Device Class 3 Controls

Device Class 3 Security Requirements:

• Confidentiality: MODERATE
• Integrity: HIGH
• Availability: MODERATE

Devices of class 3 must meet controls from NIST 800-53 and ISO/IEC 15408 in the following areas:

• Access Control
• AC-2 Account Management (Class 3)
• AC-3 Access Enforcement (Class 1)
• AC-4 Information Flow Enforcement (Class 1)
• AC-6 Least Privilege (Class 3)
• AC-7 Unsuccessful Authentication Attempts (Class 1)
• AC-8 System Use Notification (Class 1)
• AC-11 Session Lock (Class 1)
• AC-12 Session Termination (Class 1)
• AC-17 Remote Access (Class 1)
• AC-18 Wireless Access (Class 3)
• AC-21 Information Sharing (Class 2)
• Audit and Accountability
• AU-2 Audit Events (Class 1)
• AU-3 Content Of Audit Records (Class 3)
• AU-4 Audit Storage Capacity (Class 1)
• AU-5 Response To Audit Processing Failures (Class 3)
• AU-7 Audit Reduction And Report Generation (Class 1)
• AU-8 Time Stamps (Class 1)
• AU-9 Protection Of Audit Information (Class 3)
• AU-10 Non-repudiation (Class 3)
• AU-12 Audit Generation (Class 3)
• Configuration Management
• CM-7 Least Functionality (Class 1)
• CM-11 User-installed Software (Class 1)
• Contingency Planning
• CP-12 Safe Mode (Class 1)
• Identification and Authentication
• IA-2 Identification And Authentication (organizational Users) (Class 3)
• IA-5 Authenticator Management (Class 1)
• IA-6 Authenticator Feedback (Class 1)
• IA-7 Cryptographic Module Authentication (Class 1)
• IA-11 Re-authentication (Class 1)
• Incident Response
• IR-5 Incident Monitoring (Class 1)
• IR-6 Incident Reporting (Class 1)
• Media Protection
• MP-3 Media Marking (Class 2)
• MP-4 Media Storage (Class 2)
• MP-5 Media Transport (Class 2)
• MP-6 Media Sanitization (Class 3)
• Physical and Environmental Protection
• PE-4 Access Control For Transmission Medium (Class 2)
• PE-5 Access Control For Output Devices (Class 2)
• Privacy
• ISO FPR_PSE.1 Pseudonymity (Class 1)
• ISO FPR_PSE.2 Reversible Pseudonymity (Class 1)
• ISO FPR_UNL.1 Unlinkability (Class 1)
• Risk Assessment
• RA-5 Vulnerability Scanning (Class 1)
• System and Communications Protection
• SC-2 Application Partitioning (Class 1)
• SC-3 Security Function Isolation (Class 3)
• SC-4 Information In Shared Resources (Class 2)
• SC-5 Denial Of Service Protection (Class 1)
• SC-7 Boundary Protection (Class 3)
• SC-8 Transmission Confidentiality And Integrity (Class 2)
• SC-10 Network Disconnect (Class 1)
• SC-12 Cryptographic Key Establishment And Management (Class 2)
• SC-13 Cryptographic Protection (Class 1)
• SC-18 Mobile Code (Class 1)
• SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver) (Class 1)
• SC-22 Architecture And Provisioning For Name / Address Resolution Service (Class 1)
• SC-23 Session Authenticity (Class 1)
• SC-24 Fail In Known State (Class 3)
• SC-28 Protection Of Information At Rest (Class 2)
• SC-39 Process Isolation (Class 1)
• SC-42 Sensor Capability And Data (Class 2)
• System and Information Integrity
• SI-3 Malicious Code Protection (Class 1)
• SI-4 Information System Monitoring (Class 1)
• SI-7 Software, Firmware, And Information Integrity (Class 3)
• SI-10 Information Input Validation (Class 1)
• SI-11 Error Handling (Class 1)
• SI-16 Memory Protection (Class 1)
• SI-17 Fail-safe Procedures (Class 3)
• System and Services Acquisition
• SA-10 Developer Configuration Management (Class 1)
• SA-11 Developer Security Testing And Evaluation (Class 1)
• SA-12 Supply Chain Protection (Class 3)
• SA-18 Tamper Resistance And Detection (Class 3)

Compared to Class 2 devices, devices of class 3 will have additional requirements in the areas of:

• Access Control
• AC-2 Account Management (Class 3)
• AC-6 Least Privilege (Class 3)
• AC-18 Wireless Access (Class 3)
• Audit and Accountability
• AU-3 Content Of Audit Records (Class 3)
• AU-5 Response To Audit Processing Failures (Class 3)
• AU-9 Protection Of Audit Information (Class 3)
• AU-10 Non-repudiation (Class 3)
• AU-12 Audit Generation (Class 3)
• Identification and Authentication
• IA-2 Identification And Authentication (organizational Users) (Class 3)
• Media Protection
• MP-6 Media Sanitization (Class 3)
• System and Communications Protection
• SC-3 Security Function Isolation (Class 3)
• SC-7 Boundary Protection (Class 3)
• SC-24 Fail In Known State (Class 3)
• System and Information Integrity
• SI-7 Software, Firmware, And Information Integrity (Class 3)
• SI-17 Fail-safe Procedures (Class 3)
• System and Services Acquisition
• SA-12 Supply Chain Protection (Class 3)
• SA-18 Tamper Resistance And Detection (Class 3)