IRS Office of Safeguards SCSEM

Internal Revenue Service

Office of Safeguards

SCSEM Subject: Network Assessment

SCSEM Version: 1.5
SCSEM Release Date: June 3, 2015

NOTICE:
The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test
environment prior to deployment in production. In some cases a security setting may impact a systems functionality and usability. Consequently,
it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration
should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data
files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

General Testing Information

Agency Name:
Agency Code:
Test Location:
Test Date:
Closing Date:
Shared Agencies:
Name of Tester:

Agency Representatives and Contact Information

Name:
Org:
Title:
Phone:
E-mail:

Name:
Org:
Title:
Phone:
E-mail:

This SCSEM was designed to comply with Section 508 of the Rehabilitation Act
Please submit SCSEM feedback and suggestions to SafeguardReports@IRS.gov
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program

348117775.xls Page 1 of 11
 IRS Office of Safeguards SCSEM
Testing Results
INSTRUCTIONS:
Sections below are automatically calculated.

The 'Info' status is provided for use by the tester during test execution to indicate more information is needed to complete the test.
It is not an acceptable final test status, all test cases should be Pass, Fail or N/A at the conclusion of testing.

All SCSEM Test Results

Final Test Results (This table calculates all tests in the Test Cases tab) Overall SCSEM Statistics
Additional
Total Number of Weighted
Passed Failed Information N/A
Tests Performed Pass Rate
All SCSEM Tests Complete Blank Available
Requested
0 0 0 0 0 0 Totals 0 20 20

Weighted Score

348117775.xls Page 2 of 11
 IRS Office of Safeguards SCSEM
Instructions
Introduction and Purpose:
This SCSEM is used by the IRS Office of Safeguards to evaluate an agencys network, focusing on key perimeter and internal network segment entry
points for network segments containing systems that receive, store, process or transmit FTI; and logical placement of networking equipment to ensure
control of the flow of FTI to and from the systems with FTI.

Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal
periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. Also the
agency can use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.

Test Cases Legend:

Test ID Pre-populated number to uniquely identify SCSEM test cases. The ID format includes the platform, platform version
and a unique number (01-XX) and can therefore be easily identified after the test has been executed.
NIST ID Mapping of test case requirements to one or more NIST SP 800-53 control identifiers for reporting purposes.
NIST Control Name Full name which describes the NIST ID.
Test Method: The test case is executed by Interview, Examine or Test methods in accordance with the test methodology specified
in NIST SP 800-53A. In test plans where SCAP testing is available, Automated and Manual indicators are added to
the Test method to indicate whether the test can be accomplished through the SCAP tool.
Test Objective Description of specifically what the test is designed to accomplish. The objective should be a summary of the
test case and expected results.
Test Procedures A detailed description of the step-by-step instructions to be followed by the tester. The test procedures should be
executed using the applicable NIST 800-53A test method (Interview, Examine, Test).
Expected Results Provides a description of the acceptable conditions allowed as a result of the test procedure execution.
Actual Results The tester shall provide appropriate detail describing the outcome of the test. The tester is responsible for identifying
Interviewees and Evidence to validate the results in this field or the separate Notes/Evidence field.
Status The tester indicates the status for the test results (Pass, Fail, Info, N/A). "Pass" indicates that the expected results
were met. "Fail" indicates the expected results were not met. "Info" is temporary and indicates that the test execution
is not completed and additional information is required to determine a Pass/Fail status. "N/A" indicates that the
test subject is not capable of implementing the expected results and doing so does not impact security. The tester
must determine the appropriateness of the "N/A" status.
Notes/Evidence As determined appropriate to the tester or as required by the test method, procedures or expected results, the tester
may need to provide additional information pertaining to the test execution (Interviewee, Documentation, etc.)
Criticality A baseline risk category has been pre-populated next to each control to assist agencies in establishing priorities for
corrective action. The reviewer has the discretion to change the prioritization to accurately reflect the risk and the overall
security posture based on environment specific testing.

348117775.xls Page 3 of 11
 IRS Office of Safeguards SCSEM
Test Cases
Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-01 AU-12 Audit Generation Examine/ Network boundary devices,
Interview including firewalls, network-
based IPS, and inbound and
outbound proxies, are
configured to verbosely log
all traffic (both allowed and
blocked) arriving at the
device.
1. Review the network boundary device 1. Verbose logging is enabled on all network
configurations. boundary devices.
2. Ensure that logs are being captured on
network boundary devices, including all activity
related to firewalls, network-based IPS,
inbound and outbound proxies (verbose
logging is enabled).

NET-02 AU-3 Content of Audit Examine/ Audit log settings capture 1. Validate audit log settings for each hardware 1. Systems record logs in a standardized
Records Interview consistent information in a device and the software installed on it, ensuring format such as syslog entries or those
standard format. that logs include a date, timestamp, source outlined by the Common Event Expression
addresses, destination addresses, and various initiative.
other useful elements of each packet and/or 2. If systems cannot generate logs in a
transaction. standardized format, log normalization tools
are deployed to convert logs into a
standardized format.

NET-03 AU-3 Content of Audit Examine/ All remote access (i.e., VPN, 1. Review the remote access points to the 1. All remote access to the network with FTI is
Records Interview dial-up, or other mechanism) network with FTI and determine how the logged.
to the network that contains remote access it being logged.
the systems with FTI, 2. Review the point where the external
whether to the DMZ or an demarcation point is to the internal FTI network
internal network, is logged. (DMZ or other location) and determine whether
the method of connection (VPN, dial-up, etc.) is
being logged.
3. Review the logs and ensure that remote
access users connection information is being
tracked from the demarcation point through to
the internal destination.

NET-04 AU-4 Audit Storage Examine/ Logs for network devices 1. Ensure that all network devices that store 1. Network device logs have adequate storage
Capacity Interview have been allocated logs have adequate storage space for the logs space and logs are backed up and archived
adequate storage space to generated, so that log files will not fill up off of the system for storage in accordance
retain audit records for the between log rotation intervals. with IRS requirements of 7 years.
required audit retention 2. Ensure that the logs are backed up, archived
period of 7 years. off of the system, and retained for a period of 7
years.
Note: At a minimum these
logs should contain security-
relevant events that satisfy
the (AU-2) requirements fom
IRS Publication 1075.

348117775.xls Page 4 of 11
 IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-05 AU-6 Audit Review, Examine/ Network and host-based logs 1. Interview the system administrator and 1. System administrators/security personnel
Analysis, and Interview are reviewed on a weekly ensure that network and host-based logs are regularly review all network and host-based
Reporting basis for anomalies. reviewed on a weekly basis or more frequently logs on a weekly basis, are reviewing
at the discretion of the information system anomalies, and are documenting findings and
owner for indications of unusual activity related reporting in accordance with the agency's
to potential unauthorized access. incident reporting procedures.
2. Ask the system administrator to walk through 2. The agency's log review process includes
the review process and determine how regularly reviewing network activity for
anomalies are identified and handled. abnormal increases in network traffic from the
3. Ask about the agency's process for agency's normal traffic threshold.
monitoring increases in network activity. 3. Abnormal increases in network traffic
activity are reported in accordance with the
agency's incident reporting procedures

NET-06 CM-8 Information System Examine/ A software asset inventory of
Component Inventory Interview all software used to receive,
process, store or transmit FTI
is maintained in production
and pre-production
environments.
1. Obtain the agency's IT software asset
inventory (including software used in pre-
production/development environments).
2. Review the IT software asset inventory to
verify systems that receive process, store or
transmit FTI are included and identified.
3. Determine the process used to keep the
inventory current, and verify the inventory is up
to date in accordance with the agency's policy.
4. Determine if the agency has the capability to
monitor for unauthorized software on the
network.
1. The software inventory includes a list of
authorized software that is required in the
enterprise for each type of system, including
servers, workstations, and laptops of various
kinds and uses in production and pre-
production environments.
2. The inventory tracks the version number
and patch level of the underlying operating
system as well as the installed applications.
3. The network is monitored for deviations
from the expected inventory of software, and
security and/or operations personnel are
alerted when deviations or unauthorized
software is discovered.

NET-07 CM-8 Information System Examine/ A hardware asset inventory
Component Inventory Interview of all systems and devices
that receive, process, store
or transmit FTI is maintained
in production and pre-
production environments.
1. Obtain the agency's IT hardware asset
inventory (including hardware used in pre-
production/development environments).
2. Review the IT hardware asset inventory to
verify systems that receive process, store or
transmit FTI are included and identified.
3. Determine the process used to keep the
inventory current, and verify the inventory is up
to date in accordance with the agency's policy.
4. Determine if the agency has the capability to
monitor for unauthorized hosts on the network.
1. The organization maintains an asset
inventory of the systems and devices that
receive, process, store and transmit FTI in
production and pre-production environments,
including but not limited to desktops, laptops,
servers, network equipment (routers,
switches, firewalls, etc.), printers, storage area
networks, voiceover-IP telephones, etc. The
inventory of information system components
includes detail such as make, model, OS,
type, model, serial number, physical location,
owner, and machine name.
2. The inventory includes systems and
devices that receive, store, process and
transmit FTI in a pre-production environment.
3. The inventory is kept current through
periodic manual inventory checks or a network
monitoring tool automatically maintains the
inventory.
4. The network is monitored for deviations
from the expected inventory of assets on the
network, and security and/or operations
personnel are alerted when deviations or
unauthorized hosts are discovered.

348117775.xls Page 5 of 11
 IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-08 RA-5 Vulnerability Scanning Examine/ Network and system
Interview vulnerability scanning is
performed on a monthly
basis to identify
vulnerabilities.
1. Interview agency personnel to determine the
frequency for automated vulnerability scanning
of systems and networks that receive, store,
process and transmit FTI.
2. Examine procedures to determine the
process for analyzing vulnerability scan reports
and results from security control assessments.
3. Examine procedures to determine the
process for reporting vulnerabilities to
designated personnel in the agency.
4. Examine the procedures for remediating
vulnerabilities in accordance with an agency
acceptance of risk.
1. The agency conducts automated
vulnerability scanning against systems and
networks that receive, store, process and
transmit FTI at least monthly.
2. The agency compares the results from
back-to-back vulnerability scans to verify that
vulnerabilities were addressed either by
patching, implementing a compensating
control, or documenting and accepting a
reasonable business risk.
3. Security personnel share vulnerability
reports indicating critical issues with senior
management.
4. Any vulnerability identified is remediated in
a timely manner, with critical vulnerabilities
taking highest priority.

NET-09 SC-7 Boundary Protection Examine/ The network architecture is 1. Review the agency's network diagram to
Interview layered to provide protection determine how traffic to systems that receive,
to systems that receive, process, store or transmit FTI is limited only
store, process or transmit services needed for authorized business use
FTI. and limited access to authorized personnel.
2. Identify all access points into the information
system and how segmentation is handled, and
determine what protection is employed at each
network segment where FTI is present. This
review should cover the point where FTI enters
the network from the perimeter to where it is
stored or currently resides.
1. The agency's internal network is segmented
into separate trust zones to provide more
granular control of system access and
additional intranet boundary defenses.
Segmentation limits traffic to systems that
receive, process, store or transmit FTI to only
services needed for business use and to
authorized personnel.
2.The network segment where the systems
that receive, store, process and transmit FTI
are located are protected with a firewall to
control the traffic into that network. There are
multiple layers of protection (defense-in-
depth).

NET-10 SC-7 Boundary Protection Examine/ Network Address Translation
Interview (NAT) is implemented at the
public traffic demarcation
point on the network to
protect internal addresses
from being disclosed publicly.
1. Review the network traffic flow/data flow
diagram and determine where the demarcation
point is for public traffic on the network.
2. Review the boundary device located at that
point and ensure that the router or firewall is
configured with NAT enabled.
1. The agency employs NAT to protect internal
IPs from being publicly disclosed.
2. If NAT is not implemented at the agencys
boundary firewall or router then it must be
implemented on each firewall or router that
protects network segments that contain
components which receive, process, store, or
transmit FTI.

NET-11 SC-7 Boundary Protection Examine/ The network architecture 1. Review the network traffic flow/data flow 1. Publicly accessible components reside in a *Criticality may be
Interview separates internal systems diagram to determine how publicly accessible screened subnet (DMZ) architecture to upgraded to Critical if FTI
from DMZ systems. information system components are protected provide boundary protection. systems are directly
and arranged. 2. DMZ systems do not contain FTI and accessible from the
internal systems with FTI are not directly Internet
accessible from the Internet.

348117775.xls Page 6 of 11

Test ID NIST ID NIST Control Name Test Method Test Objective
NET-12 SC-7 Boundary Protection Examine/ Managed interfaces
Interview employing boundary
protection at Internet
gateways and internal
network segments with FTI
implement ingress and
egress filtering to allow only
those ports and protocols
with an explicit and
documented business need.
NET-13 SC-7 Boundary Protection Examine/ Managed interfaces
Interview employing boundary
protection to systems with
FTI are configured with a
default-deny rule that drops
all traffic except those
services and ports that are
explicitly allowed
NET-14 SI-4 Information System Examine/ An intrusion detection system
Monitoring Interview (IDS) is used to monitor
traffic at the agency's
network perimeter and the
perimeter of the network
segment with FTI.
NET-15 Si-4 Information System Examine/ Systems employing boundary
Monitoring Interview protection (Firewall, IDS and
HIPS) generate an alert or e-
mail notice upon detection of
a suspected attack.
348117775.xls
IRS Office of Safeguards SCSEM
Test Procedures
1. Review the agency's network diagram and
FTI-applicable inventory devices.
2. Review the managed interfaces employing
boundary protection at the network perimeter
and network segment where FTI systems are
located and determine what services (TCP and
UDP) are permitted.
3. For each permitted service, examine the
documented business need.
4. Determine if inbound filtering is enabled on
managed interfaces employing boundary
protection at the network perimeter and
network segment where FTI systems are
located.
1. Review the agency's network diagram and
FTI-applicable inventory devices.
2. Identify the managed interfaces employing
boundary protection (Firewall, IDS) and review
the settings to determine whether they are
configured to deny all traffic by default and
allow by exception. Firewalls shall be
configured to prohibit any Transmission Control
Protocol (TCP) or User Datagram Protocol
(UDP) service or other protocol/service that is
not explicitly permitted.
1. Examine the logical network design to
identify the location of IDS sensors on the
network.
2. Review the IDS settings and the network
configuration to ensure that an IDS monitors
all traffic.
1. Meet with the firewall and/or IDS
administrator and/or the administrator(s) for
systems employing boundary protection, to
determine how administrators are notified of
alerts for suspected attacks or attempts to
bypass system security measures (e.g.,
through console dashboard or reporting
mechanism)
Expected Results Actual Results Status Notes/Evidence
1. Firewalls and routers are configured to
prohibit any Transmission Control Protocol
(TCP) or User Datagram Protocol (UDP)
service or other protocol/service that is not
explicitly permitted
2. For each permitted service, the following
information is documented:
- Service allowed (including TCP or UDP port
number);
- Service description;
- Business case necessitating the service; and
- Internal controls associated with the service.
3. There are no services (TCP or UDP)
allowed except for the documented services.
4. Inbound filtering is implemented to reject
all data packets that have an internal agency
IP address.
1. The agency's managed interfaces
employing boundary protection are configured
to deny all traffic by default and allow traffic by
exception.
2. Firewalls are configured to prohibit any
Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP) service or other
protocol/service that is not explicitly permitted
1. Network-based IDS sensors are deployed
to monitor traffic on Internet and extranet DMZ
systems and networks, and network segments
with FTI that look for unusual attack
mechanisms and detect compromise of these
systems.
2. The IDS is configured to look for attacks
from external sources directed at DMZ and
internal systems, as well as attacks originating
from internal systems against the DMZ or
Internet.
1. When agency firewalls, IDS, HIPS, and
other systems employing boundary protection
generate a real-time alert or e-mail notice
regarding unauthorized packets based on a
suspected attack, or suspected attempt to
bypass system security occurs, administrators
are notified.
2. The alert is written to local and remote
consoles, an administrator must acknowledge
the alert, and the alert and administrator
acknowledgement are logged.
Page 7 of 11

Test ID NIST ID NIST Control Name Test Method Test Objective
NET-16 SI-4 Information System Examine/ Systems that receive,
Monitoring Interview process, store or transmit FTI
that are accessible by a host-
to-gateway VPN employ at
Host Intrusion Prevention
System (HIPS).
NET-17 SI-4 Information System Examine/ Where network boundary
Monitoring Interview protection mechanisms are
not granular enough to
protect FTI components (for
example a firewall is
employed which allows more
ports/protocols than is
necessary for communication
to the FTI component), a
Host Intrusion Prevention
System (HIPS) is employed.
NET-18 SI-3 Malicious Code Examine Malicious code protection is
Protection Interview implemented and current.
NET-19 SI-3 Malicious Code Examine/ Laptops, workstations, and
Protection Interview servers are configured to not
auto-run content from USB
tokens (i.e., "thumb drives"),
USB hard drives, CDs/DVDs,
Firewire devices, external
serial advanced technology
attachment devices, mounted
network shares, or other
removable media.
348117775.xls
IRS Office of Safeguards SCSEM
Test Procedures
1. Determine whether there are any host-to-
gateway VPN connections to systems with FTI.
2. For host-to-gateway VPN connections,
determine if the destination host with FTI
employs a HIPS.
1. Review the network boundary protection
components and their settings.
2. Determine whether the boundary protection
mechanisms are granular enough to
specifically protect FTI components or if the
firewall is too permissive (e.g., if the firewall
allows more ports/protocols than necessary for
communication to the FTI component)
Note: This would be applicable if any of test
cases 9-13 for the SC-7 control do not pass.
1. Interview agency personnel to determine
whether malicious code protection software is
configured to scan files transported by email,
email attachments, and web accesses.
2. Examine procedures to determine the
process for updating malicious code protection
software for signature definition releases.
3. Examine malicious code protection software
to determine it is configured to perform periodic
scans of the information system and real-time
scans of files from external sources as the files
are downloaded, opened, or executed.
4. Examine procedures to determine the
process for addressing the receipt of false
positives during malicious code detection and
eradication and the resulting potential impact
on the availability of the information system.
1. Interview system administrators and
determine whether servers, workstations, and
laptops are configured to ensure that
removable media does not auto-run when
connected (i.e. USB hard drives, CD/DVD
drives).
2. Sample the FTI-applicable inventory and
choose at least one server, workstation, and
laptop, review the configuration to make sure
that the infrastructure is not configured to auto
run removable media.
Expected Results Actual Results Status Notes/Evidence
1. If host-to-gateway VPN connections exist to
systems with FTI where the traffic between the
VPN gateway and the destination host is not
protected by IPSec, a HIPS is installed on the
destination host to provide defense-in-depth
by detecting attacks and monitoring for
potentially malicious traffic.
1. A HIPS is installed on each FTI-applicable
system which is logically positioned for
protection behind the boundary device. The
HIPS should be specifically configured for
each individual device and those settings
should be documented.
1. The agency employs malicious code *Criticality may be
protection mechanisms at information system upgraded to Critical if
entry and exit points and at workstations, malicious code protection
servers, or mobile computing devices on the mechanisms are not
network to detect and eradicate malicious implemented
code transported by email, email attachments,
and web accesses.
2. The malicious code protection software
employs signature auto update features or
administrators manually push updates to all
machines on a daily basis. After applying an
update, each system is verified it has received
its signature update.
3. Malicious code protection software is
configured to perform periodic scans of the
information system and real-time scans of files
from external sources as the files are
downloaded, opened, or executed.
4. Procedures are in place to address the
receipt of false positives during malicious
code detection and eradication and the
resulting potential impact on the availability of
the information system.
1. Servers, workstations, and laptops are not
configured to auto-run removable media.
Page 8 of 11
 IRS Office of Safeguards SCSEM

Test ID NIST ID NIST Control Name Test Method Test Objective Test Procedures Expected Results Actual Results Status Notes/Evidence

NET-20 SI-3 Malicious Code Examine/ Laptops, workstations, and 1. Interview system administrators and ensure 1. Servers, workstations, and laptops are
Protection Interview servers are configured to that FTI-applicable infrastructure is configured configured to automatically scan removable
conduct an automated anti- to automatically run an anti-malware scan media for malware when inserted.
malware scan of removable (such as Symantec or McAfee) when the
media when it is inserted. removable media is inserted.
2. Sample the FTI-applicable inventory and
choose at least, one server, workstation, and
laptop, review the configuration to make sure
that the infrastructure automatically scans
removable media for malware when it is
inserted.

348117775.xls Page 9 of 11
 IRS Office of Safeguards SCSEM
Appendix
SCSEM Sources:
This SCSEM was created for the IRS Office of Safeguards based on the following resources.
IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies
NIST SP 800-53 Rev. 4, Recommended Security Controls for Federal Information Systems and Organizations (April 2013)
NIST SP 800-41 Guidelines on Firewalls and Firewall Policy
DISA Network Policy Security Technical Implementation Guide Version 8 Release 4 29 October 2010
DISA Firewall Security Technical Implementation Guide Version 8 Release 3 27 August 2010
Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG) Version 3.0 15 April 2011

Out of Scope Controls - Unselected NIST 800-53 Controls

Reason: Not required by Publication 1075. See Publication 1075 for more details.
AC-21, AU-13, AU-14, CP-3, CP-8, CP-9, CP-10, IA-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PM-1, PM-3, PM-5, PM-6, PM-7, PM-8,
PM-9, PM-10, PM-11, SA-12, SA-13, SA-14, SC-16, SC-20, SC-22, SC-25, SC-26, SC-27, SC-28, SC-29, SC-30, SC-31, SC-33, SC-34, SI-8, SI-13

Out of Scope Controls - Policy & Procedural Controls

Reason: Tested in the Management, Operational and Technical (MOT) SCSEM
AC-1, AC-14, AC-18, AC-19, AC-20, AC-22, AT-3, AT-4, AU-1, AU-7, AU-11, CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CM-1, CM-2, CM-3, CM-4, CM-5,
CM-6, CM-7, CM-8, CM-9, CP-1, CP-2, CP-4, CP-6, IA-1, IR-3, IR-7, IR-8, MA-1, MA-2, MA-3, MA-4, MA-5, PL-1, PL-2, PL-4, PL-5, PL-6, PM-2, RA-1,
RA-2, RA-3, RA-5, SA-1, SA-2, SA-3, SA-4, SA-5, SA-6, SA-7, SA-8, SA-10, SA-11, SC-1, SC-5, SC-7, SC-12, SC-15, SC-17, SC-18, SC-19, SC-32,
SI-1, SI-4, SI-5, SI-7, SI-9, SI-10, SI-11

Out of Scope Controls - Physical Security or Disclosure Controls

Reason: Tested in the Safeguard Disclosure Security Evaluation Matrix (SDSEM)
AT-1, AT-2, CP-7, IR-1, IR-2, IR-4, IR-5, IR-6, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PE-16,
PE-17, PE-18, PM-4, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-9, SI-12

348117775.xls Page 10 of 11
 IRS Office of Safeguards SCSEM
Change Log
Version Date Description of Changes Author
0.1 2/18/2011 First Release Booz Allen Hamilton
0.2 6/29/2011 Updated based on Network Defense-in-Depth Memo Release Booz Allen Hamilton
0.3 11/24/2011 Updated based on Top 20 Critical Security Controls Booz Allen Hamilton
0.4 12/8/2011 Updated based on internal feedback session. Booz Allen Hamilton
1.0 9/28/2012 Update to new template. Increase version to 1.0. Booz Allen Hamilton
1.1 2/12/2013 Minor update to correct worksheet locking capabilities. Added back NIST control name to Test Cases Tab. Booz Allen Hamilton

1.2 9/26/2013 Update test cases based on NIST 800-53 R4 Booz Allen Hamilton
1.3 4/11/2014 No major updates. Template update. Booz Allen Hamilton
1.4 1/9/2015 Added baseline Criticality Score and Issue Codes, weighted test cases based on criticality, and updated Results Booz Allen Hamilton
1.4.1 1/28/2015 Updated baseline Criticality Scores per risk management initiative and feedback Booz Allen Hamilton
1.5 6/3/2015 Updated NET-08 to meet IRS Requirement for monthly scanning. NET-05 & NET-04 updated to IRS Booz Allen Hamilton
Requirement for weekly review of audit logs and 7 years of log retention.

348117775.xls Page 11 of 11