diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md index 27d551c704d..a070e6e043d 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md @@ -38,7 +38,7 @@ The organizational risk management strategy is a key factor in establishing poli The following controls are related to this control: -* PM-9. +* PM-09 For more information, refer to the NIST Special Publications 800-12 and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md index 0f1ec23598a..eed451ceb1a 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md @@ -44,7 +44,7 @@ The organization: ### Supplemental Guidance - Information system account types include the following: +Information system account types include the following: * Individual * Shared @@ -73,27 +73,27 @@ The organization: The following controls are related to this control: -* AC-3 -* AC-4 -* AC-5 -* AC-6 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) +* AC-04 +* AC-05 +* AC-06 * AC-10 * AC-17 * AC-19 * AC-20 -* AU-9 -* IA-2 -* IA-4 -* IA-5 -* IA-8 -* CM-5 -* CM-6 -* CM-11 -* MA-3 -* MA-4 -* MA-5 -* PL-4 -* SC-13. +* AU-09 +* IA-02 +* IA-04 +* IA-05 +* IA-08 +* CM-05 +* CM-06 +* CM-011 +* MA-03 +* MA-04 +* MA-05 +* PL-04 +* SC-13 ## Responsibility diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0202.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0202.md new file mode 100644 index 00000000000..30aa3286c9b --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0202.md @@ -0,0 +1,42 @@ +--- +title: "AC-02 (02) Account Management - Removal Of Temporary / Emergency Accounts" +linktitle: "AC-02 (02)" +url: /private-mendix-platform/nist-controls/ac-0202/ +description: "Documents the Private Mendix Platform's compliance with the AC-02 (02) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the AC-02 (02) control. + +| Control ID | AC-02 (02) | +| --- | --- | +| Control category | AC - Access Control | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Org | + +## Control + +The information system automatically removes or; disables temporary and emergency accounts after an: organization-defined time period for each type of account. + +### Supplemental Guidance + +This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. + +## Responsibility + +### Customer Responsibility + +Private Mendix Platform does not provision temporary or emergency accounts outside of normal pre-provisioning and login (SSO) mechanisms. + +## Guidance + +### Customer Responsibility + +To effectively manage temporary and emergency accounts, organizations should: + +* Define specific time limits for each type of account based on operational needs and security requirements. +* Configure the information system to automatically disable or remove these accounts once the defined period expires. +* Regularly review account activity and ensure that no temporary or emergency account remains active beyond its authorized timeframe. +* Document the procedures for account creation, monitoring, and removal to ensure compliance and accountability. diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0207.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0207.md new file mode 100644 index 00000000000..a82fee1b458 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0207.md @@ -0,0 +1,71 @@ +--- +title: "AC-02 (07) Account Management - Role-Based Schemes" +linktitle: "AC-02 (07)" +url: /private-mendix-platform/nist-controls/ac-0207/ +description: "Documents the Private Mendix Platform's compliance with the AC-02 (07) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the AC-02 (07) control. + +| Control ID | AC-02 (07) | +| --- | --- | +| Control category | AC - Access Control | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Org | + +## Control + +The organization: + +* Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. +* Monitors privileged role assignments. +* Takes organization-defined actions when privileged role assignments are no longer appropriate. + +### Supplemental Guidance + +Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. + +## Responsibility + +### Customer Responsibility + +Customers are responsible for defining and documenting their organization-specific privileged roles in alignment with job functions and the principle of least privilege, establishing formal processes for requesting, approving, and provisioning privileged access within Private Mendix Platform. They must conduct periodic access reviews to ensure role assignments remain appropriate, and supplement the platform's built-in monitoring audit logging tools to capture a complete trail of privileged role changes. + +Additionally, customers are responsible for defining and enforcing actions when privileged access is no longer appropriate — including integrating role revocation with Identity Provider (IdP) workflows to ensure timely de-provisioning upon employee offboarding or role changes, and establishing internal SLAs to govern the timeliness of such actions. + +## Guidance + +### Customer Responsibility + +Privileged access to Private Mendix Platform is controlled through Role-Based Access Control (RBAC) that is driven by the customer's Identity Provider (IdP): + +#### Authentication + +Users authenticate through the customer's IdP (for example, Azure AD, Entra ID, or other SAML 2.0 or OIDC-compliant provider). The platform does not maintain independent credential stores for end users. + +#### Role Assignment through IdP Claims or Groups + +The customer's IdP asserts group memberships or role claims during authentication. These IdP groups or claims are mapped to corresponding Private Mendix Platform roles. This ensures that the customer retains centralized control over who holds privileged roles. + +#### Access Enforcement + +Upon authentication, the platform evaluates the user's IdP-asserted roles and grants or denies access to privileged actions accordingly. Users without the required privileged role mapping cannot access or execute privileged functions. + +#### Lifecycle Management + +When a user's group membership or role claim is modified or removed in the customer's IdP, their privileged access within Private Mendix Platform and Mendix applications is updated at the next authentication event. This ensures that privilege revocation is handled centrally through the IdP. + +## Proof and Remarks + +For more information on how Private Mendix Platform manages dynamic roles and groups, see [Dynamic Role Management in Private Mendix Platform](/private-mendix-platform/dynamic-role-management/#role-editing). + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-1.png" class="no-border" >}} + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-2.png" class="no-border" >}} + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-3.png" class="no-border" >}} + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-4.png" class="no-border" >}} \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md index ee4213cfc46..8e2bf08e6d2 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md @@ -34,7 +34,7 @@ Separation of duties addresses the potential for abuse of authorized privileges The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-6 * PE-3 * PE-4 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md index 9bf4c046d9d..4416a8592db 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md @@ -34,7 +34,7 @@ Remote access controls apply to information systems other than public web server The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-18 * AC-19 * AC-20 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md index fd75b43c763..e313bd5e915 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md @@ -30,7 +30,7 @@ Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 8 The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-17 * AC-19 * CA-3 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md index b0a577bf24c..80b96a08133 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md @@ -51,7 +51,7 @@ Organizations are cautioned that the need to provide adequate security for mobil The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-7 * AC-18 * AC-20 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md index f1f9e84244e..15e358c7c77 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md @@ -35,7 +35,7 @@ This control does not apply to the use of external information systems to access The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-17 * AC-19 * CA-3 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md index 052d5b395fc..abff3c5ba87 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md @@ -29,7 +29,7 @@ This control applies to information that may be restricted in some manner (for e The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) ## Responsibility diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md index 8a2ec8d2d1f..07fda3c1cb6 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md @@ -31,7 +31,7 @@ In accordance with federal laws, Executive Orders, directives, policies, regulat The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * AT-2 * AT-3 diff --git a/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md index 8a1bffcb492..2a47d24151c 100644 --- a/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md +++ b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md @@ -17,8 +17,6 @@ This document describes how Private Mendix Platform fulfills the AU-09 control. ## Control -### AU-08 - The information system protects audit information and audit tools from unauthorized access, modification, and deletion. ### Supplemental Guidance @@ -27,7 +25,7 @@ The audit information includes all information needed to successfully audit info The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-6 * MP-2 * MP-4 diff --git a/content/en/docs/private-platform/nist-controls/au/pmp-nist-au0902.md b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au0902.md new file mode 100644 index 00000000000..c826133a193 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au0902.md @@ -0,0 +1,56 @@ +--- +title: "AU-09 (02) Protection of Audit Information - Audit Backup on Separate Physical Systems or Components" +linktitle: "AU-09 (02)" +url: /private-mendix-platform/nist-controls/au-0902/ +description: "Documents the Private Mendix Platform's compliance with the AU-09 (02) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the AU-09 (02) control. + +| Control ID | AU-09 (02) | +| --- | --- | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Org, Customer - Infra | + +## Control + +The information system backs up audit records at an organization-defined frequency onto a physically different system or system component than the system or component being audited. + +### Supplemental Guidance + +This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. + +The following controls are related to this control: + +* AU-04 +* AU-05 +* AU-11 + +## Responsibility + +### Customer Responsibility + +The customer is responsible for implementing this control in an appropriate manner in their organization. This includes establishing audit record backup policies and procedures that ensure logs are regularly replicated to a physically separate system to comply with federal requirements. The customer must ensure that backup destinations, frequencies, and retention periods for audit records are documented, reviewed, and enforced within their environment. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-53 Rev 4 and NIST SP 800-92, which establish requirements for the protection and backup of audit information for federal information systems. Customers operating within a FedRAMP or DoD SRG environment must ensure their audit record backup mechanisms meet the baseline requirements for physical separation and data integrity. + +To meet these requirements, the customer must carry out the following actions: + +1. Define audit record backup destinations and frequency. + + Establish and document where audit records and logs should be backed up to, ensuring the backup target is on a physically different system or system component than the one being audited. The customer must dictate backup frequency, retention periods, and acceptable storage locations in accordance with NIST SP 800-92 guidelines for log management. + +2. Ensure infrastructure-level backup configuration. + + Direct the Infra Implementer to ensure that audit record backups are properly created, configured, and populated on the designated physically separate system. This includes verifying that backup processes are automated, monitored for failures, and aligned with the organization's contingency planning requirements per NIST SP 800-34. + +3. Ensure application-level audit log backup. + + Direct the App Implementer to ensure that the Mendix App's custom audit logs are properly directed to the backup system as dictated by the Customer. This includes configuring log forwarding mechanisms within the application to target the designated backup infrastructure and validating that all auditable events are captured in the backup trail. diff --git a/content/en/docs/private-platform/nist-controls/ca/_index.md b/content/en/docs/private-platform/nist-controls/ca/_index.md new file mode 100644 index 00000000000..4fdfcf1848d --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ca/_index.md @@ -0,0 +1,15 @@ +--- +title: "NIST 800-53 Security Assessment and Authorization for Private Mendix Platform" +linktitle: "Security Assessment and Authorization" +url: /private-mendix-platform/nist-controls-ca/ +description: "Documents the Private Mendix Platform's compliance with the Security Assessment and Authorization (CA) category of the NIST 800-53 security framework." +weight: 10 +no_list: false +simple_list: true +--- + +## Introduction + +Documents in this section provide more information about Private Mendix Platform's compliance with the Security Assessment and Authorization (CA) category of the [NIST 800-53](https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final) security framework. For each applicable control, we have listed which party (Mendix or the customer) is responsible for which component or aspect. + +In general, Mendix is responsible for the Private Mendix Platform, Mendix Operator, Mendix Studio Pro, Mendix Runtime, and so on. Customer responsibilities are related to infra and organization processes. For more information, refer to detailed documentation below. diff --git a/content/en/docs/private-platform/nist-controls/ca/pmp-nist-ca07.md b/content/en/docs/private-platform/nist-controls/ca/pmp-nist-ca07.md new file mode 100644 index 00000000000..192e45c9107 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ca/pmp-nist-ca07.md @@ -0,0 +1,87 @@ +--- +title: "CA-07 Continuous Monitoring" +linktitle: "CA-07" +url: /private-mendix-platform/nist-controls/ca-07/ +description: "Documents the Private Mendix Platform's compliance with the CA-07 control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the CA-07 control. + +| Control ID | CA-07 | +| --- | --- | +| Control category | CA - Security Assessment and Authorization | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Infra, Customer - Org | + +## Control + +The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: + +* Establishment of organization-defined metrics to be monitored +* Establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring +* Ongoing security control assessments in accordance with the organizational continuous monitoring strategy +* Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy +* Correlation and analysis of security-related information generated by assessments and monitoring +* Response actions to address results of the analysis of security-related information +* Reporting the security status of organization and the information system to organization-defined personnel or roles at an organization-defined frequency. + +### Supplemental Guidance + +Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. + +Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports or dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. + +Automation supports more frequent updates to security authorization packages, hardware, software, or firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. + +The following controls are related to this control: + +* CA-02 +* CA-05 +* CA-06 +* CM-03 +* CM-04 +* PM-06 +* PM-09 +* RA-05 +* SA-11 +* SA-12 +* SI-02 +* SI-04 + +For more information, refer to the following: + +* OMB Memorandum 11-33 +* NIST Special Publications 800-37, 800-39, 800-53A, 800-115, and 800-137 +* US-CERT Technical Cyber Security Alerts +* DoD Information Assurance Vulnerability Alerts + +## Responsibility + +### Customer Responsibility + +The customer is responsible for implementing this control in an appropriate manner in their organization. This includes developing and maintaining a comprehensive continuous monitoring strategy that defines metrics, monitoring frequencies, and assessment procedures to ensure compliance with federal requirements. The customer must ensure that all continuous monitoring activities, including security control assessments, status reporting, and risk response actions, are documented, reviewed, and enforced within their environment. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-137, which provides guidelines for Information Security Continuous Monitoring (ISCM) for federal information systems, and NIST SP 800-53 Rev 4, which establishes the foundational continuous monitoring requirements. Customers operating within a FedRAMP or DoD SRG environment must ensure their continuous monitoring program is comprehensive, automated where possible, and aligned with organizational risk management strategies. + +To meet these requirements, the customer must carry out the following actions: + +1. Develop and implement a continuous monitoring program. + + The customer must develop a continuous monitoring strategy that defines the metrics to be monitored, monitoring frequencies, and assessment schedules. + + The Infra Implementer must implement the infrastructure in a way that complies with the continuous monitoring program, including deploying monitoring tools, configuring alerting thresholds, and enabling security event collection in accordance with NIST SP 800-137. + +2. Ensure application-level monitoring compliance. + + The App Implementer must implement the Mendix app in a way that complies with the continuous monitoring program as dictated by the customer. This includes integrating application-level logging, health checks, and security metrics into the organization's centralized monitoring framework as required by NIST SP 800-53A assessment procedures. + +3. Maintain ongoing monitoring and reporting. + + The Infra Operator and App Operator must ensure that the infrastructure and Mendix App remain in compliance with the customer's continuous monitoring program as it evolves. This includes performing regular security control assessments, correlating and analyzing security-related information, generating compliance reports, and executing response actions to address identified risks per OMB Memorandum 11-33. \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/ca/pmp-nist-ca09.md b/content/en/docs/private-platform/nist-controls/ca/pmp-nist-ca09.md new file mode 100644 index 00000000000..23d1976dd47 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ca/pmp-nist-ca09.md @@ -0,0 +1,70 @@ +--- +title: "CA-09 Internal System Connections" +linktitle: "CA-09" +url: /private-mendix-platform/nist-controls/ca-09/ +description: "Documents the Private Mendix Platform's compliance with the CA-09 control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the CA-09 control. + +| Control ID | CA-09 | +| --- | --- | +| Control category | CA - Security Assessment and Authorization | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Infra, Customer - Org | + +## Control + +The organization: + +* Authorizes internal connections of organization-defined information system components or classes of components to the information system. +* Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated. + +### Supplemental Guidance + +This control applies to connections between organizational information systems and (separate) constituent system components (that is, intra-system connections) including, for example, system connections with mobile devices, notebook or desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. + +Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. + +The following controls are related to this control: + +* AC-03 +* AC-04 +* AC-18 +* AC-19 +* AU-02 +* AU-12 +* CA-07 +* CM-02 +* IA-03 +* SC-07 +* SI-04 + +## Responsibility + +### Customer Responsibility + +Customer is responsible for implementing this control in an appropriate manner in their organization. This includes establishing policies and procedures for authorizing and documenting all internal connections between information system components to ensure compliance with federal requirements. The customer must ensure that interface characteristics, security requirements, and the nature of information communicated for each internal connection are documented, reviewed, and enforced within their environment. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-53 Rev 4 and FIPS 200, which establish requirements for authorizing and documenting internal system connections within federal information systems. Customers operating within a FedRAMP or DoD SRG environment must ensure all internal connections are formally authorized, documented with interface characteristics and security requirements, and monitored throughout their lifecycle. + +To meet these requirements, the customer must carry out the following actions: + +1. Authorize and socument internal connections. + + The customer must authorize and document all internal connections made by the Mendix app and associated infrastructure. For each connection, the documentation must include interface characteristics, security requirements, and the nature of the information communicated, in accordance with NIST SP 800-53 Rev 4 CA-09 requirements. + +2. Ensure authorized connections only. + + The Infra Implementer and App Implementer must ensure the infrastructure and Mendix app only make authorized connections as documented by the customer. This includes implementing network segmentation, access control lists, and connection validation mechanisms to prevent unauthorized internal connections per NIST SP 800-53 AC-3 and SC-7. + +3. Maintain connection documentation over lifecycle. + + The Infra Operator and App Operator must ensure that these internal connections and the associated documentation stay current over the lifecycle of the solution. This includes performing periodic reviews of authorized connections, updating documentation when connections change, and removing or re-authorizing connections as the system evolves. \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm04.md b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm04.md new file mode 100644 index 00000000000..fe427d43b65 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm04.md @@ -0,0 +1,122 @@ +--- +title: "CM-04 Security Impact Analysis" +linktitle: "CM-04" +url: /private-mendix-platform/nist-controls/cm-04/ +description: "Documents the Private Mendix Platform's compliance with the CM-04 control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the CM-04 control. + +| Control ID | CM-04 | +| --- | --- | +| Control category | CM - Configuration Management | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Infra, Customer - Org | + +## Control + +The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. + +### Supplemental Guidance + +Organizational personnel with information security responsibilities (for example, Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to information systems and the associated security ramifications. + +Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. + +The following controls are related to this control: + +* CA-02 +* CA-07 +* CM-03 +* CM-09 +* SA-04 +* SA-05 +* SA-10 +* SI-02 + +For more information, refer to NIST Special Publication 800-128. + +## Responsibility + +### Customer Responsibility + +The customer is responsible for implementing this control in an appropriate manner in their organization. This includes assessing the overall security impacts of changes to the information system prior to implementation to ensure compliance with federal requirements. The customer must ensure that security impact analysis processes, roles, and documentation requirements are documented, reviewed, and enforced within their environment. + +#### Infra Implementer + +The Infra Implementer is responsible for detailing the infrastructure architecture and security structure to support security impact analysis. + +#### App Implementer + +The App Implementer is responsible for detailing the Mendix App architecture and security structure to support security impact analysis. + +#### Infra Operator + +The Infra Operator is responsible for assessing and reporting on the security impacts of potential infrastructure updates. + +#### App Operator + +The App Operator is responsible for assessing and reporting on the security impacts of potential Mendix app updates. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-53 Rev 4 and NIST SP 800-128, which establish requirements for analyzing the security impacts of changes to information systems prior to implementation. Customers operating within a FedRAMP or DoD SRG environment must ensure that all changes to the information system undergo security impact analysis by qualified personnel before they are applied to production environments. + +To meet these requirements, the customer must carry out the following actions: + +1. Establish security impact analysis processes. + + The customer must establish formal security impact analysis processes that require all changes to the information system to be evaluated for security implications prior to implementation. This includes defining roles and responsibilities for conducting analyses, approval workflows, and documentation requirements in accordance with NIST SP 800-128. + +2. Ensure architecture and security documentation + + The Infra Implementer must detail the infrastructure architecture and security structure, and the App Implementer must detail the Mendix app architecture and security structure. This documentation must be maintained current to support effective security impact analysis of proposed changes per NIST SP 800-53 SA-5 requirements. + +3. Require security impact reporting for updates. + + The Infra Operator must assess and report on the security impacts of potential infrastructure updates, and the App Operator must assess and report on the security impacts of potential Mendix App updates. All security impact assessments must be reviewed and approved by the Customer before changes are implemented. + +#### Infra Implementer + +The Infra Implementer is responsible for maintaining detailed documentation of the infrastructure architecture and security structure. This documentation serves as the baseline for security impact analysis when changes are proposed to the infrastructure. + +The Infra Implementer must perform the following tasks: + +* Create and maintain comprehensive documentation of the infrastructure architecture, including network diagrams, security boundaries, data flows, and security control implementations. +* Maintain security configuration baselines for all infrastructure components, enabling comparison and impact assessment when changes are proposed. +* Provide technical expertise and infrastructure documentation to support the customer's security impact analysis process when infrastructure changes are proposed. + +#### App Implementer + +The App Implementer is responsible for maintaining detailed documentation of the Mendix application architecture and security structure. This documentation supports security impact analysis when application changes are proposed. + +The App Implementer must perform the following tasks: + +* Create and maintain comprehensive documentation of the Mendix application architecture, including data models, security roles, access controls, and integration points. +* Maintain documentation of all application-level security controls, including authentication mechanisms, authorization rules, input validation, and encryption configurations. +* Provide technical expertise and application documentation to support the customer's security impact analysis process when application changes are proposed. + +#### Infra Operator + +The Infra Operator is responsible for assessing and reporting on the security impacts of potential infrastructure updates, including patches, configuration changes, and platform upgrades, before they are implemented. + +The Infra Operator must perform the following tasks: + +* Before applying infrastructure updates, analyze the potential security impacts by reviewing release notes, security advisories, and change documentation against the current infrastructure security configuration. +* Document the results of security impact assessments and report findings to the customer for review and approval before implementing infrastructure changes. +* Where possible, test infrastructure changes in non-production environments to validate that security controls remain effective after the change is applied. + +#### App Operator + +The App Operator is responsible for assessing and reporting on the security impacts of potential Mendix app updates, including application changes, dependency updates, and configuration modifications, before they are implemented. + +The App Operator must perform the following tasks: + +* Before applying Mendix application updates, analyze the potential security impacts by reviewing change documentation, dependency updates, and Mendix release notes against the current application security configuration. +* Document the results of security impact assessments and report findings to the customer for review and approval before implementing application changes. +* Test application changes in separate environments to validate that security controls remain effective and that no new vulnerabilities are introduced before promoting to production. \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm05.md b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm05.md new file mode 100644 index 00000000000..f679c22c03a --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm05.md @@ -0,0 +1,66 @@ +--- +title: "CM-05 - Access Restrictions for Change" +linktitle: "CM-05" +url: /private-mendix-platform/nist-controls/cm-05/ +description: "Documents the Private Mendix Platform's compliance with the CM-05 control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the CM-05 control. + +| Control ID | CM-05 | +| --- | --- | +| Control category | CM - Configuration Management | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Infra, Customer - Org | + +## Control + +The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. + +### Supplemental Guidance + +Any changes to the hardware, software, or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. + +Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. + +Examples of access restrictions include the following: +* Physical and logical access controls (for example, AC-03 and PE-03) +* Workflow automation +* Media libraries +* Abstract layers (for example, changes implemented into third-party interfaces rather than directly into information systems) +* Change windows (for example, changes occur only during specified times, making unauthorized changes easy to discover). + +The following controls are related to this control: + +* AC-03 +* AC-06 +* PE-03 + +## Responsibility + +### Customer Responsibility + +The customer is responsible for implementing this control in an appropriate manner in their organization. This includes defining, documenting, and enforcing physical and logical access restrictions for all changes to the information system to ensure compliance with federal requirements. The customer must ensure that change control access restrictions, including approval workflows and access records, are documented, reviewed, and enforced within their environment. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-53 Rev 4 and NIST SP 800-128, which establish requirements for restricting access to information system change processes and maintaining configuration change control. Customers operating within a FedRAMP or DoD SRG environment must ensure that only qualified and authorized individuals can initiate changes to the information system, and that all access for change purposes is documented. + +To meet these requirements, the customer must carry out the following actions: + +1. Define and document change control access restrictions. + + The customer must define, document, approve, and enforce change control access restrictions for the information system. This includes establishing which personnel or roles are authorized to make changes, defining change windows, and implementing approval workflows in accordance with NIST SP 800-53 Rev 4 AC-3 and AC-6 least privilege principles. + +2. Implement physical and logical access controls. + + The customer must ensure that both physical and logical access controls are in place for change management, including workflow automation, role-based access to deployment pipelines, and media library restrictions. The Infra Implementer, App Implementer, Infra Operator, and App Operator must respect the customer's change control restrictions throughout the system lifecycle per NIST SP 800-128. + +Maintain change access records and audit trails. + + The customer must maintain records of all access granted for change purposes and periodically review these records to detect unauthorized changes. This includes implementing audit logging for all configuration change activities, conducting regular reviews of change access permissions, and enforcing separation of duties as required by PE-03 physical protection requirements. \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm0506.md b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm0506.md new file mode 100644 index 00000000000..a6807a56b23 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm0506.md @@ -0,0 +1,55 @@ +--- +title: "CM-05 (06) Access Restrictions for Change - Limit Library Privileges" +linktitle: "CM-05 (06)" +url: /private-mendix-platform/nist-controls/cm-0506/ +description: "Documents the Private Mendix Platform's compliance with the CM-05 (06) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the CM-05 (06) control. + +| Control ID | CM-05 (06) | +| --- | --- | +| Control category | CM - Configuration Management | +| Requirement baseline | IL5 | +| Responsibility and ownership | Customer - Infra, Customer - Org | + +## Control + +The organization limits privileges to change software resident within software libraries. + +### Supplemental Guidance + +Software libraries include privileged programs. + +The following controls are related to this control: + +* AC-02 + +## Responsibility + +### Customer Responsibility + +The customer is responsible for implementing this control in an appropriate manner in their organization. This includes defining and enforcing privilege limitations for all changes to software resident within software libraries to ensure compliance with federal requirements. The customer must ensure that access controls for software libraries, including privileged programs, are documented, reviewed, and enforced within their environment. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-53 Rev 4 and FIPS 200, which establish requirements for limiting privileges to modify software within software libraries, including privileged programs. Customers operating within a FedRAMP or DoD SRG environment must ensure that only authorized personnel can change software in libraries, and that these privilege limitations are consistently enforced. + +To meet these requirements, the customer must carry out the following actions: + +1. Define software library privilege policies. + + The customer must define who is allowed to make changes to software libraries and components, and under what conditions. This includes establishing role-based access controls for software repositories, package registries, and deployment artifacts in accordance with NIST SP 800-53 Rev 4 AC-2 account management requirements. + +2. Enforce privilege restrictions across all parties. + + The Infra Implementer, App Implementer, Infra Operator, and App Operator must respect the customer's privilege limitations throughout the lifecycle of the solution. This includes implementing technical controls such as repository branch protections, code signing requirements, and deployment pipeline restrictions that prevent unauthorized modifications to software libraries. + +3. Review and audit library access privileges. + + The customer must periodically review and audit access privileges to software libraries to ensure compliance with the defined policies. This includes maintaining records of who has write access to software libraries, reviewing privilege assignments at organization-defined frequencies, and revoking unnecessary access in alignment with least privilege principles, as described in NIST SP 800-53 AC-06. \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm06.md b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm06.md new file mode 100644 index 00000000000..12c75e3b0ba --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/cm/pmp-nist-cm06.md @@ -0,0 +1,149 @@ +--- +title: "CM-06 Configuration Settings" +linktitle: "CM-06" +url: /private-mendix-platform/nist-controls/cm-06/ +description: "Documents the Private Mendix Platform's compliance with the CM-06 control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the CM-06 control. + +| Control ID | CM-06 | +| --- | --- | +| Control category | CM - Configuration Management | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Infra, Customer - Org | + +## Control + +The organization: + +* Establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements. +* Implements the configuration settings. +* Identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements. +* Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. + +### Supplemental Guidance + +Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Some examples of nformation technology products for which security-related configuration settings can be defined include the following: + +* Mainframe computers +* Servers (for example, database, electronic mail, authentication, web, proxy, file, domain name) +* Workstations +* Input/output devices (for example, scanners, copiers, and printers) +* Network components (for example, firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors) +* Operating systems +* Middleware +* Applications. + +Security-related parameters are parameters which impact the security state of information systems, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example the following: + +* Registry settings +* Account, file, directory permission settings +* Settings for functions, ports, protocols, services, and remote connections. + +Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. + +Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms or products, and instructions for configuring those information system components to meet operational requirements. + +Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. + +Common secure configurations include the United States Government Configuration Baseline (USGCB), which affects the implementation of CM-06 and other controls, such as AC-19 and CM-07. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (for example, Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. + +The following controls are related to this control: + +* AC-19 +* CM-02 +* CM-03 +* CM-07 +* SI-04 + +For more information, refer to the following: + +* OMB Memoranda 07-11, 07-18, 08-22 +* NIST Special Publications 800-70, 800-128 +* Web: [NVD - Home](http://nvd.nist.gov/), [NCP - National Checklist Program Checklist Repository](http://checklists.nist.gov/). + +## Responsibility + +### Customer Responsibility + +The customer is responsible for implementing this control in an appropriate manner in their organization. This includes determining which security hardened configurations are required for their environment to ensure compliance with federal requirements. The customer must ensure that configuration settings, security baselines, deviation approvals, and change monitoring processes are documented, reviewed, and enforced within their environment. + +#### Infra Implementer + +The Infra Implementer is responsible for ensuring that the infrastructure and CI/CD stack is appropriately hardened based on the customer's requirements. + +#### App Implementer + +The App Implementer is responsible for ensuring the Mendix app is built in such a way that it can successfully operate in the hardened environment. + +#### Infra Operator + +The Infra Operator is responsible for ensuring continued compliance as infrastructure and customer requirements change. + +#### App Operator + +The App Operator is responsible for ensuring continued compliance as the application and customer requirements change. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-53 Rev 4, NIST SP 800-70, and NIST SP 800-128, which establish requirements for implementing and managing security configuration settings for federal information systems. Customers operating within a FedRAMP or DoD SRG environment must ensure that all information system components are configured according to security configuration checklists that reflect the most restrictive mode consistent with operational requirements. + +To meet these requirements, the customer must carry out the following actions: + +1. Establish security configuration baselines. + + The customer must determine which security hardened configurations are required for their environment, establishing configuration settings using recognized security configuration checklists (for example, USGCB, CIS Benchmarks, DISA STIGs) that reflect the most restrictive mode consistent with operational requirements, in accordance with NIST SP 800-70 and OMB Memoranda 07-11. + +2. Ensure infrastructure and application hardening. + + The Infra Implementer must ensure that the infrastructure and CI/CD stack is appropriately hardened based on the customer's requirements, and the App Implementer must ensure the Mendix App is built to successfully operate in the hardened environment. Any deviations from established configuration settings must be documented and approved by the customer, as described in NIST SP 800-128. + +3. Monitor and maintain configuration compliance. + + The Infra Operator and App Operator must ensure continued compliance as the infrastructure, application, and customer requirements change. This includes implementing automated configuration monitoring, documenting and approving deviations, and controlling changes to configuration settings in accordance with organizational policies, as described in NIST SP 800-53 CM-3 and SI-4. + +#### Infra Implementer + +The Infra Implementer is responsible for ensuring that the infrastructure and CI/CD stack is appropriately hardened based on the customer's security configuration requirements. This includes applying security configuration checklists to operating systems, network devices, cloud services, and container platforms. + +The Infra Implementer must perform the following tasks: + +* Configure all infrastructure components according to the customer's security configuration checklists, applying DISA STIGs, CIS Benchmarks, or other approved hardening guides to operating systems, network devices, and cloud services. +* Configure the CI/CD deployment pipeline with security hardening measures, including access controls, artifact integrity verification, and secure build environment configurations. +* Document all implemented configuration settings and any deviations from the established baselines, providing justification for each deviation for customer review and approval. + +#### App Implementer + +The App Implementer is responsible for ensuring that the Mendix application is built and configured to operate successfully within the Customer's security hardened environment while maintaining appropriate security settings at the application level. + +The App Implementer must perform the following tasks: + +* Implement the most restrictive application security settings consistent with operational requirements, including authentication configuration, session management, and data protection settings within the Mendix application. +* Test the Mendix application in the hardened environment to verify that it operates correctly with all security configuration settings applied, identifying and resolving any compatibility issues. +* Document all application-level configuration settings and any deviations from the established baselines for Customer review and approval. + +#### Infra Operator + +The Infra Operator is responsible for ensuring continued infrastructure configuration compliance as infrastructure components are updated and Customer requirements evolve over time. + +The Infra Operator must perform the following tasks: + +* Implement automated configuration monitoring to detect deviations from established security baselines across all infrastructure components. +* Ensure all changes to infrastructure configuration settings follow the organization's change control process and are documented, approved, and tracked. +* Provide regular configuration compliance reports to the customer, including any deviations detected and remediation actions taken. + +#### App Operator + +The App Operator is responsible for ensuring continued application configuration compliance as the Mendix application evolves and customer requirements change. + +The App Operator must perform the following tasks: + +* Implement monitoring to detect deviations from established application security configuration settings and alert on unauthorized changes. +* Ensure all changes to application configuration settings follow the organization's change control process and are approved before implementation. +* Provide regular application configuration compliance reports to the customer, including any deviations detected and remediation actions taken. \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/ir/pmp-nist-ir0602.md b/content/en/docs/private-platform/nist-controls/ir/pmp-nist-ir0602.md new file mode 100644 index 00000000000..bac2d45bbed --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ir/pmp-nist-ir0602.md @@ -0,0 +1,47 @@ +--- +title: "IR-06 (02) Vulnerabilities Related To Incidents" +linktitle: "IR-06 (02)" +url: /private-mendix-platform/nist-controls/ir-0602/ +description: "Documents the Private Mendix Platform's compliance with the IR-06 (02) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the IR-06 (02) control. + +| Control ID | IR-06 (02) | +| --- | --- | +| Control category | IR - Incident Response | +| Requirement baseline | IL4 | +| Responsibility and ownership | Mendix - Private Mendix Platform, Mendix - Operator, Customer - Infra | + +## Control + +The organization reports information system vulnerabilities associated with reported security incidents to organization-defined personnel or roles. + +## Responsibility + +### Mendix Responsibility + +Mendix is responsible to address and respond to vulnerabilities and security incidents related to Mendix products that are reported to Mendix, in accordance with applicable regulations and following the Mendix security incident and vulnerability response policy. + +### Customer Responsibility + +The customer is responsible for specifying the recipients to whom information system vulnerabilities and security incidents should be reported. + +## Guidance + +### Mendix Responsibility + +Mendix will respond to information system vulnerabilities and incidents caused by Mendix products and reported to Mendix in compliance with appropriate regulations and in alignment with our security incident and vulnerability response policy. + +### Customer Responsibility + +It is the responsibility of the customer to indicate who should receive reports about information system vulnerabilities and security incidents. + +It is the responsibility of the Infra Implementer, App Implementer, Infra Operator, and App Operator to report information system vulnerabilities associated with reported security incidents to whomever the customer indicates. + +## Proof and Remarks + +Details about the Mendix security incident response are available in Section IV of the SOC-2 report in Conveyor. \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/ir/pmp-nist-ir0701.md b/content/en/docs/private-platform/nist-controls/ir/pmp-nist-ir0701.md new file mode 100644 index 00000000000..5de15682b9b --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ir/pmp-nist-ir0701.md @@ -0,0 +1,47 @@ +--- +title: "IR-07 (01) Automation Support For Availability Of Information or Support" +linktitle: "IR-07 (01)" +url: /private-mendix-platform/nist-controls/ir-0701/ +description: "Documents the Private Mendix Platform's compliance with the IR-07 (01) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the IR-07 (01) control. + +| Control ID | IR-07 (01) | +| --- | --- | +| Control category | IR - Incident Response | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Mendix - Operator, Customer - Infra | + +## Control + +The organization employs automated mechanisms to increase the availability of incident response-related information and support. + +### Supplemental Guidance + +Automated mechanisms can provide a push and/or pull capability for users to obtain incident response assistance. For example, individuals might have access to a website to query the assistance capability, or conversely, the assistance capability may have the ability to proactively send information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support. + +## Responsibility + +### Customer Responsibility + +This is not a Mendix responsibility. It is the responsibility of the customer to determine what automated mechanisms are appropriate to increase security incident response information sharing and support. + +It is the responsibility of the Infra Implementer to ensure the infrastructure and Private Mendix Platform are properly integrated with any automated security incident response sharing mechanisms dictated by the customer. + +It is the responsibility of the App Implementer to ensure that the Mendix app is properly integrated with any automated security incident response sharing mechanisms dictated by the Customer. + +It is the responsibility of the Infra Operator and the App Operator to ensure ongoing successful integration with these automated mechanisms, as dictated by the customer. + +## Guidance + +### Customer Responsibility + +The customer is ultimately responsible for compliance with this control, because they are the owners of their business processes, data, and security posture. They are best positioned to determine what automated security incident response mechanisms are appropriate for their unique operational context. + +The Infra and App Implementers are responsible for ensuring that the customer's chosen automated security incident mechanisms are correctly configured and integrated at the foundational infrastructure level, and for individual Mendix apps. + +The Infra and App Operators are responsible for ensuring ongoing integration with the automated security incident mechanisms, as well as any required updates. diff --git a/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md b/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md index 82a7d99c93a..78b354cf5de 100644 --- a/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md +++ b/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md @@ -38,7 +38,7 @@ The policy can be included as part of the general information security policy fo The following controls are related to this control: -* PM-9. +* PM-09. For more information, refer to the NIST Special Publications 800-12, 800-100. diff --git a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md index 762e93e0ed5..0d4940b7e94 100644 --- a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md +++ b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md @@ -40,7 +40,7 @@ The policy can be included as part of the general information security policy fo The following controls are related to this control: -* PM-9 +* PM-09 For more information, refer to the NIST Special Publications 800-12 and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md index 93704c36f55..d28c5c8ce92 100644 --- a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md +++ b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md @@ -28,7 +28,7 @@ Restricting non-digital media access includes, for example, denying access to pa The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * IA-2 * MP-4 * PE-2 diff --git a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md index 44a082f836a..501dba425b6 100644 --- a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md +++ b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md @@ -36,7 +36,7 @@ This control addresses the establishment of policy and procedures for the effect The following controls are related to this control: -* PM-9 +* PM-09 For more information, refer to the NIST Special Publications 800-12, 800-18, and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md index b61a2f8f67a..3e82e0401c4 100644 --- a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md +++ b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md @@ -65,7 +65,7 @@ The following controls are related to this control: * PM-1 * PM-7 * PM-8 -* PM-9 +* PM-09 * PM-11 * SA-5 * SA-17 diff --git a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md index bb12951e3c8..7a13ea6f04c 100644 --- a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md +++ b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md @@ -36,7 +36,7 @@ This control addresses the establishment of policy and procedures for the effect The following controls are related to this control: -* PM-9 +* PM-09 For more information, refer to the NIST Special Publications 800-12, 800-30, and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md index 1212c593b29..cdd02b4bcc3 100644 --- a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md +++ b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md @@ -37,7 +37,7 @@ first two steps in the Risk Management Framework. Risk assessments can play an i The following controls are related to this control: * RA-2 -* PM-9 +* PM-09 For more information, refer to OMB Memorandum 04-04; NIST Special Publication 800-30, and 800-39; [IDManagement](https://www.idmanagement.gov/). diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md index 85e2c77d29d..c5d28cd040a 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md @@ -32,7 +32,7 @@ This control does not address: The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * MP-6 diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md index d58cbb8244a..3c50163357a 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md @@ -29,7 +29,7 @@ This control does not impose any requirements on organizations to use cryptograp The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-7 * AC-17 * AC-18 diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md index 63dce04e15a..7346c693ec9 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md @@ -26,7 +26,7 @@ This control addresses the confidentiality and integrity of information at rest The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-6 * CA-7 * CM-3 diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md index ca315b64357..d9eb785b63f 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md @@ -26,7 +26,7 @@ Information systems can maintain separate execution domains for each executing p The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * AC-6 * SA-4 diff --git a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md index ecfab61ad47..4d621e5fa80 100644 --- a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md +++ b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md @@ -27,7 +27,7 @@ Checking the valid syntax and semantics of information system inputs (for exampl The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * AC-5 * AC-6. diff --git a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md index 8f198d7941d..16873da6fd3 100644 --- a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md +++ b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md @@ -26,7 +26,7 @@ A common vulnerability in organizational information systems is unpredictable be The following controls are related to this control: -* AC-3. +* [AC-03](/private-mendix-platform/nist-controls/ac-03/). ## Responsibility diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-1.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-1.png new file mode 100644 index 00000000000..2aae387ed65 Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-1.png differ diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-2.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-2.png new file mode 100644 index 00000000000..aceeeea8b10 Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-2.png differ diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-3.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-3.png new file mode 100644 index 00000000000..5fcb4354bdf Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-3.png differ diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-4.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-4.png new file mode 100644 index 00000000000..bcdc637f25b Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-4.png differ