Recommended Security Controls for Federal Information Systems and Organizations for Microsoft Windows Server 2016
|ID: xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_Server_2016||Date: (C)2017-09-28 (M)2018-11-15|
|Status: draft||Version: 4.0|
|Platform: cpe:/o:microsoft:windows_server_2016||Source: [https://www.nist.gov]|
The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components11 of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems and effective risk management within the federal government by:
* Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations;
Providing a recommendation for minimum security controls for information systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems;
* Providing a stable, yet flexible catalog of security controls for information systems and organizations to meet current organizational protection needs and the demands of future protection needs based on changing requirements and technologies;
* Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness; and
* Improving communication among organizations by providing a common lexicon that supports discussion of risk management concepts.
The guidelines in this special publication are applicable to all federal information systems12 other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems.13 State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.
1.2 TARGET AUDIENCE
This publication is intended to serve a diverse audience of information system and information security professionals including:
* Individuals with information system or security management and oversight responsibilities (e.g., authorizing officials, chief information officers, senior information security officers,14 information system managers, information security managers);
* Individuals with information system development responsibilities (e.g., program and project managers, information technology product developers, information system designers and developers, systems integrators);
* Individuals with information security implementation and operational responsibilities (e.g., mission/business owners, information system owners, common control providers, information owners/stewards, information system security engineers, information system administrators, information system security officers); and
* Individuals with information system and information security assessment and monitoring responsibilities (e.g., auditors, Inspectors General, system evaluators, assessors/assessment teams, independent verification and validation assessors, information system owners).
Commercial companies producing information technology products and systems, creating information security-related technologies, and providing information security services can also benefit from the information in this publication.