You are on page 1of 11

IRS Office of Safeguards SCSEM

Internal Revenue Service


Office of Safeguards

SCSEM Subject: Network Assessment


SCSEM Version: 1.5
SCSEM Release Date: June 3, 2015

NOTICE:
The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test
environment prior to deployment in production. In some cases a security setting may impact a systems functionality and usability. Consequently,
it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration
should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data
files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

General Testing Information


Agency Name:
Agency Code:
Test Location:
Test Date:
Closing Date:
Shared Agencies:
Name of Tester:

Agency Representatives and Contact Information

Name:
Org:
Title:
Phone:
E-mail:

Name:
Org:
Title:
Phone:
E-mail:

This SCSEM was designed to comply with Section 508 of the Rehabilitation Act
Please submit SCSEM feedback and suggestions to SafeguardReports@IRS.gov
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program

348117775.xls Page 1 of 11
IRS Office of Safeguards SCSEM
Testing Results
INSTRUCTIONS:
Sections below are automatically calculated.

The 'Info' status is provided for use by the tester during test execution to indicate more information is needed to complete the test.
It is not an acceptable final test status, all test cases should be Pass, Fail or N/A at the conclusion of testing.

All SCSEM Test Results


Final Test Results (This table calculates all tests in the Test Cases tab) Overall SCSEM Statistics
Additional
Total Number of Weighted
Passed Failed Information N/A
Tests Performed Pass Rate
All SCSEM Tests Complete Blank Available
Requested
0 0 0 0 0 0 Totals 0 20 20

Weighted Score

348117775.xls Page 2 of 11
IRS Office of Safeguards SCSEM
Instructions
Introduction and Purpose:
This SCSEM is used by the IRS Office of Safeguards to evaluate an agencys network, focusing on key perimeter and internal network segment entry
points for network segments containing systems that receive, store, process or transmit FTI; and logical placement of networking equipment to ensure
control of the flow of FTI to and from the systems with FTI.

Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal
periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. Also the
agency can use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.

Test Cases Legend:


Test ID Pre-populated number to uniquely identify SCSEM test cases. The ID format includes the platform, platform version
and a unique number (01-XX) and can therefore be easily identified after the test has been executed.
NIST ID Mapping of test case requirements to one or more NIST SP 800-53 control identifiers for reporting purposes.
NIST Control Name Full name which describes the NIST ID.
Test Method: The test case is executed by Interview, Examine or Test methods in accordance with the test methodology specified
in NIST SP 800-53A. In test plans where SCAP testing is available, Automated and Manual indicators are added to
the Test method to indicate whether the test can be accomplished through the SCAP tool.
Test Objective Description of specifically what the test is designed to accomplish. The objective should be a summary of the
test case and expected results.
Test Procedures A detailed description of the step-by-step instructions to be followed by the tester. The test procedures should be
executed using the applicable NIST 800-53A test method (Interview, Examine, Test).
Expected Results Provides a description of the acceptable conditions allowed as a result of the test procedure execution.
Actual Results The tester shall provide appropriate detail describing the outcome of the test. The tester is responsible for identifying
Interviewees and Evidence to validate the results in this field or the separate Notes/Evidence field.
Status The tester indicates the status for the test results (Pass, Fail, Info, N/A). "Pass" indicates that the expected results
were met. "Fail" indicates the expected results were not met. "Info" is temporary and indicates that the test execution
is not completed and additional information is required to determine a Pass/Fail status. "N/A" indicates that the
test subject is not capable of implementing the expected results and doing so does not impact security. The tester
must determine the appropriateness of the "N/A" status.
Notes/Evidence As determined appropriate to the tester or as required by the test method, procedures or expected results, the tester
may need to provide additional information pertaining to the test execution (Interviewee, Documentation, etc.)
Criticality A baseline risk category has been pre-populated next to each control to assist agencies in establishing priorities for
corrective action. The reviewer has the discretion to change the prioritization to accurately reflect the risk and the overall
security posture based on environment specific testing.

348117775.xls Page 3 of 11
IRS Office of Safeguards SCSEM
Test Cases
Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-01 AU-12 Audit Generation Examine/ Network boundary devices, 1. Review the network boundary device 1. Verbose logging is enabled on all network
Interview including firewalls, network- configurations. boundary devices.
based IPS, and inbound and 2. Ensure that logs are being captured on
outbound proxies, are network boundary devices, including all activity
configured to verbosely log related to firewalls, network-based IPS,
all traffic (both allowed and inbound and outbound proxies (verbose
blocked) arriving at the logging is enabled).
device.

NET-02 AU-3 Content of Audit Examine/ Audit log settings capture 1. Validate audit log settings for each hardware 1. Systems record logs in a standardized
Records Interview consistent information in a device and the software installed on it, ensuring format such as syslog entries or those
standard format. that logs include a date, timestamp, source outlined by the Common Event Expression
addresses, destination addresses, and various initiative.
other useful elements of each packet and/or 2. If systems cannot generate logs in a
transaction. standardized format, log normalization tools
are deployed to convert logs into a
standardized format.

NET-03 AU-3 Content of Audit Examine/ All remote access (i.e., VPN, 1. Review the remote access points to the 1. All remote access to the network with FTI is
Records Interview dial-up, or other mechanism) network with FTI and determine how the logged.
to the network that contains remote access it being logged.
the systems with FTI, 2. Review the point where the external
whether to the DMZ or an demarcation point is to the internal FTI network
internal network, is logged. (DMZ or other location) and determine whether
the method of connection (VPN, dial-up, etc.) is
being logged.
3. Review the logs and ensure that remote
access users connection information is being
tracked from the demarcation point through to
the internal destination.

NET-04 AU-4 Audit Storage Examine/ Logs for network devices 1. Ensure that all network devices that store 1. Network device logs have adequate storage
Capacity Interview have been allocated logs have adequate storage space for the logs space and logs are backed up and archived
adequate storage space to generated, so that log files will not fill up off of the system for storage in accordance
retain audit records for the between log rotation intervals. with IRS requirements of 7 years.
required audit retention 2. Ensure that the logs are backed up, archived
period of 7 years. off of the system, and retained for a period of 7
years.
Note: At a minimum these
logs should contain security-
relevant events that satisfy
the (AU-2) requirements fom
IRS Publication 1075.

348117775.xls Page 4 of 11
IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-05 AU-6 Audit Review, Examine/ Network and host-based logs 1. Interview the system administrator and 1. System administrators/security personnel
Analysis, and Interview are reviewed on a weekly ensure that network and host-based logs are regularly review all network and host-based
Reporting basis for anomalies. reviewed on a weekly basis or more frequently logs on a weekly basis, are reviewing
at the discretion of the information system anomalies, and are documenting findings and
owner for indications of unusual activity related reporting in accordance with the agency's
to potential unauthorized access. incident reporting procedures.
2. Ask the system administrator to walk through 2. The agency's log review process includes
the review process and determine how regularly reviewing network activity for
anomalies are identified and handled. abnormal increases in network traffic from the
3. Ask about the agency's process for agency's normal traffic threshold.
monitoring increases in network activity. 3. Abnormal increases in network traffic
activity are reported in accordance with the
agency's incident reporting procedures

NET-06 CM-8 Information System Examine/ A software asset inventory of 1. Obtain the agency's IT software asset 1. The software inventory includes a list of
Component Inventory Interview all software used to receive, inventory (including software used in pre- authorized software that is required in the
process, store or transmit FTI production/development environments). enterprise for each type of system, including
is maintained in production 2. Review the IT software asset inventory to servers, workstations, and laptops of various
and pre-production verify systems that receive process, store or kinds and uses in production and pre-
environments. transmit FTI are included and identified. production environments.
3. Determine the process used to keep the
inventory current, and verify the inventory is up 2. The inventory tracks the version number
to date in accordance with the agency's policy. and patch level of the underlying operating
4. Determine if the agency has the capability to system as well as the installed applications.
monitor for unauthorized software on the
network. 3. The network is monitored for deviations
from the expected inventory of software, and
security and/or operations personnel are
alerted when deviations or unauthorized
software is discovered.

NET-07 CM-8 Information System Examine/ A hardware asset inventory 1. Obtain the agency's IT hardware asset 1. The organization maintains an asset
Component Inventory Interview of all systems and devices inventory (including hardware used in pre- inventory of the systems and devices that
that receive, process, store production/development environments). receive, process, store and transmit FTI in
or transmit FTI is maintained 2. Review the IT hardware asset inventory to production and pre-production environments,
in production and pre- verify systems that receive process, store or including but not limited to desktops, laptops,
production environments. transmit FTI are included and identified. servers, network equipment (routers,
3. Determine the process used to keep the switches, firewalls, etc.), printers, storage area
inventory current, and verify the inventory is up networks, voiceover-IP telephones, etc. The
to date in accordance with the agency's policy. inventory of information system components
4. Determine if the agency has the capability to includes detail such as make, model, OS,
monitor for unauthorized hosts on the network. type, model, serial number, physical location,
owner, and machine name.
2. The inventory includes systems and
devices that receive, store, process and
transmit FTI in a pre-production environment.
3. The inventory is kept current through
periodic manual inventory checks or a network
monitoring tool automatically maintains the
inventory.
4. The network is monitored for deviations
from the expected inventory of assets on the
network, and security and/or operations
personnel are alerted when deviations or
unauthorized hosts are discovered.

348117775.xls Page 5 of 11
IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-08 RA-5 Vulnerability Scanning Examine/ Network and system 1. Interview agency personnel to determine the 1. The agency conducts automated
Interview vulnerability scanning is frequency for automated vulnerability scanning vulnerability scanning against systems and
performed on a monthly of systems and networks that receive, store, networks that receive, store, process and
basis to identify process and transmit FTI. transmit FTI at least monthly.
vulnerabilities. 2. Examine procedures to determine the 2. The agency compares the results from
process for analyzing vulnerability scan reports back-to-back vulnerability scans to verify that
and results from security control assessments. vulnerabilities were addressed either by
3. Examine procedures to determine the patching, implementing a compensating
process for reporting vulnerabilities to control, or documenting and accepting a
designated personnel in the agency. reasonable business risk.
4. Examine the procedures for remediating 3. Security personnel share vulnerability
vulnerabilities in accordance with an agency reports indicating critical issues with senior
acceptance of risk. management.
4. Any vulnerability identified is remediated in
a timely manner, with critical vulnerabilities
taking highest priority.

NET-09 SC-7 Boundary Protection Examine/ The network architecture is 1. Review the agency's network diagram to 1. The agency's internal network is segmented
Interview layered to provide protection determine how traffic to systems that receive, into separate trust zones to provide more
to systems that receive, process, store or transmit FTI is limited only granular control of system access and
store, process or transmit services needed for authorized business use additional intranet boundary defenses.
FTI. and limited access to authorized personnel. Segmentation limits traffic to systems that
2. Identify all access points into the information receive, process, store or transmit FTI to only
system and how segmentation is handled, and services needed for business use and to
determine what protection is employed at each authorized personnel.
network segment where FTI is present. This 2.The network segment where the systems
review should cover the point where FTI enters that receive, store, process and transmit FTI
the network from the perimeter to where it is are located are protected with a firewall to
stored or currently resides. control the traffic into that network. There are
multiple layers of protection (defense-in-
depth).

NET-10 SC-7 Boundary Protection Examine/ Network Address Translation 1. Review the network traffic flow/data flow 1. The agency employs NAT to protect internal
Interview (NAT) is implemented at the diagram and determine where the demarcation IPs from being publicly disclosed.
public traffic demarcation point is for public traffic on the network. 2. If NAT is not implemented at the agencys
point on the network to 2. Review the boundary device located at that boundary firewall or router then it must be
protect internal addresses point and ensure that the router or firewall is implemented on each firewall or router that
from being disclosed publicly. configured with NAT enabled. protects network segments that contain
components which receive, process, store, or
transmit FTI.

NET-11 SC-7 Boundary Protection Examine/ The network architecture 1. Review the network traffic flow/data flow 1. Publicly accessible components reside in a *Criticality may be
Interview separates internal systems diagram to determine how publicly accessible screened subnet (DMZ) architecture to upgraded to Critical if FTI
from DMZ systems. information system components are protected provide boundary protection. systems are directly
and arranged. 2. DMZ systems do not contain FTI and accessible from the
internal systems with FTI are not directly Internet
accessible from the Internet.

348117775.xls Page 6 of 11
IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-12 SC-7 Boundary Protection Examine/ Managed interfaces 1. Review the agency's network diagram and 1. Firewalls and routers are configured to
Interview employing boundary FTI-applicable inventory devices. prohibit any Transmission Control Protocol
protection at Internet 2. Review the managed interfaces employing (TCP) or User Datagram Protocol (UDP)
gateways and internal boundary protection at the network perimeter service or other protocol/service that is not
network segments with FTI and network segment where FTI systems are explicitly permitted
implement ingress and located and determine what services (TCP and 2. For each permitted service, the following
egress filtering to allow only UDP) are permitted. information is documented:
those ports and protocols 3. For each permitted service, examine the - Service allowed (including TCP or UDP port
with an explicit and documented business need. number);
documented business need. 4. Determine if inbound filtering is enabled on - Service description;
managed interfaces employing boundary - Business case necessitating the service; and
protection at the network perimeter and
network segment where FTI systems are - Internal controls associated with the service.
located. 3. There are no services (TCP or UDP)
allowed except for the documented services.
4. Inbound filtering is implemented to reject
all data packets that have an internal agency
IP address.

NET-13 SC-7 Boundary Protection Examine/ Managed interfaces 1. Review the agency's network diagram and 1. The agency's managed interfaces
Interview employing boundary FTI-applicable inventory devices. employing boundary protection are configured
protection to systems with 2. Identify the managed interfaces employing to deny all traffic by default and allow traffic by
FTI are configured with a boundary protection (Firewall, IDS) and review exception.
default-deny rule that drops the settings to determine whether they are 2. Firewalls are configured to prohibit any
all traffic except those configured to deny all traffic by default and Transmission Control Protocol (TCP) or User
services and ports that are allow by exception. Firewalls shall be Datagram Protocol (UDP) service or other
explicitly allowed configured to prohibit any Transmission Control protocol/service that is not explicitly permitted
Protocol (TCP) or User Datagram Protocol
(UDP) service or other protocol/service that is
not explicitly permitted.

NET-14 SI-4 Information System Examine/ An intrusion detection system 1. Examine the logical network design to 1. Network-based IDS sensors are deployed
Monitoring Interview (IDS) is used to monitor identify the location of IDS sensors on the to monitor traffic on Internet and extranet DMZ
traffic at the agency's network. systems and networks, and network segments
network perimeter and the 2. Review the IDS settings and the network with FTI that look for unusual attack
perimeter of the network configuration to ensure that an IDS monitors mechanisms and detect compromise of these
segment with FTI. all traffic. systems.
2. The IDS is configured to look for attacks
from external sources directed at DMZ and
internal systems, as well as attacks originating
from internal systems against the DMZ or
Internet.

NET-15 Si-4 Information System Examine/ Systems employing boundary 1. Meet with the firewall and/or IDS 1. When agency firewalls, IDS, HIPS, and
Monitoring Interview protection (Firewall, IDS and administrator and/or the administrator(s) for other systems employing boundary protection
HIPS) generate an alert or e- systems employing boundary protection, to generate a real-time alert or e-mail notice
mail notice upon detection of determine how administrators are notified of regarding unauthorized packets based on a
a suspected attack. alerts for suspected attacks or attempts to suspected attack, or suspected attempt to
bypass system security measures (e.g., bypass system security occurs, administrators
through console dashboard or reporting are notified.
mechanism) 2. The alert is written to local and remote
consoles, an administrator must acknowledge
the alert, and the alert and administrator
acknowledgement are logged.

348117775.xls Page 7 of 11
IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-16 SI-4 Information System Examine/ Systems that receive, 1. Determine whether there are any host-to- 1. If host-to-gateway VPN connections exist to
Monitoring Interview process, store or transmit FTI gateway VPN connections to systems with FTI. systems with FTI where the traffic between the
that are accessible by a host- 2. For host-to-gateway VPN connections, VPN gateway and the destination host is not
to-gateway VPN employ at determine if the destination host with FTI protected by IPSec, a HIPS is installed on the
Host Intrusion Prevention employs a HIPS. destination host to provide defense-in-depth
System (HIPS). by detecting attacks and monitoring for
potentially malicious traffic.

NET-17 SI-4 Information System Examine/ Where network boundary 1. Review the network boundary protection 1. A HIPS is installed on each FTI-applicable
Monitoring Interview protection mechanisms are components and their settings. system which is logically positioned for
not granular enough to 2. Determine whether the boundary protection protection behind the boundary device. The
protect FTI components (for mechanisms are granular enough to HIPS should be specifically configured for
example a firewall is specifically protect FTI components or if the each individual device and those settings
employed which allows more firewall is too permissive (e.g., if the firewall should be documented.
ports/protocols than is allows more ports/protocols than necessary for
necessary for communication communication to the FTI component)
to the FTI component), a
Host Intrusion Prevention Note: This would be applicable if any of test
System (HIPS) is employed. cases 9-13 for the SC-7 control do not pass.

NET-18 SI-3 Malicious Code Examine Malicious code protection is 1. Interview agency personnel to determine 1. The agency employs malicious code *Criticality may be
Protection Interview implemented and current. whether malicious code protection software is protection mechanisms at information system upgraded to Critical if
configured to scan files transported by email, entry and exit points and at workstations, malicious code protection
email attachments, and web accesses. servers, or mobile computing devices on the mechanisms are not
2. Examine procedures to determine the network to detect and eradicate malicious implemented
process for updating malicious code protection code transported by email, email attachments,
software for signature definition releases. and web accesses.
3. Examine malicious code protection software 2. The malicious code protection software
to determine it is configured to perform periodic employs signature auto update features or
scans of the information system and real-time administrators manually push updates to all
scans of files from external sources as the files machines on a daily basis. After applying an
are downloaded, opened, or executed. update, each system is verified it has received
4. Examine procedures to determine the its signature update.
process for addressing the receipt of false 3. Malicious code protection software is
positives during malicious code detection and configured to perform periodic scans of the
eradication and the resulting potential impact information system and real-time scans of files
on the availability of the information system. from external sources as the files are
downloaded, opened, or executed.
4. Procedures are in place to address the
receipt of false positives during malicious
code detection and eradication and the
resulting potential impact on the availability of
the information system.

NET-19 SI-3 Malicious Code Examine/ Laptops, workstations, and 1. Interview system administrators and 1. Servers, workstations, and laptops are not
Protection Interview servers are configured to not determine whether servers, workstations, and configured to auto-run removable media.
auto-run content from USB laptops are configured to ensure that
tokens (i.e., "thumb drives"), removable media does not auto-run when
USB hard drives, CDs/DVDs, connected (i.e. USB hard drives, CD/DVD
Firewire devices, external drives).
serial advanced technology 2. Sample the FTI-applicable inventory and
attachment devices, mounted choose at least one server, workstation, and
network shares, or other laptop, review the configuration to make sure
removable media. that the infrastructure is not configured to auto
run removable media.

348117775.xls Page 8 of 11
IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-20 SI-3 Malicious Code Examine/ Laptops, workstations, and 1. Interview system administrators and ensure 1. Servers, workstations, and laptops are
Protection Interview servers are configured to that FTI-applicable infrastructure is configured configured to automatically scan removable
conduct an automated anti- to automatically run an anti-malware scan media for malware when inserted.
malware scan of removable (such as Symantec or McAfee) when the
media when it is inserted. removable media is inserted.
2. Sample the FTI-applicable inventory and
choose at least, one server, workstation, and
laptop, review the configuration to make sure
that the infrastructure automatically scans
removable media for malware when it is
inserted.

348117775.xls Page 9 of 11
IRS Office of Safeguards SCSEM
Appendix
SCSEM Sources:
This SCSEM was created for the IRS Office of Safeguards based on the following resources.
IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies
NIST SP 800-53 Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations (April 2013)
NIST SP 800-41 Guidelines on Firewalls and Firewall Policy
DISA Network Policy Security Technical Implementation Guide Version 8 Release 4 29 October 2010
DISA Firewall Security Technical Implementation Guide Version 8 Release 3 27 August 2010
Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG) Version 3.0 15 April 2011

Out of Scope Controls - Unselected NIST 800-53 Controls


Reason: Not required by Publication 1075. See Publication 1075 for more details.
AC-21, AU-13, AU-14, CP-3, CP-8, CP-9, CP-10, IA-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PM-1, PM-3, PM-5, PM-6, PM-7, PM-8,
PM-9, PM-10, PM-11, SA-12, SA-13, SA-14, SC-16, SC-20, SC-22, SC-25, SC-26, SC-27, SC-28, SC-29, SC-30, SC-31, SC-33, SC-34, SI-8, SI-13

Out of Scope Controls - Policy & Procedural Controls


Reason: Tested in the Management, Operational and Technical (MOT) SCSEM
AC-1, AC-14, AC-18, AC-19, AC-20, AC-22, AT-3, AT-4, AU-1, AU-7, AU-11, CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CM-1, CM-2, CM-3, CM-4, CM-5,
CM-6, CM-7, CM-8, CM-9, CP-1, CP-2, CP-4, CP-6, IA-1, IR-3, IR-7, IR-8, MA-1, MA-2, MA-3, MA-4, MA-5, PL-1, PL-2, PL-4, PL-5, PL-6, PM-2, RA-1,
RA-2, RA-3, RA-5, SA-1, SA-2, SA-3, SA-4, SA-5, SA-6, SA-7, SA-8, SA-10, SA-11, SC-1, SC-5, SC-7, SC-12, SC-15, SC-17, SC-18, SC-19, SC-32,
SI-1, SI-4, SI-5, SI-7, SI-9, SI-10, SI-11

Out of Scope Controls - Physical Security or Disclosure Controls


Reason: Tested in the Safeguard Disclosure Security Evaluation Matrix (SDSEM)
AT-1, AT-2, CP-7, IR-1, IR-2, IR-4, IR-5, IR-6, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PE-16,
PE-17, PE-18, PM-4, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-9, SI-12

348117775.xls Page 10 of 11
IRS Office of Safeguards SCSEM
Change Log
Version Date Description of Changes Author
0.1 2/18/2011 First Release Booz Allen Hamilton
0.2 6/29/2011 Updated based on Network Defense-in-Depth Memo Release Booz Allen Hamilton
0.3 11/24/2011 Updated based on Top 20 Critical Security Controls Booz Allen Hamilton
0.4 12/8/2011 Updated based on internal feedback session. Booz Allen Hamilton
1.0 9/28/2012 Update to new template. Increase version to 1.0. Booz Allen Hamilton
1.1 2/12/2013 Minor update to correct worksheet locking capabilities. Added back NIST control name to Test Cases Tab. Booz Allen Hamilton

1.2 9/26/2013 Update test cases based on NIST 800-53 R4 Booz Allen Hamilton
1.3 4/11/2014 No major updates. Template update. Booz Allen Hamilton
1.4 1/9/2015 Added baseline Criticality Score and Issue Codes, weighted test cases based on criticality, and updated Results Booz Allen Hamilton
1.4.1 1/28/2015 Updated baseline Criticality Scores per risk management initiative and feedback Booz Allen Hamilton
1.5 6/3/2015 Updated NET-08 to meet IRS Requirement for monthly scanning. NET-05 & NET-04 updated to IRS Booz Allen Hamilton
Requirement for weekly review of audit logs and 7 years of log retention.

348117775.xls Page 11 of 11