Fundamental requirement | SL1 | SL2 | SL3 | SL4 |
FR 1 – Identification and authentication control (IAC) | ||||
SR 1.1 – Human user identification and authentication | x | x | x | x |
SR 1.1 RE 1 – Unique identification and authentication | x | x | ||
SR 1.1 RE 2 – Multifactor authentication for untrusted networks | x | x | ||
SR 1.1 RE 3 – Multifactor authentication for all networks | x | |||
SR 1.2 – Software process and device identification and authentication | x | x | x | |
SR 1.2 RE 1 – Unique identification and authentication | x | x | ||
SR 1.3 – Account management | x | x | x | x |
SR 1.3 RE 1 – Unified account management | x | x | ||
SR 1.4 – Identifier management | x | x | x | x |
SR 1.5 – Authenticator management | x | x | x | x |
SR 1.5 RE 1 – Hardware security for software process identity credentials | x | x | ||
SR 1.6 – Wireless access management | x | x | x | x |
SR 1.6 RE 1 – Unique identification and authentication | x | x | ||
SR 1.7 – Strength of password-based authentication | x | x | x | x |
SR 1.7 RE 1 – Password generation and lifetime restrictions for human users | x | x | ||
SR 1.7 RE 2 – Password lifetime restrictions for all users | x | |||
SR 1.8 – Public key infrastructure certificates | x | x | x | |
SR 1.9 – Strength of public key authentication | x | x | x | |
SR 1.9 RE 1 – Hardware security for public key authentication | x | x | ||
SR 1.10 – Authenticator feedback | x | x | x | x |
SR 1.11 – Unsuccessful login attempts | x | x | x | x |
SR 1.12 – System use notification | x | x | x | x |
SR 1.13 – Access via untrusted networks | x | x | x | x |
SR 1.13 RE 1 – Explicit access request approval | x | x | x | |
FR 2 – Use control (UC) | ||||
SR 2.1 – Authorization enforcement | x | x | x | x |
SR 2.1 RE 1 – Authorization enforcement for all users | x | x | x | |
SR 2.1 RE 2 – Permission mapping to roles | x | x | x | |
SR 2.1 RE 3 – Supervisor override | x | x | ||
SR 2.1 RE 4 – Dual approval | x | |||
SR 2.2 – Wireless use control | x | x | x | x |
SR 2.2 RE 1 – Identify and report unauthorized wireless devices | x | x | ||
SR 2.3 – Use control for portable and mobile devices | x | x | x | x |
SR 2.3 RE 1 – Enforcement of security status of portable and mobile devices | x | x | ||
SR 2.4 – Mobile code | x | x | x | x |
SR 2.4 RE 1 – Mobile code integrity check | x | x | ||
SR 2.5 – Session lock | x | x | x | x |
SR 2.6 – Remote session termination | x | x | x | |
SR 2.7 – Concurrent session control | x | x | ||
SR 2.8 – Auditable events | x | x | x | x |
SR 2.8 RE 1 – Centrally managed, system-wide audit trail | x | x | ||
SR 2.9 – Audit storage capacity | x | x | x | x |
SR 2.9 RE 1 – Warn when audit record storage capacity threshold reached | x | x | ||
SR 2.10 – Response to audit processing failures | x | x | x | x |
SR 2.11 – Timestamps | x | x | x | |
SR 2.11 RE 1 – Internal time synchronization | x | x | ||
SR 2.11 RE 2 – Protection of time source integrity | x | |||
SR 2.12 – Non-repudiation | x | x | ||
SR 2.12 RE 1 – Non-repudiation for all users | x | |||
FR 3 – System integrity (SI) | ||||
SR 3.1 – Communication integrity | x | x | x | x |
SR 3.1 RE 1 – Cryptographic integrity protection | x | x | ||
SR 3.2 – Malicious code protection | x | x | x | x |
SR 3.2 RE 1 – Malicious code protection on entry and exit points | x | x | ||
SR 3.2 RE 2 – Central management and reporting for malicious code protection | x | x | ||
SR 3.3 – Security functionality verification | x | x | x | x |
SR 3.3 RE 1 – Automated mechanisms for security functionality verification | x | x | ||
SR 3.3 RE 2 – Security functionality verification during normal operation | x | |||
SR 3.4 – Software and information integrity | x | x | x | |
SR 3.4 RE 1 – Automated notification about integrity violations | x | x | ||
SR 3.5 – Input validation | x | x | x | x |
SR 3.6 – Deterministic output | x | x | x | x |
SR 3.7 – Error handling | x | x | x | |
SR 3.8 – Session integrity | x | x | x | |
SR 3.8 RE 1 – Invalidation of session IDs after session termination | x | x | ||
SR 3.8 RE 2 – Unique session ID generation | x | x | ||
SR 3.8 RE 3 – Randomness of session IDs | x | |||
SR 3.9 – Protection of audit information | x | x | x | |
SR 3.9 RE 1 – Audit records on write-once media | x | |||
FR 4 – Data confidentiality (DC) | ||||
SR 4.1 – Information confidentiality | x | x | x | x |
SR 4.1 RE 1 – Protection of confidentiality at rest or in transit via untrusted networks | x | x | ||
SR 4.1 RE 2 – Protection of confidentiality across zone boundaries | x | |||
SR 4.2 – Information persistence | x | x | x | |
SR 4.2 RE 1 – Purging of shared memory resources | x | x | ||
SR 4.3 – Use of cryptography | x | x | x | x |
FR 5 – Restricted data flow (RDF) | ||||
SR 5.1 – Network segmentation | x | x | x | x |
SR 5.1 RE 1 – Physical network segmentation | x | x | x | |
SR 5.1 RE 2 – Independence from non-control system networks | x | x | ||
SR 5.1 RE 3 – Logical and physical isolation of critical networks | x | |||
SR 5.2 – Zone boundary protection | x | x | x | x |
SR 5.2 RE 1 – Deny by default, allow by exception | x | x | x | |
SR 5.2 RE 2 – Island mode | x | x | ||
SR 5.2 RE 3 – Fail close | x | x | ||
SR 5.3 – General purpose person-to-person communication restrictions | x | x | x | x |
SR 5.3 RE 1 – Prohibit all general purpose person-to-person communications | x | x | ||
SR 5.4 – Application partitioning | x | x | x | x |
FR 6 – Timely response to events (TRE) | ||||
SR 6.1 – Audit log accessibility | x | x | x | x |
SR 6.1 RE 1 – Programmatic access to audit logs | x | x | ||
SR 6.2 – Continuous monitoring | x | x | x | |
FR 7 – Resource availability (RA) | ||||
SR 7.1 – Denial of service protection | x | x | x | x |
SR 7.1 RE 1 – Manage communication loads | x | x | x | |
SR 7.1 RE 2 – Limit DoS effects to other systems or networks | x | x | ||
SR 7.2 – Resource management | x | x | x | x |
SR 7.3 – Control system backup | x | x | x | x |
SR 7.3 RE 1 – Backup verification | x | x | x | |
SR 7.3 RE 2 – Backup automation | x | x | ||
SR 7.4 – Control system recovery and reconstitution | x | x | x | x |
SR 7.5 – Emergency power | x | x | x | x |
SR 7.6 – Network and security configuration settings | x | x | x | x |
SR 7.6 RE 1 – Machine-readable reporting of current security settings | x | x | ||
SR 7.7 – Least functionality | x | x | x | x |
SR 7.8 – Control system component inventory | x | x | x |