Implementation level and assurance tag for new controls.
aj-stein-nist committed Nov 7, 2023
1 parent 17a13c8 commit 09507c5
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml
Expand Up @@ -5859,7 +5859,7 @@
<prop name="alt-identifier" value="ac-7.2_prm_2"/>
<prop name="alt-label" class="sp800-53" value="purging or wiping requirements and techniques"/>
<prop name="label" class="sp800-53a" value="AC-07(02)_ODP[02]"/>
<label>purging and wiping requirements or techniques</label>
<label>purging or wiping requirements and techniques</label>
<guideline>
<p>purging and wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;</p>
</guideline>
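Review bot: The corrected `<label>` in this hunk now matches the `alt-label` value ("purging or wiping requirements and techniques"), but the `<guideline>` paragraph directly below it still reads "purging and wiping requirements and techniques", so the same `<param>` describes the parameter two ways. Either align the guideline wording in this commit or confirm that it is verbatim from the source publication and intentionally differs.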
Expand Down Expand Up @@ -10132,7 +10132,7 @@
<param id="ac-24_odp.01">
<prop name="alt-identifier" value="ac-24_prm_1"/>
<prop name="label" class="sp800-53a" value="AC-24_ODP[01]"/>
<select how-many="one">
<select how-many="one-or-more">
<choice>establish procedures</choice>
<choice>implement mechanisms</choice>
</select>
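Review bot: The `how-many` change on `ac-24_odp.01` from "one" to "one-or-more" is not covered by the commit message, which only mentions implementation level and assurance tags for new controls. It changes what counts as a valid selection for anything that validates parameter values against the catalog, so it deserves its own commit or at least a line in the message.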
Expand Down Expand Up @@ -17961,7 +17961,7 @@
<param id="ca-08.03_odp.02">
<prop name="alt-identifier" value="ca-8.3_prm_2"/>
<prop name="label" class="sp800-53a" value="CA-08(03)_ODP[02]"/>
<select how-many="one">
<select how-many="one-or-more">
<choice>announced</choice>
<choice>unannounced</choice>
</select>
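Review bot: With `how-many="one-or-more"` on `ca-08.03_odp.02`, a consumer can now select both "announced" and "unannounced" at once. Please confirm against the published control text that a combined selection is intended, and record the reference alongside the change.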
Expand Down Expand Up @@ -30942,9 +30942,9 @@
<prop name="label" value="IA-13"/>
<prop name="label" class="sp800-53a" value="IA-13"/>
<prop name="sort-id" value="ia-13"/>
<!-- TODO: Determine if organization and/or system control? -->
<!--<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>-->
<!--<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>-->
<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>
<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>
<prop ns="http://csrc.nist.gov/ns/rmf" name="contributes-to-assurance" value="false"/>
<link rel="related" href="#ac-3"/>
<link rel="related" href="#ia-2"/>
<link rel="related" href="#ia-3"/>
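Review bot: The removed TODO on IA-13 asked whether this is an organization and/or system control, and the replacement enables both `implementation-level` props without saying how that was decided. Please state the basis for the decision in the commit message so the TODO's question is answered in history rather than just deleted.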
Expand Down Expand Up @@ -31019,9 +31019,9 @@
<prop name="label" value="IA-13(1)"/>
<prop name="label" class="sp800-53a" value="IA-13(01)"/>
<prop name="sort-id" value="ia-13.01"/>
<!-- TODO: Determine if organization and/or system control? -->
<!--<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>-->
<!--<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>-->
<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>
<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>
<prop ns="http://csrc.nist.gov/ns/rmf" name="contributes-to-assurance" value="false"/>
<link rel="required" href="#ia-13"/>
<link rel="related" href="#ia-13"/>
<link rel="related" href="#sc-12"/>
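Review bot: The `contributes-to-assurance` prop with value "false" on IA-13(1) was not among the commented-out placeholders, so it is a new assertion rather than an uncommented one. Please confirm the value was checked for this enhancement specifically and not carried over from the base control, where the same three lines appear.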
Expand Down Expand Up @@ -31082,9 +31082,9 @@
<prop name="label" value="IA-13(2)"/>
<prop name="label" class="sp800-53a" value="IA-13(02)"/>
<prop name="sort-id" value="ia-13.02"/>
<!-- TODO: Determine if organization and/or system control? -->
<!--<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>-->
<!--<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>-->
<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="organization"/>
<prop ns="http://csrc.nist.gov/ns/rmf" name="implementation-level" value="system"/>
<prop ns="http://csrc.nist.gov/ns/rmf" name="contributes-to-assurance" value="false"/>
<link rel="required" href="#ia-13"/>
<link rel="related" href="#ia-13"/>
<part name="statement" id="ia-13.2_smt">
Expand Down Expand Up @@ -69544,7 +69544,7 @@
<p>Employ the following out-of-band channels for the physical delivery or electronic transmission of <insert type="param" id-ref="sc-37_odp.02"/> to <insert type="param" id-ref="sc-37_odp.03"/>: <insert type="param" id-ref="sc-37_odp.01"/>.</p>
</part>
<part name="guidance" id="sc-37_gdn">
<p>Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.</p>
<p>Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file.</p>
</part>
<part id="sc-37_obj" name="assessment-objective">
<prop name="label" class="sp800-53a" value="SC-37"/>
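Review bot: The sentence appended to the `sc-37_gdn` guidance mixes plural and singular ("cryptographic keys for encrypted files" followed by "than the file"), and it is a prose change outside what the commit message describes. If it is copied from the published text, keep it verbatim and cite the source; otherwise consider ending it with "than the files themselves".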