Difference between revisions of "User:Shawndouglas/sandbox/sublevel25"
Shawndouglas (talk | contribs)
Line 18: | Line 18: | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.6]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.6]<br /> | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.1 and 4.9.7]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.1 and 4.9.7]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-12] | ||
| style="background-color:white;" |'''31.2''' The system shall protect entered data so as to prevent it from being obscured by new data, keeping both the old and current data available for review. | | style="background-color:white;" |'''31.2''' The system shall protect entered data so as to prevent it from being obscured by new data, keeping both the old and current data available for review. | ||
|- | |- | ||
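Review bot: the removed side of the NIST citation in this row (the line ending in SI-12) survives only as `[https://`, so the diff does not record which URL was replaced; state the old target in the edit summary so the link change stays auditable. The replacement URL is the SP 800-53 Rev. 5 publication detail page, and the same URL is reused for every control cited in this diff (SI-12 here, AT-4, AU-8, AC-7 and so on later), which sends the reader to the catalog landing page rather than the control; a wiki template that takes the control identifier would keep the target in one place and make the next URL change a single edit.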
Line 33: | Line 33: | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.9]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.8.9]<br /> | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.9]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.9]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-12]<br /> | ||
[https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br /> | [https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br /> | ||
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]<br /> | [https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1]<br /> | ||
Line 114: | Line 114: | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 4.3]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 4.3]<br /> | ||
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 8.4.2]<br /> | [https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 8.4.2]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AT-4]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AU-11 and AU-11(1)]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-12]<br /> | ||
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br /> | [https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br /> | ||
[https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br /> | [https://www.oecd.org/chemicalsafety/testing/oecdseriesonprinciplesofgoodlaboratorypracticeglpandcompliancemonitoring.htm OECD GLP Principles 10]<br /> | ||
Line 124: | Line 124: | ||
| style="background-color:white;" |'''31.4''' The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period. | | style="background-color:white;" |'''31.4''' The system shall have a mechanism to securely retain data in the system for a specific time period and enable protections that ensure the accurate and ready retrieval of that data throughout the records retention period. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 E-17-6]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.4]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 E-17-6]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.4]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AU-8] | ||
| style="background-color:white;" |'''31.5''' The system shall accurately reflect the system date and time in its use of electronic record time stamps. | | style="background-color:white;" |'''31.5''' The system shall accurately reflect the system date and time in its use of electronic record time stamps. | ||
|- | |- | ||
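Review bot: row 31.5 requires time stamps that "accurately reflect the system date and time" but cites only AU-8, which in Rev. 5 covers generating and recording time stamps; the clock-synchronization requirement that backs accuracy moved out of AU-8 (the Rev. 4 enhancement AU-8(1) was withdrawn) into SC-45 and SC-45(1), Synchronization with Authoritative Time Source. Consider citing SC-45(1) alongside AU-8 so the row supports both the recording and the accuracy halves of the requirement.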
Line 135: | Line 135: | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.5]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.5]<br /> | ||
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-9]<br /> | [https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-9]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AU-9] | ||
| style="background-color:white;" |'''31.7''' The system shall prevent the modification, deletion, or disabling of its audit trail, as well as record such attempts. | | style="background-color:white;" |'''31.7''' The system shall prevent the modification, deletion, or disabling of its audit trail, as well as record such attempts. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.2]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.4.2]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AU-5]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-4] | ||
| style="background-color:white;" |'''31.8''' The system shall be capable of identifying instances of audit processing failure (e.g., write errors, general failure of the audit tool, etc.), sending alerts or notifications to appropriate personnel in such cases. | | style="background-color:white;" |'''31.8''' The system shall be capable of identifying instances of audit processing failure (e.g., write errors, general failure of the audit tool, etc.), sending alerts or notifications to appropriate personnel in such cases. | ||
|- | |- | ||
Line 214: | Line 214: | ||
| style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-17]<br /> | | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-17]<br /> | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.7.1]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.7.1]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-6(1)]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, CM-7] | ||
| style="background-color:white;" |'''32.18''' The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems. | | style="background-color:white;" |'''32.18''' The system should provide an interface for administrative access that permits approved users to configure the system without extra programming or manipulation of data storage systems. | ||
|- | |- | ||
Line 227: | Line 227: | ||
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-20]<br /> | [https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-20]<br /> | ||
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]<br /> | [https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-14]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, CM-5(1)] | ||
| style="background-color:white;" |'''32.21''' The system should support rules governing electronic records and electronic signatures in regulated environments. | | style="background-color:white;" |'''32.21''' The system should support rules governing electronic records and electronic signatures in regulated environments. | ||
|- | |- | ||
Line 257: | Line 257: | ||
[https://ichgcp.net/ ICH GCP 2.10]<br /> | [https://ichgcp.net/ ICH GCP 2.10]<br /> | ||
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br /> | [https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, CM-5 and CM-5(1)]<br /> | ||
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br /> | [https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards]<br /> | ||
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br /> | [https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br /> | ||
Line 264: | Line 264: | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2–3]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br /> | | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2–3]<br />[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-2(11)] | ||
| style="background-color:white;" |'''32.23''' The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information. | | style="background-color:white;" |'''32.23''' The system shall be able to granularly define access control down to the object level, role level, physical location, logical location, network address, and chronometric restriction level for the protection of regulated, patented, confidential, and classified data, methods, or other types of information. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-22]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-1-22]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-2(10)] | ||
| style="background-color:white;" |'''32.24''' The system should support single sign-on such that a user can log in once and access all permitted functions and data. | | style="background-color:white;" |'''32.24''' The system should support single sign-on such that a user can log in once and access all permitted functions and data. | ||
|- | |- | ||
Line 285: | Line 285: | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.4]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.4]<br /> | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-2(7) and AC-3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-2, IA-5, and IA-8]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, MA-4]<br /> | ||
[https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9] | [https://extranet.who.int/prequal/content/who-technical-report-series WHO Technical Report Series, #986, Annex 2, 15.9] | ||
| style="background-color:white;" |'''32.25''' The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user. | | style="background-color:white;" |'''32.25''' The system shall provide initial login access using at least two unique identification components, e.g., a user identifier and password, or biometric information linked to and used by the genuine user. | ||
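Review bot: row 32.25 treats a user identifier plus a password as "two unique identification components", which is single-factor authentication, and the Rev. 5 controls now cited (IA-2, IA-5, IA-8) cover identification and authenticator management but not multifactor authentication. If the intent is two factors, cite the Rev. 5 enhancements IA-2(1) and IA-2(2) and reword the example so an identifier does not count as a factor; if the intent really is identifier plus one secret, say so explicitly so the row is not read as an MFA requirement.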
Line 297: | Line 297: | ||
[https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. VI, Sec. 8.6]<br /> | [https://nepis.epa.gov/Exe/ZyPDF.cgi?Dockey=30006MXP.PDF EPA 815-R-05-004 Chap. VI, Sec. 8.6]<br /> | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-4 and IA-5] | ||
| style="background-color:white;" |'''32.26''' The system shall prevent the same combination of identification components from being used across more than one account. | | style="background-color:white;" |'''32.26''' The system shall prevent the same combination of identification components from being used across more than one account. | ||
|- | |- | ||
Line 305: | Line 305: | ||
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br /> | [https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br /> | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-5 and IA-5(1)] | ||
| style="background-color:white;" |'''32.27''' The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password. | | style="background-color:white;" |'''32.27''' The system shall allow the administrator to define a time period in days after which a user will be prompted to change their password. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.1]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.1]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-2(3)]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-4 and IA-5(1)]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, PS-4] | ||
| style="background-color:white;" |'''32.28''' The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived. | | style="background-color:white;" |'''32.28''' The system shall allow the administrator to define a time period of inactivity for a user identifier, after which it will be disabled and archived. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.2.2]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-10] | ||
| style="background-color:white;" |'''32.29''' The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user. | | style="background-color:white;" |'''32.29''' The system shall allow the administrator or authorized personnel to configure the allowance or prevention of multiple concurrent active sessions for one unique user. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.4]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.4]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-8] | ||
| style="background-color:white;" |'''32.30''' The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user. | | style="background-color:white;" |'''32.30''' The system shall allow the administrator or authorized personnel to configure approved system use (e.g., "you are accessing a restricted information system," "system use indicates consent to being monitored, recorded, and audited") and other types of notifications to appear before or after a user logs in to the system. These notifications should remain on the screen until acknowledged by the user. | ||
|- | |- | ||
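Review bot: row 32.27 mandates an administrator-defined password expiry period and cites IA-5 and IA-5(1), but Rev. 5 IA-5(1) dropped the Rev. 4 minimum/maximum password lifetime items, so the new citation no longer supports a required rotation interval. Either rest the row on the other standards cited (CLSI QMS22, ISO 15189) or make the interval organization-defined with an explicit option to disable periodic rotation, which is what the Rev. 5 text permits.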
Line 333: | Line 333: | ||
[https://eur-lex.europa.eu/eli/dir/2003/94/oj E.U. Commission Directive 2003/94/EC Article 9.2]<br /> | [https://eur-lex.europa.eu/eli/dir/2003/94/oj E.U. Commission Directive 2003/94/EC Article 9.2]<br /> | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, CM-5(1)]<br /> | ||
[https://www.who.int/medicines/areas/quality_safety/quality_assurance/expert_committee/trs_986/en/ WHO Technical Report Series, #986, Annex 2, 15.9] | [https://www.who.int/medicines/areas/quality_safety/quality_assurance/expert_committee/trs_986/en/ WHO Technical Report Series, #986, Annex 2, 15.9] | ||
| style="background-color:white;" |'''32.31''' The system shall keep an accurate audit trail of login activities, including failed login attempts, unauthorized logins, and electronic signings. | | style="background-color:white;" |'''32.31''' The system shall keep an accurate audit trail of login activities, including failed login attempts, unauthorized logins, and electronic signings. | ||
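Review bot: the WHO Technical Report Series #986, Annex 2, 15.9 citation in this hunk links to www.who.int/medicines/areas/quality_safety/quality_assurance/expert_committee/trs_986/en/, while the same citation in the Line 285 hunk (row 32.25) links to extranet.who.int/prequal/content/who-technical-report-series; pick one target and use it in both rows so the two references do not drift apart, ideally while the NIST links are being normalized in this same edit.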
Line 342: | Line 342: | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.3]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.3]<br /> | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-7] | ||
| style="background-color:white;" |'''32.32''' The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out. | | style="background-color:white;" |'''32.32''' The system shall allow the administrator or authorized personnel to define the number of failed login attempts before the system locks the user out. | ||
|- | |- | ||
Line 359: | Line 359: | ||
[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-1]<br /> | [https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-1]<br /> | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.2]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.3.2]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-5] | ||
| style="background-color:white;" |'''32.34''' The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed. | | style="background-color:white;" |'''32.34''' The vendor shall provide training materials emphasizing the importance of not sharing unique identification components with other individuals and promoting compliance review for ensuring such practices are followed. | ||
|- | |- | ||
Line 374: | Line 374: | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.1]<br /> | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-2, IA-5, and IA-8] | ||
| style="background-color:white;" |'''32.35''' The system shall support the ability to initially assign new individual users to system groups, roles, or both. | | style="background-color:white;" |'''32.35''' The system shall support the ability to initially assign new individual users to system groups, roles, or both. | ||
|- | |- | ||
Line 394: | Line 394: | ||
| style="background-color:white;" |'''32.39''' The system should provide a means to migrate static data into the system. | | style="background-color:white;" |'''32.39''' The system should provide a means to migrate static data into the system. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https:// | | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-5(1)]<br />[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2] | ||
| style="background-color:white;" |'''32.40''' The system should provide a means for automatically authenticating if a user's proposed password meets the length, complexity, minimum number of changed characters, and other requirements as configured by the administrator or another authorized system user. | | style="background-color:white;" |'''32.40''' The system should provide a means for automatically authenticating if a user's proposed password meets the length, complexity, minimum number of changed characters, and other requirements as configured by the administrator or another authorized system user. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https:// | | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-6] | ||
| style="background-color:white;" |'''32.41''' The system should provide a means for obscuring authentication feedback as it is entered into the system, e.g., displaying asterisks rather than the typed password or displaying actual typed feedback for a distinctly short period of time before obscuring it. | | style="background-color:white;" |'''32.41''' The system should provide a means for obscuring authentication feedback as it is entered into the system, e.g., displaying asterisks rather than the typed password or displaying actual typed feedback for a distinctly short period of time before obscuring it. | ||
|- | |- | ||
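Review bot: row 32.40 limits the automated password check to length, complexity and minimum number of changed characters, but the Rev. 5 IA-5(1) it now cites also requires maintaining a list of commonly used, expected or compromised passwords and verifying that a proposed password is not on it. Consider adding that screening check to the requirement text, or note why it is out of scope, so the row matches the control it cites.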
Line 412: | Line 412: | ||
! style="color:brown; background-color:#ffffee; width:700px;"| Requirement | ! style="color:brown; background-color:#ffffee; width:700px;"| Requirement | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-1]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.8]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-1]<br />[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.8]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SA-4(3)] | ||
| style="background-color:white;" |'''33.1''' The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications. | | style="background-color:white;" |'''33.1''' The vendor should be able to demonstrate the use of software development standards, secure coding practices, formal change control, and software revision control within its development practices. The vendor should also document its staff's skills and certifications. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-2]<br />[https:// | | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-2-2]<br />[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SA-4(2)] | ||
| style="background-color:white;" |'''33.2''' The vendor should be willing to provide access to source code through a suitable escrow. | | style="background-color:white;" |'''33.2''' The vendor should be willing to provide access to source code through a suitable escrow. | ||
|- | |- | ||
Line 426: | Line 426: | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.3]<br /> | ||
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.5]<br /> | [https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.5]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SA-4(1), SA-4(2), and SA-5] | ||
| style="background-color:white;" |'''33.4''' The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting. | | style="background-color:white;" |'''33.4''' The system should be well documented by the vendor in comprehensive training material for all aspects of system use, including administration, operation, and troubleshooting. | ||
|- | |- | ||
Line 469: | Line 469: | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.5]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.5.5]<br /> | ||
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br /> | [https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-11 and AC-12] | ||
| style="background-color:white;" |'''34.1''' The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials. The system shall also be able to display an explicit message indicating how much time remains before the user session terminates. | | style="background-color:white;" |'''34.1''' The system shall provide administrators with a configurable period of time to apply to user access or inactivity before again prompting a user for authentication credentials. The system shall also be able to display an explicit message indicating how much time remains before the user session terminates. | ||
|- | |- | ||
Line 496: | Line 496: | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.1.14–15]<br /> | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-2(7) and AC-3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-2 and IA-8]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, MA-4]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, PS-4 and PS-5]<br /> | ||
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br /> | [https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4]<br /> | ||
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.5.1.2] | [https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.5.1.2] | ||
Line 509: | Line 509: | ||
| style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-9]<br /> | | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-9]<br /> | ||
[https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-3.3]<br /> | [https://ec.europa.eu/health/sites/health/files/files/eudralex/vol-4/annex11_01-2011_en.pdf E.U. Annex 11-3.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SA-16]<br /> | ||
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4] | [https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.4] | ||
| style="background-color:white;" |'''34.6''' The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled. | | style="background-color:white;" |'''34.6''' The vendor shall provide help desk, training, and installation support, as well as high-quality system documentation. The documentation should be reviewed to ensure that user requirements are fulfilled. | ||
Line 530: | Line 530: | ||
[https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br /> | [https://www.iso.org/standard/56115.html ISO 15189:2012 5.10.2]<br /> | ||
[https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br /> | [https://www.iso.org/standard/66912.html ISO/IEC 17025:2017 7.11.3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, MA-5]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, MP-2]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, PE-3, PE-3(1), PE-6, PE-6(1), and PE-6(4)]<br /> | ||
[https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1] | [https://www.ams.usda.gov/datasets/pdp/pdp-standard-operating-procedures USDA Administrative Procedures for the PDP 5.2.1] | ||
| style="background-color:white;" |'''34.7''' The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.) | | style="background-color:white;" |'''34.7''' The vendor shall restrict logical access to database storage components to authorized individuals. If providing a hosted service, the vendor should also restrict physical access to database storage components to authorized individuals. (In the case of an on-site solution, the buyer is responsible for limiting physical access to database storage components to meet 21 CFR Part 11, HIPAA, and CJIS guidelines.) | ||
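Review bot: the Rev. 5 citations added for 34.7 (MA-5, MP-2, PE-3 and PE-3(1), PE-6 and its enhancements) all concern maintenance personnel, media and physical access, so the first sentence of the requirement, restricting logical access to database storage components to authorized individuals, is left without a supporting control; AC-3 (Access Enforcement) and AC-6 (Least Privilege), which this revision already cites for 35.3 and 36.4, are the natural additions to this citation cell.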
Line 557: | Line 557: | ||
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.6.1]<br /> | [https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.6.1]<br /> | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-2(5)]<br /> | ||
[https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards] | [https://www.wadsworth.org/regulatory/clep/clinical-labs/laboratory-standards NYSDOH CLEP Clinical Laboratory Standards of Practice, General Systems Standards] | ||
| style="background-color:white;" |'''34.10''' The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back. | | style="background-color:white;" |'''34.10''' The vendor should provide timely upgrades and patches, with complete documentation, that have been tested before installation and can be rolled back. | ||
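Review bot: SI-2(5) is the Automatic Software and Firmware Updates enhancement, which is narrower than 34.10; the "tested before installation" and roll-back language maps to the base control SI-2 (Flaw Remediation) and to CM-3(2) (Testing, Validation, and Documentation of Changes), both of which this revision cites for 34.15 a few rows down, so cite those here as well or replace SI-2(5) with SI-2.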
Line 579: | Line 579: | ||
| style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-15]<br /> | | style="padding:5px; width:500px;" |[https://www.astm.org/e1578-18.html ASTM E1578-18 S-3-15]<br /> | ||
[https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br /> | [https://www.epa.gov/sites/production/files/documents/erln_lab_requirements.pdf EPA ERLN Laboratory Requirements 4.9.13]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, CM-3(2)]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-2] | ||
| style="background-color:white;" |'''34.15''' The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment. | | style="background-color:white;" |'''34.15''' The system shall be able to install an upgrade into a test environment for testing purposes before upgrading the actual production environment. | ||
|- | |- | ||
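Review bot: the closest Rev. 5 match for 34.15's requirement to install an upgrade into a test environment first is the CM-4(1) enhancement (Impact Analyses: Separate Test Environments), which is missing from the new citation line; CM-3(2) and SI-2 cover the testing and remediation aspects but not the requirement for a distinct environment.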
Line 606: | Line 606: | ||
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.2.3.2]<br /> | [https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.2.3.2]<br /> | ||
[https://www.ema.europa.eu/en/human-regulatory/research-development/compliance/good-manufacturing-practice/guidance-good-manufacturing-practice-good-distribution-practice-questions-answers EMA Guidance on Good Manufacturing Practice and Good Distribution Practice]<br /> | [https://www.ema.europa.eu/en/human-regulatory/research-development/compliance/good-manufacturing-practice/guidance-good-manufacturing-practice-good-distribution-practice-questions-answers EMA Guidance on Good Manufacturing Practice and Good Distribution Practice]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-17(2)] | ||
| style="background-color:white;" |'''35.1''' The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption. | | style="background-color:white;" |'''35.1''' The system should use secure communication protocols like SSL/TLS over Secure Hypertext Transfer Protocol with 256 bit encryption. | ||
|- | |- | ||
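Review bot: the AC-17(2) citation added for 35.1 is scoped to remote access sessions, whereas 35.1 is a general transport protection requirement, so SC-8 (Transmission Confidentiality and Integrity) with its SC-8(1) enhancement (Cryptographic Protection) is the better anchor. While this row is being touched, the unchanged requirement text also needs attention: HTTPS is HTTP carried over TLS, not "SSL/TLS over Secure Hypertext Transfer Protocol"; SSL is a deprecated protocol family and should not be named as acceptable; and "256 bit" describes the symmetric cipher key length rather than the protocol, so the requirement should state a minimum TLS version and the cipher strength separately (and hyphenate "256-bit").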
Line 618: | Line 618: | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.10.1.2]<br /> | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy Appendix G.6]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SC-13 and SC-28(1)] | ||
| style="background-color:white;" |'''35.2''' The system should support database encryption and be capable of recording the encryption status of the data contained within. | | style="background-color:white;" |'''35.2''' The system should support database encryption and be capable of recording the encryption status of the data contained within. | ||
|- | |- | ||
Line 624: | Line 624: | ||
[https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.2.2.1]<br /> | [https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center CJIS Security Policy 5.6.2.2.1]<br /> | ||
[https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2.2]<br /> | [https://clsi.org/standards/products/quality-management-systems/documents/qms22/ CLSI QMS22 2.4.2.2]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-3]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-2, IA-2(1–4), and IA-8]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, MA-4] | ||
| style="background-color:white;" |'''35.3''' The system should be able to support multifactor authentication. | | style="background-color:white;" |'''35.3''' The system should be able to support multifactor authentication. | ||
|- | |- | ||
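Review bot: the range "IA-2(1–4)" on the new Rev. 5 line for 35.3 points at two withdrawn enhancements: in Rev. 5, IA-2(3) and IA-2(4) were withdrawn and incorporated into IA-2(1) (Multi-factor Authentication to Privileged Accounts) and IA-2(2) (Multi-factor Authentication to Non-privileged Accounts). The citation should read "IA-2, IA-2(1), IA-2(2), and IA-8", matching the explicit enhancement style used for PE-3 and PE-6 earlier in this table.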
Line 632: | Line 632: | ||
| style="background-color:white;" |'''35.4''' The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information. | | style="background-color:white;" |'''35.4''' The system should support Office of the National Coordinator for Health Information Technology (ONC) transport standards and protocols for the reception and distribution of personal health information. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https:// | | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, IA-7] | ||
| style="background-color:white;" |'''35.5''' The system should provide a means for authenticating an individual seeking to access any embedded cryptographic module within the system, as well as the individual's role in performing services within the module. | | style="background-color:white;" |'''35.5''' The system should provide a means for authenticating an individual seeking to access any embedded cryptographic module within the system, as well as the individual's role in performing services within the module. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https:// | | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SC-15] | ||
| style="background-color:white;" |'''35.6''' The system should prevent connected collaborative computing devices (e.g., cameras, microphones, interactive whiteboards) from being activated without explicit permission from the end user, and it should provide a clear indication of any activation to the end user. | | style="background-color:white;" |'''35.6''' The system should prevent connected collaborative computing devices (e.g., cameras, microphones, interactive whiteboards) from being activated without explicit permission from the end user, and it should provide a clear indication of any activation to the end user. | ||
|- | |- | ||
Line 667: | Line 667: | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br /> | | style="padding:5px; width:500px;" |[https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E 45 CFR Part 164 Subpart E]<br /> | ||
[https:// | [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, AC-6] | ||
| style="background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties. | | style="background-color:white;" |'''36.4''' The system shall be able to verify and ensure that users authorized to view de-identified data are also not a member of a role that permits access to information that re-identifies the data, i.e., segregate duties. | ||
|- | |- | ||
| style="padding:5px; width:500px;" |[https:// | | style="padding:5px; width:500px;" |[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST 800-53, Rev. 5, SI-19(7)] | ||
| style="background-color:white;" |'''36.5''' The system should use validated algorithms to de-identify data in the system and be validated to use those algorithms. | | style="background-color:white;" |'''36.5''' The system should use validated algorithms to de-identify data in the system and be validated to use those algorithms. | ||
|- | |- | ||
|} | |} | ||
|} | |} |
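Review bot: 36.4 is a separation-of-duties requirement (its own text says "i.e., segregate duties"), and in Rev. 5 that is AC-5 (Separation of Duties); AC-6 (Least Privilege), the control cited on the new line, is related but distinct, so the 36.4 citation should name AC-5, or AC-5 and AC-6 together. SI-19(7) (De-identification: Validated Algorithms and Software) is the correct Rev. 5 enhancement for 36.5 and needs no change.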
Revision as of 23:37, 3 May 2022