DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504North Carolina Department ofInformation TechnologyStatewide Information SecurityManualMarch 20201

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504Statewide Information Security ManualINTRODUCTIONPURPOSEThe purpose of this policy is to establish a statewide security policy for North Carolina State agencies and the Statenetwork. This policy also establishes principles to ensure a secure network infrastructure that integratesconfidentiality, availability, and integrity into the infrastructure design, implementation, and maintenance, in orderto do the following:a.Protect the State’s infrastructure and the citizen’s data, whether hosted by external entities or withinState data centers, from both internal and external threats.b.Provide a consistent and repeatable framework for which IT assets can be securely connected to theState network.c.Support the State’s initiative to establish standards to manage technology, risks and increaseconsistency and accessibility.OWNERState Chief Risk OfficerSCOPEThe Statewide Information Security Manual is the foundation for information technology security in NorthCarolina. It sets out the statewide information security standards required by N.C.G.S. §143B-1376, which directsthe State Chief Information Officer (State CIO) to establish a statewide set of standards for information technologysecurity to maximize the functionality, security, and interoperability of the State’s distributed informationtechnology assets, including, but not limited to, data classification and management, communications, andencryption technologies. This policy covers all State information and information systems to include those used,managed, or operated by a contractor, an agency, or other organization on behalf of the State. This policy appliesto all State employees, contractors, and all other users of State information and information systems that supportthe operation and assets of the State. Use by local governments, local education agencies (LEAs), communitycolleges, constituent institutions of the University of North Carolina (UNC) and other executive branch agencies isencouraged to the extent allowed by law.POLICYSECTION 1. ADOPTION OF NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) RISKMANAGEMENT FRAMEWORK SPECIAL PUBLICATION (SP) 800-37The State has adopted the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 –Guide for Applying Risk Management Framework (RMF) for Federal Information Systems, as the standard formanaging information security risk in State IT resources. The RMF provides a disciplined and structured processthat integrates information security and risk management activities into the system development life cycle. TheNIST RMF utilizes NIST SP 800-53 as the foundation for identifying and implementing security controls. NIST 80053 organizes these security controls into (17) Control Families. Each policy document and control family identified2

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504in the Statewide Information Security Manual is based on the NIST SP 800-53, Security and Privacy Controls. TheState has modified certain controls from the original NIST 800-53 requirements where they were deemednecessary.Table 1 below identifies the control family names which will be utilized within the State security policies.TABLE 1: SECURITY CONTROL FAMILY NAMESIDFAMILYIDFAMILYACAccess ControlMPMedia ProtectionATAwareness and TrainingPEPhysical and Environmental ProtectionAUAudit and AccountabilityPLPlanningCASecurity Assessment and AuthorizationPSPersonnel SecurityCMConfiguration ManagementRARisk AssessmentCPContingency PlanningSASystem and Services AcquisitionIAIdentification and AuthenticationSCSystem and Communications ProtectionIRIncident ResponseSISystem and Information IntegrityMAMaintenanceSECURITY CATEGORIZATIONThere are two levels of security categorization to be used within the State: Low and Moderate. Security controlsmust be selected based on the data classification and security categorization of the information system and/orrequirements for the specific operating environment.Low Systems: Systems that contain only data that is public by law or directly available to the public viasuch mechanisms as the Internet. In addition, desktops, laptops and supporting systems used by agenciesare Low Risk unless they store, process, transfer or communicate Restricted or Highly Restricted data.Moderate Systems: Systems that stores, process, transfer or communicate Restricted or Highly Restricteddata or has a direct dependency on a Moderate system. Any system that stores, processes, or transfers orcommunicates PII or other sensitive data types is classified as a Moderate system, at a minimum.Agencies may tailor the baseline controls, as needed to enhance the security posture, based on their uniqueorganizational needs. An example of such enhancement may occur due to additional requirements mandated byFederal agencies such as Internal Revenue Service (IRS) and other. All agencies are required to implement andcomply with the baseline controls within the Statewide Information Security Manual, unless otherwise prescribedby Federal or State statute.NIST SP 800-53 controls defines three types of controls: Common Controls: Those security controls that are Enterprise wide, e.g. State policies, Security devicesprovided by DIT, Enterprise email, etc. Agencies may inherit these controls as the system is managedoutside of their authority. It is important to note that in order for a system to be considered Inherited, itmust meet, at a minimum, the following criteria:oThe system is managed by DIT, Cloud or other organizations outside the authority and securityboundary of the agencyoThe State Chief Risk Officer has designated the control as inheritable3

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504 System-Specific Controls: Those controls that provide security and other services for a particularinformation system only Hybrid Controls: Those controls which are shared between Enterprise, i.e. DIT, Cloud and/or Agencymanaged.Agencies must evaluate each system and identify those that fall within the above listed control types. This step iscrucial in facilitating and understanding roles and responsibilities as it pertains to audits and assessments. Thefollowing Table 2 - Security Control Baseline identifies those controls that will be implemented if a system iscategorized as Low or Moderate. The table is based on NIST 800-53 Rev 4 and has been modified to meet State ofNorth Carolina use.Note: Controls which have brackets, e.g. (X), are above the NIST baseline requirement. Controls listed as“Optional” may be utilized to enhance the security posture of the information system and are NOT to beconsidered mandatory. Agencies should understand that with the implementation of optional controls mayrequire additional funding. The description of these controls may be found at the following e.TABLE 2: SECURITY CONTROL BASELINESCNTLNO.INITIAL CONTROL BASELINESCONTROL NAMELOWMODAccess ControlAC-1Access Control Policy and ProceduresAC-1AC-1AC-2Account ManagementAC-2AC-2 (1) (2) (3) (4)AC-3Access EnforcementAC-3AC-3AC-4Information Flow EnforcementAC-4AC-4AC-5Separation of DutiesAC-5AC-5AC-6Least PrivilegeAC-6AC-6AC-7Unsuccessful Logon AttemptsAC-7AC-7AC-8System Use NotificationAC-8AC-8AC-9Previous Logon (Access) NotificationOptionalOptionalAC-10Concurrent Session ControlOptionalOptionalAC-11Session LockAC-11AC-11 (1)AC-12Session TerminationAC-12AC-12AC-14Permitted Actions without Identification orAuthenticationAC-14AC-14AC-16Security AttributesOptionalOptionalAC-17Remote AccessAC-17AC-17 (1) (2) (3) (4)AC-18Wireless AccessAC-18AC-18 (1)AC-19Access Control for Mobile DevicesAC-19AC-19 (5)AC-20Use of External Information SystemsAC-21Information SharingAC-22Publicly Accessible ContentAC-23AC-24AC-25AC-20AC-20 (1) (2)OptionalAC-21AC-22AC-22Data Mining ProtectionOptionalOptionalAccess Control DecisionsOptionalOptionalReference MonitorOptionalOptional4

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504CNTLNO.INITIAL CONTROL BASELINESCONTROL NAMELOWMODAwareness and TrainingAT-1Security Awareness and Training Policy andProceduresAT-1AT-1AT-2Security Awareness TrainingAT-2AT-2 (2)AT-3Role-Based Security TrainingAT-3AT-3AT-4Security Training RecordsAT-4AT-4AU-1Audit and Accountability Policy andProceduresAU-1AU-1AU-2Audit EventsAU-2AU-2 (3)AU-3Content of Audit RecordsAU-3AU-3 (1)AU-4Audit Storage CapacityAU-4AU-4AU-5Response to Audit Processing FailuresAU-5AU-5AU-6Audit Review, Analysis, and ReportingAU-6AU-6 (1) (3)AU-7Audit Reduction and Report GenerationOptionalAU-7AU-8Time StampsAU-8AU-8 (1)Audit and AccountabilityAU-9Protection of Audit InformationAU-10Non-repudiationAU-9AU-9 (4)OptionalOptionalAU-11AU-12Audit Record RetentionAU-11AU-11Audit GenerationAU-12AU-12AU-13AU-14Monitoring for Information DisclosureOptionalOptionalSession AuditOptionalOptionalAU-15Alternate Audit l AuditingOptionalOptionalSecurity Assessment and AuthorizationCA-1Security Assessment and AuthorizationPolicies and ProceduresCA-1CA-1CA-2Security AssessmentsCA-2CA-2 (1)CA-3System InterconnectionsCA-3CA-3 (5)CA-4Security CertificationIncorporated into CA-2.Incorporated into CA-2.CA-5Plan of Action and MilestonesCA-5CA-5CA-6Security AuthorizationCA-6CA-6CA-7Continuous MonitoringCA-8Penetration TestingCA-9Internal System ConnectionsCA-7CA-7 (1)OptionalCA-8CA-9CA-9Configuration ManagementCM-1Configuration Management Policy andProceduresCM-1CM-1CM-2Baseline ConfigurationCM-2CM-2 (1) (3) (7)CM-3Configuration Change ControlCM-3CM-3CM-4Security Impact AnalysisCM-4CM-4CM-5Access Restrictions for ChangeCM-5CM-5CM-6Configuration SettingsCM-6CM-6CM-7Least FunctionalityCM-7CM-75

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504INITIAL CONTROL BASELINESCNTLNO.CONTROL NAMELOWMODCM-8Information System Component InventoryCM-8CM-8 (3)CM-9Configuration Management PlanCM-9CM-9CM-10Software Usage RestrictionsCM-10CM-10CM-11User-Installed SoftwareCM-11CM-11Contingency PlanningCP-1Contingency Planning Policy andProceduresCP-1CP-1CP-2Contingency PlanCP-2CP-2CP-3Contingency TrainingCP-3CP-3CP-4Contingency Plan TestingCP-4CP-4CP-5Contingency Plan UpdateIncorporated into CP-2Incorporated into CP-2CP-6Alternate Storage SiteOptionalCP-6 (1) (3)CP-7Alternate Processing SiteOptionalCP-7 (1) (2) (3)CP-8Telecommunications ServicesOptionalCP-8CP-9Information System BackupCP-9CP-9 (1)CP-10Information System Recovery andReconstitutionCP-10CP-10CP-11Alternate Communications ProtocolsOptionalOptionalCP-12Safe ModeOptionalOptionalCP-13Alternative Security MechanismsOptionalOptionalIdentification and AuthenticationIA-1Identification and Authentication Policy andProceduresIA-1IA-1IA-2Identification and Authentication(Organizational Users)IA-2IA-2 (8)IA-3Device Identification and AuthenticationIA-3IA-3IA-4Identifier ManagementIA-4IA-4IA-5Authenticator ManagementIA-5IA-5IA-6Authenticator FeedbackIA-6IA-6IA-7Cryptographic Module AuthenticationIA-7IA-7IA-8Identification and Authentication (NonOrganizational Users)IA-8IA-8IA-9Service Identification and AuthenticationOptionalOptionalIA-10Adaptive Identification and onOptionalOptionalIR-1Incident Response Policy and ProceduresIR-2Incident Response TrainingIR-2IR-2IR-3Incident Response TestingOptionalIR-3 (2)IR-4Incident HandlingIR-4IR-4IR-5Incident MonitoringIR-5IR-5IR-6Incident ReportingIR-6IR-6IR-7Incident Response AssistanceIR-7IR-7IR-8Incident Response PlanIR-8IR-8Incident ResponseIR-1IR-16

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504INITIAL CONTROL BASELINESCNTLNO.CONTROL NAMELOWMODIR-9Information Spillage ResponseOptionalOptionalIR-10Integrated Information Security AnalysisTeamOptionalOptionalMaintenanceMA-1System Maintenance Policy and ProceduresMA-1MA-1MA-2Controlled MaintenanceMA-2MA-2MA-3Maintenance ToolsOptionalMA-3 (1) (2)MA-4Nonlocal MaintenanceMA-4MA-4 (2)MA-5Maintenance PersonnelMA-5MA-5MA-6Timely MaintenanceOptionalMA-6Media ProtectionMP-1Media Protection Policy and ProceduresMP-1MP-1MP-2Media AccessMP-2MP-2MP-3Media MarkingOptionalMP-3MP-4Media StorageOptionalMP-4MP-5Media TransportOptionalMP-5MP-6Media SanitizationMP-6MP-6MP-7Media UseMP-7MP-7 (1)MP-8Media DowngradingOptionalOptionalPhysical and Environmental ProtectionPE-1Physical and Environmental ProtectionPolicy and ProceduresPE-1PE-1PE-2Physical Access AuthorizationsPE-2PE-2PE-3Physical Access ControlPE-3PE-3PE-4Access Control for Transmission MediumPE-5Access Control for Output DevicesPE-6PE-8PE-9PE-4PE-4OptionalPE-5Monitoring Physical AccessPE-6PE-6 (1)Visitor Access RecordsPE-8PE-8Power Equipment and CablingOptionalPE-9PE-10Emergency ShutoffOptionalPE-10PE-11Emergency PowerOptionalPE-11PE-12Emergency LightingPE-12PE-12PE-13Fire ProtectionPE-13PE-13 (3)PE-14Temperature and Humidity ControlsPE-14PE-14PE-15Water Damage ProtectionPE-15PE-15PE-16Delivery and RemovalPE-16PE-16PE-17Alternate Work SiteOptionalPE-17PE-18Location of Information System ComponentsOptionalPE-18PE-19Information LeakageOptionalOptionalPE-20Asset Monitoring and TrackingOptionalOptionalPlanningPL-1Security Planning Policy and ProceduresOptionalPL-1PL-2System Security PlanOptionalPL-2 (3)7

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504CNTLNO.INITIAL CONTROL BASELINESCONTROL NAMELOWMODPL-4Rules of BehaviorPL-4PL-4PL-5Privacy Impact AssessmentOptionalIncorporated in RA-3PL-7Security Concept of OperationsOptionalOptionalPL-8Information Security ArchitecturePL-8PL-8PL-9Central ManagementOptionalOptionalPersonnel SecurityPS-1Personnel Security Policy and ProceduresPS-1PS-1PS-2Position Risk DesignationPS-2PS-2PS-3Personnel ScreeningPS-3PS-3PS-4Personnel TerminationPS-4PS-4PS-5Personnel TransferPS-5PS-5PS-6Access AgreementsPS-6PS-6PS-7Third-Party Personnel SecurityPS-7PS-7PS-8Personnel SanctionsPS-8PS-8Risk AssessmentRA-1Risk Assessment Policy and ProceduresRA-1RA-1RA-2Security CategorizationRA-2RA-2RA-3Risk AssessmentRA-4Risk Assessment UpdateRA-5Vulnerability ScanningRA-6Technical Surveillance CountermeasuresSurveySA-1System and Services Acquisition Policy andProceduresSA-1SA-1SA-2Allocation of ResourcesSA-2SA-2SA-3System Development Life CycleSA-4Acquisition ProcessSA-5Information System DocumentationSA-8Security Engineering PrinciplesOptionalSA-8SA-9External Information System ServicesSA-9SA-9 (2)SA-10Developer Configuration ManagementOptionalSA-10SA-11Developer Security Testing and EvaluationOptionalSA-11SA-12Supply Chain onalOptionalSA-14Criticality AnalysisOptionalOptionalSA-15Development Process, Standards, andToolsOptionalOptionalSA-16Developer-Provided TrainingOptionalOptionalSA-17Developer Security Architecture and DesignOptionalOptionalSA-18Tamper Resistance and DetectionOptionalOptionalSA-19Component AuthenticityOptionalOptionalSA-20Customized Development of ated into RA-3Incorporated into RA-3RA-5RA-5 (1) (2) (5)OptionalOptionalSystem and Services AcquisitionSA-3SA-3SA-4 (10)SA-4 (1) (2) (9) (10)SA-5SA-58

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504INITIAL CONTROL BASELINESCNTLNO.CONTROL NAMELOWMODSA-21Developer ScreeningOptionalOptionalSA-22Unsupported System ComponentsOptionalOptionalSC-1System and Communications ProtectionPolicy and ProceduresSC-1SC-1SC-2Application PartitioningSC-2SC-2SC-3Security Function IsolationOptionalOptionalSC-4Information in Shared ResourcesOptionalSC-4SC-5Denial of Service ProtectionSC-5SC-5SC-6Resource AvailabilityOptionalOptionalSC-7Boundary ProtectionSC-7SC-7System and Communications ProtectionSC-8Transmission Confidentiality and IntegritySC-8SC-8SC-10Network DisconnectSC-10SC-10SC-11Trusted PathOptionalOptionalSC-12Cryptographic Key Establishment andManagementSC-12SC-12SC-13Cryptographic ProtectionSC-13SC-13SC-15Collaborative Computing DevicesSC-15SC-15SC-16Transmission of Security AttributesOptionalOptionalSC-17Public Key Infrastructure CertificatesSC-17SC-17SC-18Mobile CodeSC-18SC-18SC-19Voice Over Internet ProtocolOptionalSC-19SC-20Secure Name /Address Resolution Service(Authoritative Source)SC-20SC-20SC-21Secure Name /Address Resolution Service(Recursive or Caching Resolver)SC-21SC-21SC-22Architecture and Provisioning forName/Address Resolution ServiceSC-22SC-22SC-23Session AuthenticitySC-23SC-23SC-24Fail in Known StateOptionalOptionalSC-25Thin lSC-27Platform-Independent ApplicationsOptionalOptionalSC-28Protection of Information at lSC-30Concealment and MisdirectionOptionalOptionalSC-31Covert Channel AnalysisOptionalOptionalSC-32Information System PartitioningOptionalOptionalSC-34Non-Modifiable Executable ptionalSC-36Distributed Processing and StorageOptionalOptionalSC-37Out-of-Band ChannelsOptionalOptionalSC-38Operations SecurityOptionalOptionalSC-39Process IsolationOptionalOptionalSC-40Wireless Link ProtectionSC-40SC-409

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504CNTLNO.INITIAL CONTROL BASELINESCONTROL NAMELOWMODSC-41Port and I/O Device AccessOptionalOptionalSC-42Sensor Capability and DataOptionalOptionalSC-43Usage RestrictionsOptionalOptionalSC-44Detonation ChambersOptionalSC-44System and Information IntegritySI-1System and Information Integrity Policy andProceduresSI-1SI-1SI-2Flaw RemediationSI-2SI-2 (2)SI-3Malicious Code ProtectionSI-3SI-3 (1) (2)SI-4Information System MonitoringSI-4SI-4 (2) (4) (5)SI-5Security Alerts, Advisories, and DirectivesSI-5SI-5SI-6Security Function VerificationOptionalOptionalSI-7Software, Firmware, and InformationIntegrityOptionalSI-7 (1) (7)SI-8Spam ProtectionOptionalSI-8 (1) (2)SI-10Information Input ValidationOptionalSI-10SI-11Error HandlingOptionalSI-11SI-12Information Handling and RetentionSI-12SI-12SI-13Predictable Failure onalOptionalSI-15Information Output FilteringOptionalOptionalSI-16Memory ProtectionOptionalSI-16SI-17Fail-Safe ProceduresOptionalOptionalSECTION 2. IMPLEMENTATION AND M ANAGEMENTThis Manual is the foundation for information technology security in state government and is required for allexecutive branch agencies to follow in order to comply with statewide information security standards. To besuccessful, Agency leadership must continue to emphasize the importance of information security throughouttheir organizations and at their discretion, implement additional supplementary controls as deemed necessary.When considering the supplementary controls not included in the State’s policies, agencies should refer to NIST SP800-53 Rev 4 and industry security practices related to information technology implementation. Agencies are alsorequired to ensure ongoing compliance by implementing continuous monitoring activities.SECTION 3 – INFORMATION PROTECTIONAgencies must implement appropriate safeguards as defined in the supporting policy documents (such asidentification and authentication, encryption, data filtering, tagging, Multi-factor authentication or segregation) toensure Restricted and Highly Restricted information, including Personally Identifiable Information (PII), Federal TaxInformation (FTI), Payment Card Industry (PCI) is protected from inappropriate disclosure, misuse, or other securitybreaches, in accordance with State, Federal and other security standards and requirements.10

DocuSign Envelope ID: 47E92340-69A8-41E6-ACF5-32E9F690D504Agencies must ensure an appropriate response in the event of a breach of sensitive PII consistent with Federal andAgency standards and requirements.SECTION 4 – CONTINUOUS MONITORIN GContinuous monitoring, automatic alerting, and auditing with corresponding tracking capabilities and reporting arerequired for devices connected to the State infrastructure or supporting State business (e.g. cloud services).Agencies must also have procedures in place to ensure robust incident response to unauthorized accesses andactivities. The State CIO has the authority to require the installation of monitoring or auditing agents on devicesconnected to the network.SECTION 5 – SECURITY ARCHITECTUREAgencies must implement appropriate information safeguards (such as encryption, data filtering, tagging, orsegregation) to ensure highly restricted information, including Personally Identifiable Information (PII), Federal TaxInformation (FTI), Payment Card Industry (PCI) is protected from inappropriate disclosure, misuse, or other securitybreaches, in accordance with State, Federal and other security standards and requirements.Agencies must ensure an appropriate response in the event of a breach of sensitive PII consistent with Federal andAgency standards and requirements.SECTION 4 – REFERENCESThe following policies in the Statewide Information Security Manual provide additional details for theimplementation of State information technology resources. SCIO-SEC-301: Access Control Policy (AC) SCIO-SEC-302: Awareness and Training Policy (AT) SCIO-SEC-303: Audit and Accountability Policy (AU) SCIO-SEC-304: Security Assessment and Authorization Policy (CA) SCIO-SEC-305: Configuration Management Policy (CM) SCIO-SEC-306: Contingency Planning Policy (CP) SCIO-SEC-307: Identification and Authentication Policy (IA) SCIO-SEC-308: Incident Response Policy (IR) SCIO-SEC-309: Maintenance Policy (MA) SCIO-SEC-310: Media Protection Policy (MP) SCIO-SEC-311: Personnel Security Policy (PS) SCIO-SEC-312: Security Planning Policy (PL) SCIO-SEC-313: Physical and Environmental Protection Policy (PE) SCIO-SEC-314: Risk Assessment Policy (RA) SCIO-SEC-315: System and Services Acquisition Policy (SA) SCIO-SEC-316: System and Communications Protection Policy (SC) SCIO-SEC-317: System and Information Integrity Policy (SI)11

AC-19 Access Control for Mobile Devices AC-19 AC-19 (5) AC-20 Use of External Information Systems AC-20 AC-20 (1) (2) AC-21 Information Sharing Optional AC-21 AC-22 Publicly Accessible Content AC-22 AC-22 AC-23 Data Mining Protection Optional Optional AC-24 Access Control Decisions Optional Optional