Issue/Question
Overview
This Knowledge Base article lists the criteria on which the security team bases software approval decisions.
Resolution
Our review process is based on NIST 800-171r2. Each submission is evaluated against the following criteria:
- Access Control: Ensure the software allows for proper user access control, limiting access to authorized users and providing mechanisms for controlling, managing, and logging user access.
- Configuration Management: Check whether the software supports secure configurations and allows for the management of security features and functions.
- Identification and Authentication: Confirm that the software has robust mechanisms for user identification and authentication, including multi-factor authentication where necessary.
- System and Communications Protection: Evaluate whether the software offers protection mechanisms for data transmission, including encryption of data both at rest and in transit.
- System and Information Integrity: Check whether the software has features to identify, report, and correct system flaws, and to protect against malicious code.
- Security Assessment: Determine whether the software has been tested or certified for security by a reputable third-party organization.
- Incident Response: Ensure the software has capabilities for incident detection, response, and reporting, where applicable.
- Maintenance: Ensure the vendor provides regular security updates and patches.
- Risk Assessment: Evaluate whether the vendor or the software itself has any known security vulnerabilities or risks.
- Data Protection: Ensure that the software provides mechanisms for protecting Controlled Unclassified Information (CUI), such as encryption or tokenization.