CLASSIFICATION WAS NOT SELECTED

Test_2015-01-15-1052

[project acronym not provided]

[Enter system number]

Requirements Traceability Matrix

(RTM)

Prepared for

Department of Homeland Security

16 January 2015


1. Introduction

The Requirements Traceability Matrix (RTM) relates the requirements in the requirement source documents to the security certification process, so that every security requirement is identified and investigated. Each row of the matrix identifies one requirement and records how it was tested or analyzed and the result.

The table is arranged to display the system security requirements from the applicable regulation documents, which are listed below:

  • NIST 800-53 w/ DHS 4300A - Department of Homeland Security Sensitive Systems Policy Directive 4300A Version 10

The columns of the RTM are defined as follows:

Control Ref. / Refers to the name (short title) of the source document and the ID or paragraph number of the listed control or requirement.
Security Req./Control / Short title describing the security control or requirement (the text of the control/requirement may be paraphrased for brevity).
Security Category / Category and class associated with the security control; the class is the letter in parentheses: (T) technical, (O) operational, (M) management.
Control Type / The type of security control assigned to the requirement:
  • Common. Auto populated if the requirement is designated as a common control for one or more information systems.
  • Hybrid. Auto populated if the requirement is identified with two security control types, common and system-specific; i.e., part of the requirement is common and another part is system-specific.
  • System-Specific. Auto populated if the requirement is assigned to a specific information system.
  • Inherited. Auto populated if the requirement is inherited from another system.
  • Not Specified. Auto populated if the requirement does not require any security control.

Planned Imp. / The implementation type planned for the control. It takes the same values as Control Type (Common, Hybrid, System-Specific, Inherited, Not Specified), plus:
  • Not Entered. No planned implementation has been entered for the control.

Actual Imp. / Identifies whether the control is in place and how it has been implemented, or how the implementation differs from what was planned.
  • As Planned. Auto populated if the Implemented control status is selected and the Planned Implementation column does not read Not Entered.
  • Pending Implementation. Auto populated if the Planned control status is selected and the Planned Implementation column does not read Not Entered.
  • Partially Implemented. Auto populated if the Partial control status is selected and the Planned Implementation column does not read Not Entered.
  • Not Entered. Auto populated if the Planned Implementation column reads Not Entered.
  • Not Assigned. Auto populated if the Control Type and/or Control Status were not selected.

Test #(s) / The ID number(s) of the specific test procedure(s) used to validate the requirement or control.
  • -. The control is not applicable.

Methods / The evaluation method (or methods) used to assess the requirement.
  • I. Interview.
  • E. Examine.
  • T. Testing.
  • -. The control is not applicable.

Tailored / Whether tailoring of the control set affected this control.
  • In. The control was tailored in.
  • Out. The control was tailored out.
  • -. The control was not affected by tailoring.

Overlays / Whether an overlay added the control to, or removed it from, the baseline.
  • In. The control was added to the baseline by an overlay.
  • Out. The control was removed from the baseline by an overlay.
  • -. The control was not affected by overlay(s).

Result / The summarized result for the test procedures that cover the requirement/control.
  • Met - Requirement fully satisfied.
  • Not Met - Requirement not satisfied.
  • Not Applicable - Requirement not applicable.

Notes / Identifies the factors and the basis for any tailoring of controls from the NIST 800-53 w/ DHS 4300A baseline, or for any organizational overlay that was used for the system.
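The column rules above are the only place the page states how the matrix is derived and read, so the following Python is added here as an example; it is not part of the original RTM or of the tool that generated it. It parses rows written in the slash-delimited layout used in section 2, derives the Actual Imp. value from a Control Type / Control Status / Planned Imp. triple exactly as the rules state (Control Status is a tool field the rules refer to but the page never prints, so its three values Implemented, Planned and Partial are taken from the rule text), and flags the row-level inconsistencies a reviewer would look for: duplicate test IDs, test procedures listed with no I/E/T method marked, a control marked both tailored in and out, and an Actual Imp. value the rules say cannot coexist with a Planned Imp. of Not Entered. The sample rows at the bottom are constructed for illustration, not copied from the table.

```python
"""Added example: parse and check RTM rows in the section 2 layout."""
import re
from collections import Counter
from dataclasses import dataclass

# Cell order of one row: Methods and Tailored appear as their I / E / T
# and IN / OUT sub-columns, so a row has 14 cells.
COLUMNS = ("control_ref", "security_req_control", "security_category",
           "control_type", "planned_imp", "actual_imp", "tests",
           "I", "E", "T", "IN", "OUT", "result", "notes")

# Control Status -> Actual Imp. when Planned Imp. is not "Not Entered".
# Control Status is a tool field the page refers to but does not print;
# these three values are assumed from the rule text.
STATUS_TO_ACTUAL = {"Implemented": "As Planned",
                    "Planned": "Pending Implementation",
                    "Partial": "Partially Implemented"}


@dataclass(frozen=True)
class RtmRow:
    control_ref: str
    security_req_control: str
    security_category: str
    control_type: str
    planned_imp: str
    actual_imp: str
    tests: tuple        # test procedure IDs, or ("-",) when not applicable
    methods: frozenset  # subset of {"I", "E", "T"}
    tailored_in: bool
    tailored_out: bool
    result: str
    notes: str

    @property
    def family(self):
        """Control family, e.g. "AC" from "... 4300A AC-2 (1)"."""
        return re.search(r"\b([A-Z]{2})-\d+", self.control_ref).group(1)


def parse_row(line):
    # "w/ DHS" contains "/" but not " / ", so the cell separator is unambiguous.
    cells = [c.strip() for c in line.split(" / ")]
    if len(cells) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} cells, got {len(cells)}")
    c = dict(zip(COLUMNS, cells))
    return RtmRow(
        c["control_ref"], c["security_req_control"], c["security_category"],
        c["control_type"], c["planned_imp"], c["actual_imp"],
        tuple(t.strip() for t in c["tests"].split(",")),
        frozenset(m for m in ("I", "E", "T") if c[m] == "X"),
        c["IN"] == "X", c["OUT"] == "X", c["result"], c["notes"])


def derive_actual_imp(control_type, control_status, planned_imp):
    """Actual Imp. as the section 1 rules say the tool auto-populates it."""
    if not control_type or control_status is None:  # type/status not selected
        return "Not Assigned"
    if planned_imp == "Not Entered":
        return "Not Entered"
    return STATUS_TO_ACTUAL[control_status]


def check_row(row):
    """Inconsistencies a reviewer would flag on one row (empty if clean)."""
    issues = []
    dupes = sorted(t for t, n in Counter(row.tests).items() if n > 1)
    if dupes:
        issues.append("duplicate test id(s): " + ", ".join(dupes))
    not_applicable = row.tests == ("-",)
    if not_applicable and row.result != "Not Applicable":
        issues.append("no test procedure but result is not Not Applicable")
    if not not_applicable and not row.methods:
        issues.append("test procedures listed but no I/E/T method marked")
    if row.tailored_in and row.tailored_out:
        issues.append("control marked both tailored in and tailored out")
    if row.planned_imp == "Not Entered" and row.actual_imp in STATUS_TO_ACTUAL.values():
        issues.append(f"Actual Imp. {row.actual_imp!r} needs a Planned Imp. other than Not Entered")
    return issues


def summarize(rows):
    """Result counts per control family, e.g. {("AC", "Met"): 1, ...}."""
    return Counter((r.family, r.result) for r in rows)


# Constructed sample rows in the section 2 layout (not from the page's table).
SAMPLE_ROWS = [
    "NIST 800-53 w/ DHS 4300A AC-2 / Account Management / Account Management (T) / System-Specific / System-Specific / As Planned / AC-2.1 / X / X / - / - / - / Met / None",
    "NIST 800-53 w/ DHS 4300A AC-2 (1) / Account Management / Account Management (T) / Hybrid / Hybrid / Partially Implemented / AC-2(1).1 / X / X / X / - / - / Not Met / Automated account management not yet deployed",
    "NIST 800-53 w/ DHS 4300A AT-2 (2) / Security Awareness / Security Awareness Training (O) / Common / Common / As Planned / AT-2(2).1, AT-2(2).1 / X / X / - / - / - / Met / None",
    "NIST 800-53 w/ DHS 4300A AC-10 / Concurrent Session Control / Concurrent Session Control (T) / Not Specified / Not Entered / Not Assigned / - / - / - / - / - / X / Not Applicable / Tailored out: single-user appliance",
    "NIST 800-53 w/ DHS 4300A AU-9 / Protection of Audit Information / Protection of Audit Information (T) / System-Specific / System-Specific / As Planned / AU-9.1 / - / - / - / - / - / Met / None",
]

if __name__ == "__main__":
    rows = [parse_row(line) for line in SAMPLE_ROWS]
    for row in rows:
        for issue in check_row(row):
            print(f"{row.control_ref}: {issue}")
    print(dict(summarize(rows)))
```

Run stand-alone, the script reports the duplicated test ID on the AT-2 (2) sample row and the AU-9 row that lists a test procedure with no method marked, then prints Met / Not Met / Not Applicable counts per control family. The `derive_actual_imp` check order matters: Not Assigned is evaluated before Not Entered, which is the only ordering consistent with rows whose Control Type is unselected and whose Planned Imp. reads Not Entered showing Not Assigned rather than Not Entered.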


2. Requirements Traceability Matrix

Control Ref. / Security Req./Control / Security Category / Control Type / Planned Imp. / Actual Imp. / Test #(s) / Methods (I / E / T) / Tailored (IN / OUT) / Result / Notes
Each row below gives these columns in order, with Methods and Tailored split into their I / E / T and IN / OUT sub-columns (X = marked, - = not marked), so every row has 14 cells.
NIST 800-53 w/ DHS 4300A AC-1 / Access Control Policy and Procedures / Access Control Policy and Procedures (T) / Not Specified / Not Entered / Not Assigned / AC-1.1, AC-1.2 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-1 (DHS-5.1.1.c) / Sharing of Personal Passwords / Access Control Policy and Procedures (T) / Not Specified / Not Entered / Not Assigned / AC-1(DHS-5.1.1.c) / - / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-2 / Account Management / Account Management (T) / Not Specified / Not Entered / Not Assigned / AC-2.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-2 (1) / Account Management / Account Management (T) / Not Specified / Not Entered / Not Assigned / AC-2(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-2 (2) / Account Management / Account Management (T) / Not Specified / Not Entered / Not Assigned / AC-2(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-2 (3) / Account Management / Account Management (T) / Not Specified / Not Entered / Not Assigned / AC-2(3).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-2 (4) / Account Management / Account Management (T) / Not Specified / Not Entered / Not Assigned / AC-2(4).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-2 (5) / Account Management / Account Management (T) / Not Specified / Not Entered / Not Assigned / AC-2(5).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-2 (11) / Account Management / Account Management (T) / Not Specified / Not Entered / Not Assigned / AC-2(11).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-3 / Access Enforcement / Access Enforcement (T) / Not Specified / Not Entered / Not Assigned / AC-3.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-3 (DHS-5.1.1.d) / Access Enforcement / Access Enforcement (T) / Not Specified / Not Entered / Not Assigned / AC-3(DHS-5.1.1.d) / - / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-4 / Information Flow Enforcement / Information Flow Enforcement (T) / Not Specified / Not Entered / Not Assigned / AC-4.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-5 / Separation of Duties / Separation of Duties (T) / Not Specified / Not Entered / Not Assigned / AC-5.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-6 / Least Privilege / Least Privilege (T) / Not Specified / Not Entered / Not Assigned / AC-6.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-6 (1) / Least Privilege / Least Privilege (T) / Not Specified / Not Entered / Not Assigned / AC-6(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-6 (2) / Least Privilege / Least Privilege (T) / Not Specified / Not Entered / Not Assigned / AC-6(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-6 (3) / Least Privilege / Least Privilege (T) / Not Specified / Not Entered / Not Assigned / AC-6(3).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-6 (5) / Least Privilege / Least Privilege (T) / Not Specified / Not Entered / Not Assigned / AC-6(5).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-6 (9) / Least Privilege / Least Privilege (T) / Not Specified / Not Entered / Not Assigned / AC-6(9).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-6 (10) / Least Privilege / Least Privilege (T) / Not Specified / Not Entered / Not Assigned / AC-6(10).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-7 / Unsuccessful Logon Attempts / Unsuccessful Logon Attempts (T) / Not Specified / Not Entered / Not Assigned / AC-7.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-8 / System Use Notification / System Use Notification (T) / Not Specified / Not Entered / Not Assigned / AC-8.1, AC-8.2 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-8 (DHS-4.8.5.d) / System Use Notification / System Use Notification (T) / Not Specified / Not Entered / Not Assigned / AC-8(DHS-4.8.5.d) / - / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-10 / Concurrent Session Control / Concurrent Session Control (T) / Not Specified / Not Entered / Not Assigned / AC-10.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-11 / Session Lock / Session Lock (T) / Not Specified / Not Entered / Not Assigned / AC-11.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-11 (1) / Session Lock / Session Lock (T) / Not Specified / Not Entered / Not Assigned / AC-11(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-12 / Session Termination / Session Termination (T) / Not Specified / Not Entered / Not Assigned / AC-12.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-14 / Permitted Actions without Identification or Authentication / Permitted Actions without Identification or Authentication (T) / Not Specified / Not Entered / Not Assigned / AC-14.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-17 / Remote Access / Remote Access (T) / Not Specified / Not Entered / Not Assigned / AC-17.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-17 (1) / Remote Access / Remote Access (T) / Not Specified / Not Entered / Not Assigned / AC-17(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-17 (2) / Remote Access / Remote Access (T) / Not Specified / Not Entered / Not Assigned / AC-17(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-17 (3) / Remote Access / Remote Access (T) / Not Specified / Not Entered / Not Assigned / AC-17(3).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-17 (4) / Remote Access / Remote Access (T) / Not Specified / Not Entered / Not Assigned / AC-17(4).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-17 (DHS-5.4.1.b) / Remote Access / Remote Access (T) / Not Specified / Not Entered / Not Assigned / AC-17(DHS-5.4.1.b) / X / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-17 (DHS-5.4.1.c) / Remote Access / Remote Access (T) / Not Specified / Not Entered / Not Assigned / AC-17(DHS-5.4.1.c) / - / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-18 / Wireless Access / Wireless Access (T) / Not Specified / Not Entered / Not Assigned / AC-18.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-18 (1) / Wireless Access / Wireless Access (T) / Not Specified / Not Entered / Not Assigned / AC-18(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-18 (4) / Wireless Access / Wireless Access (T) / Not Specified / Not Entered / Not Assigned / AC-18(4).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-18 (5) / Wireless Access / Wireless Access (T) / Not Specified / Not Entered / Not Assigned / AC-18(5).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-19 / Access Control for Mobile Devices / Access Control for Mobile Devices (T) / Not Specified / Not Entered / Not Assigned / AC-19.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-19 (5) / Access Control for Mobile Devices / Access Control for Mobile Devices (T) / Not Specified / Not Entered / Not Assigned / AC-19(5).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-20 / Use of External Information Systems / Use of External Information Systems (T) / Not Specified / Not Entered / Not Assigned / AC-20.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-20 (1) / Use of External Information Systems / Use of External Information Systems (T) / Not Specified / Not Entered / Not Assigned / AC-20(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-20 (2) / Use of External Information Systems / Use of External Information Systems (T) / Not Specified / Not Entered / Not Assigned / AC-20(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-21 / User-Based Collaboration and Information Sharing / Information Sharing (T) / Not Specified / Not Entered / Not Assigned / AC-21.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AC-22 / Publicly Accessible Content / Publicly Accessible Content (T) / Not Specified / Not Entered / Not Assigned / AC-22.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AT-1 / Security Awareness and Training Policy and Procedures / Security Awareness and Training Policy and Procedures (O) / Not Specified / Not Entered / Not Assigned / AT-1.1, AT-1.2 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AT-2 / Security Awareness / Security Awareness Training (O) / Not Specified / Not Entered / Not Assigned / AT-2.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AT-2 (2) / Security Awareness / Security Awareness Training (O) / Not Specified / Not Entered / Not Assigned / AT-2(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AT-3 / Security Training / Role-Based Security Training (O) / Not Specified / Not Entered / Not Assigned / AT-3.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AT-4 / Security Training Records / Security Training Records (O) / Not Specified / Not Entered / Not Assigned / AT-4.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-1 / Audit and Accountability Policy and Procedures / Audit and Accountability Policy and Procedures (T) / Not Specified / Not Entered / Not Assigned / AU-1.1, AU-1.2 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-2 / Audit Events / Audit Events (T) / Not Specified / Not Entered / Not Assigned / AU-2.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-2 (3) / Auditable Events / Audit Events (T) / Not Specified / Not Entered / Not Assigned / AU-2(3).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-3 / Content of Audit Records / Content of Audit Records (T) / Not Specified / Not Entered / Not Assigned / AU-3.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-3 (1) / Content of Audit Records / Content of Audit Records (T) / Not Specified / Not Entered / Not Assigned / AU-3(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-3 (2) / Content of Audit Records / Content of Audit Records (T) / Not Specified / Not Entered / Not Assigned / AU-3(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-4 / Audit Storage Capacity / Audit Storage Capacity (T) / Not Specified / Not Entered / Not Assigned / AU-4.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-5 / Response to Audit Processing Failures / Response to Audit Processing Failures (T) / Not Specified / Not Entered / Not Assigned / AU-5.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-5 (1) / Response to Audit Processing Failures / Response to Audit Processing Failures (T) / Not Specified / Not Entered / Not Assigned / AU-5(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-5 (2) / Response to Audit Processing Failures / Response to Audit Processing Failures (T) / Not Specified / Not Entered / Not Assigned / AU-5(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-6 / Audit Review, Analysis, and Reporting / Audit Review, Analysis, and Reporting (T) / Not Specified / Not Entered / Not Assigned / AU-6.1, AU-6.2 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-6 (1) / Audit Review, Analysis, and Reporting / Audit Review, Analysis, and Reporting (T) / Not Specified / Not Entered / Not Assigned / AU-6(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-6 (3) / Audit Review, Analysis, and Reporting / Audit Review, Analysis, and Reporting (T) / Not Specified / Not Entered / Not Assigned / AU-6(3).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-6 (5) / Audit Review, Analysis, and Reporting / Audit Review, Analysis, and Reporting (T) / Not Specified / Not Entered / Not Assigned / AU-6(5).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-6 (6) / Audit Review, Analysis, and Reporting / Audit Review, Analysis, and Reporting (T) / Not Specified / Not Entered / Not Assigned / AU-6(6).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-6 (DHS-5.3.b) / Audit Review, Analysis, and Reporting / Audit Review, Analysis, and Reporting (T) / Not Specified / Not Entered / Not Assigned / AU-6(DHS-5.3.b) / X / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-6 (DHS-5.4.6.f) / Audit Review, Analysis, and Reporting / Audit Review, Analysis, and Reporting (T) / Not Specified / Not Entered / Not Assigned / AU-6(DHS-5.4.6.f) / X / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-7 / Audit Reduction and Report Generation / Audit Reduction and Report Generation (T) / Not Specified / Not Entered / Not Assigned / AU-7.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-7 (1) / Audit Reduction and Report Generation / Audit Reduction and Report Generation (T) / Not Specified / Not Entered / Not Assigned / AU-7(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-8 / Time Stamps / Time Stamps (T) / Not Specified / Not Entered / Not Assigned / AU-8.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-8 (1) / Time Stamps / Time Stamps (T) / Not Specified / Not Entered / Not Assigned / AU-8(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-9 / Protection of Audit Information / Protection of Audit Information (T) / Not Specified / Not Entered / Not Assigned / AU-9.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-9 (2) / Protection of Audit Information / Protection of Audit Information (T) / Not Specified / Not Entered / Not Assigned / AU-9(2).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-9 (3) / Protection of Audit Information / Protection of Audit Information (T) / Not Specified / Not Entered / Not Assigned / AU-9(3).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-9 (4) / Protection of Audit Information / Protection of Audit Information (T) / Not Specified / Not Entered / Not Assigned / AU-9(4).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-10 / Non-repudiation / Non-repudiation (T) / Not Specified / Not Entered / Not Assigned / AU-10.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-11 / Audit Record Retention / Audit Record Retention (T) / Not Specified / Not Entered / Not Assigned / AU-11.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-11 (DHS-5.3.d) / Audit Record Retention / Audit Record Retention (T) / Not Specified / Not Entered / Not Assigned / AU-11(DHS-5.3.d) / X / X / X / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-12 / Audit Generation / Audit Generation (T) / Not Specified / Not Entered / Not Assigned / AU-12.1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-12 (1) / Audit Generation / Audit Generation (T) / Not Specified / Not Entered / Not Assigned / AU-12(1).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A AU-12 (3) / Audit Generation / Audit Generation (T) / Not Specified / Not Entered / Not Assigned / AU-12(3).1 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A CA-1 / Security Assessment and Authorization Policies and Procedures / Security Assessment and Authorization Policies and Procedures (M) / Not Specified / Not Entered / Not Assigned / CA-1.1, CA-1.2 / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A CA-1 (DHS-3.9.m) / Security Assessment and Authorization Policies and Procedures / Security Assessment and Authorization Policies and Procedures (M) / Not Specified / Not Entered / Not Assigned / CA-1(DHS-3.9.m) / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A CA-1 (DHS-3.18.c) / Security Assessment and Authorization Policies and Procedures / Security Assessment and Authorization Policies and Procedures (M) / Not Specified / Not Entered / Not Assigned / CA-1(DHS-3.18.c) / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A CA-1 (DHS-3.18.d) / Security Assessment and Authorization Policies and Procedures / Security Assessment and Authorization Policies and Procedures (M) / Not Specified / Not Entered / Not Assigned / CA-1(DHS-3.18.d) / X / X / - / - / - / Not Met / None
NIST 800-53 w/ DHS 4300A CA-1 (DHS-3.18.e) / Security Assessment and Authorization Policies and Procedures / Security Assessment and Authorization Policies and Procedures (M) / Not Specified / Not Entered / Not Assigned / CA-1(DHS-3.18.e) / X / X / - / - / - / Not Met / None