ARTIFACTS
SI: SYSTEM & INFORMATION INTEGRITY
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts, organized to make the information usable. From here you can navigate to the individual control pages, where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for System & Information Integrity (SI); and documents that are widely used in the assessment of controls and control enhancements in the System & Information Integrity (SI) family. Policy and Procedure documents from control families are in CAPS and identified with their two-letter code.
CORE ARTIFACTS
Security Authorization Package Documents: ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)

WIDELY USED ARTIFACTS FOR SYSTEM AND INFORMATION INTEGRITY (SI)
Information system design documentation
Information system configuration settings and associated documentation
Information system audit records

SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
System & Information Integrity policy
Policy & Procedures
Here you'll find a catalog of System & Information Integrity (SI) related policies and procedures for maintaining the integrity of the systems and information in your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
Access control POLICY & PROCEDURES | SI-4 (3) SI-10 SI-10 (1) SI-10 (2) |
Media protection POLICY & PROCEDURES | SI-12 |
Procedures addressing configuration management | SI-2 |
Procedures addressing flaw remediation | SI-2 SI-2 (1) SI-2 (2) SI-2 (3) SI-2 (5) SI-2 (6) SI-3 (10) |
Procedures addressing incident response | SI-3 (10) SI-7 (7) |
Procedures addressing information input validation | SI-10 SI-10 (1) SI-10 (2) SI-10 (3) SI-10 (4) SI-10 (5) |
Procedures addressing information output filtering | SI-15 |
Procedures addressing information system error handling | SI-11 |
Procedures addressing information system monitoring | SI-4 (19) SI-4 (21) SI-4 (24) |
Procedures addressing information system monitoring tools and techniques | SI-4 SI-4 (1) SI-4 (2) SI-4 (3) SI-4 (4) SI-4 (5) SI-4 (7) SI-4 (10) SI-4 (11) SI-4 (12) SI-4 (13) SI-4 (14) SI-4 (15) SI-4 (16) SI-4 (17) SI-4 (18) SI-4 (20) SI-4 (22) SI-4 (23) |
Procedures addressing information system output handling and retention | SI-12 |
Procedures addressing malicious code protection | SI-3 SI-3 (1) SI-3 (2) SI-3 (4) SI-3 (6) SI-3 (7) SI-3 (8) SI-3 (9) SI-3 (10) |
Procedures addressing memory protection for the information system | SI-16 SI-17 |
Procedures addressing non-persistence for information system components | SI-14 SI-14 (1) |
Procedures addressing predictable failure prevention | SI-13 SI-13 (1) SI-13 (3) SI-13 (4) SI-13 (5) |
Procedures addressing security alerts, advisories, and directives | SI-5 SI-5 (1) |
Procedures addressing security function verification | SI-6 SI-6 (2) SI-6 (3) |
Procedures addressing software and information integrity | SI-7 (16) |
Procedures addressing software, firmware, and information integrity | SI-7 SI-7 (1) SI-7 (2) SI-7 (3) SI-7 (5) SI-7 (6) SI-7 (7) SI-7 (8) SI-7 (9) SI-7 (10) SI-7 (11) SI-7 (12) SI-7 (13) SI-7 (14) SI-7 (15) |
Procedures addressing spam protection | SI-8 SI-8 (1) SI-8 (2) SI-8 (3) |
Procedures addressing testing of information system monitoring tools and techniques | SI-4 (9) |
System and information integrity POLICY & PROCEDURES | SI-1 |
Evidence, Records & Artifacts
Here you'll find a catalog of the evidence, records, and artifacts that demonstrate the System & Information Integrity (SI) controls operating across your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
Alerts/notifications generated based on compromise indicators | SI-4 (5) |
Alerts/notifications generated based on detected suspicious events | SI-4 (7) |
Alerts/notifications of failed security verification tests | SI-6 |
Alerts/notifications provided to security personnel | SI-4 (12) |
Alerts/notifications provided upon discovering discrepancies during integrity verifications | SI-7 (2) |
Approval records for execution of binary and machine-executable code | SI-7 (13) SI-7 (14) |
Automated mechanisms supporting centralized management of flaw remediation | SI-2 (1) SI-2 (2) |
Automated mechanisms supporting centralized management of malicious code protection mechanisms | SI-3 (1) SI-3 (2) |
Automated mechanisms supporting flaw remediation | SI-2 (6) |
Automated mechanisms supporting flaw remediation and automatic software/firmware updates | SI-2 (5) |
Automated mechanisms supporting the distribution of security alert and advisory information | SI-5 (1) |
Automated tools supporting alerts and notifications for integrity discrepancies | SI-7 (2) |
Automated tools supporting alerts and notifications if unauthorized security changes are detected | SI-7 (8) |
Configuration management POLICY & PROCEDURES | SI-3 SI-8 |
Continuous monitoring strategy | SI-4 |
Cryptographic mechanisms and associated documentation | SI-7 (6) SI-7 (15) |
Documentation describing failover capability provided for the information system | SI-13 (5) |
Documentation for automated tools and applications to verify validity of information | SI-10 |
Documentation providing evidence of testing intrusion-monitoring tools | SI-4 (9) |
Documentation providing structure/content of error messages | SI-11 |
Documented authorization/approval of network services | SI-4 (22) |
Event correlation logs or records | SI-4 (16) |
Event correlation logs or records resulting from physical, cyber, and supply chain activities | SI-4 (17) |
Facility diagram/layout | SI-4 |
Federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information handling and retention | SI-12 |
Host-based monitoring mechanisms | SI-4 (23) |
Incident response records | SI-7 (7) SI-7 (8) |
Information audit records | SI-7 (5) SI-7 (7) |
Information input validation error logs or records | SI-10 (2) |
Information retention records | SI-12 |
Information system monitoring logs or records | SI-4 (11) SI-4 (12) SI-4 (18) SI-4 (20) SI-4 (21) SI-4 (22) SI-4 (23) SI-4 (24) |
Information system monitoring tools and techniques documentation | SI-4 SI-4 (1) SI-4 (2) SI-4 (3) SI-4 (4) SI-4 (5) SI-4 (7) SI-4 (10) SI-4 (11) SI-4 (12) SI-4 (13) SI-4 (14) SI-4 (15) SI-4 (16) SI-4 (17) SI-4 (18) SI-4 (20) SI-4 (21) SI-4 (22) SI-4 (23) SI-4 (24) |
Information system protocols | SI-4 (4) SI-4 (10) SI-4 (14) |
Information system protocols documentation | SI-4 (13) SI-4 (15) |
Installation/change control records for security-relevant software and firmware updates | SI-2 |
Integrity verification records | SI-7 (12) |
Integrity verification tools and associated documentation | SI-7 SI-7 (1) SI-7 (2) SI-7 (3) SI-7 (5) SI-7 (8) SI-7 (9) SI-7 (10) |
Locations within information system where monitoring devices are deployed | SI-4 |
Malicious code protection mechanisms | SI-3 SI-3 (4) SI-3 (7) SI-3 (8) SI-3 (9) |
Malicious code protection mechanisms, tools, and techniques | SI-3 (10) |
Network diagram | SI-4 (11) SI-4 (18) |
Notifications or alerts of unauthorized network services | SI-4 (22) |
Record of actions initiated by malicious code protection mechanisms in response to malicious code detection | SI-3 |
Records generated/triggered from integrity verification tools regarding unauthorized software, firmware, and information changes | SI-7 |
Records of actions taken to terminate suspicious events | SI-4 (7) |
Records of detected unauthorized changes to software, firmware, and information | SI-7 (6) |
Records of flaw remediation events resulting from malicious code analyses | SI-3 (10) |
Records of integrity checks and responses to integrity violations | SI-7 (5) |
Records of integrity scans | SI-7 SI-7 (1) SI-7 (2) SI-7 (3) SI-7 (5) SI-7 (8) SI-7 (9) SI-7 (10) |
Records of integrity verification scans | SI-7 (9) SI-7 (10) |
Records of malicious code protection updates | SI-3 SI-3 (4) SI-3 (7) |
Records of recent security-relevant software and firmware updates automatically installed to information system components | SI-2 (5) |
Records of security alerts and advisories | SI-5 SI-5 (1) |
Records of security function verification results | SI-6 (3) |
Records of software and firmware component removals after updated versions are installed | SI-2 (6) |
Records of spam protection updates | SI-8 SI-8 (2) |
Records providing evidence of test cases executed on malicious code protection mechanisms | SI-3 (6) |
Records providing time stamps of flaw identification and subsequent flaw remediation activities | SI-2 (3) |
Results from malicious code analyses | SI-3 (10) |
Review records of information input validation errors and resulting resolutions | SI-10 (2) |
Scan results from malicious code protection mechanisms | SI-3 |
Separation of duties POLICY & PROCEDURES | SI-10 SI-10 (1) SI-10 (2) |
Spam protection mechanisms | SI-8 SI-8 (1) SI-8 (2) SI-8 (3) |
Test cases | SI-3 (6) |
Test results from the installation of software and firmware updates to correct information system flaws | SI-2 |
Warning messages sent upon detection of unauthorized operating system command execution | SI-3 (8) SI-3 (9) |
System & Information Integrity (SI) Related Lists
These are the System & Information Integrity (SI) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain, you should know the source of each list and the data it contains; how the lists are generated, where they are stored, and how they are maintained; and how to get them when you have an incident, an incident investigation, or an audit.
LIST | APPLICABLE CONTROL(S) |
List of acceptable formats for input restrictions | SI-10 (5) |
List of acceptable thresholds for false positives and false negatives | SI-4 (13) |
List of actions to be taken once information system component failure is detected | SI-13 (4) |
List of benchmarks for taking corrective action on flaws identified | SI-2 (3) |
List of flaws and vulnerabilities potentially affecting the information system | SI-2 |
List of inappropriate or unusual activities (with security implications) that trigger alerts | SI-4 (12) |
List of individuals who have been identified as posing an increased level of risk | SI-4 (19) |
List of information inputs requiring validity checks | SI-10 |
List of information system components requiring host-based monitoring | SI-4 (23) |
List of MTTF substitution criteria | SI-13 |
List of privileged users | SI-4 (20) |
List of profiles representing common traffic patterns and/or events | SI-4 (13) |
List of recent security flaw remediation actions performed on the information system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct information system flaws) | SI-2 |
List of security safeguards protecting information system memory from unauthorized code execution | SI-16 SI-17 |
List of security-relevant changes to the information system | |
List of system transition states requiring security functionality verification | SI-6 |
List of trusted sources for information inputs | SI-10 (5) |