| 8-600 | This section describes the implementation requirements for different protection measures. |
| 8-601 | An alternate power source ensures that the system availability is maintained in the event of a loss of primary power. An APS can also provide a time period for orderly system shutdown or the transfer of system operations to another system or power source. |
| 8-602 | Security auditing involves recognizing, recording, storing, and analyzing information related to security-relevant activities. The audit records can be used to determine which activities occurred and which user or process was responsible for them. |
| 8-603 | The regular backup of information is necessary to ensure that users have continuing access to the information. The periodic checking of backup inventory and testing of the ability to restore information validates that the overall backup process is working. |
| 8-604 | The control of changes to data includes deterring, detecting, and reporting of successful and unsuccessful attempts to change data. Control of changes to data may range from simply detecting a change attempt to the ability to ensure that only authorized changes are allowed. |
| 8-605 | Information protection is required whenever classified information is to be transmitted through areas or components where individuals not authorized to have access to the information may have unescorted physical or uncontrolled electronic access to the information or communications media (e.g., outside the system perimeter). |
| 8-606 | The IS shall store and preserve the integrity of the sensitivity of all information internal to the IS. |
| 8-607 | a. I&A 1 Requirements. b. I&A 2 Requirements. |
| 8-608 | The system shall ensure that resources contain no residual data before being assigned, allocated, or reallocated. |
| 8-609 | Session controls are requirements, over and above identification and authentication, for controlling the establishment of a user's session. |
| 8-610 | Security documentation includes all descriptions of the security features, design descriptions of security-relevant software and hardware, certification packages, and system security plans. The SSP is the basic system protection document and evidence that the proposed system, or update to an existing system, meets the protection profile requirements. The SSP is used throughout the certification and approval process and serves for the lifetime of the system as the formal record of the system and its environment as approved for operation. The SSP also serves as the basis for inspections of the system. Information common to several systems at a facility or information contained in other documents may be attached to or referenced in the SSP. |
| 8-611 | At Protection Level 3 the functions of the ISSO and the system manager shall not be performed by the same person. |
| 8-612 | System recovery addresses the functions that respond to failures in the SSS or interruptions in operation. Recovery actions ensure that the SSS is returned to a condition where all security-relevant functions are operational or system operation is suspended. |
| 8-613 | System assurance includes those components of a system (hardware, software, firmware, and communications) that are essential to maintaining the security policy(ies) of the system (e.g., Security Support Structure). |
| 8-614 | Certification and ongoing security testing are the verification of correct operation of the protection measures in a system. The ISSM will perform and document the required tests. |
| 8-615 | If disaster recovery planning is contractually mandated, the ISSM will develop a plan that identifies the facility's mission essential applications and information, procedures for the backup of all essential information and software on a regular basis, and testing procedures. |