This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
NIST 800-53 (r4) Supplemental Guidance:
The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design phases) allows organizations to influence the design of the information system, information system component, or information system service. This early involvement in the life cycle helps organizations to avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services (or when requiring information system service providers to do so). Early identification of functions, ports, protocols, and services avoids costly retrofitting of security controls after the information system, system component, or information system service has been implemented. SA-9 describes requirements for external information system services with organizations identifying which functions, ports, protocols, and services are provided from external sources. Related controls: CM-7, SA-9.
NIST 800-53 (r5) Discussion:
The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.
38North Guidance:
Meets Minimum Requirement:
The CSP/developer must identify the functions, ports, protocols, and services required for proper functioning of the information system.
Best Practice:
Maintain a list of functions, ports, protocols, and services and update the list as required. The CSP should audit compliance with the approved list of functions, ports, protocols, and services and report any non-compliance to the responsible stakeholders/service teams.
The CSP should document and monitor the compliance of security controls, including a review of the functions, ports, protocols, and services that are currently employed against those that are required.
Review and validate all functions, ports, protocols, and services at least annually. Remove/disable any that are not required for day-to-day operations.
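One way to carry out the audit described above, as an added example that is not code from 38North or from this page: a Python script compares an approved PPS inventory (hypothetical entries) against listener data in the shape of `ss -tulpnH` output (constructed sample, not a real capture) and reports unapproved listeners, approved ports owned by an unexpected process, and approved entries that nothing is listening on, so the responsible service teams can act on each.

```python
import re

# Approved functions/ports/protocols/services (PPS) inventory; hypothetical entries.
APPROVED_PPS = [
    {"port": 22,   "proto": "tcp", "service": "sshd",    "function": "admin access"},
    {"port": 443,  "proto": "tcp", "service": "nginx",   "function": "HTTPS front end"},
    {"port": 25,   "proto": "tcp", "service": "postfix", "function": "outbound alerts"},
    {"port": 3306, "proto": "tcp", "service": "mysqld",  "function": "app database"},
]

# Constructed sample in the shape of `ss -tulpnH` output; not a real capture.
OBSERVED_LISTENERS = """\
tcp   LISTEN 0      128    0.0.0.0:22     0.0.0.0:*  users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443    0.0.0.0:*  users:(("nginx",pid=1033,fd=6))
tcp   LISTEN 0      100    127.0.0.1:25   0.0.0.0:*  users:(("exim4",pid=905,fd=5))
tcp   LISTEN 0      128    0.0.0.0:8080   0.0.0.0:*  users:(("python3",pid=2210,fd=4))
udp   UNCONN 0      0      0.0.0.0:161    0.0.0.0:*  users:(("snmpd",pid=640,fd=7))
"""

# proto, state, recv-q, send-q, local addr:port, peer addr, users:(("process",...
LINE_RE = re.compile(r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(text):
    """Return a set of (port, proto, process) tuples from ss-style lines."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.add((int(m.group(2)), m.group(1), m.group(3)))
    return found

def audit_pps(approved, observed_text):
    """Compare observed listeners with the approved inventory; returns unapproved
    (no inventory entry), mismatched (other process owns an approved port/proto),
    and dormant (approved but nothing listening, a candidate for the annual review)."""
    observed = parse_listeners(observed_text)
    index = {(e["port"], e["proto"]): e for e in approved}
    result = {"unapproved": [], "mismatched": [], "dormant": []}
    for port, proto, proc in sorted(observed):
        entry = index.get((port, proto))
        if entry is None:
            result["unapproved"].append((port, proto, proc))
        elif entry["service"] != proc:
            result["mismatched"].append((port, proto, proc, entry["service"]))
    seen = {(port, proto) for port, proto, _ in observed}
    result["dormant"] = [key for key in index if key not in seen]
    return result

if __name__ == "__main__":
    for kind, items in audit_pps(APPROVED_PPS, OBSERVED_LISTENERS).items():
        for item in items:
            print(f"{kind}: {item}")  # each finding goes to the owning service team
```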
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
Provide a list of functions, ports, protocols, and services.
Audit reports that verify functions, ports, protocols, and services.
Samples of acquisition contracts or documented evidence to show:
Security requirements are addressed
A description of the product is provided
The security controls employed by the product
A plan for continuous monitoring is produced
The functions, ports, protocols, and services required for operation are defined
Testing performed on the acquired product prior to implementation
CSP Implementation Tips:
None.