SI-6—Security and Privacy Function Verification
>Control Description
Verify the correct operation of ⚙organization-defined security and privacy functions;
Perform the verification of the functions specified in SI-6a [Selection (one or more): ⚙organization-defined system transitional states; upon command by user with appropriate privilege; ⚙organization-defined frequency];
Alert ⚙organization-defined personnel or roles to failed security and privacy verification tests; and
[Selection (one or more): Shut the system down; Restart the system; ⚙organization-defined alternative action (s)] when anomalies are discovered.
>FedRAMP Baseline Requirements
Parameter Values
>Discussion
Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies and procedures govern security and privacy function verification?
- •Who is responsible for monitoring system and information integrity?
- •How frequently are integrity monitoring processes reviewed and updated?
Technical Implementation:
- •What technical controls detect and respond to security and privacy function verification issues?
- •How are integrity violations identified and reported?
- •What automated tools support system and information integrity monitoring?
Evidence & Documentation:
- •Can you provide recent integrity monitoring reports or alerts?
- •What logs demonstrate that SI-6 is actively implemented?
- •Where is evidence of integrity monitoring maintained and for how long?
Ask AI
Configure your API key to use AI features.