Automatic updates from trestlebot

markdown/profiles/example/ac/ac-1.md

@@ -54,30 +54,46 @@ x-trestle-global:
   - \[1.\] Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and
   - \[2.\] Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}.
 
+## Control Assessment Objective
+
+- \[AC-01a.\]
+
+  - \[AC-01a.[01]\] an access control policy is developed and documented;
+  - \[AC-01a.[02]\] the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};
+  - \[AC-01a.[03]\] access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
+  - \[AC-01a.[04]\] the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};
+  - \[AC-01a.01\]
+
+    - \[AC-01a.01(a)\]
+
+      - \[AC-01a.01(a)[01]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;
+      - \[AC-01a.01(a)[02]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;
+      - \[AC-01a.01(a)[03]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;
+      - \[AC-01a.01(a)[04]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;
+      - \[AC-01a.01(a)[05]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;
+      - \[AC-01a.01(a)[06]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;
+      - \[AC-01a.01(a)[07]\] the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;
+
+    - \[AC-01a.01(b)\] the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
+
+- \[AC-01b.\] the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;
+
+- \[AC-01c.\]
+
+  - \[AC-01c.01\]
+
+    - \[AC-01c.01[01]\] the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};
+    - \[AC-01c.01[02]\] the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};
+
+  - \[AC-01c.02\]
+
+    - \[AC-01c.02[01]\] the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};
+    - \[AC-01c.02[02]\] the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.
+
 ## Control guidance
 
 Access control policy and procedures address the controls in the AC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of access control policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies reflecting the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to access control policy and procedures include assessment or audit findings, security incidents or breaches, or changes in laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
 
-## Control assessment-objective
-
-an access control policy is developed and documented;
-the access control policy is disseminated to {{ insert: param, ac-01_odp.01 }};
-access control procedures to facilitate the implementation of the access control policy and associated controls are developed and documented;
-the access control procedures are disseminated to {{ insert: param, ac-01_odp.02 }};
-the {{ insert: param, ac-01_odp.03 }} access control policy addresses purpose;
-the {{ insert: param, ac-01_odp.03 }} access control policy addresses scope;
-the {{ insert: param, ac-01_odp.03 }} access control policy addresses roles;
-the {{ insert: param, ac-01_odp.03 }} access control policy addresses responsibilities;
-the {{ insert: param, ac-01_odp.03 }} access control policy addresses management commitment;
-the {{ insert: param, ac-01_odp.03 }} access control policy addresses coordination among organizational entities;
-the {{ insert: param, ac-01_odp.03 }} access control policy addresses compliance;
-the {{ insert: param, ac-01_odp.03 }} access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
-the {{ insert: param, ac-01_odp.04 }} is designated to manage the development, documentation, and dissemination of the access control policy and procedures;
-the current access control policy is reviewed and updated {{ insert: param, ac-01_odp.05 }};
-the current access control policy is reviewed and updated following {{ insert: param, ac-01_odp.06 }};
-the current access control procedures are reviewed and updated {{ insert: param, ac-01_odp.07 }};
-the current access control procedures are reviewed and updated following {{ insert: param, ac-01_odp.08 }}.
-
 # Editable Content
 
 <!-- Make additions and edits below -->

markdown/profiles/example/ac/ac-2.md

@@ -76,6 +76,62 @@ x-trestle-global:
 
 - \[l.\] Align account management processes with personnel termination and transfer processes.
 
+## Control Assessment Objective
+
+- \[AC-02a.\]
+
+  - \[AC-02a.[01]\] account types allowed for use within the system are defined and documented;
+  - \[AC-02a.[02]\] account types specifically prohibited for use within the system are defined and documented;
+
+- \[AC-02b.\] account managers are assigned;
+
+- \[AC-02c.\] {{ insert: param, ac-02_odp.01 }} for group and role membership are required;
+
+- \[AC-02d.\]
+
+  - \[AC-02d.01\] authorized users of the system are specified;
+  - \[AC-02d.02\] group and role membership are specified;
+  - \[AC-02d.03\]
+
+    - \[AC-02d.03[01]\] access authorizations (i.e., privileges) are specified for each account;
+    - \[AC-02d.03[02]\] {{ insert: param, ac-02_odp.02 }} are specified for each account;
+
+- \[AC-02e.\] approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;
+
+- \[AC-02f.\]
+
+  - \[AC-02f.[01]\] accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};
+  - \[AC-02f.[02]\] accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};
+  - \[AC-02f.[03]\] accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};
+  - \[AC-02f.[04]\] accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};
+  - \[AC-02f.[05]\] accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};
+
+- \[AC-02g.\] the use of accounts is monitored; 
+
+- \[AC-02h.\]
+
+  - \[AC-02h.01\] account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;
+  - \[AC-02h.02\] account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;
+  - \[AC-02h.03\] account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;
+
+- \[AC-02i.\]
+
+  - \[AC-02i.01\] access to the system is authorized based on a valid access authorization;
+  - \[AC-02i.02\] access to the system is authorized based on intended system usage;
+  - \[AC-02i.03\] access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};
+
+- \[AC-02j.\] accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};
+
+- \[AC-02k.\]
+
+  - \[AC-02k.[01]\] a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+  - \[AC-02k.[02]\] a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
+
+- \[AC-02l.\]
+
+  - \[AC-02l.[01]\] account management processes are aligned with personnel termination processes;
+  - \[AC-02l.[02]\] account management processes are aligned with personnel transfer processes.
+
 ## Control guidance
 
 Examples of system account types include individual, shared, group, system, guest, anonymous, emergency, developer, temporary, and service. Identification of authorized system users and the specification of access privileges reflect the requirements in other controls in the security plan. Users requiring administrative privileges on system accounts receive additional scrutiny by organizational personnel responsible for approving such accounts and privileged access, including system owner, mission or business owner, senior agency information security officer, or senior agency official for privacy. Types of accounts that organizations may wish to prohibit due to increased risk include shared, group, emergency, anonymous, temporary, and guest accounts.
@@ -84,35 +140,6 @@ Where access involves personally identifiable information, security programs col
 
 Temporary and emergency accounts are intended for short-term use. Organizations establish temporary accounts as part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts, including local logon accounts used for special tasks or when network resources are unavailable (may also be known as accounts of last resort). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include when shared/group, emergency, or temporary accounts are no longer required and when individuals are transferred or terminated. Changing shared/group authenticators when members leave the group is intended to ensure that former group members do not retain access to the shared or group account. Some types of system accounts may require specialized training.
 
-## Control assessment-objective
-
-account types allowed for use within the system are defined and documented;
-account types specifically prohibited for use within the system are defined and documented;
-account managers are assigned;
-{{ insert: param, ac-02_odp.01 }} for group and role membership are required;
-authorized users of the system are specified;
-group and role membership are specified;
-access authorizations (i.e., privileges) are specified for each account;
-{{ insert: param, ac-02_odp.02 }} are specified for each account;
-approvals are required by {{ insert: param, ac-02_odp.03 }} for requests to create accounts;
-accounts are created in accordance with {{ insert: param, ac-02_odp.04 }};
-accounts are enabled in accordance with {{ insert: param, ac-02_odp.04 }};
-accounts are modified in accordance with {{ insert: param, ac-02_odp.04 }};
-accounts are disabled in accordance with {{ insert: param, ac-02_odp.04 }};
-accounts are removed in accordance with {{ insert: param, ac-02_odp.04 }};
-the use of accounts is monitored;
-account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.06 }} when accounts are no longer required;
-account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred;
-account managers and {{ insert: param, ac-02_odp.05 }} are notified within {{ insert: param, ac-02_odp.08 }} when system usage or the need to know changes for an individual;
-access to the system is authorized based on a valid access authorization;
-access to the system is authorized based on intended system usage;
-access to the system is authorized based on {{ insert: param, ac-02_odp.09 }};
-accounts are reviewed for compliance with account management requirements {{ insert: param, ac-02_odp.10 }};
-a process is established for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
-a process is implemented for changing shared or group account authenticators (if deployed) when individuals are removed from the group;
-account management processes are aligned with personnel termination processes;
-account management processes are aligned with personnel transfer processes.
-
 # Editable Content
 
 <!-- Make additions and edits below -->

markdown/profiles/example/ac/ac-4.4.md

@@ -28,14 +28,18 @@ x-trestle-global:
 
 Prevent encrypted information from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.
 
-## Control guidance
+- \[4_fr\]
 
-Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.
+  - \[Requirement:\] The service provider must support Agency requirements to comply with M-21-31 (https://www.whitehouse.gov/wp-content/uploads/2021/08/M-21-31-Improving-the-Federal-Governments-Investigative-and-Remediation-Capabilities-Related-to-Cybersecurity-Incidents.pdf) and M-22-09 (https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf).
 
-## Control assessment-objective
+## Control Assessment Objective
 
 encrypted information is prevented from bypassing {{ insert: param, ac-04.04_odp.01 }} by {{ insert: param, ac-04.04_odp.02 }}.
 
+## Control guidance
+
+Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.
+
 # Editable Content
 
 <!-- Make additions and edits below -->