zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-05 09:21:54 +02:00
Code Issues Projects Releases Packages Wiki Activity
manage.get.gov/docs/compliance/dist/system-security-plans/ato/cm-12.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116) 
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00

2.9 KiB
Raw Blame History

implementation-status control-origination
c-not-implemented
c-inherited-cloud-gov
c-inherited-cisa
c-common-control
c-system-specific-control

cm-12 - [catalog] Information Location

Control Statement

  • [a] Identify and document the location of information and the specific system components on which the information is processed and stored;

  • [b] Identify and document the users who have access to the system and system components where the information is processed and stored; and

  • [c] Document changes to the location (i.e., system or system components) where the information is processed and stored.

Control guidance

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199 ). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

Control assessment-objective

the location of information is identified and documented; the specific system components on which information is processed are identified and documented; the specific system components on which information is stored are identified and documented; the users who have access to the system and system components where information is processed are identified and documented; the users who have access to the system and system components where information is stored are identified and documented; changes to the location (i.e., system or system components) where information is processed are documented; changes to the location (i.e., system or system components) where information is stored are documented.

What is the solution and how is it implemented?

Implementation a.

Add control implementation description here for item cm-12_smt.a

Implementation b.

Add control implementation description here for item cm-12_smt.b

Implementation c.

Add control implementation description here for item cm-12_smt.c