What is the importance of a customer shared responsibility matrix (SRM)? Many defense contractors that make up the Defense Industry Base (DIB) rely on external service providers to meet federal requirements like DFARS 7012, NIST SP 800-171, and eventually CMMC 2.0. Add to that the confusion around how to meet specific requirements, and the question of what the DIB contractor is responsible for when much of the infrastructure is outsourced becomes even more complex. An SRM should be an initial guide for the DIB contractor when selecting a vendor to partner with on their compliance journey.
At KTL, our clients rely on our expertise in Microsoft’s GCC/GCC High, Azure, Azure Government, and Dynamics, along with our assistance in their compliance efforts. Whether it entails building out an environment that can be made compliant with the requirements or providing assistance with ongoing maintenance and documentation, KTL is there to stand shoulder to shoulder with the client through the process.
Overview
KTL 360 for the Secure Enclave was developed from our Defense Industry Base customers’ need for help in simplifying the process of preparing to meet NIST 800-171 and CMMC. As part of that process, we have developed this Shared Responsibility Matrix (SRM) to outline what you, as the customer, should be performing as part of your requirements for achieving compliance with NIST 800-171 and CMMC. For details on what documentation and services are covered under KTL 360, please refer to our KTL 360 – Defense & Aerospace brochure.
Customer Responsibility Assumptions
Throughout the document there will be many references to a customer having no responsibility for a practice within a domain. It is assumed that a customer will have the appropriate policies, procedures, and documentation in place to meet each practice. KTL will assist in the development of the appropriate documentation (policy, procedures, system security plan, etc.) as it relates to the secure enclave. The customer will be responsible for working with the assigned KTL resource(s) to create, update, and review all the required documentation on a periodic basis once it has been created. The customer will be responsible for having a senior member of their company sign off on acceptance of policies and procedures once they are in place.
NOTE: If a customer has IT staff that will be co-managing the environment with KTL many of the ‘No responsibility’ items will be shared.
| Practices | Requirement | KTL Responsibilities | Customer Responsibilities |
|---|---|---|---|
| Access Control | | | |
| AC.L1-3.1.1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). | KTL is responsible for adding/removing user access, processes, and devices in Active Directory (AD), Azure Active Directory (AAD), and other services as required. | Providing a list of authorized users and roles. |
| AC.L1-3.1.2 | Limit system access to the types of transactions and functions that authorized users are permitted to execute. | KTL is responsible for assigning the appropriately configured role, roles, or permissions to users, processes, or devices. | Define the various roles and system access requirements for configuration by KTL. |
| AC.L1-3.1.20 | Verify and control/limit connections to and use of external information systems. | KTL will configure logical access controls to control and limit connections to external systems based on customer-defined sites. | Provide a list of authorized external sites. |
| AC.L1-3.1.22 | Control information posted or processed on publicly accessible systems. | No responsibility | This is a customer-only responsibility. |
| AC.L2-3.1.3 | Control the flow of CUI in accordance with approved authorizations. | KTL will configure access controls in the secure enclave to control the flow of CUI to authorized users in the environment. Configurations are based on information provided under AC.L1-3.1.1/2. KTL will also create a data flow diagram of the information system. | No responsibility |
| AC.L2-3.1.4 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | KTL will separate administrator duties within the secure enclave. All administrative activities will be monitored and logged in the SIEM to reduce the risk of malevolent activity without collusion. | No responsibility |
| AC.L2-3.1.5 | Employ the principle of least privilege, including for specific security functions and privileged accounts. | KTL administrative staff will have limited access rights based on the duties performed. Access rights will be assigned based on the principle of least privilege, with the appropriate security functions to perform a specific assigned duty. | No responsibility |
| AC.L2-3.1.6 | Use non-privileged accounts or roles when accessing nonsecurity functions. | All customer users will be assigned specific role(s) and access rights based on information provided under AC.L1-3.1.1/2. | No responsibility |
| AC.L2-3.1.7 | Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs. | KTL will configure the system to prevent non-privileged users from executing privileged functions. All privileged functions will be captured in the SIEM. | No responsibility |
| AC.L2-3.1.8 | Limit unsuccessful logon attempts. | KTL will set configurations to limit unsuccessful logon attempts based on the customer’s organizational policy. | Responsible for defining the unsuccessful login attempt limit in policy. |
| AC.L2-3.1.9 | Provide privacy and security notices consistent with applicable CUI rules. | KTL will configure logon banners with privacy and security notices based on the customer-defined organizational policy. | Responsible for defining the content of privacy and security notices in policy. |
| AC.L2-3.1.10 | Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity. | KTL will set configurations to perform a session lock with a screen saver displayed after 15 minutes of inactivity. | Responsible for providing modification requests for any deviation from the standard configured inactivity time limit. |
| AC.L2-3.1.11 | Terminate (automatically) a user session after a defined condition. | KTL will configure the Azure Virtual Desktop (AVD) hosts to disconnect after 2 hours of activity. | Responsible for providing modification requests for any deviation from the standard configured session termination time limit. |
| AC.L2-3.1.12 | Monitor and control remote access sessions. | KTL will configure logical access controls on all remote access to the environment. Remote access session logs will be audited and monitored. | No responsibility |
| AC.L2-3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | KTL will configure the environment to utilize encryption for remote access sessions to the environment. | No responsibility |
| AC.L2-3.1.14 | Route remote access via managed access control points. | KTL will configure all connections to route/authenticate through a managed access point. | No responsibility |
| AC.L2-3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | KTL will authorize assigned administrative users with the rights to execute privileged commands for security-relevant tasks. | No responsibility |
| AC.L2-3.1.16 | Authorize wireless access prior to allowing such connections. | NOTE: There are no wireless access points set up for the secure enclave environment. | No responsibility |
| AC.L2-3.1.17 | Protect wireless access using authentication and encryption. | NOTE: There are no wireless access points set up for the secure enclave environment. | No responsibility |
| AC.L2-3.1.18 | Control connection of mobile devices. | NOTE: Mobile devices are not configured to have access into the secure enclave. | No responsibility |
| AC.L2-3.1.19 | Encrypt CUI on mobile devices and mobile computing platforms. | NOTE: Mobile devices are not configured to have access into the secure enclave. | No responsibility |
| AC.L2-3.1.21 | Limit use of portable storage devices on external systems. | KTL will configure the system to not allow the connection and use of portable storage devices. | No responsibility |
| Awareness and Training | | | |
| AT.L2-3.2.1 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. | KTL will provide administrative staff with the appropriate security awareness training. | Provide customer staff with the appropriate security awareness training. |
| AT.L2-3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. | KTL will provide administrative staff with the appropriate training to perform assigned duties. | No responsibility |
| AT.L2-3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. | KTL will provide administrative staff with the appropriate insider threat training. | Provide customer staff with the appropriate insider threat training. |
| Audit and Accountability | | | |
| AU.L2-3.3.1 | Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | KTL will configure the system to retain system audit logs and records for monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. | No responsibility |
| AU.L2-3.3.2 | Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. | KTL will configure the system with the customer’s user information, and log user actions in the system. | No responsibility |
| AU.L2-3.3.3 | Review and update logged events. | KTL will review logs on a bi-annual basis and update the types of logs being reviewed as required. | No responsibility |
| AU.L2-3.3.4 | Alert in the event of an audit logging process failure. | KTL will configure the system to alert in the event of an audit logging failure. | No responsibility |
| AU.L2-3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. | KTL will configure the system to pull in and correlate log data from various components to support alerting on indicators of potentially unauthorized activity. | No responsibility |
| AU.L2-3.3.6 | Provide audit record reduction and report generation to support on-demand analysis and reporting. | KTL will configure the system to provide audit record reduction to support on-demand reporting for analysis. | No responsibility |
| AU.L2-3.3.7 | Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | KTL will configure the system to utilize the Microsoft Network Time Servers as the authoritative source. | No responsibility |
| AU.L2-3.3.8 | Protect audit information and audit logging tools from unauthorized access, modification, and deletion. | KTL will use role-based access controls, separation of responsibilities, and a SIEM to log and protect audit information and tools. | No responsibility |
| AU.L2-3.3.9 | Limit management of audit logging functionality to a subset of privileged users. | KTL will limit the management of audit logging functionality to a subset of privileged users. | No responsibility |
| Configuration Management | | | |
| CM.L2-3.4.1 | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | KTL will maintain the baseline configurations of all systems in the environment. | No responsibility |
| CM.L2-3.4.2 | Establish and enforce security configuration settings for information technology products employed in organizational systems. | KTL will configure the access controls to enforce the established security configurations. | No responsibility |
| CM.L2-3.4.3 | Track, review, approve or disapprove, and log changes to organizational systems. | KTL will track, review, and log changes to the environment. | Customer is responsible for approving/disapproving changes. |
| CM.L2-3.4.4 | Analyze the security impact of changes prior to implementation. | KTL will analyze the security impact of changes prior to implementation. | No responsibility |
| CM.L2-3.4.5 | Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. | KTL will configure and document all logical access controls that are approved and enforced in the environment. | No responsibility |
| CM.L2-3.4.6 | Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. | KTL will utilize configuration baselines from Microsoft and additional vendor configuration baselines to employ the principle of least functionality in the environment. | No responsibility |
| CM.L2-3.4.7 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. | KTL will utilize configuration baselines from Microsoft and additional vendor baseline configurations to prevent the use of nonessential programs, functions, ports, protocols, and services in the environment. | No responsibility |
| CM.L2-3.4.8 | Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | KTL will configure the system to prevent the execution of applications that are not explicitly authorized to run in the environment. | Responsible for informing KTL of any additional applications that will need to be authorized for the environment. |
| CM.L2-3.4.9 | Control and monitor user-installed software. | KTL will configure the environment to disallow the installation of unauthorized software. | No responsibility |
| Identification and Authentication | | | |
| IA.L1-3.5.1 | Identify information system users, processes acting on behalf of users, or devices. | KTL will configure the system to identify users, processes, and devices accessing the environment. | No responsibility |
| IA.L1-3.5.2 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | KTL will configure the environment to require authentication prior to access. | No responsibility |
| IA.L2-3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | KTL will configure the environment to require MFA for all access. | No responsibility |
| IA.L2-3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | KTL will configure and validate that the system is utilizing replay-resistant technology. | No responsibility |
| IA.L2-3.5.5 | Prevent reuse of identifiers for a defined period. | KTL will follow the customer’s preference around the reuse of identifiers. | Customer must define the period of time before identifiers may be reused. |
| IA.L2-3.5.6 | Disable identifiers after a defined period of inactivity. | KTL will configure the system to disable identifiers based on the customer’s policy. | Customer must define the period of inactivity before an identifier is disabled. |
| IA.L2-3.5.7 | Enforce a minimum password complexity and change of characters when new passwords are created. | KTL will configure identity services to enforce a minimum password complexity requirement. | No responsibility |
| IA.L2-3.5.8 | Prohibit password reuse for a specified number of generations. | KTL will configure the system to prohibit password reuse for a specified number of generations. | No responsibility |
| IA.L2-3.5.9 | Allow temporary password use for system logons with an immediate change to a permanent password. | KTL will configure the system to allow temporary password use with an immediate change requirement to a permanent password. | No responsibility |
| IA.L2-3.5.10 | Store and transmit only cryptographically-protected passwords. | KTL will configure and validate that the system is only storing or transmitting cryptographically protected passwords. | No responsibility |
| IA.L2-3.5.11 | Obscure feedback of authentication information. | KTL will configure and validate that the system is obscuring feedback of authentication information. | No responsibility |
| Incident Response | | | |
| IR.L2-3.6.1 | Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities. | KTL will configure the information system to alert on potential indicators of compromise in the environment. | Customer is responsible for creating an IR policy and plan, along with participating in any IR activities. |
| IR.L2-3.6.2 | Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. | KTL will track incidents that are reported by the client or vendors in an IT ticketing system. | Customer is responsible for reporting any incidents regarding IT systems in the environment. |
| IR.L2-3.6.3 | Test the organizational incident response capability. | KTL will perform tabletop exercises annually to test and validate the organization’s IR plan. | Customer is responsible for participating in IR tests as necessary. |
| Maintenance | | | |
| MA.L2-3.7.1 | Perform maintenance on organizational systems. | KTL will perform ongoing maintenance and patching of systems in the environment. | Customer is responsible for notifying KTL of any maintenance window constraints.* |
| MA.L2-3.7.2 | Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | KTL will control all tools, techniques, mechanisms, and personnel used to conduct system maintenance. | No responsibility |
| MA.L2-3.7.3 | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | NOTE: All equipment that the secure enclave resides on is managed by Microsoft. | No responsibility |
| MA.L2-3.7.4 | Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. | NOTE: Azure hosted resources do not allow the introduction of physical media. Any diagnostic and test programs that are downloaded into the environment are scanned by Microsoft Defender Antivirus and analyzed by Defender for Endpoint for malicious code before execution and for activity while executing. | No responsibility |
| MA.L2-3.7.5 | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | KTL will configure the system to enforce the use of multifactor authentication for all remote connections to the environment. In addition, automated mechanisms will be configured to terminate sessions after a defined period of inactivity. | No responsibility |
| MA.L2-3.7.6 | Supervise the maintenance activities of maintenance personnel without required access authorization. | KTL will supervise the maintenance activity of personnel without prior access authorizations. | No responsibility |
| Media Protection | | | |
| MP.L1-3.8.3 | Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | KTL will configure the system to not allow connections of external media. | No responsibility |
| MP.L2-3.8.1 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. | KTL will configure the system to not allow connections of external media. | No responsibility |
| MP.L2-3.8.2 | Limit access to CUI on system media to authorized users. | KTL will configure logical access to CUI on system media for authorized users based on the customer’s requirements. | Customer is responsible for notifying KTL of who should have logical access to CUI in the secure enclave. |
| MP.L2-3.8.4 | Mark media with necessary CUI markings and distribution limitations. | KTL will configure the system to not allow connections of external media. | Customer is responsible for marking any physical media received prior to data entry into the environment. |
| MP.L2-3.8.5 | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | KTL will configure the system to not allow connections of external media. | No responsibility |
| MP.L2-3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | KTL will configure the system to not allow connections of external media. | No responsibility |
| MP.L2-3.8.7 | Control the use of removable media on system components. | KTL will configure the system to not allow connections of external media. | No responsibility |
| MP.L2-3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | KTL will configure the system to not allow connections of external media. | No responsibility |
| MP.L2-3.8.9 | Protect the confidentiality of backup CUI at storage locations. | KTL will configure the system to perform backups. NOTE: This is a shared responsibility handled by Microsoft and AvePoint. | No responsibility |
| Personnel Security | | | |
| PS.L2-3.9.1 | Screen individuals prior to authorizing access to organizational systems containing CUI. | KTL will screen all staff prior to granting access to the system. | Customer is responsible for their own screening process. |
| PS.L2-3.9.2 | Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. | KTL will remove/change access of users based on the customer’s request. | Customer is responsible for notifying KTL of terminations or transfers of staff. |
| Physical Protection | | | |
| PE.L1-3.10.1 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | NOTE: All physical access to information systems/equipment is a shared responsibility managed by Microsoft. | No responsibility |
| PE.L1-3.10.3 | Escort visitors and monitor visitor activity. | KTL maintains physical access logs for visitors when at the office. KTL also has a secure enclave configured for KTL 360 services. NOTE: All physical access to information systems/equipment is a shared responsibility managed by Microsoft. | Customer is responsible for escorting visitors who are on premises if there is a physical corporate location that staff are working from. |
| PE.L1-3.10.4 | Maintain audit logs of physical access. | KTL maintains physical access logs for visitors when at the office. KTL also has a secure enclave configured for KTL 360 services. NOTE: All physical access to information systems/equipment is a shared responsibility managed by Microsoft. | Customer is responsible for audit logs of physical access if there is a physical corporate location that staff are working from. |
| PE.L1-3.10.5 | Control and manage physical access devices. | KTL manages and administers all keycard access to the office. NOTE: The secure enclave utilizes only IaaS and SaaS as part of its security boundary. Microsoft and AvePoint implement this requirement as part of their FedRAMP ATO. | Customer is responsible for managing and administering all physical access devices if there is a corporate owned/leased facility. |
| PE.L2-3.10.2 | Protect and monitor the physical facility and support infrastructure for organizational systems. | NOTE: All physical access to information systems/equipment is a shared responsibility managed by Microsoft. | No responsibility |
| PE.L2-3.10.6 | Enforce safeguarding measures for CUI at alternate work sites. | KTL will configure the system to not allow information to be extracted/copied/printed outside of the environment. | Customer is responsible for having a work-from-home policy if staff are not working on premises. |
| Risk Assessment | | | |
| RA.L2-3.11.1 | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. | KTL can work with the customer to perform a periodic assessment of the environment. | Customer is responsible for either performing a periodic risk assessment or requesting assistance from KTL. |
| RA.L2-3.11.2 | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. | KTL will configure the system to scan for vulnerabilities periodically and when new vulnerabilities are identified. | No responsibility |
| RA.L2-3.11.3 | Remediate vulnerabilities in accordance with risk assessments. | KTL will handle all vendor-documented remediation on system components in the environment. | No responsibility |
| Security Assessment | | | |
| CA.L2-3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. | KTL will periodically assess the security controls in the environment to determine if each control is still effective in its application. | Customer is responsible for the applicable controls defined herein. |
| CA.L2-3.12.2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. | KTL will maintain and execute on a plan of action and milestones. | Customer is responsible for reviewing and approving plan of action remediation activities. |
| CA.L2-3.12.3 | Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. | KTL will monitor the security controls in the environment. | No responsibility |
| CA.L2-3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. | KTL will maintain a system security plan (SSP) representative of the customer environment. | Customer is responsible for all controls not already documented in the SSP provided by KTL. |
| System and Communication Protection | | | |
| SC.L1-3.13.1 | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | KTL will define internal and external systems in a supplied network diagram. In addition, KTL will use logical access restrictions to monitor, control, and protect communications in the environment. | No responsibility |
| SC.L1-3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | KTL will implement subnetworks for publicly accessible systems as requested by the customer. | No responsibility |
| SC.L2-3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. | KTL will configure the system to utilize architectural designs and systems engineering principles that promote effective information security. | Customer is responsible for software development techniques if they create/design software for use in the system. |
| SC.L2-3.13.3 | Separate user functionality from system management functionality. | KTL will separate user functionality from system management functionality and maintain the administrative functions of the environment. | No responsibility |
| SC.L2-3.13.4 | Prevent unauthorized and unintended information transfer via shared system resources. | NOTE: The environment uses logical restrictions within the Windows operating system that prevent users from accessing the processes and memory of other users. File and folder access control lists prevent unauthorized and unintended access to user storage by anyone other than the intended user or a system administrator. | No responsibility |
| SC.L2-3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | KTL will configure the system to deny all and permit by exception. | No responsibility |
| SC.L2-3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). | NOTE: Connections into the environment utilize publicly accessible endpoints, but do not allow split tunneling outside of the environment once logged in. | No responsibility |
| SC.L2-3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | NOTE: The environment utilizes TLS encryption, which is managed by Microsoft. | No responsibility |
| SC.L2-3.13.9 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | KTL will configure the system to terminate user sessions after 2 hours of inactivity. | Customer can submit a request for a non-standard session termination configuration. |
| SC.L2-3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems. | NOTE: The environment utilizes only IaaS and SaaS. Microsoft and AvePoint manage cryptographic keys as part of their FedRAMP ATO. | No responsibility |
| SC.L2-3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | KTL will configure the system to enforce the use of only FIPS-validated cryptography. | No responsibility |
| SC.L2-3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | NOTE: Collaborative computing devices are not configured and/or utilized in the environment. | No responsibility |
| SC.L2-3.13.13 | Control and monitor the use of mobile code. | KTL will configure the environment to control and monitor the use of mobile code. | No responsibility |
| SC.L2-3.13.14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | KTL will configure the system to deny all and allow by exception which VoIP technology is permitted to run within the environment, based on a customer request. | Customer is responsible for informing KTL which VoIP provider they may be utilizing within the secure enclave (e.g., CallTower, AT&T). |
| SC.L2-3.13.15 | Protect the authenticity of communications sessions. | KTL will configure the system to use TLS-based encryption and provide notifications if TLS-based encryption fails. | No responsibility |
| SC.L2-3.13.16 | Protect the confidentiality of CUI at rest. | NOTE: This is a shared responsibility that is managed by Microsoft and AvePoint. The implementation of encryption at rest is covered as part of the IaaS and SaaS and documented in their respective FedRAMP documentation. | No responsibility |
| System and Information Integrity | | | |
| SI.L1-3.14.1 | Identify, report, and correct information and information system flaws in a timely manner. | KTL will be responsible for identifying, reporting, and correcting information system flaws of systems that are configured for the environment. | Customer is responsible for identifying, reporting, and correcting information system flaws for any customer-deployed systems (e.g., HR, payroll). |
| SI.L1-3.14.2 | Provide protection from malicious code at appropriate locations within organizational information systems. | KTL will configure the system to utilize security features in the environment to protect against malicious code at all appropriate locations. | No responsibility |
| SI.L1-3.14.4 | Update malicious code protection mechanisms when new releases are available. | KTL will configure automated updates to malicious code protection mechanisms. | No responsibility |
| SI.L1-3.14.5 | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | KTL will configure the system to perform periodic scans on a daily basis or real-time scans of files from external sources prior to the downloading, opening, or execution of files. | No responsibility |
| SI.L2-3.14.3 | Monitor system security alerts and advisories and take action in response. | KTL will monitor security alerts and advisories for the environment and take the appropriate response actions. | Customer is responsible for subscribing to alerts (e.g., CISA, ISAC). |
| SI.L2-3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | KTL will configure the system to monitor for and detect attacks and indicators of potential attacks. | No responsibility |
| SI.L2-3.14.7 | Identify unauthorized use of organizational systems. | KTL will configure the environment to monitor and audit system use for potential unauthorized use. | No responsibility |