
</part>
</control>
<control class="SP800-53-enhancement" id="ac-20.4">
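Review bot: In `ac-20.3_gdn`, replacing `<a>AC-20(6)</a>` with plain text removes the empty anchor but leaves the prose pointing readers at "AC-20(6)" with nothing to resolve it. Confirm whether a control with that label exists in this catalog: if it does, add the `href` instead of dropping the element; if it does not, the sentence itself is the broken reference and should be raised against the source text under #25 rather than flattened to text.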
@@ -5575,7 +5575,7 @@
</part>
<part name="guidance" id="ca-7_gdn">
<p>Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms <q>continuous</q> and <q>ongoing</q> imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.</p>
<p>Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as <a href="#ac-2_smt.g">AC-2g</a>, <a href="#ac-2.7">AC-2(7)</a>, <a href="#ac-2.12_smt.a">AC-2(12)(a)</a>, <a href="#ac-2.7_smt.b">AC-2(7)(b)</a>, <a href="#ac-2.7_smt.c">AC-2(7)(c)</a>, <a href="#ac-17.1">AC-17(1)</a>, <a href="#at-4_smt.a">AT-4a</a>, <a href="#au-13">AU-13</a>, <a href="#au-13.1">AU-13(1)</a>, <a href="#au-13.2">AU-13(2)</a>, <a href="#cm-3_smt.f">CM-3f</a>, <a href="#cm-6_smt.d">CM-6d</a>, <a href="#cm-11_smt.c">CM-11c</a>, <a href="#ir-5">IR-5</a>, <a href="#ma-2_smt.b">MA-2b</a>, <a href="#ma-3_smt.a">MA-3a</a>, <a href="#ma-4_smt.a">MA-4a</a>, <a href="#pe-3_smt.d">PE-3d</a>, <a href="#pe-6">PE-6</a>, <a href="#pe-14_smt.b">PE-14b</a>, <a href="#pe-16">PE-16</a>, <a href="#pe-20">PE-20</a>, <a href="#pm-6">PM-6</a>, <a href="#pm-23">PM-23</a>, <a href="#pm-31">PM-31</a>, <a href="#ps-7_smt.e">PS-7e</a>, <a href="#sa-9_smt.c">SA-9c</a>, <a href="#sr-4">SR-4</a>, <a href="#sc-5.3_smt.b">SC-5(3)(b)</a>, <a href="#sc-7_smt.a">SC-7a</a>, <a href="#sc-7.24_smt.b">SC-7(24)(b)</a>, <a>SC-18c</a>, <a href="#sc-43_smt.b">SC-43b</a>, and <a href="#si-4">SI-4</a>.</p>
<p>Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as <a href="#ac-2_smt.g">AC-2g</a>, <a href="#ac-2.7">AC-2(7)</a>, <a href="#ac-2.12_smt.a">AC-2(12)(a)</a>, <a href="#ac-2.7_smt.b">AC-2(7)(b)</a>, <a href="#ac-2.7_smt.c">AC-2(7)(c)</a>, <a href="#ac-17.1">AC-17(1)</a>, <a href="#at-4_smt.a">AT-4a</a>, <a href="#au-13">AU-13</a>, <a href="#au-13.1">AU-13(1)</a>, <a href="#au-13.2">AU-13(2)</a>, <a href="#cm-3_smt.f">CM-3f</a>, <a href="#cm-6_smt.d">CM-6d</a>, <a href="#cm-11_smt.c">CM-11c</a>, <a href="#ir-5">IR-5</a>, <a href="#ma-2_smt.b">MA-2b</a>, <a href="#ma-3_smt.a">MA-3a</a>, <a href="#ma-4_smt.a">MA-4a</a>, <a href="#pe-3_smt.d">PE-3d</a>, <a href="#pe-6">PE-6</a>, <a href="#pe-14_smt.b">PE-14b</a>, <a href="#pe-16">PE-16</a>, <a href="#pe-20">PE-20</a>, <a href="#pm-6">PM-6</a>, <a href="#pm-23">PM-23</a>, <a href="#pm-31">PM-31</a>, <a href="#ps-7_smt.e">PS-7e</a>, <a href="#sa-9_smt.c">SA-9c</a>, <a href="#sr-4">SR-4</a>, <a href="#sc-5.3_smt.b">SC-5(3)(b)</a>, <a href="#sc-7_smt.a">SC-7a</a>, <a href="#sc-7.24_smt.b">SC-7(24)(b)</a>, SC-18c, <a href="#sc-43_smt.b">SC-43b</a>, and <a href="#si-4">SI-4</a>.</p>
</part>
<control class="SP800-53-enhancement" id="ca-7.1">
<title>Independent Assessment</title>
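Review bot: In `ca-7_gdn`, `SC-18c` becomes the only entry in this list without a link, while every neighbour follows the same pattern (for example `href="#sc-7.24_smt.b"`). If the catalog has a matching statement id for SC-18 item c, linking to it keeps the list uniform and machine-resolvable; if no such item exists, record that in #25 so the next regeneration from the docx does not reintroduce the empty `<a>`.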
@@ -15069,7 +15069,7 @@
</part>
</part>
<part name="guidance" id="pm-31_gdn">
<p>Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms <q>continuous</q> and <q>ongoing</q> imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. 
Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, <a href="#ac-2_smt.g">AC-2g</a>, <a href="#ac-2.7">AC-2(7)</a>, <a href="#ac-2.12_smt.a">AC-2(12)(a)</a>, <a href="#ac-2.7_smt.b">AC-2(7)(b)</a>, <a href="#ac-2.7_smt.c">AC-2(7)(c)</a>, <a href="#ac-17.1">AC-17(1)</a>, <a href="#at-4_smt.a">AT-4a</a>, <a href="#au-13">AU-13</a>, <a href="#au-13.1">AU-13(1)</a>, <a href="#au-13.2">AU-13(2)</a>, <a href="#ca-7">CA-7</a>, <a href="#cm-3_smt.f">CM-3f</a>, <a href="#cm-6_smt.d">CM-6d</a>, <a href="#cm-11_smt.c">CM-11c</a>, <a href="#ir-5">IR-5</a>, <a href="#ma-2_smt.b">MA-2b</a>, <a href="#ma-3_smt.a">MA-3a</a>, <a href="#ma-4_smt.a">MA-4a</a>, <a href="#pe-3_smt.d">PE-3d</a>, <a href="#pe-6">PE-6</a>, <a href="#pe-14_smt.b">PE-14b</a>, <a href="#pe-16">PE-16</a>, <a href="#pe-20">PE-20</a>, <a href="#pm-6">PM-6</a>, <a href="#pm-23">PM-23</a>, <a href="#ps-7_smt.e">PS-7e</a>, <a href="#sa-9_smt.c">SA-9c</a>, <a href="#sc-5.3_smt.b">SC-5(3)(b)</a>, <a href="#sc-7_smt.a">SC-7a</a>, <a href="#sc-7.24_smt.b">SC-7(24)(b)</a>, <a>SC-18c</a>, <a href="#sc-43_smt.b">SC-43b</a>, <a href="#si-4">SI-4</a>.</p>
<p>Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms <q>continuous</q> and <q>ongoing</q> imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. 
Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, <a href="#ac-2_smt.g">AC-2g</a>, <a href="#ac-2.7">AC-2(7)</a>, <a href="#ac-2.12_smt.a">AC-2(12)(a)</a>, <a href="#ac-2.7_smt.b">AC-2(7)(b)</a>, <a href="#ac-2.7_smt.c">AC-2(7)(c)</a>, <a href="#ac-17.1">AC-17(1)</a>, <a href="#at-4_smt.a">AT-4a</a>, <a href="#au-13">AU-13</a>, <a href="#au-13.1">AU-13(1)</a>, <a href="#au-13.2">AU-13(2)</a>, <a href="#ca-7">CA-7</a>, <a href="#cm-3_smt.f">CM-3f</a>, <a href="#cm-6_smt.d">CM-6d</a>, <a href="#cm-11_smt.c">CM-11c</a>, <a href="#ir-5">IR-5</a>, <a href="#ma-2_smt.b">MA-2b</a>, <a href="#ma-3_smt.a">MA-3a</a>, <a href="#ma-4_smt.a">MA-4a</a>, <a href="#pe-3_smt.d">PE-3d</a>, <a href="#pe-6">PE-6</a>, <a href="#pe-14_smt.b">PE-14b</a>, <a href="#pe-16">PE-16</a>, <a href="#pe-20">PE-20</a>, <a href="#pm-6">PM-6</a>, <a href="#pm-23">PM-23</a>, <a href="#ps-7_smt.e">PS-7e</a>, <a href="#sa-9_smt.c">SA-9c</a>, <a href="#sc-5.3_smt.b">SC-5(3)(b)</a>, <a href="#sc-7_smt.a">SC-7a</a>, <a href="#sc-7.24_smt.b">SC-7(24)(b)</a>, SC-18c, <a href="#sc-43_smt.b">SC-43b</a>, <a href="#si-4">SI-4</a>.</p>
</part>
</control>
<control class="SP800-53" id="pm-32">
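Review bot: The `<p>` in `pm-31_gdn` still carries a raw line break before "Monitoring requirements", reads "such as," with a stray comma, and ends the list with ", SI-4" without the "and" used in the parallel list in `ca-7_gdn`. Since this line is already being touched for the `SC-18c` change, consider splitting it into two `<p>` elements and aligning the wording with `ca-7_gdn`, or confirm that the source docx is the right place to fix it.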