File: disa-cci-list.xml

package info (click to toggle)
scap-security-guide 0.1.39-2
links: PTS, VCS
area: main
in suites: buster
size: 31,836 kB
sloc: xml: 129,736; python: 7,462; sh: 3,796; makefile: 27
file content (18330 lines) | stat: -rw-r--r-- 1,139,680 bytes
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type='text/xsl' href='cci2html.xsl' ?>
<cci_list xmlns="http://iase.disa.mil/cci" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://iase.disa.mil/cci cci.xsd">
	<metadata>
		<version>2011-02-28</version>
		<publishdate>2011-02-28</publishdate>
	</metadata>
	<cci_items>
		<cci_item id="CCI-001545">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of access control policy revew/updates</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001546">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of access control procedures review/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000001">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented, access control policy that addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities and compliance.</definition>
			<type>policy</type>
			<parameter>Access Control Policy Document</parameter>
			<note>The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.1 (i&amp;ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000004">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the access control policy.</definition>
			<type>policy</type>
			<parameter>Access Control Policy Procedures</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.1 (iv &amp; v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000002">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented, access control policy to elements within the organization having associated access control roles and responsibilities.</definition>
			<type>policy</type>
			<parameter>Record of distribution history of access control policy</parameter>
			<note>The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000003">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization periodically reviews/updates the formal, documented, access control policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<parameter>Document of Review, Comments, and Changes of access control policy</parameter>
			<note>The policy will address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000005">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented, access control procedure to elements within the organization having associated access control roles and responsibilities.</definition>
			<type>policy</type>
			<parameter>Record of distribution history of procedures for implementing access control policy</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000006">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization periodically reviews/updates the formal, documented, access control procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<parameter>Document of Changes of procedures for implementing access control policy</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000054">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system limits the number of concurrent sessions for each system account to an organization-defined number of sessions.</definition>
			<type>technical</type>
			<note>The organization may define the maximum number of concurrent sessions for an information system account globally, by account type, by account, or a combination. This control addresses concurrent sessions for a given information system account and does not address concurrent sessions by a single user via multiple system accounts.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-10"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000055">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the maximum number of concurrent sessions to be allowed for each system account.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-10"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000056">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000057">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system initiates a session lock after the organization-defined time period of inactivity.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000058">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability for users to directly initiate session lock mechanisms.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000059">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period of inactivity after which the information system initiates a session lock.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000060">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-11 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000061">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies specific user actions that can be performed on the information system without identification or authentication.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-14 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-14.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000062">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-14 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-14 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000232">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-14.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-14 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001559">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies the entities authorized to change security attributes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001560">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies users authorized to associate security attributes with information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001424">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system dynamically reconfigures security attributes in accordance with an identified security policy as information is created and combined.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001425">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system allows authorized entities to change security attributes.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001426">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system maintains the binding of security attributes to information with sufficient assurance that the information--attribute association can be used as the basis for automated policy actions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001427">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system allows authorized users to associate security attributes with information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001428">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system displays security attributes in human-readable form on each object output from the system to system output devices to identify an organization-identified set of special dissemination, handling, or distribution instructions using organization-identified human readable, standard naming conventions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (5).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001429">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies a set of special dissemination, handling, or distribution instructions for identifying security attributes on output.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001430">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies human readable, standard naming conventions for identifying security attributes on output.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001396">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security attributes for which the information system supports and maintains the bindings for information in storage.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001397">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security attributes for which the information system supports and maintains the bindings for information in process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001398">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security attributes for which the information system supports and maintains the bindings for information in transmission.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001399">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system supports and maintains the binding of organization-defined security attributes to information in storage.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001400">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system supports and maintains the binding of organization-defined security attributes to information in process.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001401">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system supports and maintains the binding of organization-defined security attributes to information in transmission.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-16.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001561">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines managed access control points for remote access to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001562">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the appropriate action(s) to be taken if an unauthorized remote connection is discovered.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000063">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents allowed methods of remote access to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000064">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes usage restrictions and implementation guidance for each allowed remote access method.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000065">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes remote access to the information system prior to connection.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000066">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces requirements for remote connections to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000067">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000068">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses cryptography to protect the confidentiality of remote access sessions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000069">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system routes all remote accesses through managed access control points.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000070">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000071">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors for unauthorized remote connections to the information system on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000072">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that users protect information about remote access mechanisms from unauthorized use and disclosure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000079">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information employ organization-defined additional security measures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001431">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for monitoring for unauthorized remote connections to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001432">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization takes appropriate action if an unauthorized remote connection to the information system is discovered.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5).1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001433">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of security functions and security-relevant information that for remote access sessions, have organization-defined security measures employed, and are audited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001434">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines additional security measures to be employed when an organization-defined list of security functions and security-relevant information is accessed remotely.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001435">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines networking protocols within the information system deemed to be nonsecure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (8).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001436">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (8).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001437">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents the rationale for the execution of privileged commands and access to security-relevant information in the security plan for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001453">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses cryptography to protect the integrity of remote access sessions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001454">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7).1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001455">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization explicitly identifies components needed in support of specific operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (8).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001402">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors for unauthorized remote access to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-17.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001563">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001438">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes usage restrictions for wireless access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001439">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes implementation guidance for wireless access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001440">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors for unauthorized wireless access to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001441">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes wireless access to the information system prior to connection.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001442">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces requirements for wireless connections to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001443">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects wireless access to the system using authentication.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001444">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects wireless access to the system using encryption.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001445">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors for unauthorized wireless connections to the information system on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001446">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization scans for unauthorized wireless access points on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001447">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency of monitoring for unauthorized wireless connections to information system, including scans unauthorized wireless access points.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001448">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization takes appropriate action if an unauthorized wireless connection is discovered.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2).1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001449">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001450">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization does not allow users to independently configure wireless networking capabilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001451">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization confines wireless communications to organization-controlled boundaries.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-18 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000082">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes usage restrictions for organization-controlled portable and mobile devices.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000083">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes implementation guidance for organization-controlled portable and mobile devices.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000084">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000085">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors for unauthorized connections of mobile devices to organizational information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000086">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces requirements for the connection of mobile devices to organizational information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000087">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000088">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000089">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization applies organization-defined inspection and preventative measures to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (viii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 g"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000090">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization restricts the use of writable, removable media in organizational information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000091">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the use of personally-owned, removable media in organizational information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000092">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001456">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001457">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines inspection and preventative measures to be applied on mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19.1 (vii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 g"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001458">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that if classified information is found on mobile devices, the incident handling policy is followed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001330">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the appropriate authorizing official(s).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001331">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits connection of unclassified mobile devices to classified information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001332">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires approval from the appropriate authorizing official(s) for the connection of unclassified mobile devices to unclassified information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001333">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits use of internal or external modems or wireless interfaces within mobile devices in facilities containing information systems processing, storing, or transmitting classified information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001334">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that mobile devices used in facilities containing information systems processing, storing, or transmitting classified information and the information stored on those devices are subject to random reviews/inspections by organization-defined security officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001335">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security officials to perform reviews/inspections of mobile devices in facilities containing information systems processing, storing, or transmitting classified information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-19 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001547">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages informaiton system accounts by defining the frequency of information system account reviews.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 j"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000007">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by identifying account types (i.e., individual, group, system, application, guest/anonymous and temporary)</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000008">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by establishing conditions for group membership.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000009">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000010">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by requiring appropriate approvals for requests to establish accounts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000011">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by establishing, activating, modifying, disabling, and removing accounts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 e"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000012">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by periodically reviewing information system accounts in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<note>Organization-defined frequency</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 j"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000013">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated; transferred, or information system usage or need-to-know/need-to-share changes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 g"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000014">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accountsby granting access to the system based on a valid access authorization; intended system usage; and other attributes as required by the organization or associated missions/business functions.</definition>
			<type>policy</type>
			<parameter>Organizational Policy identifying the process for user accounts.</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 i"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000015">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to support the information system account management functions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000016">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically terminates temporary and emergency accounts after an organization-defined time period for each type of account.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000017">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically disables inactive accounts after an organization-defined time period.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000018">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically audits account creation and notifies, as required, appropriate individuals.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4).1 (i&amp;ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000019">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that users log out in accordance with the organization-defined-time-period of inactivity and/or description of when to log out.</definition>
			<type>policy</type>
			<note>Other defined situation could be policy that users must log out at the end of the day.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000020">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system dynamically manages user privileges and associated access authorizations.</definition>
			<type>technical</type>
			<parameter>TBD</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000237">
			<status>draft</status>
			<publishdate>2009-06-23</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by specifically authorizing and monitoring the use of guest/anonymous accounts and temporary accounts.</definition>
			<type>policy</type>
			<parameter>Procedures for the monitoring of assigned guest/anonymous accounts.</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000208">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines normal time-of-day and duration usage for information system accounts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001361">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period after which temporary accounts are automatically terminated.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001365">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period after which emergency accounts are automatically terminated.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000217">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period after which inactive accounts are automatically disabled.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001403">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically audits account modification and notifies, as required, appropriate individuals.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4).1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001404">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically audits account disabling actions and notifies, as required, appropriate individuals.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4).1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001405">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically audits account termination and notifies, as required, appropriate individuals.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4).1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001406">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period of expected inactivity and/or description of when users are required to log out.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001407">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001354">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by deactivating temporary accounts that are no longer required.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 h"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001355">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system accounts by deactivating accounts of terminated or transferred users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 h"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001356">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors for atypical usage of information system accounts.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5) (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5).1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001357">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports atypical usage to designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5) (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (5).1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001358">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001359">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tracks privileged role assignments.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001360">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors privileged role assignments.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-2 (7).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000093">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to access the information system from the external information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000094">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to process organization-controlled information using the external information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000095">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits authorized individuals from using an external information system to access the information system except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization?s information security policy and security plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000096">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits authorized individuals from using an external information system to access the information system or to process, store, or transmit organization-controlled information except in situations where the organization has approved information system connection or processing agreements with the organizational entity hosting the external information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000097">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001465">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to store organization-controlled information using the external information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001466">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to transmit organization-controlled information using the external information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001467">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits authorized individuals from using an external information system to process organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization?s information security policy and security plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001468">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits authorized individuals from using an external information system to store organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization?s information security policy and security plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001469">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits authorized individuals from using an external information system to transmit organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization?s information security policy and security plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-20 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000098">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for organization-defined information circumstances.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000099">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system employs automated mechanisms to enable authorized users to make information sharing decisions based on access authorizations of sharing partners and access restrictions on information to be shared.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001470">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information sharing circumstances where user discretion is required.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001471">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a list of organization-defined information sharing circumstances and automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001472">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of information sharing circumstances and automated mechanisms or manual processes required to assist users in making information sharing/collaboration decisions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-21.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001473">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization designates individuals authorized to post information onto an organizational information system that is publicly accessible.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001474">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001475">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001476">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the content on the publicly accessible organizational information system for nonpublic information on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001477">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing the content on the publicly accessible organizational information system for nonpublic information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001478">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization removes nonpublic information from the publicly accessible organizational information system, if discovered.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22 e"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-22.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000021">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces dual authorization, based on organizational policies and procedures for organization-defined privileged commands.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000022">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces one or more organization-defined nondiscretionary access control policies over an organization-defined set of users and resources.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (3) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (3).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000024">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents access to organization-defined security-relevant information except during secure, non-operable system states.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (5).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000213">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000214">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a Discretionary Access Control (DAC) policy that limits propagation of access rights.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000215">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a Discretionary Access Control (DAC) policy that includes or excludes access to the granularity of a single user.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001408">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines privileged commands for which dual authorization is to be enforced.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001409">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines nondiscretionary access control policies to be enforced over organization-defined set of users and resources, where the rule set for each policy specifies access control information employed by the policy rule set (e.g., position, nationality, age, project, time of day) and required relationships among the access control information to permit access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001410">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines set of users and resources over which the information system is to enforce nondiscretionary access control policies.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001411">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security-relevant information to which the information system prevents access except during secure, nonoperable system states.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001412">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization encrypts or stores off-line in a secure location organization-defined user information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001413">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization encrypts or stores off-line in a secure location organization-defined system information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001362">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces an organization-defined  Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both, limits propagation of access rights and includes or excludes access to the granularity of a single user.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001363">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a Discretionary Access Control (DAC) policy that allows users to specify and control sharing by named individuals or groups of individuals, or by both.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001366">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines user information to be encrypted or stored off-line in a secure location.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001367">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines system information to be encrypted or stored off-line in a secure location.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-3 (6).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001548">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines applicable policy for controlling the flow of information within the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001549">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines applicable policy for controlling the flow of information between interconnected systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001550">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines approved authorizations for controlling the flow of information within the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001551">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines approved authorizations for controlling the flow of information between interconnected systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001552">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines policy that allows or disallows information flows based on changing conditions or operational considerations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001553">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the security policy filters that privileged administrators have the capability to enable/disable.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (10)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (10).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001554">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the security policy filters that privileged administrators have the capability to configure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (11)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (11).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001555">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uniquely identifies destination domains for information transfer.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001556">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uniquely authenticates destination domains for information transfer.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17).1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001557">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system tracks problems associated with the information transfer.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17) ?"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17).1 (vii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000025">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000026">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces information flow control using protected processing domains (e.g., domain type-enforcement) as a basis for flow control decisions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000027">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces dynamic information flow control based on policy that allows or disallows information flows based upon changing conditions or operational considerations.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000028">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents encrypted data from bypassing content-checking mechanisms.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000029">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces organization-defined limitations on the embedding of data types within other data types.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (5).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000030">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces information flow control on metadata.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000031">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces organization-defined one-way flows using hardware mechanisms.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (7).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000032">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces information flow control using organization-defined security policy filters as a basis for flow control decisions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (8)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (8).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000033">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces the use of human review for organization-defined security policy filters when the system is not capable of making an information flow control decision.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (9)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (9).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000034">
			<status>draft</status>
			<publishdate>2009-05-13</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability for a privileged administrator to enable/disable organization-defined security policy filters.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (10)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000035">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability for a privileged administrator to configure the [Assignment: organization-defined security policy filters] to support different security policies.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (11)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (11).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000218">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when transferring information between different security domains, identifies information flows by data type specification and usage.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (12).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (12)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000219">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when transferring information between different security domains, decomposes information into policy-relevant subcomponents for submission to policy enforcement mechanisms.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (13).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (13)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000221">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces security policies regarding information on interconnected systems.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (16).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (16)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000223">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system binds security attributes to information to facilitate information flow policy enforcement</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000224">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system tracks problems associated with the security attribute binding.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17).1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001414">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces approved authorizations for controlling the flow of information between interconnected systems in accordance with applicable policy.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001415">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines limitations of the embedding of data types within other data types.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001416">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines one-way information flows to be enforced by the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (7).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001417">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security policy filters to be enforced by the information system and used as a basis for flow control decisions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (8).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001418">
			<status>draft</status>
			<publishdate>2009-09-24</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security policy filters that the information enforces the use of human review.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (9).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (9)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001368">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces approved authorizations for controlling the flow of information within the system in accordance with applicable policy.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001371">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information security policy requirements for constraining data structure and content.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (14)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (14).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001372">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when transferring information between different security domains, implements policy filters that constrain data structure and content to organization-defined information security policy requirements.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (14)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (14).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001373">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when transferring information between different security domains, detects unsanctioned information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (15)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (15).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001374">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when transferring information between different security domains, prohibits the transfer of unsanctioned information in accordance with the security policy.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (15)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (15).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001376">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uniquely identifies source domains for information transfer.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001377">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uniquely authenticates source domains for information transfer.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-4 (17).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000036">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization separates duties of individuals as necessary, to prevent malevolent activity without collusion.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000037">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements separation of duties through assigned information system access authorizations</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-5 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-5.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001380">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents separation of duties.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-5 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001558">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization explicitly defines the security functions (deployed in hardware, software, and firmware) and security-relevant information for which access must be explicitly authorized.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000038">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization explicitly authorizes access to organization-defined security functions and security-relevant information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000039">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that users of information system accounts or roles, with access to an organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing other system functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000040">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization audits any use of privileged accounts, or roles, with access to organization-defined security functions or security-relevant information, when accessing other system functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (2).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000041">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes network access to organization-defined privileged commands only for compelling operational needs.</definition>
			<type>policy</type>
			<note>The organization employs the concept of least privilege, limiting authorized access for users (and processes acting on behalf of users) as necessary, to accomplish assigned tasks.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000042">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents the rationale for authorized network access toorganization-defined privileged commands in the security plan for the information system.</definition>
			<type>policy</type>
			<note>The organization employs the concept of least privilege, limiting authorized access for users (and processes acting on behalf of users) as necessary, to accomplish assigned tasks.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (3).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000225">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000226">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability for a privileged administrator to configure organization-defined security policy filters to support different security policies.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001419">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001420">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the privileged commands to which network access is to be authorized only for compelling operational needs.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001421">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits authorization to super user accounts on the information system to designated system administration personnel.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001422">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits privileged access to the information system by non-organizational users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-6 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000043">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the maximum number of consecutive invalid access attempts to the information system by a user.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000044">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces the organization-defined limit of consecutive invalid access attempts by a user during the organization-defined time period.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000045">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines in the security plan, explicitly or by reference, the time period for lock out mode or delay period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000046">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization selects either a lock out mode for the organization-defined time period or delays next login prompt for the organization-defined delay period for information system responses to consecutive invalid access attempts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000047">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when the maximum number of unsuccessful attempts is exceeded, automatically locks the account/node for an organization-defined time period or locks the account/node until released by an administrator IAW organizational policy.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001423">
			<status>draft</status>
			<publishdate>2009-09-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period in which consecutive invalid access attempts occur..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001452">
			<status>draft</status>
			<publishdate>2009-05-25</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001382">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organziation defines the number of consecutive, unsuccessful login attempts to the mobile device.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001383">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides additional protection for mobile devices accessed via login by purging information from the device after organization-defined number of consecutive, unsuccessful login attempts to the mobile device.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000048">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system displays an approved system use notification message or banner before granting access to the system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000049">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a system use notification message or banner displayed before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000050">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system retains the notification message or banner on the screen until users take explicit actions to log on to or further access.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000051">
			<status>draft</status>
			<publishdate>2009-05-19</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization approves the information system use notification message before its use.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001384">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system for publicly accessible systems displays the system use information when appropriate, before granting further access.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001385">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system for publicly accessible systems displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001386">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system for publicly accessible systems displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001387">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system for publicly accessible systems displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001388">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system for publicly accessible systems includes in the notice given to public users of the information system, a description of the authorized uses of the system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-8.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000052">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, upon successful logon, displays to the user the date and time of the last logon (access).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000053">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, upon successful logon/access, displays to the user the number of unsuccessful logon/access attempts since the last successful logon/access.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001389">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period that the information system notifies the user of the number of successful logon/access attempts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001390">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period that the information system notifies the user of the number of unsuccessful logon/access attempts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001391">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system notifies the user of the number of successful logins/accesses that occur during the organization-defined time period.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001392">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system notifies the user of the number of unsuccessful login/access attempts that occur during organization-defined time period.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001393">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines set of security-related changes to the user?s account resulting in notification to the user during an organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001394">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period for which security-related changes to the user's account.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001395">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system notifies the user of organization-defined security-related changes to the user?s account that occur during the organization-defined time period.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AC-9 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001564">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of security awareness and traning policy reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001565">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of security awareness and training procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000100">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000101">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented, security awareness and training policy to elements within the organization having associated security awareness and training roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000102">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization periodically reviews/updates a formal, documented, security awareness and training policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000103">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.1 (iv&amp;v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000104">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented procedures to elements within the organization having associated security awareness and training roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000105">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization periodically reviews/updates formal, documented procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000106">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000107">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes practical exercises in security awareness training that simulate actual cyber attacks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000112">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) when required by system changes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001479">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides refresher security awareness training to all information system users (including managers, senior executives, and contractors) in accordance with the organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001480">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and contractors).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001566">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides employees with initial training in the employment and operation of physical security controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001567">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides employees with refresher training in the employment and operation of physical security controls or an organization defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (2).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001568">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for providing employees with refresher training in the employment and operation of physical security controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000108">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides role-based security-related training before authorizing access to the system or performing assigned duties.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000109">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides role-based security-related training when required by system changes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000110">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides refresher role-based security-related training on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000111">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for providing refresher role-based security-related training.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001481">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides employees with initial training in the employment and operation of environmental controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001482">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides employees with refresher training in the employment and operation of environmental controls or an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001483">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for providing employees with refresher training in the employment and operation of environmental controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-3 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000113">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents individual information system security training activities including basic security awareness training and specific information system security training.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000114">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors individual information system security training activities including basic security awareness training and specific information system security training.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001336">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization retains individual training records for an organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001337">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period for retaining individual training records.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-4.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000115">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes contact with selected groups and associations within the security community to facilitate ongoing security education and training, to stay up to date with the latest recommended security practices, techniques, and technologies and to share current security-related information including threats, vulnerabilities, and incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000116">
			<status>draft</status>
			<publishdate>2009-09-14</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization institutionalizes contact with selected groups and associations within the security community to facilitate ongoing security education and training, to stay up to date with the latest recommended security practices, techniques, and technologies and to share current security-related information including threats, vulnerabilities, and incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AT-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001569">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of audit and accountability policy reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001570">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of audit and accountability procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000117">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented, audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.1 (I &amp; ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000118">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented, audit and accountability policy to elements within the organization having associated audit and accountability roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000119">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization periodically reviews/updates a formal, documented, audit and accountability policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000120">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.1 (iv&amp;v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000121">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented procedures to elements within the organization having associated audit and accountability roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000122">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization periodically reviews/updates formal, documented audit and accountability procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000166">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects against an individual falsely denying having performed a particular action.</definition>
			<type>technical</type>
			<note>Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Non-repudiation services can be used to determine if information originated from an individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Non-repudiation services are obtained by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001338">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system associates the identity of the information producer with the information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001339">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system validates the binding of the information producer?s identity to the information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001340">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001341">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system validates the binding of the reviewer?s identity to the information at the transfer/release point prior to release/transfer from one security domain to another security domain.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001342">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs either FIPS-validated or NSA-approved cryptography to implement digital signatures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-10 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000167">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization retains audit records for an organization-defined time period to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-11.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-11"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000168">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines in the security plan, explicitly or by reference, the organization-defined time period for retention of audit records.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-11.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-11"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001576">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces a system-wide (logical or physical) audit trail of informaiton system audit records.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001577">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the information system components from which audit records are to be compiled into the system-wide audit trail.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000169">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides audit record generation capability for the auditable events defined in AU-2 at organization-defined information system components.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000171">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system allows designated organizational personnel to select which auditable events are to be audited by specific components of the system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000172">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system generates audit records for the selected list of auditable events defined in AU-2.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000173">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the level of tolerance for relationship between time stamps of individual records in the audit trail that will be used for correlation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1).1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000174">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability to compile audit records from multiple components within the system into a system-wide (logical or physical) audit trail that is time-correlated to within organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1).1 (iii&amp;v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001459">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system components that provide audit record generation capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001353">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-12 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001460">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors open source information for evidence of unauthorized exfiltration or disclosure of organizational information on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-13.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-13"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001461">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for monitoring open source information for evidence of unauthorized exfiltration or disclosure of organizational information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-13.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-13"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001462">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability to capture/record and log all content related to a user session.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-14 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-14.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001463">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability to remotely view/hear all content related to an established user session in real time.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-14 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-14.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001464">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system initiates session audits at system start-up.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-14 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-14 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001571">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the list of informatio nsystem auditable events.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000123">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing an organization-defined list of auditable events.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000124">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000125">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000126">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines, based on current threat information and ongoing assessment of risk, that the organization-defined subset of the auditable events defined in AU-2 a  are to be audited within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000127">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and updates the list of organization-defined auditable events on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000128">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes execution of privileged functions in the list of events to be audited by the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000129">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines in the auditable events that the information system must be capable of auditing based on a risk assessment and mission/business needs.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001484">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency of (or situation requiring) auditing for each identified event.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001485">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines, based on current threat information and ongoing assessment of risk, that events are to be audited on the information system on an organization-defined frequency of (or situation requiring) auditing for each identified event.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001486">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing and updating the list of organization-defined auditable events.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-2 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000130">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces audit records that contain sufficient information to establish what type of events occurred.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000131">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces audit records that contain sufficient information to establish when (date and time) the events occurred.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000132">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces audit records that contain sufficient information to establish where the events occurred.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000133">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces audit records that contain sufficient information to establish the sources of the events.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000134">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces audit records that contain sufficient information to establish the outcome (success or failure) of the events.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000135">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system includes organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000136">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization centrally manages the content of audit records generated by organization-defined information system components.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001487">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces audit records that contain sufficient information to establish the the identity of any user/subject associated with the event.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001488">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines additional, more detailed information to be included in the audit records for audit events identified by type, location, or subject.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001489">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system components for which generated audit records are centrally managed by the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-3 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000137">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization allocates audit record storage capacity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000138">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures auditing to reduce the likelihood of such storage capacity being exceeded.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-4.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001572">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines designated organizational officials to be alerted in the event of audit processing failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001573">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines if the network traffic above configurable traffic volume thresholds are rejected or delayed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 ((3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001574">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system rejects or delays, as defined by the organization, network traffic generated above configurable traffic volume thresholds.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (3).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000139">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system alerts designated organizational officials in the event of an audit processing failure.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000140">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000143">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000144">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides a real-time alert when organization-defined audit failure events occur.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000145">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system enforces configurable traffic volume thresholds representing auditing capacity for network traffic.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000146">
			<status>draft</status>
			<publishdate>2009-05-20</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the percentage of maximum audit record storage capacity that when exceeded, a warning is provided.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000147">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the audit failure events requiring real-time alerts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001343">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001490">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines actions to be taken by the information system upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-5.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000148">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and analyzes information system audit records on an organization-defined frequency for indications of inappropriate or unusual activity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000149">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports findings to designated organizational officials for indications of inappropriate or unusual activity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000150">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6.2"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000151">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency for the review and analysis of information system audit records for inappropriate or unusual activity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000152">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000153">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000154">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system centralizes the review and analysis of audit records from multiple components within the system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000155">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization integrates analysis of audit records with analysis of vulnerability scanning information, performance data, and network monitoring information to further enhance the ability to identify inappropriate or unusual activity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001344">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (7).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001345">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (8)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (8).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001346">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of inappropriate or unusual activities with security implications that are to result in alerts to security personnel.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (8)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (8).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001347">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization performs, in a physically dedicated information system, full-text analysis of privileged functions executed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (9)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (9).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001491">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-6 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000156">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides an audit reduction capability.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-7.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000157">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides a report generation capability.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-7.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000158">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides the capability to automatically process audit records for events of interest based upon selectable, event criteria.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-7 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000159">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses internal system clocks to generate time stamps for audit records.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000160">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system synchronizes internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8 (1).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000161">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency for the synchronization of internal information system clocks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001492">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines an authoritative time source for the synchronization of internal information system clocks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-8 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001575">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the system or media for storing audit records that is a different system or media other than the system being audited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000162">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects audit information from unauthorized access.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000163">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects audit information from unauthorized modification.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000164">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects audit information from unauthorized deletion.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000165">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system produces audit records on hardware-enforced, write-once media.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001348">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system backs up audit records on an organization-defined frequency onto a different system or media than the system being audited.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (2).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001349">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for backing up system audit records onto a different system or media than the system being audited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001350">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses cryptographic mechanisms to protect the integrity of audit information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001351">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes access to management of audit functionality to only a limited subset of privileged users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (4) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001352">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects the audit records of non-local accesses to privileged accounts and the execution of privileged functions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001493">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects audit tools from unauthorized access.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001494">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects audit tools from unauthorized modification.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001495">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects audit tools from unauthorized deletion.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001496">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses cryptographic mechanisms to protect the integrity of audit tools.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="AU-9 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001578">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of security assessment and authorization procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000238">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review security assessment and authorization policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000239">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.1 (i&amp;ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000240">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented security assessment and authorization policies to elements within the organization having associated security assessment and authorization roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000241">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews, on an organization-defined frequency, formal, documented security assessment and authorization policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000242">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.1 (iv&amp;v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000243">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissiminates formal, documented security assessment and authorization procedures to elements within the organization having associated security assessment and authorization roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000244">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization periodically reviews/updates formal, documented security assessment and authorization procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001579">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts security control assessments using organization-defined forms of testing in accordance with organization-defined frequency and assessment techniques.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000245">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a security assessment plan for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000246">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization's security assessment plan describes the security controls and control enhancements under assessment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000247">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization's security assessment plan describes assessment procedures to be used to determine security control effectiveness.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000248">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization's security assessment plan describes assessment environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000249">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization's security assessment plan describes assessment team.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000250">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization's security assessment plan describes assessment roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000251">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization assesses, on an organization-defined frequency, the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000252">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines the frequency in which security controls are assessed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000253">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization produces a security assessment report that documents the results of the assessment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000254">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000255">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000256">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes as part of security control assessment, announced or unannounced testing (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security testing), on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-2 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001580">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organziation identifies connections to external information systems (i.e., information systems outside of the authorization boundary).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000257">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000258">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents, for each connection, the interface characteristics.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000259">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents, for each connection, the security requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000260">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents, for each connection the nature of the information communicated.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000261">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors the information system connections on an ongoing basis to verify enforcement of security requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000262">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the direct connection of an unclassified, national security system to an external network.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000263">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the direct connection of a classified, national security system to an external network.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000264">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a plan of action and milestones for the information system to document the organization?s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5-1 (i) &amp; (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000265">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency to update POAM.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5-1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000266">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates, on an organization-defined frequency, existing plan of action and milestones based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5-1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000267">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000268">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is up to date.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000269">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is readily available.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000270">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization assigns a senior-level executive or manager to the role of authorizing official for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000271">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that the authorizing official authorizes the information system for processing before commencing operations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000272">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates the security authorization on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000273">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of updating the security authorization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-6 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001581">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines organizational officials to whom the security state of the information system should be reported.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001582">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organizatoin defines the forms of security testing (e.g., in depth monitoring, malicious user testing, penetration testing, red team exercises) to be inlcuded in planning, scheduling, and conducting assessments to ensure compliance with all vulnerability mitigation procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001583">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency and organizationally-sanctioned assessment techniques (i.e., announced, unannounced) for each form of security testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000274">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a continuous monitoring strategy and program.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000275">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a continuous monitoring program that includes a configuration management process for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000276">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a continuous monitoring program that includes a configuration management process for the information system constituent components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000277">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000278">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a continuous monitoring program that includes a determination of the security impact of changes to the environment of operation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000279">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a continuous monitoring program that includes ongoing security control assessments in accordance with the organizational continuous monitoring strategy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000280">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a continuous monitoring program that includes reporting, on an organization-defined frequency, the security state of the information system to appropriate organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000281">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of reporting the security state of the information system to appropriate organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000282">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an independent assessor or assessment team to monitor the security controls in the information system on an ongoing basis.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000283">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000284">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization schedules announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000285">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts announced or unannounced assessments (in-depth monitoring, malicious user testing, penetration testing, red team exercises, or other organization-defined forms of security assessment), on an organization-defined frequency, to ensure compliance with all vulnerability mitigation procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CA-7 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001584">
			<status>draft</status>
			<publishdate>2010-05-11</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to update configuration management procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000286">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency to review configuration management policies.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000287">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000288">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissiminates a formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000289">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews, on an organization-defined frequency, the formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000290">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1.1 (iv) (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000291">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissiminates formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000292">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews, on an organization-defined frequency, the formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls and updates if required.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001585">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the circumstances that require reviews and updates to the baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000293">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a current baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000294">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents a current baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000295">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains under configuration control, a current baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000296">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and updates the baseline configuration of the information system at an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000297">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and updates the baseline configuration of the information system when required due to organization-defined circumstances.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000298">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and updates the baseline configuration of the information system as an integral part of information system component installations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000299">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and updates the baseline configuration of the information system as an integral part of information system component upgrades.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000300">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to maintain complete baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000301">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to maintain an up-to-date baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000302">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to maintain accurate baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000303">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to maintain readily available baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000304">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization retains older versions of baseline configurations as deemed necessary to support rollback.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000305">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a list of software programs not authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (4) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000306">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains the list of software programs not authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (4) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000307">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (4) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000308">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops list of software programs authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000309">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains list of software programs authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000310">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000311">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains a baseline configuration for development environments that is managed separately from the operational baseline configuration.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000312">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains a baseline configuration for test environments that is managed separately from the operational baseline configuration.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001497">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for the reviews and updates to the baseline configuration of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-2 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001586">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 f"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000313">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines the types of changes to the information system that are configuration controlled.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000314">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization approves configuration-controlled changes to the system with explicit consideration for security impact analyses</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000315">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents approved configuration-controlled changes to the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000316">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization retains records of configuration-controlled changes to the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000317">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews records of configuration-controlled changes to the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000318">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization audits activities associated with configuration-controlled changes to the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000319">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates and provides oversight for configuration change control activities through an organization-defined configuration change control element (e.g., committee, board) that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (vii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000320">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency to convene configuration change control element.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000321">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines configuration change conditions that prompt the configuration change control element to convene.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000322">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to document proposed changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000323">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to notify designated approval authorities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000324">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to highlight approvals that have not been received by organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000325">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to inhibit change until designated approvals are received.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1) (d)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000326">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to document completed changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1) (e)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000327">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests changes to the information system before implementing the changes on the operational system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000328">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization validates changes to the information system before implementing the changes on the operational system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000329">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents changes to the information system before implementing the changes on the operational system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000330">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to implement changes to the current information system baseline.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000331">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization deployes the updated information system baseline across the installed base.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000332">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires an information security representative to be a member of the organization-defined configuration change control element (e.g., committee, board).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001498">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period after which approvals that have not been received for proposed changes to the information system are highlighted.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1) (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-3 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001587">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000333">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000334">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization analyzes new software in a separate test environment before installation in an operational environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000335">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000336">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, after the information system is changed, checks the security functions to verify that the functions are operating as intended.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000337">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, after the information system is changed, checks the security functions to verify that the functions are producing the desired outcome with regard to meeting the security requirements for the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-4 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000338">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines physical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<note>Defined by Homeland Security Presidential Directive 12 (HSPD 12)</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000339">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents physical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000340">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization approves physical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000341">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces physical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000342">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines logical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000343">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents logical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000344">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization approves logical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000345">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces logical access restrictions associated with changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000346">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to enforce access restrictions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000347">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to support auditing of the enforcement actions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000348">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency to conduct audits of information system changes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000349">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts audits of information system changes per organization-defined frequency to determine whether unauthorized changes have occurred.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000350">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, when indications so warrant, conducts audits of information system changes to determine whether unauthorized changes have occurred.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000351">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000352">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000353">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system components and system-level information requiring enforcement of a two-person rule for information system changes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000354">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces a two-person rule for changes to organization-defined information system components and system-level information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000355">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits information system developer/integrator privileges to change hardware components directly within a production environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000356">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits information system developer/integrator privileges to change software components directly within a production environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000357">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits information system developer/integrator privileges to change firmware components directly within a production environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000358">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits information system developer/integrator privileges to change system information directly within a production environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000359">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency to review information system developer/integrator privileges.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000360">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency to reevaluate information system developer/integrator privileges.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000361">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews information system developer/integrator privileges per organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000362">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reevaluates information system developer/integrator privileges per organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001499">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits privileges to change software resident within software libraries (including privileged programs).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001500">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (7).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001501">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-5 (7).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001588">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001589">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that unauthorized, security-relevant configuration changes detected are tracked.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000363">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security configuration checklists to be used to establish and document mandatory configuration settings for the information system technology products employed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000364">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000365">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000366">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements the security configuration settings.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000367">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000368">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000369">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000370">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to centrally manage configuration settings.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000371">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to centrally apply configuration settings.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000372">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to centrally verify configuration settings.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000373">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines configuration settings for which unauthorized changes are responded to by automated mechanisms.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000374">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000375">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization?s incident response capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000376">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that unauthorized, security-relevant configuration changes detected are monitored.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000377">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that unauthorized, security-relevant configuration changes detected are corrected.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000378">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that unauthorized, security-relevant configuration changes detected are available for historical purposes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000379">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists), prior to being introduced into a production environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001502">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors changes to the configuration settings in accordance with organizational policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001503">
			<status>draft</status>
			<publishdate>2009-09-29</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls changes to the configuration settings in accordance with organizational policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-6.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001590">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a list of software programs authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001591">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a list of software programs not authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001592">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops rules authorizing the terms and conditions of software program usage on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001593">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains a list of software programs authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001594">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains a list of software programs not authorized to execute on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001595">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains rules authorizing the terms and conditions of software program usage on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000380">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines for the information system prohibited or restricted functions, ports, protocols, and/or services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000381">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures the information system to provide only essential capabilities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000382">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures the information system to specifically prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000383">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of information system reviews to identify and eliminate unnecessary functions, ports, protocols and/or services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000384">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the information system per organization-defined frequency to identify unnecessary functions, ports, protocols, and/or services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000385">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the information system per organization-defined frequency to eliminate unnecessary functions, ports, protocols, and/or services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000386">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to prevent program execution on the information system in accordance with the organization defined specifications.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000387">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines registration requirements for ports, protocols, and services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM- 7(3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000388">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures compliance with organization-defined registration requirements for ports, protocols, and services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-7 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000389">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an inventory of information system components that accurately reflects the current information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000390">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents an inventory of information system components that accurately reflects the current information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000391">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains an inventory of information system components that accurately reflects the current information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000392">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an inventory of information system components that is consistent with the authorization boundary of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000393">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents an inventory of information system components that is consistent with the authorization boundary of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000394">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains an inventory of information system components that is consistent with the authorization boundary of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000395">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000396">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000397">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000398">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information deemed necessary to achieve effective property accountability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000399">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000400">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000401">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains an inventory of information system components that includes organization-defined information deemed necessary to achieve effective property accountability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000402">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an inventory of information system components that is available for review by designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000403">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents an inventory of information system components that is available for review by designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000404">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains an inventory of information system components that is available for review by designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000405">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an inventory of information system components that is available for audit by designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000406">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents an inventory of information system components that is available for audit by designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000407">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains an inventory of information system components that is available for audit by designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000408">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates the inventory of information system components as an integral part of component installations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000409">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates the inventory of information system components as an integral part of component removals.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000410">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates the inventory of information system components as an integral part of information system updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000411">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to help maintain an up-to-date inventory of information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000412">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to help maintain a complete inventory of information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000413">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to help maintain a accurate inventory of information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000414">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to help maintain a readily available inventory of information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000415">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of employing automated mechanism to detect the addition of unauthorized components/devices into the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (3) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000416">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms, per organization-defined frequency, to detect the addition of unauthorized components/devices into the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (3) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000417">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disables network access by such components/devices or notifies designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (3).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (3) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000418">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes in property accountability information for information system components, a means for identifying by name, position, or role, individuals responsible for administering those components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000419">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000420">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-8 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000421">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000422">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000423">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000424">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a configuration management plan for the information system that defines the configuration items for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000425">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents a configuration management plan for the information system that defines the configuration items for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000426">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a configuration management plan for the information system that defines the configuration items for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000427">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000428">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000429">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a configuration management plan for the information system when in the system development life cycle the configuration items are placed under configuration management.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000430">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000431">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000432">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a configuration management plan for the information system that establishes the means for identifying configuration items throughout the system development life cycle.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000433">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000434">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000435">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a configuration management plan for the information system that establishes a process for managing the configuration of the configuration items.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000436">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CM-9 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001596">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review/update contingency planning procedure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001597">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documente contingency planning procedure to elements within the organization having associated contingency planning roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001598">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates a formal, documented contingency planning procedure in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000437">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review/update contingency planning policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000438">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000439">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissiminates a formal, documented contingency planning policy to elements within the organization having associated contingency planning roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000440">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates a formal, documented contingency planning policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000441">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1.1 (iv) (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000550">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides automated mechanicsms and/or manual procedures for the recovery and reconstitution of the information system to a known state after a disruption.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000551">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides fautomated mechanicsms and/or manual procedures for the recovery and reconstitution of the information system to a known state after a compromise.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000552">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides automated mechanicsms and/or manual procedures for the recovery and reconstitution of the information system to a known state after a failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000553">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system implements transaction recovery for systems that are transaction-based.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000554">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines in the security plan, explicitly or by reference, the circumstatnces that can inhibit recovery and reconstitution of the information system to a known state.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000555">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides compensating security controls for organization-defined circumstances that can inhibit recovery and reconstitution of the information system to a known state.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000556">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines restoration time-periods to reimage information system components from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000557">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides the capability to reimage information system components within organization-defined restoration time-periods from configuration-controlled and integrity-protected disk images representing a secure, operational state for the components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000558">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the real-time or near-real-time failover capability to be provided for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (5).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000559">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides real-time or near-real-time organization-defined failover capability for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (5).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000560">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects backup and restoration hardware.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000561">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects backup and restoration firmware.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000562">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects backup and restoration software.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-10 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001599">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sustains operational continuity of essential missions until full informatin system restoration at primary processing and/or storage sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5).1 (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001600">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sustains operaitonal continuity of business functions until full information system restoration at primary processing and/or storage sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5).1 (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001601">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sustains operational continuity of essential missions through restoration to primary processing and/or storage sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001602">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sustains operational continuity of business functions through restoration to primary processing and/or storage sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000443">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that identifies essential missions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000444">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that identifies business functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000445">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that identifies associated contingency requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000446">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that provides recovery objectives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000447">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that provides restoration priorities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000448">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that provides metrics.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000449">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses contingency roles, responsibilities, assigned individuals with contact information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000450">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system disruption.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000451">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses maintaining business functions despite an information system disruption.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 I)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000452">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system compromise.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000453">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses maintaining business functions despite an information system compromise.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000454">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses maintaining essential missions despite an information system failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000455">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses maintaining business functions despite an information system failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000456">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000457">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a contingency plan for the information system that is reviewed and approved by designated officials within the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000458">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements desginated to receive copies of the contigency plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000459">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization distributes copies of the contingency plan to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000460">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates contingency planning activities with incident handling activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000461">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review the contingency plan for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000462">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the contingency plan for the information system per organization-defined freqency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000463">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization revises the contingency plan to address changes to the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000464">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization revises the contingency plan to address changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000465">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization revises the contingency plan to address changes to the environment of operation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000466">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization revises the contingency plan to address problems encountered during contingency plan implementation, execution, or testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000468">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization communicates contingency plan changes to organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.</definition>
			<type>policy</type>
			<note>This is nearly identical to CP-2 (e).</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2.2 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000469">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates contingency plan development with organizational elements responsible for related plans.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000470">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000471">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000472">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000473">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000474">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period for planning the resumption of business functions as a result of contingency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000475">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans for the resumption of essential missions within organization-defined time period of contingency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000476">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans for the resumption of business functions within organization-defined time period of contingency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000477">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period for planning the full resumption of affected missions as a result of contingency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000478">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period for planning the full resumption of business functions as a result of contingency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000479">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans for the full resumption of affected missions within organzation-defined time period of contigency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000480">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans for the full resumption of business functions within organization-defined time period of contingency plan activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000481">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans for the continuance of essential missions with little or no loss of operational continuity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5).1 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000482">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans for the continuance of business functions with little or no loss of operational continuity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5).1 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000483">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides for the transfer of all essential missions to alternate processing and/or storage sites with little or no loss of operational continuity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000484">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides for the transfer of all business functions to alternate processing and/or storage sites with little or no loss of operational continuity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-2 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000485">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of refresher contingency training.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000486">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides initial contingency training to personnel with contingency roles and responsibilities with respect to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000487">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides refresher contingency training per organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000488">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3 (1).1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000489">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to provide a more thorough and realistic training environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000490">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to test the contingency plan for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000491">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to exercise the contingency plan for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000492">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines contingency plan tests to be conducted for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000493">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines contingency plan exercises to be conducted for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000494">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests the contingency plan using the organization-defined tests in accordance with organziation-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000495">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization exercises the contingency plan using organization-defined exercises in accordance with organziation-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000496">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the contingency plan test results and initiates corrective actions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000497">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the contingency plan exercise results and initiates corrective actions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000498">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates contingency plan testing with organizational elements responsible for related plans.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000499">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates contingency plan exercises with organizational elements responsible for related plans.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000500">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site?s capabilities to support contingency operations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000501">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization exercises the contingency plan at the alternate processing site to familiarize contingency personnel with the facility and available resources and to evaluate the site?s capabilities to support contingency operations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000502">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to more thoroughly and effectively test the contingency plan by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and more effectively stressing the information system and supported missions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000503">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to more thoroughly and effectively exercise the contingency plan by providing more complete coverage of contingency issues, selecting more realistic exercise scenarios and environments, and more effectively stressing the information and supported missions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000504">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-4 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001603">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The contingency plan identifies the primary storage site hazards.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001604">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000505">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes an alternate storage site.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000506">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization initiates necessary alternate storage site agreements to permit the storage and recovery of information system backup information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000507">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards identified at the primary site.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000508">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000509">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-6 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001605">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The contingency plan identifies the primary processing site hazards.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001606">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization outlines explicit mitigation actions for organization identified accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000510">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the alternate processing site.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000511">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organiztion defines the time period for achieving the recovery time objectives for business functions within which processing must be resumed at the atlernate processing site.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000512">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes an alternate processing site.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000513">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes necessary alternate processing site agreements to permit the resumption of information system operations for essential missions within organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000514">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes necessary alternate processing site agreements to permit the resumption of information system operations for business functions within organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000515">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000516">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards identified at the primary site.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000517">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000518">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organization?s availability requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000519">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures the alternate processing site so that it is ready to be used as the operational site supporting essential missions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000520">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures the alternate processing site so that it is ready to be used as the operational site supporting business functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000521">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-7 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001607">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes alternate telecommunications services to support the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001608">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies the primary provider's telecommunications service hazards.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000522">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period to to permit the resumption of information system operations for essential missions when the primary telecommunications capabilities are unavailable..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000523">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period to to permit the resumption of information system operations for business functions when the primary telecommunications capabilities are unavailable..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000524">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes necessary alternate telecommunications service agreements to permit the resumption of telecommunications services for essential missions within the organization-defined time period when the primary telecommunications capabilities are unavailable.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000525">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes alternate telecommunications service agreements to permit the resumption of telecommunications services for business functions within the organization-defined time period when the primary telecommunications capabilities are unavailable.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000526">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops primary telecommunications service agreement that contain priority-of-service provisions in accordance with the organization?s availability requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000527">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops alternate telecommunications service agreement that contain priority-of-service provisions in accordance with the organization?s availability requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000528">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary telecommunications services are provided by a common carrier.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000529">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the alternate telecommunications services are provided by a common carrier.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000530">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000531">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains alternate telecommunications service providers that are separated from primary service providers so as not to be susceptible to the same hazards.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000532">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires primary telecommunications service providers to have contingency plans.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000533">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires alternate telecommunications service providers to have contingency plans.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-8 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001609">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The redundant secondary system, not colocated with the primary backup system for the information system can be activated to accomplish information system backups without causing loss of information or disruption to the operation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (6).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000534">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (6).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000535">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts backups of user-level information contained in the information system per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000536">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000537">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts backups of system-level information contained in the information system per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000538">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of conducting information system documentation backups (including security-related information) to support recovery time objectives and recovery point objectives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000539">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts backups of information system documentation including security-related documentation per organization-defined frequency to conduct backups that is consistent with recovery time and recovery point objectives.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000540">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects the confidentiality and integrity of backup information at the storage location.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9.2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000541">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines frequency to tests backup information to verify media reliability and information integrity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000542">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests backup information per organization-defined frequency to verify media reliability and information integrity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000543">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000544">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization stores backup copies of the operating system in a separate facility or in a fire-rated container that is not colocated with the operational system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000545">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization stores backup copies of critical information system software in a separate facility or in a fire-rated container that is not colocated with the operational system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000546">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000547">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines time period and transferring information system backup information to the atlernate storage site to support recovery time objectives and recovery point objectives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (5).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000548">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined frequency and transfer rate.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (5).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000549">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains a redundant, secondary backup system that is not colocated with the primary backup system for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="CP-9 (6).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000756">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000757">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissemenates a formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000758">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance, and updates if required in accordance with the organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000759">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a freqency for reviewing/updating  the formal, documented identification and authentication policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000760">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000761">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissemenates formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000762">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls, and updates if required in accordance with the organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000763">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a freqency for reviewing/updating the formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000764">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000765">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses multifactor authentication for network access to privileged accounts.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000766">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses multifactor authentication for network access to non-privileged accounts.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000767">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses multifactor authentication for local access to privileged accounts.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000768">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses multifactor authentication for local access to non-privileged accounts.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000769">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000770">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires individuals to be authenticated with an individual authenticator prior to using a group authenticator.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (5).2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000771">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000772">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses multifactor authentication for network access to non-privileged accounts where one of the factors is provided by a device separate from the information system being accessed.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (7).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000773">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines replay-resistant authentication mechanisms to be used for network access to privileged accounts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (8).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000774">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses organization-defined replay-resistant authentication mechanisms for network access to privileged accounts.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (8).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000775">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines replay-resistant authentication mechanisms to be used for network access to non-privileged accounts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (9).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (9)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000776">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses organization-defined replay-resistant authentication mechanisms for network access to non-privileged accounts.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (9).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-2 (9)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000777">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of specific and/or types of devices for which identification and authentication is required before establishing a connection to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000778">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uniquely identifies and authenticates an organization-defined list of specific and/or types of devices before establishing a connection.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000779">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system authenticates devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000780">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000781">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000782">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization standardizes, with regard to dynamic address allocation, Dynamic Host Control Protocol (DHCP) lease information and the time assigned to DHCP enabled devices.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000783">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization audits DHCP lease information Iincluding IP addresses) when assigned to a device.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000784">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user identifier.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000785">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a device identifier.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000786">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies an individual.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000787">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies a device.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000788">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by assigning the user identifier to the intended party.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000789">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by assigning the device identifier to the intended device.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000790">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period for which the reuse of user identifiers is prohibited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000791">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period for which the reuse of device identifiers is prohibited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000792">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by preventing reuse of user identifiers for an organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000793">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by preventing reuse of device identifiers for an organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000794">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period of inactivity after which the user identifier is disabled.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000795">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system identifiers for users and devices by disabling the user identifier after an organization-defined time period of inactivity.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000796">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the use of information system account identifiers as public identifiers for user electronic mail accounts (i.e., user identifier portion of the electronic mail address).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000797">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that registration to receive a user ID and password include authorization by a supervisor.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (2) (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000798">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that registration to receive a user ID and password be done in person before a designated registration authority.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (2) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000799">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires multiple forms of certification of individual identification such as documentary evidence or a combination of documents and biometrics be presented to the registration authority.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000800">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines characteristics for identifying user status.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000801">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages user identifiers by uniquely identifying the user with the organization-defined characteristic identifying user status.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000802">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system dynamically manages identifiers, attributes, and associated access authorizations.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-4 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001610">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period (by authenticator type) for changing/refreshing authenticators.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 g"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001611">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the number of special characters used.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001612">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the number of upper case characters used.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001613">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the number of lower case characters used.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001614">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the number of numeric characters used.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001615">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the minimum number of characters that are changed when new passwords are created.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001616">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines minimum lifetime restrictions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001617">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines maximum lifetime restrictions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001618">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the number of generations for which password reuse is prohibited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001619">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces password complexity by the number of special characters used.</definition>
			<type>technical</type>
			<parameter>number of characters</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001620">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the types of and/or specific authenticators in which the registration process must be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001621">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization takes organization-defined measures to manage the risk of compromise due to individuals having accounts on multiple information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (8)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (8).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000175">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000176">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by establishing initial authenticator content for authenticators defined by the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000177">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000178">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by changing default content of authenticators upon information system installation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000179">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by establishing minimum lifetime restrictions  for authenticators (if appropriate).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000180">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by establishing maximum lifetime restrictions for authenticators (if appropriate).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000181">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by establishing reuse conditions for authenticators (if appropriate).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000182">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by changing/refreshing authenticators in accordance with the organization-defined time period by authenticator type.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 g"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000183">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by protecting authenticator content from unauthorized disclosure and modification.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 h"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000184">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by requiring users to take, and having devices implement, specific measures to safeguard authenticators.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 i"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000185">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, for PKI-based authentication validates certificates by constructing a certification path with status information to an accepted trust anchor.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000186">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, for PKI-based authentication enforces authorized access to the corresponding private key.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000187">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, for PKI-based authentication maps the authenticated identity to the user account.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000188">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the registration process to receive an organizationally defined type of authenticator, to be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000189">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated tools to determine if authenticators are sufficiently strong to resist attacks intended to discover or otherwise compromise the authenticators.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000190">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires vendors/manufacturers of information system components to provide unique authenticators or change default authenticators prior to delivery.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000191">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces password complexity by the number of special characters used.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000201">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000202">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures unencrypted passwords are not embedded in access scripts.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (7).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000204">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization has defined measures to manage the risk of compromise due to individuals having accounts on multiple information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (8).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000192">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces password complexity by the number of upper case characters used.</definition>
			<type>technical</type>
			<parameter>number of characters</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000193">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces password complexity by the number of lower case characters used.</definition>
			<type>technical</type>
			<parameter>number of characters</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000194">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces password complexity by the number of numeric characters used.</definition>
			<type>technical</type>
			<parameter>number of characters</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000195">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces the number of characters that are changed when passwords are changed.</definition>
			<type>technical</type>
			<parameter>number of characters</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000196">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces password encryption for storage.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000197">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces password encryption for transmission.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000198">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces minimum lifetime restrictions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (d)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000199">
			<status>draft</status>
			<publishdate>2009-09-15</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces maximum lifetime restrictions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (d)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000200">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits password reuse for the organization-defined number of generations.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (e)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000203">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures unencrypted passwords are not embedded in function keys.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (7).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000205">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces minimum password length.</definition>
			<type>technical</type>
			<parameter>number of characters</parameter>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001544">
			<status>draft</status>
			<publishdate>2009-11-30</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages information system authenticators for users and devices by ensuring that authenticators have sufficient strength of mechanism for their intended use.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-5 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000206">
			<status>draft</status>
			<publishdate>2009-05-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.</definition>
			<type>technical</type>
			<note>The feedback from the information system does not provide information that would allow an unauthorized user to compromise the authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.</note>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-6.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000803">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-7.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000804">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-8.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IA-8"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000805">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000806">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented incident response policy to elements within the organization having associated incident response roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000807">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates the formal, documented incident response policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000808">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing/updating the formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000809">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.1 (iv) (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000810">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented incident response procedures to elements within the organization having associated incident response roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000811">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates formal, documented incident response procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000812">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing/updating  the formal, documented incident response procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001622">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies personnel with incident response roles and responsibilities with respect to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001623">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000813">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides incident response training to personnel with incident response roles and responsibilities with respect to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000814">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides refresher incident response training in accordance with the organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000815">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for refresher incident response training.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000816">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000817">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001624">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents the results of incident response tests and/or exercises.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000818">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests and/or exercises the incident response capability for the information system on an organization-defined frequency using organization-defined tests and/or exercises to determine the effectiveness of the incident response capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3.1 (iii) (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000819">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for incident response tests and/or exercises.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000820">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines tests and/or exercises for incident response.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000821">
			<status>draft</status>
			<publishdate>2009-09-17</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001625">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements the resulting incident handling activity changes to incident response procedures, training and testing/exercise accordingly.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000822">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000823">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates incident handling activities with contingency planning activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000824">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000825">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to support the incident handling process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000826">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes dynamic reconfiguration of the information system as part of the incident response capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000827">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies classes of incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000828">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines appropriate actions to take in response to each class of incidents to ensure continuation of organizational missions and business functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000829">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000830">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of security violations that, if detected, initiate a configurable capability to automatically disable the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (5).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000831">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a configurable capability to automatically disable the information system if any of the organization-defined list of security violations are detected.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-4 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001626">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to assist in the collection of security incident information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001627">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to assist in the analysis of security incident information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000832">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tracks and documents information system security incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000833">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to assist in the tracking of security incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000834">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time-period for personnel to report suspected security incidents to the organizational incident response capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000835">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time-period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000836">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports security incident information to designated authorities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000837">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to assist in the reporting of security incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000838">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports information system weaknesses, deficiencies, and/or vulnerabilities associated with reported security incidents to appropriate organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-6 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000839">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the information system for the handling and reporting of security incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000840">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to increase the availability of incident response-related information and support.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000841">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7 (2) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000842">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies organizational incident response team members to the external providers.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-7 (2) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000843">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an incident response plan that provides the organization with a roadmap for implementing its incident response capability, describes the structure and organization of the incident response capability, provides a high-level approach for how the incident response capability fits into the overall organziation , meets the unique requirements of the organizationk, which relate to mission, size, structure, and functions, defines reportable incidents, provides metrics for measuring the incident response capability within the organization and defines the resources and management support needed to effectively maintain and mature an incident response capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000844">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an incident response plan that is reviewed and approved by designated officials within the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000845">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of incident response personnel (identified by name and/or by role) and organizational elements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000846">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization distributes copies of the incident response plan to an organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000847">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines, in the incident response plan, the frequency for reviewing the incident response plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000848">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the incident response plan on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000849">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.2 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000850">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization communicates incident response plan changes to an organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8.2 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="IR-8 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001628">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing the formal, documented information system maintenance procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000854">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates system maintenance policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000855">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.1 (iv&amp;v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000856">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented system maintenance procedures to elements within the organization having associated system maintenance roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000857">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates system maintenance procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000851">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency for reviews/updates for the formal, documented information system maintenance policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000852">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000853">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented system maintenance policy to elements within the organization having associated system maintenance roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001629">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to produce up-to-date, accurate, complete, and available records of all maintenance and repair actions, needed, in process, and complete.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000858">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000859">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000860">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000861">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000862">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000863">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains maintenance records for the information system that include the date and time of maintenance, the name of the individual performing the maintenance, the name of escort, if necessary, a description of the maintenance performed, a list of equipment removed or replaced (including identification numbers, if applicable).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 (1) (a)(b)(c)(d)(e)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000864">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 (2).1(i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000865">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization approves information system maintenance tools.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000866">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls information system maintenance tools.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000867">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors the use of information system maintenance tools.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000868">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains on an ongoing basis, information system maintenance tools.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000869">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000870">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000871">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) verifying that there is no organizational information contained on the equipment; (ii) sanitizing or destroying the equipment; (iii) retaining the equipment within the facility; or (iv) obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000872">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to restrict the use of maintenance tools to authorized personnel only.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-3 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001630">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>Designated organizational personnel review the maintenance records of the sessions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001631">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization after the removed component service is performed, inspects and sanitizes the component before reconnecting to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (3) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (3).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001632">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects non-local maintenance sessions by separating the maintenance session from other network sessions with the information system by either physically separated communications paths; or logically separated communications paths based upon encryption.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (4) (a) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000873">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes non-local maintenance and diagnostic activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000874">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors non-local maintenance and diagnostic activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000875">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls non-local maintenance and diagnostic activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000876">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000877">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000878">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains records for non-local maintenance and diagnostic activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000879">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization terminates all sessions and network connections when non-local maintenance is completed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000880">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization audits non-local maintenance and diagnostic sessions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000881">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000882">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that non-local maintenance and diagnostic services be performed from an information system that implements a level of security at least as high as that implemented on the system being serviced</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (3) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000883">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization removes the component to be serviced from the information system and prior to non-local maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities,</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (3) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000884">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects non-local maintenance sessions through the use of a strong authenticator tightly bound to the user.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000885">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that maintenance personnel notify organization-defined personnel when non-local maintenance is planned (i.e., date/time).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000886">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines personel to be notified when non-local maintenance is planned (i.e., date/time).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (5) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000887">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that a designated organizational official with specific information security/information system knowledge approves the non-local maintenance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (5).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (5) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000888">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000889">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (7).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-4 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000890">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a process for maintenance personnel authorization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000891">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains a current list of authorized maintenance organizations or personnel.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000892">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise </definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000893">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000894">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000895">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000896">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that in the event an information system component cannot be sanitized, the procedures contained in the security plan for the system are enforced.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (1) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000897">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are cleared (i.e., possess appropriate security clearances) for the highest level of information on the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000898">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that personnel performing maintenance and diagnostic activities on an information system processing, storing, or transmitting classified information are U.S. citizens.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000899">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that cleared foreign nationals (i.e., foreign nationals with appropriate security clearances), are used to conduct maintenance and diagnostic activities on an information system only when the system is jointly owned and operated by the United States and foreign allied governments, or owned and operated solely by foreign allied governments.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (4) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000900">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on an information system are fully documented within a Memorandum of Agreement.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-5 (4) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000901">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of security-critical information system components and/or key information technology components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-6.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000902">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period for obtaining maintenance support and/or spare parts for security-critical information system components and/or key information technology components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-6.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000903">
			<status>draft</status>
			<publishdate>2009-09-18</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains maintenance support and/or spare parts for an organization-defined list of security-critical information system components and/or key information technology components within an organization-defined time period of failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-6.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MA-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000995">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000996">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented media protection policy to elements within the organization having associated media protection roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000997">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates media protection policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000998">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing/updating the formal, documented media protection policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000999">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.1 (iv&amp;v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001000">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented media protection procedures to elements within the organization having associated media protection roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001001">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates  the formal, documented media protection procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001002">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing the formal, documented media protection procedures to facilitate the implementation of the media protection policy and associated media protection controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001003">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization restricts access to organization-defined information system media to organization-defined authorized individuals using organization-defined security measures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001004">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines types of digital and non-digital media for which access is to be restricted.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001005">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of individuals authorized for access to restricted media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001006">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security measures for restricting access to media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001007">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to restrict access to media storage areas.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001008">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to audit access attempts and access granted to media storage areas.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001009">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system uses cryptographic mechanisms to protect and restrict access to information on portable digital media.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001633">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines removable media types and information output requiring marking.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001010">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001011">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization exempts an organization-defined list of removable media types from marking as long as the exempted items remain within organization-defined controlled areas.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001012">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of removable media types exempted from marking when remaining in a controlled area.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001013">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines controlled areas in which defined media types are exempted from marking.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-3 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001014">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization physically controls and securely stores organization-defined types of digital and non-digital media within organization-defined controlled areas using organization-defined security measures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001015">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines digital and non-digital media types for secure storage.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001016">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines controlled areas for the secure storage of digital and non-digital media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001017">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security measures for securing media storage.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001018">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001019">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs cryptographic mechanisms to protect information in storage.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-4 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001020">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects and controls organization-defined types of digital and non-digital media during transport outside of controlled areas using  organization-defined security measures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001021">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines types of digital and non-digital media to be protected during transport.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001022">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security measures for protecting digital and non-digital media during transport.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001023">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains accountability for information system media during transport outside of controlled areas.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001024">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization restricts the activities associated with transport of such media to authorized personnel.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001025">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents activities associated with the transport of information system media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001026">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an identified custodian throughout the transport of information system media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001027">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-5 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001028">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001029">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tracks, documents, and verifies media sanitization and disposal actions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001030">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests sanitization equipment and procedures to verify correct performance on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001031">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for testing sanitization equipment and procedures to verify correct performance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001032">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system for an organization-defined list of circumstances.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001033">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of circumstances requiring sanitization of portable, removable storage devices.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001034">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001035">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization sanitizes information system media containing classified information in accordance with NSA standards and policies.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001036">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization destroys information system media that cannot be sanitized.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (6).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="MP-6 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000904">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000905">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented physical and environmental protection policy to elements within the organization having associated physical and environmental protection roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000906">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates  the formal, documented physical and environmental protection policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000907">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of formal, documented physical and environmental protection policy reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000908">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented physical and environmental protection procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.1 (iv&amp;v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000909">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented physical and environmental protection procedures to elements within the organization having associated physical and environmental protection roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000910">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates the formal, documented physical and environmental protection procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000911">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequencyof physical and environmental protection procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000956">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides the capability of shutting off power to the information system or individual system components in emergency situations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000957">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000958">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a location for emergency shutoff switches or devices by information system or system component..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000959">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects emergency power shutoff capability from unauthorized activation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-10 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000960">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-11.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-11"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000961">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-11 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-11 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000962">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-11 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-11 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000963">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-12.1 (i) (ii)(iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-12"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000964">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides emergency lighting for all areas within the facility supporting essential missions and business functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-12 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-12 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000968">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000969">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that the facility undergoes, on an organization-defined frequency, fire marshal inspections and promptly resolves identified deficiencies.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (4).1 (ii&amp;iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000970">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for fire marshal inspections.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000965">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000966">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000967">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-13 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000971">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains temperature and humidity levels within the facility where the information system resides at organization-defined acceptable levels.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000972">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines acceptable temperature and humidity levels within the facility where the information system resides.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000973">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors temperature and humidity levels within the facility where the information system resides on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000974">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for monitoring temperature and humidity levels.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000975">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000976">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-14 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000977">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000978">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are working properly.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000979">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>Key personnel within the organization have knowledge of the master water shutoff valves.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000980">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs mechanisms that, without the need for manual intervention, protect the information system from water damage in the event of a water leak.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-15 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000981">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes organization-defined information system components entering and exiting the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000982">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors organization-defined information system components entering and exiting the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000983">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls organization-defined information system components entering and exiting the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000984">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains records of information system components entering and exiting the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-16"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000985">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs organization-defined management, operational, and technical information system security controls to be employed at alternate work sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000986">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines management, operational, and technical information system security controls to be employed at alternate work sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000987">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization assesses as feasible, the effectiveness of security controls at alternate work sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000988">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides a means for employees to communicate with information security personnel in case of security incidents or problems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-17 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000989">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization positions information system components within the facility to minimize potential damage from physical hazards.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000990">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization positions information system components within the facility to minimize potential damage from environmental hazards.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000991">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization positions information system components within the facility to minimize the opportunity for unauthorized access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000992">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans the location or site of the facility where the information system resides with regard to physical and environmental hazards and for existing facilities, considers the physical and environmental hazards in its risk mitigation strategy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18 (1).1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-18 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000993">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects the information system from information leakage due to electromagnetic signals emanations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-19.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-19"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000994">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that information system components, associated data communications, and networks are protected in accordance with: (i) national emissions and TEMPEST policies and procedures; and (ii) the sensitivity of the information being transmitted.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-19 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-19 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001634">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies authorized personnel with appropriate clearances and access authorizations for gaining physical access to the facility containing an information system that processes classified information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001635">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization removes from the access list personnel no longer requiring access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000912">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000913">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization issues authorization credentials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000914">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and approves the access list and authorization credentials in accordance with the organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000915">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review and approve the physical access list and uathorization credentials for the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000916">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes physical access to the facility where the information system resides based on position or role.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000917">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires two forms of identification to gain access to the facility where the information system resides.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000918">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization restricts physical access to the facility containing an information system that processes classified information to authorized personnel with appropriate clearances and access authorizations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-2 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000919">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000920">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization verifies individual access authorizations before granting access to the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000921">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls entry to the facility containing the information system using physical access devices(e.g., keys, locks, combinations, card readers)  and/or guards.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000922">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls access to areas officially designated as publicly accessible in accordance with the organization?s assessment of risk.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000923">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization secures keys, combinations, and other physical access devices.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000924">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization inventories physical access devices on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000925">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency for conducting invenotires of physical access devices.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 f"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000926">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization changes combinations and keys on an organization-defined frequency, and when keys are lost, combinations are compromised, or individuals are transferred or terminated.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 g"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000927">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for changing combinations and keys.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 g"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000928">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization enforces physical access authorizations to the information system independent of the physical access controls for the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000929">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization performs security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000930">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization guards, alarms, and monitors every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000931">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000932">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system components to be protected from unauthorized physical access using lockable physical casings.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000933">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system detects/prevents physical tampering or alteration of hardware components within the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000934">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a penetration testing process that includes unannounced attempts, in accordance with the organization-defined frequency, to bypass or circumvent security controls associated with physical access points to the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (6).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000935">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of unannounced attempts to be included in a penetration testing process to bypass or circumvent security controls associated with physical access points to the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (6).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-3 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000936">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls physical access to information system distribution and transmission lines within organizational facilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-4.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000937">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-5.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000938">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors physical access to the information system to detect and respond to physical security incidents.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000939">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews physical access logs on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000940">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing physical access logs.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000941">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization coordinates results of reviews and investigations with the organization?s incident response capability.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000942">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors real-time physical intrusion alarms and surveillance equipment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000943">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-6 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000944">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-7.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000945">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization escorts visitors and monitors visitor activity, when required.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-7 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000946">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires two forms of identification for visitor access to the facility.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-7 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-7 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000947">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000948">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews visitor access records on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000949">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing visitor access records.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000950">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to facilitate the maintenance and review of access records.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000951">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains a record of all physical access, both visitor and authorized individuals.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-8 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000952">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects power equipment and power cabling for the information system from damage and destruction.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000953">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs redundant and parallel power cabling paths.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000954">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automatic voltage controls for an organization-defined list of critical information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000955">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of critical information system components that require automatic voltage controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PE-9 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001636">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of security planning policy reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001637">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates security planning policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001638">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of security planning procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000563">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000564">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissiminates a formal, documented security planning policy to elements within the organization having associated security planning roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000565">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates, per organization-defined frequency, a formal, documented security planning policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000566">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented security planning procedures to facilitate the implementation of the security planning policy and associated security planning controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.1 (iv) (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000567">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented security planning procedures to facilitate the implementation of the security planning policy and associated security planning controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000568">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates formal, documented security planning procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000570">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a security plan for the information system that is consistent with the organization?s enterprise architecture; explicitly defines the authorization boundary for the system; describes the operational context of the information system in terms of mission and business processes; provides the security category and impact level of the information system including supporting rationale; describes the operational environment for the information system; describes relationships with or connections to other information systems; provides an overview of the security requirements for the system; describes the security controls in place or planned for meeting those reuqirements including a rationale for the tailoring and supplemental decisions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000571">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a security plan for the information system that is reviewed and approved by the authorizing official or designated representative prior to plan implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000572">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of security plan reviews.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000573">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the security plan for the information system per organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000574">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000576">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: the purpose of the system; a description of the system architecture; the security authorization schedule; and the security categorization and associated factors considered in determining the categorization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (1).1 (i) (ii) (iii) (iv) (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000577">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to reviews and updates to the  CONOPS.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000578">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and updates the CONOPS per organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (1).1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000580">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains external interfaces.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000581">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains the information being exchanged across the interfaces.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000582">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains the protection mechanisms associated with each interface.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000583">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains user roles.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000584">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains the access privileges assigned to each role.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000585">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains unique security requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000586">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains types of information processed by the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000587">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains types of information stored by the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000588">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains types of information transmitted by the information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000589">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains any specific protection needs in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000590">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (e)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000591">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a functional architecture for the information system that identifies and maintains restoration priority of information system services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2) (e)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-2 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001639">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization makes the rules that describe information system user responsibilities available to all information system users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000592">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes the rules that describe information system user responsibilities and expected behavior with regard to information and information system usage.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000593">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000594">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes in the rules of behavior, explicit restrictions on the use of social networking sites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000595">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes in the rules of behavior, explicit restrictions on posting information on commercial websites.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000596">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes in the rules of behavior, explicit restrictions on sharing information system account information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-4 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000597">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-5"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-5.1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000598">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-6.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000599">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational assets.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-6.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000600">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational individuals.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PL-6.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001680">
			<status>draft</status>
			<publishdate>2010-06-09</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an organization-wide information security program plan that includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000023">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an organization-wide information security program plan that provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000073">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program; provides a description of the security program management controls and common controls in place or planned for meeting security program requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000074">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an information security program plan for the organization that is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations and the Nation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000075">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews the organization-wide information security program plan on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000076">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review the organization-wide information security program plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000077">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001543">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates the most recent information security program plan to appropriate entities in the organization that includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-1.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000229">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents the security state of organizational information systems through security authorization processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000230">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tracks the security state of organizational information systems through security authorization processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000231">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports the security state of organizational information systems through security authorization processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000233">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization designates individuals to fulfill specific roles and responsibilities within the organizational risk management process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000234">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization fully integrates the security authorization processes into an organization-wide risk management program.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-10 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000235">
			<status>draft</status>
			<publishdate>2009-11-04</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-11.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-11 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000236">
			<status>draft</status>
			<publishdate>2009-11-04</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-11.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-11 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000078">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization appoints and empowers a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-2.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000080">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-3.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-3 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000081">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a business case/Exhibit 300/Exhibit 53 to record the resources required.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-3 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000141">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that information security resources are available for expenditure as planned.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-3.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-3 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000142">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-4.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000170">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a process to document the remedial information security actions that mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-4.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000207">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops and maintains an inventory of its information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-5.1 (i&amp;ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000209">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops the results of information security measures of performance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-6.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000210">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors the results of information security measures of performance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-6.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000211">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports on the results of information security measures of performance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-6"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-6.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000212">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-7.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-7"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001640">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organizaiton updates the critical infrastructure and key resource protection plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-8.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000216">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops and documents a critical infrastructure and key resource protection plan that addresses information security issues.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-8.1 (I &amp; iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-8"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000227">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-9.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-9 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000228">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a comprehensive strategy to manage risk to organization operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems consistently across the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-9.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PM-9 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001504">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001505">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented personnel security policy to elements within the organization having associated personnel security roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001506">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, reviews/updates the formal, documented personnel security policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001507">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of personnel security procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001508">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of the personnel securiy procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001509">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented personnel securityprocedures to facilitate the implementation of the personnel security policy and associated personnel security controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.1 (iv) (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001510">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented procedures to elements within the organization having associated personnel security roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001511">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, on an organization-defined frequency, reviews/updates formal, documented personnel security procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001512">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization assigns a risk designation to all positions within the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001513">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes screening criteria for individuals filling organizational positions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001514">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews and revises position risk designations on an organizationally-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001515">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of risk designation reviews and updates for organizational positions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-2.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001516">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization screens individuals prior to authorizing access to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001517">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization rescreens individuals according to an organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, based on the organizational defined frequency of such rescreening.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001518">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines an organization-defined list of conditions requiring rescreening.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001519">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency for rescreening of organization-defined list of conditions requiring rescreening.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001520">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that every user accessing an information system processing, storing, or transmitting classified information is cleared and indoctrinated to the highest classification level of the information on the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 (1).1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001521">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that every user accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, is formally indoctrinated for all of the relevant types of information on the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-3 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001522">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, upon termination of individual employment, terminates information system access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001523">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, upon termination of individual employment, conducts exit interviews.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001524">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, upon termination of individual employment, retrieves all security-related organizational information systems-related property.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001525">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, upon termination of individual employment, retains access to organizational information formerly controlled by terminated individual.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001526">
			<status>draft</status>
			<publishdate>2009-11-02</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, upon termination of individual employment, retains access to organizational information systems formerly controlled by terminated individual.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-4.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001527">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001528">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization initiates organization-defined transfer or reassignment actions when personnel are reassigned or transferred to other positions within the organization within an organization-defined time period following the formal transfer action.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001529">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines transfer or reassignment actions when personnel are reassigned or transferred to other positions within the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001530">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period to initiate reassignment actions when personnel are reassigned or transferred to other positions within the organization following the formal transfer action.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001531">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6.1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001532">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates the access agreements on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001533">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review/update access agreements..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001534">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that access to information with special protection measures is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001535">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that access to information with special protection measures is granted only to individuals who satisfy associated personnel security criteria.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001536">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that access to classified information with special protection measures is granted only to individuals who have a valid access authorization that is demonstrated by assigned official government duties.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (2) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001537">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that access to classified information with special protection measures is granted only to individuals who satisfy associated personnel security criteria consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (2) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001538">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that access to classified information with special protection measures is granted only to individuals who have read, understand, and signed a nondisclosure agreement.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (2) (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-6 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001539">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes personnel security requirements including security roles and responsibilities for third-party providers.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-7.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001540">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents personnel security requirements for third-party providers..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-7 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-7.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001541">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors third-party provider compliance with personnel security requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-7 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-7.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001542">
			<status>draft</status>
			<publishdate>2009-11-03</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="PS-8.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001037">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001038">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented risk assessment policy to elements within the organization having associated risk assessment roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001039">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates the risk assessment policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001040">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of risk assessment policy reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001041">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.1 (iv) (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001042">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented risk assessment procedures to elements within the organization having associated risk assessment roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001043">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates risk assessment procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001044">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of risk assessment procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001045">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-2.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-2 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001046">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents the security categorization results (including supporting rationale) in the security plan for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-2.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-2 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001047">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-2.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-2 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001642">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the organizational document in which risk assessment results are documented (e.g. security plan, risk assessment report).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001048">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts an assessment of risk of the information system and the information it processes, stores, or transmits that includes the likelihood and magnitue of harm from the unauthorized access, use, disclosure, disruption, modification, or destruction.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001049">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents risk assessment results in the organization-defined document..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001050">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews risk assessment results on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001051">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for reviewing risk assessment results.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001052">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates the risk assessment on an organization-defined frequency or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001053">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for updating the risk assessment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-3 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001641">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the process for conducting random vulnerability scans on the information system and hosted applications.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001643">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined process for random scans.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001644">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employes vulnerability scanning procedures that can demonstrate the depth of coverage (i.e. vulnerabilities checked).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001645">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the list of information system components to which privileged access is authorized for selected vulnerability scanning activities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (5).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001054">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization scans for vulnerabilities in the information system and hosted applications on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001055">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for scanning for vulnerabilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001056">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001057">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; formatting/and making transparent checklists and test procedures; and measuring vulnerability impact.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001058">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization analyzes vulnerability scan reports and results from security control assessments.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001059">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization remediates legitimate vulnerabilities in organization-defined response times.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001060">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines response times for remediating legitimate vulnerabilities in accordance with an organization assessment of risk.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 d"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001061">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 e"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001062">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5  (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001063">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates the list of information system vulnerabilities scanned on an organization-defined frequency or when new vulnerabilities are identified and reported.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001064">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for updating the list of information system vulnerabilities scanned.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001065">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001066">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization attempts to discern what information about the information system is discoverable by adversaries.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001067">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes privileged access authorization to organization-defined information system components identified for selected vulnerability scanning activities to facilitate more thorough scanning.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (5).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001068">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (6).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001069">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency..</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (7).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001070">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for employing automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (7).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001071">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (8).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001072">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an independent penetration agent or penetration team to conduct a vulnerability analysis on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (9).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (9) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001073">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (9).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="RA-5 (9) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000601">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency to review/update system services and acquisition policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000602">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented system services and acquisition policy that addresses addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000603">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissiminates a formal, documented system services and acquisition policy to elements within the organization having associated system services and acquisition roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000604">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates, per organization-defined frequency, a formal, documented system services acquisition policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000605">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented system services and acquisition procedures to facilitate the implementation of the system services and acquisition policy and associated system services and acquisition controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.1 (iv) (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000606">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization dissiminates formal, documented system services and acquisition procedures to elements within the organization having associated system services and acquisition roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000607">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates, per organization-defined frequency, formal, documented system services and acquisition procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001650">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the information system developers manage and control changes to the information system development.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001651">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the information system integrators manage and control changes to the information system development.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001652">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the information system developers manage and control changes to the information system implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001653">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the information system integrators manage and control changes to the information system implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001654">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the information system developers manage and control changes to the information system modification.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001655">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the information system integrators manage and control changes to the information system modification.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000682">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers perform configuration management during information system design.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000683">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers perform configuration management during information system development.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000684">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers perform configuration management during information system implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000685">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers perform configuration management during information system operation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000686">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators perform configuration management during information system design.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000687">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators perform configuration management during information system development.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000688">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators perform configuration management during information system implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000689">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators perform configuration management during information system operation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000690">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers manage and control changes to the information system design.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000691">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators manage and control changes to the information system design.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000692">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers implement only organization-approved changes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000693">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators implement only organization-approved changes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000694">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers document approved changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000695">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators document approved changes to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (d)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000696">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers track security flaws and flaw resolution.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (e)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000697">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators track security flaws and flaw resolution.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (e)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000698">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers provide an integrity check of software to facilitate organizational verification of software integrity after delivery.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000699">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators provide an integrity check of software to facilitate organizational verification of software integrity after delivery.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000700">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides an alternative configuration management process with organizational personnel in the absence of dedicated developer configuration management team.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000701">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides an alternative configuration management process with organizational personnel in the absence of dedicated integrator configuration management team.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-10 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000702">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers, in consultation with associated security personnel (including security engineers) create a security test and evaluation plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1 SA-11(3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000703">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers, in consultation with associated security personnel (including security engineers) implement a security test and evaluation plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000704">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators, in consultation with associated security personnel (including security engineers) create a security test and evaluation plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1 SA-11(3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000705">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators, in consultation with associated security personnel (including security engineers) implement a security test and evaluation plan.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000706">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers, in consultation with associated security personnel (including security engineers) implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000707">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators, in consultation with associated security personnel (including security engineers) implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000708">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers, in consultation with associated security personnel (including security engineers) document the results of the security testing/evaluation processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000709">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers, in consultation with associated security personnel (including security engineers) document the results of the security flaw remediation processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000710">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators, in consultation with associated security personnel (including security engineers) document the results of the security testing/evaluation processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000711">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators, in consultation with associated security personnel (including security engineers) document the results of the security flaw remediation processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000712">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers employ code analysis tools to examine software for common flaws and document the results of the analysis.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (1).1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000713">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators employ code analysis tools to examine software for common flaws and document the results of the analysis.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (1).1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000714">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers perform a vulnerability analysis to document vulnerabilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (*2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000715">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers perform a vulnerability analysis to document exploitation potential.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000716">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers perform a vulnerability analysis to document risk mitigations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000717">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators perform a vulnerability analysis to document vulnerabilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000718">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators perform a vulnerability analysis to document exploitation potential.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000719">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators perform a vulnerability analysis to document risk mitigations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000720">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers implement the security test and evaluation plan under the witness of an independent verification and validation agent.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 1(3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000721">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system integrators implement the security test and evaluation plan under the witness of an independent verification and validation agent.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-11 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1 1(3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000722">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines list of measures to to be employed to protect against supply chain threats.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000723">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects against supply chain threats by employing organization-defined list of measures as part of a comprehensive, defense-in-breadth information security strategy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000724">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization purchases all anticipated information system components and spares in the initial acquisition.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000725">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000726">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system software.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000727">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system firmware.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000728">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000729">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses trusted shipping for information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000730">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses trusted shipping for information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000731">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses trusted shipping for information technology products.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000732">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses trusted warehousing for information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000733">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses trusted warehousing for information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000734">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses trusted warehousing for information technology products.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000735">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a diverse set of suppliers for information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000736">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a diverse set of suppliers for information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000737">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a diverse set of suppliers for information technology products.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000738">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a diverse set of suppliers for information system services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000739">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs standard configurations for information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000740">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs standard configurations for information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000741">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs standard configurations for information technology products.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000742">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization minimizes the time between purchase decisions and delivery of information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000743">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization minimizes the time between purchase decisions and delivery of information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000744">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization minimizes the time between purchase decisions and delivery of information technology products.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000745">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs independent analysis and penetration testing against delivered information systems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (7).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000746">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs independent analysis and penetration testing against delivered information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (7).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000747">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs independent analysis and penetration testing against delivered information technology products.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-12 (7).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000748">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines level of trustworthiness for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-13"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-13.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000749">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that the information system meets organization-defined level of trustworthiness.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-13"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-13.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000750">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines list of critical information system components that require re-implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000751">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines organization-defined list of critical information system components that require re-implementation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000752">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization re-implements organization-defined critical information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000753">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies information system components for which alternative sourcing is not viable.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000754">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines measures to be employed to prevent critical security controls for information system components from being compromised.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000755">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs organization-defined measures to ensure that critical security controls for the information system components are not compromised.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-14 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001646">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of system services and acquisition procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000608">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes a determination of information security requirements for the information system in mission process planning.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000609">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes a determination of information security requirements for the information system in business process planning.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000610">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization determines the resources required to protect the information system as part of its capital planning and investment control process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000611">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents the resources required to protect the information system as part of its capital planning and investment control process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000612">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization allocates the resources required to protect the information system as part of its capital planning and investment control process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000613">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a discrete line item for information security in organizational programming documentation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000614">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a discrete line item for information security in organizational financial documentation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-2.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000615">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages the information system using a system development life cycle methodology that includes information security considerations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000616">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system security roles and responsibilities throughout the system development life cycle</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000617">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents information system security roles and responsibilities throughout the system development life cycle</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000618">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies individuals having information system security roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-3.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001647">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires the use of a FIPS-validated, cryptographic module for a technology product that relies on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (7) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (7).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000619">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: security functional requirements/specifications.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000620">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: security-related documentation requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000621">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: developmental and evaluation-related assurance requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000623">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000624">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires in acquisition documents that vendors/contractors provide information describing the design details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000625">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires in acquisition documents that vendors/contractors provide information describing the implementation details of the security controls to be employed within the information system, information system components, or information system services (including functional interfaces among control components) in sufficient detail to permit analysis and testing of the controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000626">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs state-of-the practice software and security engineering methods..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000627">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employ quality control processes.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000628">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ validation techniques.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000629">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (4).1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000630">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires in acquisition documents, that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (5).1 (i) (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000631">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs only government off-the-shelf (GOTS) information assurance (IA) and IA-enabled information technology products that composes an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (6) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (6).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000632">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that composes an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (6) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (6).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000633">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that government off-the-shelf (GOTS) or commercial-off-the-shelf(COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (6) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (6).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000634">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits the use of commercially provided information technology products to those products that have been successfully evaluated against a validated U.S. Government Protection Profile for a specific technology type, if such a profile exists</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (7) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (7).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000635">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires a commercially-provided information technology product to rely on cryptographic functionality to enforce its security policy when no U.S. Government Protection Profile exists for such a specific technology type.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (7) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-4 (7).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001648">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization makes available to authorized personnel the source code for the information system to permit analysis and testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000636">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintaenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000637">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects as required administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintaenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000638">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization makes available to authorized personnel, administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000639">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000640">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization  protects as required user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maitaining the security of the information and information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000641">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization makes available to authorized personnel user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000642">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000643">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains vendor/manufacturer documentation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (1).1 (i) SA-5(2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000644">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects as required vendor/manufacturer documentation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (1).1 (i) SA-5(2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000645">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization makes available to authorized personnel vendor/manufacturer documentation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (1).1 SA-5(2).1 SA-5(3).1 SA-5(4).1 (i)s"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000646">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The vendor/manufacturer documentation describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing; security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing; high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing; low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (1).1 SA-5(2).1 SA-5(3).1 SA-5(4) (ii)s"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000647">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000648">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000650">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000651">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the low-level design of the information system in terms of implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000653">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains the source code for the information system to permit analysis and testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000654">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects as required the source code for the information system to permit analysis and testing.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-5 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000655">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses software and associated documentation in accordance with contract agreements and copyright laws.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000656">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000657">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000658">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000659">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the use of binary executable code from sources with limited or no warranty without accompanying source code.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000660">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits the use of machine executable code from sources with limited or no warranty without accompanying source code.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000661">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides exceptions to the source code requirement only when no alternative solutions are available to support compelling mission/oeprational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000662">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains express written consent of the authorizing official for exceptions to the source code requirement.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-6 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001649">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies and documents (as appropriate) explicit rules to be enforced when governing the installation of software by users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-7"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-7.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000663">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization (or information system) enforces explicit rules governing the installation of software by users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-7"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-7.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000664">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization applies information system security engineering principles in the specification of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000665">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization applies information system security engineering principles in the design of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000666">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization applies information system security engineering principles in the development of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000667">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization applies information system security engineering principles in the implementation of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000668">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization applies information system security engineering principles in the modification of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-8.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000669">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that providers of external information system services comply with organizational information security requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000670">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that providers of external information system services employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000671">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines government oversight with regard to external information system services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000672">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents government oversight with regard to external information system services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000673">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines user roles and responsibilities with regard to external information system services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000674">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents user roles and responsibilities with regard to external information system services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000675">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors security control compliance by external service providers.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000676">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts an organizational assessment of risk prior to the acquisition of dedicated information security services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000677">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization conducts an organizational assessment of risk prior to the outsourcing of dedicated information security services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000678">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the senior organizational official designated to approve acquisition of dedicated information security services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000679">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the senior organizational official designated to approve outsourcing of dedicated information security services.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000680">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that the acquisition of dedicated information security services is approved by organization-designated senior organizational official.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-000681">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures that the outsourcing of dedicated information security services is approved by organization-designated senior organizational official.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SA-9 (1).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001074">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001075">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented system and communications protection policy to elements within the organizatin having associated system and communications protection roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001076">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates the formal, documented system and communications protection policy in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.2 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001077">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency of system and communications protection policy reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.2 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001078">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented system and communications protection procedures to facilitate the implementation of the system and communications protection policy and communications protection controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.1 (iv) (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001079">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented system and communications protection procedures to elements within the organization having associated system and communications protection roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001080">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates system and communications protection procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.2 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001081">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of system and communications protection procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1.2 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-1 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001133">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system terminates the network connection associated with a communications session at the end of the session or after an organization-defined time period of inactivity.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-10.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-10"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001134">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the time period of inactivity before the information system terminates a network connection associated with a communications session.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-10.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-10"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001661">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the security functions within the information system to be included in a trusted communciations path.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-11.1"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-11.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001135">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system establishes a trusted communications path between the user and organization-defined security functions within the information system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-11.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-11"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001136">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines security functions include information system authentication and reauthentication.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-11.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-11"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001137">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes cryptographic keys for required cryptography employed within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001138">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manages cryptographic keys for required cryptography employed within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001139">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization maintains availability of information in the event of the loss of cryptographic keys by users.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001140">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization produces, controls, and distributes symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001141">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001142">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001143">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user?s private key.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-12 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001144">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001145">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001146">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs NSA-approved cryptography to protect classified information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC013 (2(.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001147">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001148">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs FIPS-validate or NSA-approved cryptography to implement digital signatures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-13 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001149">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects the integrity and availability of publicly available information and applications.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-14.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-14"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001150">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prohibits remote activation of collaborative computing devices excluding the organization-defined exceptions where remote activation is to be allowed.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001151">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines exceptions to the prohibiting of collaborative computing devices where remote activation is to be allowed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001152">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides an explicit indication of use to users physically present at collaborative computing devices.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001153">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001154">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001155">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disables or removes collaborative computing devices from information systems in organization-defined secure work areas.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (3).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001156">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines secure work areas where collaborative computing devices are prohibited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (3).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-15 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001157">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system associates security attributes with information exchanged between information systems.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-16.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-16"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001158">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system validates the integrity of security attributes exchanged between systems.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-16 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-16 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001159">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization issues public key certificates under an appropriate certificate policy or obtains public key certificates under an appropriate certificate policy from an approved service provider.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-17.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-17"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001662">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system takes corrective actions, when unauthorized mobile code is identified.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001162">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes implementation guidance for acceptable mobile code and mobile code technologies</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001163">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organizations authorizes the use of mobile code within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001164">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors the use of mobile code within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001165">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organizaiton controls the use of mobile code within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 c"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001166">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system implements detection and inspection mechanisms to identify unauthorized mobile code.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001167">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization ensures the acquisition, development, and/or use of mobile code to be deployed in information systems meets organization-defined mobile code requirements.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001168">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines requirements for the acquisition, development and/or use of mobile code.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (2).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001169">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents the download and execution of prohibited mobile code.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001170">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents the automatic execution of mobile code in organization-defined software applications and requires organization-defined actions prior to executing the code.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (4).1 (iii) (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001171">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines software applications for which automatic mobile code execution is to be prohibited.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001172">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines actions required by the information system before executing mobile code.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001160">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines acceptable and unacceptable mobile code and mobile code technologies</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001161">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes usage restrictions for acceptable mobile code and mobile code technologies</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-18 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001173">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes usage restrictions for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001174">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001175">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization authorizes the use of VoIP within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001176">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors the use of VoIP within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001177">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization controls the use of VoIP within the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-19 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001082">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system separates user functionality (including user interface services) from information system management functionality.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-2.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-2"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001083">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents the presentation of information system management-related functionality at an interface for general (i.e., non-privileged) users.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-2 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-2 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001663">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when operating as part of a distributed, hierarchical namespace, provides the means to enable verification of a chain of trust among parent and child domains (if the child supports secure resolution services).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-20 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-20 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001178">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-20.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-20"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001179">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-20 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-20 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001180">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-21.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-21"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001181">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system performs data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-21 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-21 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001182">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information systems that collectively provide name/address resolution service for an organization are fault-tolerant.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-22.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-22"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001183">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information systems that collectively provide name/address resolution service for an organization implement internal/external role separation.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-22.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-22"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001664">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system recognizes only session identifiers that are system-generated.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001184">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides mechanisms to protect the authenticity of communications sessions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001185">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system invalidates session identifiers upon user logout or other session termination.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001186">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides a readily observable logout capability whenever authentication is used to gain access to web pages.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001187">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system generates a unique session identifier for each session.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001188">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system generates unique session identifiers with organization-defined randomness requirements.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001189">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines randomness requirements for generating unique session identifiers.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-23 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001665">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system preserves organization-defined system state information in the event of a system failure.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001190">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system fails to an organization-defined known-state for organization-defined types of failures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001191">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the known-states the information system should fail to in the event of a system failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001192">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines types of failures for which the information system should fail to an organization-defined known-state.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001193">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines system state information that should be preserved in the event of a system failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-24"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001194">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system employs processing components that have minimal functionality and information storage.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-25.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-25"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001195">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-26.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-26"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001196">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system includes components that proactively seek to identify web-based malicious code.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-26 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-26 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001197">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system includes organization-defined operating system-independent applications.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-27.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-27"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001198">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines applications that are operating system-independent.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-27.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-27"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001666">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs cryptographic mechanisms to prevent unauthorized modification of information at rest unless otherwise protected by alternative physical measures.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-28 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-28 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001199">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects the confidentiality and integrity of information at rest.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-28.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-28"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001200">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information at rest unless otherwise protected by alternative physical measures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-28 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-28 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001201">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs diverse information technologies in the implementation of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-29.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-29"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001656">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the security functions of the information system to be isolated from non security functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001084">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system isolates security functions from nonsecurity functions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001085">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system implements underlying hardware separation mechanisms to facilitate security function isolation.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001086">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001087">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001088">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements security functions as largely independent modules that avoid unnecessary interactions between modules.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (4).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (4)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001089">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (5).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-3 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001202">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001203">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001204">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency of changes to operation system applications through the use of virtualization techniques.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001205">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs randomness in the implementation of the virtualization techniques.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-30 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001206">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires that information system developers/integrators perform a covert channel analysis to identify those aspects of system communication that are potential avenues for covert storage and timing channels.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-31.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-31"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001207">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests a subset of the vendor-identified covert channel avenues to determine if they are exploitable.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-31 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-31 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001208">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-32.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-32"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001209">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects the integrity of information during the processes of data aggregation, packaging, and transformation in preparation for transmission.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-33.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-33"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001210">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system at organization-defined information system components loads and executes the operating environment from hardware-enforced, read-only media.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001211">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system at organization-defined information system components loads and executes organization-defined applications from hardware-enforced, read-only media.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001212">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system components for which the operating environment and organization-defined applications are loaded and executed from hardware-enforced, read-only media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001213">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines applications that will be loaded and executed from hardware-enforced, read-only media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001214">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs organization-defined information system components with no writeable storage that are persistent across component restart or power on/off.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 (1).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001215">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the information system components to be employed with no writeable storage..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 (1).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001216">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects the integrity of the information on read-only media.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-34 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001090">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents unauthorized and unintended information transfer via shared system resources.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-4.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001091">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system does not share resources that are used to interface with systems operating at different security levels.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-4 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-4 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001092">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5.1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001093">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5.1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001094">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001095">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-5 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001096">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system limits the use of resources by priority</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-6.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-6"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001657">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the external boundary of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001658">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines key internal boundaries of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001659">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the mediation necessary for public access to the organization's internal networks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001660">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the measures to protect against unauthorized physical connections across boundary protections implemented at organization-defined managed interfaces.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (14)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (14).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001097">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7.1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001098">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7.1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 b"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001099">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001100">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents public access into the organization?s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (2).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001101">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (3).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (3)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001102">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements a managed interface for each external telecommunication service.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4) (a)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001103">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization establishes a traffic flow policy for each managed interface.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4) (b)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001104">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs security controls as needed to protect the confidentiality and integrity of the information being transmitted.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4).1 (iv)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4) (c)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001105">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4).1 (v)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4) (d)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001106">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews exceptions to the traffic flow policy on an organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4).1 (vi)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4) (e)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001107">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for the review of exceptions to the traffic flow policy.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4) (e)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001108">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4).1 (vii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (4) (f)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001109">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (5).1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (5)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001110">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (6).1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (6)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001111">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (7).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (7)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001112">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system routes organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers within the managed interfaces of boundary protection devices.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (8).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001113">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the internal communications traffic to be routed to external networks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (8).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001114">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the external networks to which the organization-defined internal communications traffic should be routed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (8).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (8)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001115">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system, at managed interfaces, denies network traffic and audits internal users (or malicious code) posing a threat to external information systems.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (9).1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (9)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001116">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization prevents the unauthorized exfiltration of information across managed interfaces.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (10).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (10)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001117">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system checks incoming communications to ensure that the communications are coming from an authorized source and routed to an authorized destination.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (11).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (11)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001118">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (12).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (12)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001119">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization isolates organization-defined key information security tools, mechanisms, and support components from other internal information system components via physically separate subnets with managed interfaces to other portions of the system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (13).1 (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (13)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001120">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines key information security tools, mechanisms, and support components to be isolated.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (13).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (13)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001121">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects against unauthorized physical connections across the boundary protections implemented at an organization-defined list of managed interfaces.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (14).1 (iii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (14)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001122">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of managed interfaces where boundary protections are to be implemented.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (14).1 (i)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (14)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001123">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (15).1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (15)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001124">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents discovery of specific system components (or devices) composing a managed interface.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (16).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (16)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001125">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to enforce strict adherence to protocol format.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (17).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (17)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001126">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system fails securely in the event of an operational failure of a boundary protection device.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (18)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-7 (18)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001127">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects the integrity of transmitted information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-8.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-8"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001128">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-8 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-8 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001129">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system maintains the integrity of information during aggregation, packaging, and transformation in preparation for transmission.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-8 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-8 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001130">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system protects the confidentiality of transmitted information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-9.1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-9"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001131">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by alternative physical measures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-9 (1).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-9 (1)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001132">
			<status>draft</status>
			<publishdate>2009-09-21</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system maintains the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-9 (2).1"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SC-9 (2)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001217">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops a formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.1 (i) (ii)"/>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 a"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001218">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates a formal, documented system and information integrity policy to elements within the organization having associated system and information integrity roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001219">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates system and information integrity policy in accordance with origanization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.2 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001220">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops formal, documented system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.1 (iv) (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001221">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates formal, documented system and information integrity procedures to elements within the organization having associated system and information integrity roles and responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001222">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reviews/updates  formal, documented system and information integrity procedures in accordance with organization-defined frequency.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.2 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001223">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of system and information integrity policy reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.2 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001224">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of system and information integrity procedure reviews/updates.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-1.2 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001310">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system checks the validity of information inputs.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-10"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-10.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001311">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system Identifies potentially security-relevant error conditions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001312">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system generates error messages that provide information necessary for corrective actions without revealing organization-defined sensitive or potentially harmful information in error logs and administrative messages that could be exploited by adversaries.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001313">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines sensitive or potentially harmful information that should not to be contained in error logs and administrative messages.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001314">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system reveals error messages only to authorized personnel.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-11.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001678">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-12"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-12.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001315">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization handles both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-12"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-12.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001679">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides a mechanism to exchange and standby roles of the components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001316">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects the information system from harm by considering mean time to failure rates for organization-defined list of information system components in specific environments of operation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001317">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of information system components for which mean time to failure rates should be considered to protect the information system from harm.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001318">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization provides substitute information system components, when needed,.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001319">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization takes the information system component out of service by transferring component responsibilities to a substitute component no later than an organization-defined fraction or percentage of mean time to failure.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001320">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the maximum fraction or percentage of mean time to failure in order to transfer the responsibilities of an information system component that is out of service to a substitute component.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001321">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization does not allow a process to execute without supervision for more than an organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001322">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period that is the most a process is allowed to execute without supervision.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001323">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization manually initiates a transfer between active and standby information system components at least once per organization-defined frequency if the mean time to failure exceeds an organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (3).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001324">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the minimum frequency in which the organization manually initiates a transfer between active and standby information system components if the mean time to failure exceeds the organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001325">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period that the mean time to failure must exceed before the organization manually initiates a transfer between active and standby information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001326">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, if an information system component failure is detected ensures that the standby information system component successfully and transparently assumes its role within an organization-defined time period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001327">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time period for a standby information system component to successfully and transparently assume the role of an information system component that has failed.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001328">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization, if an information system component failure is detected activates an organization-defined alarm and/or automatically shuts down the information system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001329">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the organization-defined alarm when an information system component failure is detected.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-13 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001667">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (3).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001225">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies information system flaws.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001226">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports information system flaws.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001227">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization corrects information system flaws.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001228">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests software updates related to flaw remediation for effectiveness on organizational information systems before installation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001229">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests software updates related to flaw remediation for potential side effects on organizational information systems before installation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001230">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization incorporates flaw remediation into the organizational configuration management process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001231">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization centrally manages the flaw remediation process.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001232">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization installs software updates automatically.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001233">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (2).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001234">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a frequency for employing automated mechanisms to determine the state of information system components with regard to flaw remediation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (2).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001235">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization measures the time between flaw identification and flaw remediation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001236">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines benchmarks to which the organization's measurement of time elapsed between flaw identification and flaw remediation should be compared..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001237">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated patch management tools to facilitate flaw remediation to organization-defined information system components.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001238">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system components for which automated patch management tools are to be employed to facilitate flaw remediation.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-2 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001668">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs malicious code protection mechanicsms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001669">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of testing malicious code protection mechanisms.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (6).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001239">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted trhough the exploitation of information system vulnerabilities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001240">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001241">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures malicious code protection mechanisms to perform periodic scans of the information system on an organization-defined frequency.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001242">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures malicious code protection mechanisms to perform real-time scans of files from external sources as the files are downloaded, opened, or executed in accordance with organizational security policy.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001243">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization configures malicious code protection mechanisms to perform organization-defined action(s) in response to malicious code detection.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001244">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines one or more actions to perform in response to malicious code detection, such as blocking malicious code, quarantining malicious code, or sending alert to administrator.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001245">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3.1 (vii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001246">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization centrally manages malicious code protection mechanisms.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001247">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically updates malicious code protection mechanisms, including signature definitions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001248">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents non-privileged users from circumventing malicious code protection capabilities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001249">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system updates malicious code protection mechanisms only when directed by a privileged user.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (4).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001250">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization does not allow users to introduce removable media into the information system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (5).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001251">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests malicious code protection mechanisms on an organization-defined frequency by introducing a known benign, non-spreading test case into the information system and subsequently verifying that both detection of the test case and associated incident reporting occur, as required.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-3 (6).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001670">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system takes organization-defined list of least-disruptive actions to terminate suspicious events.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7).1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001671">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization analyses outbound communciations traffic at selected interior points within the system (e.g., subnets, subsystems), as deemed necessary, to discover anomalies.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (11)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 ( 11).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001672">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a wireless intrusion detection system to detect attack attempts to the information system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (14)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (14).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001673">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a wireless intrusion detection system to detect potential compromises/breaches to the information system.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (14)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (14).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001252">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization monitors events on the information system in accordance with organization-defined monitoring objectives and detects information system attacks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001253">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines objectives for monitoring events on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001254">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies unauthorized use of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001255">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization deploys monitoring devices strategically within the information system to collect organization-determined essential information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001256">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001257">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001258">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 e"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4.1 (vi)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001259">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001260">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated tools to support near real-time analysis of events.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001261">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001262">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001263">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides near real-time alerts when any of the  organization-defined list of compromise or potential compromise indicators occurs.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (5).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001264">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines indicators of of compromise or potential compromise to the security of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (5)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (5).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001265">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (6)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (6).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001266">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system notifies an organization-defined list of incident response personnel (identified by name and/or by role) of suspicious events.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001267">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of incident response personnel (identified by name and/or by role) to be notified of suspicious events..</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001268">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of least-disruptive actions to be taken by the information system to terminate suspicious events</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (7).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001269">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (8)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (8).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001270">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization tests/exercises intrusion-monitoring tools on an organization-defined time-period.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (9)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (9).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001271">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a time-period for tests/exercises of the intrusion-monitoring tools.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (9)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (9).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001272">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization makes provisions so that encrypted traffic is visible to information system monitoring tools.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (10)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (10).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001273">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization analyzes outbound communications traffic at the external boundary of the system (i.e., system perimeter).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (11)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (11).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001274">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to alert security personnel of an organization-defined list of inappropriate or unusual activities with security implications.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (12)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (12).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001275">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of inappropriate or unusual activities with security implications that should trigger alters to security personnel.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (12)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (12).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001276">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization analyzes communications traffic/event patterns for the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13) (a)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001277">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization develops profiles representing common traffic patterns and/or events.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13) (b)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001278">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives to an organization-defined measure of false positives and the number of false negatives to an organization-defined measure of false negatives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13) (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13).1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001279">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false positives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13) (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001280">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false negatives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13) (c)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (13).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001281">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs a wireless intrusion detection system to identify rogue wireless devices to the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (14)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (14).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001282">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (15)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (15).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001283">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization correlates information from monitoring tools employed throughout the information system to achieve organization-wide situational awareness.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (16)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (16).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001284">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization correlates results from monitoring physical, cyber, and supply chain activities to achieve integrated situational awareness.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (17)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-4 (17).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001285">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001286">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization generates internal security alerts, advisories, and directives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001287">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization disseminates security alerts, advisories, and directives to an organization-defined list of personnel (identified by name and/or by role).</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001288">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines a list of personnel (identified by name and/or by role) to receive security alerts, advisories, and directives.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5 c"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001289">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5 d"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001290">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-5 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001674">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system responds to security function anomalies in accordance with organization-defined responses and alternative action(s).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6.1 (v)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001675">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization identifies organizational officials with information security responsibilities designated to receive the results of security function verification.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (3).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001676">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines for periodic security function verification, the frequency of the verifications.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001291">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6.1 (iv)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001292">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001293">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the information system responses and alternative action(s) to anomalies discovered during security function verification.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001294">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides notification of failed automated security tests.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001295">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system provides automated support for the management of distributed security testing.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001296">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reports the result of security function verification to designated organizational officials with information security responsibilities.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-6 (3).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001297">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system detects unauthorized changes to software and information.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7.1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001298">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization reassesses the integrity of software and information by performing, on an organization-defined frequency, integrity scans of the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (1).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001299">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines the frequency of integrity scans to be performed on the information system.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (1).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001300">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs automated tools that provide notification to designated individuals upon discovering discrepancies during integrity verification.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001301">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs centrally managed integrity verification tools.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (3)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (3).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001302">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization requires use of tamper-evident packaging for organization-defined information system components during organization-defined conditions.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (4).1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001303">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines information system components that require use tamper-evident packaging.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (4).1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001304">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization defines conditions (i.e., transportation from vendor to operational site, during operation, both) under which tamper-evident packaging must be used for organization-defined information system components.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (4)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-7 (4).1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001677">
			<status>draft</status>
			<publishdate>2010-05-12</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media or common means.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8.1 (ii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001305">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization employs malicious code protection mechanicsms at information system entry and exit points to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8 a"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8.1 (i)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001306">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8 b"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8.1 (iii)"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001307">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization centrally manages spam protection mechanisms.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8 (1)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8 (1).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001308">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The information system automatically updates spam protection mechanisms (including signature definitions).</definition>
			<type>technical</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8 (2)"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-8 (2).1"/>
			</references>
		</cci_item>
		<cci_item id="CCI-001309">
			<status>draft</status>
			<publishdate>2009-09-22</publishdate>
			<contributor>DISA FSO</contributor>
			<definition>The organization restricts the capability to input information to the information system to authorized personnel.</definition>
			<type>policy</type>
			<references>
				<reference creator="NIST" title="NIST SP 800-53" version="3" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-9"/>
				<reference creator="NIST" title="NIST SP 800-53A" version="1" location="http://csrc.nist.gov/publications/PubsSPs.html" index="SI-9.1"/>
			</references>
		</cci_item>
	</cci_items>
</cci_list>