3.14.3—System and Information Integrity - Basic
>Control Description
>Discussion
There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories.
Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. [SP 800-161] provides guidance on supply chain risk management.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern multi-factor authentication (MFA) for privileged accounts?
- •What procedures ensure MFA is consistently applied?
- •Who is responsible for MFA implementation and enforcement?
- •What governance addresses MFA for all privileged users?
- •What exceptions exist for privileged account MFA requirements?
Technical Implementation:
- •What MFA technologies are implemented (tokens, biometrics, SMS)?
- •How do you enforce MFA for all privileged account access?
- •What identity platforms integrate MFA (Azure AD, Okta, etc.)?
- •How do you prevent privileged access without MFA?
- •What monitoring tracks MFA usage and bypass attempts?
Evidence & Documentation:
- •Can you demonstrate MFA implementation for privileged accounts?
- •What logs show MFA authentication for privileged access?
- •Can you provide evidence all privileged accounts require MFA?
- •What reports track MFA enrollment and usage?
- •What audit findings verify privileged MFA compliance?
Ask AI
Configure your API key to use AI features.