NOTES/COMMENTS | DATE Finished | CTR Init's | GOV Witness | DESCRIPTION
Remove all software and services not required for operation and/or maintenance of the product:
If removal is not technically feasible, then disable software not required for the operation and/or maintenance of the product. This removal shall not impede the primary function of the product. If software that is not required cannot be removed or disabled, document a specific explanation and provide risk mitigating recommendations and/or specific technical justification. Provide documentation on what is removed and/or disabled. The software/service to be removed and/or disabled shall include, but not be limited to:
• Games
• Device drivers for product components not procured/delivered
• Messaging services (e.g., email, instant messenger, peer-to-peer file sharing)
• Source code
• Software compilers in user workstations and servers
• Software compilers for programming languages that are not used in the energy delivery system
• Unused networking and communications protocols
• Unused administrative utilities, diagnostics, network management, and system management functions
• Backups of files, databases, and programs used only during system development
• All unused data and configuration files
Provide documentation of software/firmware that supports the product, including scripts and/or macros, run time configuration files and interpreters, databases and tables, and all other included software (identifying versions, revisions, and/or patch levels, as delivered). The listing shall include all ports and authorized services required for normal operation, emergency operation, or troubleshooting.
Remove and/or disable, through software, physical disconnection, or engineered barriers, all services and/or ports in the procured product not required for normal operation, emergency operations, or troubleshooting. This shall include communication ports and physical input/output ports (e.g., USB docking ports, CD/DVD drives, video ports, and serial ports). Provide documentation of disabled ports, connectors, and interfaces.
Configure the product to allow the ability to re-enable ports and/or services if they are disabled by software.
Disclose the existence of all known methods for bypassing computer authentication in the product, often referred to as backdoors, and provide written documentation that all such backdoors created have been permanently deleted from the system.
Provide summary documentation of the procured product’s security features and security-focused instructions on product maintenance, support, and reconfiguration of default settings.
Access Control
Implement a warning banner on terminal interfaces that conforms to DoD warning banner guidelines.
Configure each component of the product to operate using the principle of least privilege. This includes operating system permissions, file access, user accounts, application-to-application communications, and energy delivery system services.
Provide user accounts with configurable access and permissions associated with one or more organizationally defined user role(s), where roles are used.
Provide a system administration mechanism for changing user(s’) role (e.g., group) associations.
Configure the product such that when a session or interprocess communication is initiated from a less privileged application, access shall be limited and enforced at the more critical side.
Provide a method for protecting against unauthorized privilege escalation.
Document options for defining access and security permissions, user accounts, and applications with associated roles. Configure these options, as specified.
Prevent unauthorized changes to the Basic Input/Output System (BIOS) and other firmware. If this is not feasible, document it and provide mitigation recommendations.
Verify and provide documentation for the procured product, attesting that unauthorized logging devices are not installed (e.g., key loggers, cameras, and microphones).
Account Management
Document all accounts (including, but not limited to, generic and/or default) that need to be active for proper operation of the product.
Change default account settings to specific settings (e.g., length, complexity, history, and configurations) provided by government rep. Changed account information will not be published. All new account information will be provided by a protected mechanism.
Remove or disable any accounts that are not needed for normal or maintenance operations of the energy delivery system.
Accounts for emergency operations shall be placed in a highly secure configuration, and documentation on their configuration shall be provided.
Session Management
Configure the system to disallow all of the following: multiple concurrent logins using the same authentication credentials, applications retaining login information between sessions, any auto-fill functionality during login, and anonymous logins.
Implement account-based and group-based configurable session-based logout and timeout settings (e.g., alarms and human-machine interfaces).
Authentication/Password Policy and Management
NAVFAC MARIANAS ICS CHECKLIST v2.1 FOR [SYSTEM NAME]
FOUO - FOR OFFICIAL USE ONLY - DO NOT DISTRIBUTE