This page is classified as INTERNAL.
NIST 800-53 (r4) Control
The organization:
a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and
b. Notifies [FedRAMP Assignment: (H) at a minimum, the ISSO and/or similar role within the organization, (L) (M) organization-defined personnel or roles] within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.
NIST 800-53 (r4) Supplemental Guidance
Organizational sanctions processes reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions processes are described in access agreements and can be included as part of general personnel policies and procedures for organizations. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6.
Control Enhancements: None.
References: None.
NIST 800-53 (r5) Discussion
Organizational sanctions reflect applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Sanctions processes are described in access agreements and can be included as part of general personnel policies for organizations and/or specified in security and privacy policies. Organizations consult with the Office of the General Counsel regarding matters of employee sanctions.
Meets Minimum Requirement:
Document a formal sanctions process, including termination and any intermediate steps (e.g., a performance improvement plan (PIP))
Document the stakeholders (e.g., HR, legal) that must be involved in formal sanctions
Designate senior information security personnel (for FedRAMP High, at a minimum the ISSO or similar role) to receive notification, within the organization-defined time period, when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction
Document each formal sanction and retain the records
Include a description of the formal sanctions process in access agreements (PL-4, PS-6)
Best Practice:
Coordinate sanctions with HR and legal personnel to ensure that federal, state and local laws are adhered to
Coordinate the sanctions process with physical security personnel as needed (e.g., badge revocation)
Consider enhanced electronic monitoring of personnel subject to formal sanction for a defined period of time, with legal and HR sign-off
Retain sanctions-related documentation for the duration of an individual's employment and for a period of seven (7) years following departure
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review access agreements to ensure that the sanctions process is described
Review documentation of past sanctions imposed on employees, and confirm that the designated personnel were notified within the organization-defined time period with the individual and reason identified
Interview the designated roles receiving notifications of sanction to ensure they understand their responsibilities
Review general personnel policies for the sanctions process
CSP Implementation Tips:
AWS: Not inherited. The CSP's sanctions process applies only to CSP personnel; the organization must operate and document its own process for its own personnel.
Azure: Not inherited. Same as above.
GCP: Not inherited. Same as above.