The following is the NIST SSDF Readiness Questionnaire. Evidence is mapped according to the checklist and policies.
SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | SCF Control Question | NIST SSDF | Evidence |
---|---|---|---|---|---|
Asset Management | | | | | |
Provenance | FII-SCF-002-AST-03.2 | Mechanisms exist to track the origin, development, ownership, location and changes to systems, system components and associated data. | Does the organization govern the chronology of the origin, development, ownership, location and changes to a system, system components and associated data? | PW.4 PW.4.1 | |
Change Management | | | | | |
Library Privileges | FII-SCF-004-CHG-04.5 | Mechanisms exist to restrict software library privileges to those individuals with a pertinent business need for access. | Does the organization restrict software library privileges to those individuals with a pertinent business need for access? | PS.1.1 | |
Human Resources Security | | | | | |
Roles & Responsibilities | FII-SCF-011-HRS-03 | Mechanisms exist to define cybersecurity responsibilities for all personnel. | Does the organization define cybersecurity responsibilities for all personnel? | PO.2.1 | Security Awareness Training |
Information Assurance | | | | | |
Plan of Action & Milestones (POA&M) | FII-SCF-014-IAO-05 | Mechanisms exist to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities. | Does the organization use a Plan of Action and Milestones (POA&M), or similar mechanisms, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities? | RV.2.2 | |
Project & Resource Management | | | | | |
Security Portfolio Management | FII-SCF-019-PRM-01 | Mechanisms exist to facilitate the implementation of cybersecurity and privacy-related resource planning controls that define a viable plan for achieving cybersecurity & privacy objectives. | Does the organization facilitate the implementation of cybersecurity and privacy-related resource planning controls? | PO.2.3 | |
Strategic Plan & Objectives | FII-SCF-019-PRM-01.1 | Mechanisms exist to establish a strategic cybersecurity and privacy-specific business plan and set of objectives to achieve that plan. | Does the organization establish a strategic cybersecurity and privacy-specific business plan and set of objectives to achieve that plan? | PO.2.3 | |
Targeted Capability Maturity Levels | FII-SCF-019-PRM-01.2 | Mechanisms exist to define and identify targeted capability maturity levels. | Does the organization define and identify targeted capability maturity levels? | PO.2.3 | |
Security & Privacy Resource Management | FII-SCF-019-PRM-02 | Mechanisms exist to address all capital planning and investment requests, including the resources needed to implement the security & privacy programs, and document all exceptions to this requirement. | Does the organization address all capital planning and investment requests, including the resources needed to implement the security & privacy programs, and document all exceptions to this requirement? | PO.2.3 | |
Allocation of Resources | FII-SCF-019-PRM-03 | Mechanisms exist to identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives. | Does the organization identify and allocate resources for management, operational, technical and privacy requirements within business process planning for projects / initiatives? | PO.2.3 | |
Security & Privacy In Project Management | FII-SCF-019-PRM-04 | Mechanisms exist to assess cybersecurity and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements. | Does the organization assess cybersecurity and privacy controls in system project development to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the requirements? | PO.1 PO.2 RV.3 RV.3.1 RV.3.2 | |
Security & Privacy Requirements Definition | FII-SCF-019-PRM-05 | Mechanisms exist to identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC). | Does the organization identify critical system components and functions by performing a criticality analysis for critical systems, system components or services at pre-defined decision points in the Secure Development Life Cycle (SDLC)? | PO.1 PO.1.1 | |
Business Process Definition | FII-SCF-019-PRM-06 | Mechanisms exist to define business processes with consideration for cybersecurity and privacy that determine: ▪ The resulting risk to organizational operations, assets, individuals and other organizations; and ▪ Information protection needs arising from the defined business processes, and revise the processes as necessary until an achievable set of protection needs is obtained. | Does the organization define business processes with consideration for cybersecurity and privacy that determine: ▪ The resulting risk to organizational operations, assets, individuals and other organizations; and ▪ Information protection needs arising from the defined business processes, and revise the processes as necessary until an achievable set of protection needs is obtained? | PO.1 | |
Secure Development Life Cycle (SDLC) Management | FII-SCF-019-PRM-07 | Mechanisms exist to ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures. | Does the organization ensure changes to systems within the Secure Development Life Cycle (SDLC) are controlled through formal change control procedures? | PO.1 RV.3.4 | Software Development Lifecycle Policy, Code Quality Policy |
Manage Organizational Knowledge | FII-SCF-019-PRM-08 | Mechanisms exist to manage the organizational knowledge of the cybersecurity and privacy staff. | Does the organization manage the organizational knowledge of the cybersecurity and privacy staff? | RV.3 RV.3.1 RV.3.2 | |
Risk Management | | | | | |
Risk Ranking | FII-SCF-020-RSK-05 | Mechanisms exist to identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices. | Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities that is based on industry-recognized practices? | RV.3 RV.3.1 RV.3.2 | Risk Register |
Supply Chain Risk Management (SCRM) Plan | FII-SCF-020-RSK-09 | Mechanisms exist to develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans. | Does the organization develop a plan for Supply Chain Risk Management (SCRM) associated with the development, acquisition, maintenance and disposal of systems, system components and services, including documenting selected mitigating actions and monitoring performance against those plans? | PW.4.1 | Risk Register |
Security Awareness & Training | | | | | |
Security & Privacy-Minded Workforce | FII-SCF-023-SAT-01 | Mechanisms exist to facilitate the implementation of security workforce development and awareness controls. | Does the organization facilitate the implementation of security workforce development and awareness controls? | PO.2.2 | Professional Education Training |
Role-Based Security & Privacy Training | FII-SCF-023-SAT-03 | Mechanisms exist to provide role-based security-related training: ▪ Before authorizing access to the system or performing assigned duties; ▪ When required by system changes; and ▪ Annually thereafter. | Does the organization provide role-based security-related training: ▪ Before authorizing access to the system or performing assigned duties; ▪ When required by system changes; and ▪ Annually thereafter? | PO.2.2 | Professional Education Training |
Technology Development & Acquisition | | | | | |
Technology Development & Acquisition | FII-SCF-024-TDA-01 | Mechanisms exist to facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs. | Does the organization facilitate the implementation of tailored development and acquisition strategies, contract tools and procurement methods to meet unique business needs? | PO.2.3 | |
Product Management | FII-SCF-024-TDA-01.1 | Mechanisms exist to design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies. | Does the organization design and implement product management processes to update products, including systems, software and services, to improve functionality and correct security deficiencies? | PW.4 PW.4.1 RV.3 RV.3.1 RV.3.2 RV.3.3 RV.3.4 | |
Secure Coding | FII-SCF-024-TDA-06 | Mechanisms exist to develop applications based on secure coding principles. | Does the organization develop applications based on secure coding principles? | PW.1 PW.1.1 PW.4 PW.4.1 PW.4.2 PW.4.3 PW.5 PW.5.1 | |
Criticality Analysis | FII-SCF-024-TDA-06.1 | Mechanisms exist to require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC). | Does the organization require the developer of the system, system component or service to perform a criticality analysis at organization-defined decision points in the Secure Development Life Cycle (SDLC)? | PW.1.1 | |
Threat Modeling | FII-SCF-024-TDA-06.2 | Mechanisms exist to perform threat modelling and other secure design techniques to ensure that threats to software and solutions are identified and accounted for. | Does the organization perform threat modelling and other secure design techniques to ensure that threats to software and solutions are identified and accounted for? | PW.1.1 | Threat Modeling |
Software Assurance Maturity Model (SAMM) | FII-SCF-024-TDA-06.3 | Mechanisms exist to utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services. | Does the organization utilize a Software Assurance Maturity Model (SAMM) to govern a secure development lifecycle for the development of systems, applications and services? | PW.1 PW.1.1 PW.4.2 PW.4.3 PW.5 PW.5.1 PW.5.2 | |
Supporting Toolchain | FII-SCF-024-TDA-06.4 | Automated mechanisms exist to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle. | Does the organization utilize automation to improve the accuracy, consistency and comprehensiveness of secure practices throughout the asset's lifecycle? | PO.3 PO.3.1 PO.3.2 PO.3.3 PW.6 PW.6.1 PW.6.2 | |
Software Design Review | FII-SCF-024-TDA-06.5 | Mechanisms exist to have an independent review of the software design to confirm that all cybersecurity and privacy requirements are met and that any identified risks are satisfactorily addressed. | Does the organization have an independent review of the software design to confirm that all cybersecurity and privacy requirements are met and that any identified risks are satisfactorily addressed? | PW.2 PW.2.1 | |
Security & Privacy Testing Throughout Development | FII-SCF-024-TDA-09 | Mechanisms exist to require system developers/integrators to consult with cybersecurity and privacy personnel to: ▪ Create and implement a Security Test and Evaluation (ST&E) plan; ▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and ▪ Document the results of the security testing/evaluation and flaw remediation processes. | Does the organization require system developers/integrators to consult with cybersecurity and privacy personnel to: ▪ Create and implement a Security Test and Evaluation (ST&E) plan; ▪ Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and ▪ Document the results of the security testing/evaluation and flaw remediation processes? | PO.4 PO.4.1 PO.4.2 PW.3 PW.3.1 PW.3.2 PW.5.2 RV.1 RV.1.1 RV.1.2 RV.1.3 | Penetration Test Reports |
Static Code Analysis | FII-SCF-024-TDA-09.2 | Mechanisms exist to require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis. | Does the organization require the developers of systems, system components or services to employ static code analysis tools to identify and remediate common flaws and document the results of the analysis? | PW.5.2 PW.7 PW.7.1 PW.7.2 PW.8 PW.8.1 PW.8.2 | Code Linting Policy |
Dynamic Code Analysis | FII-SCF-024-TDA-09.3 | Mechanisms exist to require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis. | Does the organization require the developers of systems, system components or services to employ dynamic code analysis tools to identify and remediate common flaws and document the results of the analysis? | PW.5.2 PW.7 PW.7.1 PW.7.2 PW.8 PW.8.1 PW.8.2 | Automation Test Report (Playwright/Puppeteer) |
Malformed Input Testing | FII-SCF-024-TDA-09.4 | Mechanisms exist to utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on their interfaces. | Does the organization utilize testing methods to ensure systems, services and products continue to operate as intended when subject to invalid or unexpected inputs on their interfaces? | PW.5.2 PW.7 PW.7.1 PW.7.2 PW.8 PW.8.1 PW.8.2 | Penetration Test Reports |
Application Penetration Testing | FII-SCF-024-TDA-09.5 | Mechanisms exist to perform application-level penetration testing of custom-made applications and services. | Does the organization perform application-level penetration testing of custom-made applications and services? | PW.5.2 PW.7 PW.7.1 PW.7.2 PW.8 PW.8.1 PW.8.2 | Penetration Test Reports |
Secure Settings By Default | FII-SCF-024-TDA-09.6 | Mechanisms exist to implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise. | Does the organization implement secure configuration settings by default to reduce the likelihood of software being deployed with weak security settings that would put the asset at a greater risk of compromise? | PW.9 PW.9.1 PW.9.2 | |
Developer Configuration Management | FII-SCF-024-TDA-14 | Mechanisms exist to require system developers and integrators to perform configuration management during system design, development, implementation and operation. | Does the organization require system developers and integrators to perform configuration management during system design, development, implementation and operation? | PW.3 PW.3.1 | |
Access to Program Source Code | FII-SCF-024-TDA-20 | Mechanisms exist to limit privileges to change software resident within software libraries. | Does the organization limit privileges to change software resident within software libraries? | PS.1 PS.1.1 | |
Software Release Integrity Verification | FII-SCF-024-TDA-20.1 | Mechanisms exist to publish integrity verification information for software releases. | Does the organization publish integrity verification information for software releases? | PS.2 PS.2.1 | File Integrity Monitoring |
Archiving Software Releases | FII-SCF-024-TDA-20.2 | Mechanisms exist to archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information. | Does the organization archive software releases and all of their components (e.g., code, package files, third-party libraries, documentation) to maintain integrity verification information? | PS.3 PS.3.1 | |
Third-Party Management | | | | | |
Third-Party Management | FII-SCF-025-TPM-01 | Mechanisms exist to facilitate the implementation of third-party management controls. | Does the organization facilitate the implementation of third-party management controls? | PW.3 PW.3.1 | Vendor Management Policy |
Supply Chain Protection | FII-SCF-025-TPM-03 | Mechanisms exist to evaluate security risks associated with the services and product supply chain. | Does the organization evaluate security risks associated with the services and product supply chain? | PW.3 PW.3.1 | |
Third-Party Contract Requirements | FII-SCF-025-TPM-05 | Mechanisms exist to identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data. | Does the organization identify, regularly review and document third-party confidentiality, Non-Disclosure Agreements (NDAs) and other contracts that reflect the organization's needs to protect systems and data? | PW.3 PW.3.1 | |
Review of Third-Party Services | FII-SCF-025-TPM-08 | Mechanisms exist to monitor, regularly review and audit Third-Party Service Providers (TSP) for compliance with established contractual requirements for cybersecurity and privacy controls. | Does the organization monitor, regularly review and audit Third-Party Service Providers (TSP) for compliance with established contractual requirements for cybersecurity and privacy controls? | PW.3 PW.3.1 PW.3.2 | Vendor Risk Assessment |
Vulnerability & Patch Management | | | | | |
Vulnerability & Patch Management Program (VPMP) | FII-SCF-027-VPM-01 | Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls. | Does the organization facilitate the implementation and monitoring of vulnerability management controls? | RV.1 RV.1.1 RV.1.2 RV.1.3 RV.3 RV.3.1 RV.3.2 | Vulnerability Management Policy |
Vulnerability Remediation Process | FII-SCF-027-VPM-02 | Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated. | Does the organization ensure that vulnerabilities are properly identified, tracked and remediated? | RV.2 RV.2.1 RV.2.2 | Vulnerability Scan/Penetration Test Reports |
Continuous Vulnerability Remediation Activities | FII-SCF-027-VPM-04 | Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks. | Does the organization address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks? | RV.1 RV.1.1 RV.1.2 RV.1.3 | Vulnerability Scan/Penetration Test Reports |
Last updated by Sreejith K on August 10, 2023