>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

GRR-10Defense in depth architecture

IL4 Mod
IL4 High
IL5
IL6

>Control Description

How robust is the CSP's required boundary protection (defense-in-depth security/protective measures) implemented between the internet and the CSO for its protection from internet-based threats?

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

See Section 5.10.3, and all subsections, of CC SRG V1R4 for additional details.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What documented policies and procedures address defense in depth architecture?
  • Who is accountable for implementing and maintaining defense in depth architecture controls?
  • How frequently are defense in depth architecture requirements reviewed, and what triggers updates?
  • What process ensures changes to systems maintain compliance with defense in depth architecture requirements?
  • How are exceptions to defense in depth architecture requirements documented and approved?

Technical Implementation:

  • What technical controls enforce defense in depth architecture in your environment?
  • How are defense in depth architecture controls configured and maintained across all systems?
  • What automated mechanisms support defense in depth architecture compliance?
  • How do you validate that defense in depth architecture implementations achieve their intended security outcome?
  • What compensating controls exist if primary defense in depth architecture controls cannot be fully implemented?

Evidence & Documentation:

  • What documentation proves defense in depth architecture is implemented and operating effectively?
  • Can you provide configuration evidence showing how defense in depth architecture is technically enforced?
  • What audit logs or monitoring data demonstrate ongoing defense in depth architecture compliance?
  • Can you show evidence of a recent review or assessment of defense in depth architecture controls?
  • What artifacts would you provide during an assessment to demonstrate defense in depth architecture compliance?

Ask AI

Configure your API key to use AI features.