ensure the following: This cyber security policy must be readily available to all personnel who have access to, or are responsible for, critical cyber assets.

The responsible entity must assign a senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, the policy. This senior manager shall be identified by name, title, business phone, business address, and date of designation. Changes to the senior manager must be documented within 30 calendar days of the effective date. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy.

Information Protection

The responsible entity shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists of critical assets, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts of critical cyber assets, disaster recovery plans, incident response plans, and security configuration information.

The responsible entity shall, at least annually, assess adherence to its critical cyber asset information protection program, document the assessment results, and implement an action plan to remediate deficiencies identified during the assessment.

Access Control

The responsible entity must document and implement a program for managing access to protected critical cyber asset information. The responsible entity shall maintain a list of designated personnel who are responsible for authorizing logical or physical access to protected information. Personnel are identified by name, title, business phone, and the information for which they are responsible for authorizing access. At least annually, the responsible entity must review the access privileges to protected information to confirm that access privileges are correct and that they correspond with the responsible entity’s needs and appropriate personnel roles and responsibilities.

Change Control and Configuration Management

The responsible entity must establish and document a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software, and must implement supporting configuration management activities to identify, control, and document all entity- or vendor-related changes to hardware and software components of critical cyber assets pursuant to the change control process.


The identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter, are required.

Electronic Security Perimeter

The responsible entity must ensure that every critical cyber asset resides within an electronic security perimeter. The responsible entity must identify and document the electronic security perimeter(s) and all access points to the perimeter(s).

1. Access points to the electronic security perimeter(s) must include any externally connected communication end point (for example, dial-up modems) terminating at any device within the electronic security perimeter(s).

2. For a dial-up-accessible critical cyber asset that uses a non-routable protocol, the responsible entity must define an electronic security perimeter for that single access point at the dial-up device.

3. Communication links connecting discrete electronic security perimeters must not be considered part of the electronic security perimeter. However, end points of these communication links within the electronic security perimeter(s) must be considered access points to the electronic security perimeter(s).

4. Any non-critical cyber asset within a defined electronic security perimeter must be identified and protected.

5. Cyber assets used in the access control and monitoring of the electronic security perimeter(s) must be afforded certain protective measures.

6. The responsible entity must maintain documentation on the electronic security perimeter(s), all interconnected critical and non-critical cyber assets within the electronic security perimeter(s), all electronic access points to the electronic security perimeter(s), and the cyber assets deployed for the access control and monitoring of these access points.

Electronic Access Controls

The responsible entity must implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter(s).

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement