NZISM-3.3-to-3.6.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8" />

    <title>NZISM Comparison</title>

    <style type="text/css">
        body {
    font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
}

h1 {
    color: #040477;
}

table {
    border: 1px solid black;
    border-collapse: collapse;
}

thead {
    background-color: #040477;
    color: white;
}

th, td {
    padding: 0.3em;
    text-align: left;
}

td {
    border: 1px solid black;
    max-width: 800px;
    overflow-wrap: break-word;
}

span.insert {
    text-decoration: underline;
    background-color: mediumseagreen;
}

span.delete {
    text-decoration: line-through;
    background-color: firebrick;
}
    </style>
</head>
<body>
    <section>
        <p>This is a report of changes between <strong>nzism-data/NZISM-FullDoc-V.3.3-February 2020.xml</strong> and <strong>nzism-data/NZISM-FullDoc-V.3.6-September-2022.xml</strong>.</p>
        <ul>
            <li><a href="#controls_added">Controls Added</a></li>
            <li><a href="#controls_removed">Controls Removed</a></li>
            <li><a href="#controls_changed">Controls Changed</a></li>
        </ul>
    </section>
    <section id="controls_added">
        <h1>Controls Added</h1>

        <table>
            <thead>
                <tr>
                    <th>CID</th>
                    <th>Title</th>
                    <th>Classifications</th>
                    <th>Compliances</th>
                    <th>Text</th>
                </tr>
            </thead>
            <tbody>
                
                <tr>
                    <td>7045</td>
                    <td>2.3.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies intending to adopt public cloud technologies or services MUST develop a plan for how they intend to use these services.  This plan can be standalone or part of an overarching ICT strategy.</td>
                </tr>
                
                <tr>
                    <td>7046</td>
                    <td>2.3.25.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>An agency’s cloud adoption plan SHOULD cover:
Outcomes and benefits that the adoption of cloud technologies will bring;
Risks introduced or mitigated through the use of cloud, and the agency’s risk tolerance;
Financial and cost accounting models;
Shared responsibility models;
Cloud deployment models;
Cloud security strategy;
Resilience and recovery approaches;
Data recovery on contract termination;
Cloud exit strategy and other contractual arrangements; and
A high level description of the foundation services that enable cloud adoption, including:

User, device and system identity;
Encryption and key management;
Information management;
Logging and alerting;
Incident management;
Managing privileged activities; and
Cost management.


</td>
                </tr>
                
                <tr>
                    <td>7049</td>
                    <td>2.3.26.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies intending to adopt public cloud technologies or services SHOULD incorporate Zero Trust philosophies and concepts.</td>
                </tr>
                
                <tr>
                    <td>7050</td>
                    <td>2.3.26.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD leverage public cloud environment native security services as part of legacy system migrations, in preference to recreating application architectures that rely on legacy perimeter controls for security.</td>
                </tr>
                
                <tr>
                    <td>7206</td>
                    <td>2.4.13.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure they are aware of the latest developments in post-quantum cryptography.  GCSB is tracking these developments and will continue to provide advice through the NZISM.</td>
                </tr>
                
                <tr>
                    <td>7207</td>
                    <td>2.4.13.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD maintain an inventory of sensitive and critical datasets that must be secured for an extended amount of time.  This will ensure datasets that may be at risk now and decrypted once a cryptographically relevant quantum computer is available are not secured solely through the use of quantum vulnerable cryptography.</td>
                </tr>
                
                <tr>
                    <td>7208</td>
                    <td>2.4.13.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD conduct an inventory of systems using cryptographic technologies to determine the potential size and scope of future transition work once post-quantum cryptographic systems become available.</td>
                </tr>
                
                <tr>
                    <td>7209</td>
                    <td>2.4.13.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD identify which systems in their inventory rely on public key cryptography and note them as quantum vulnerable in agency risk assessments.</td>
                </tr>
                
                <tr>
                    <td>7210</td>
                    <td>2.4.13.C.05.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD determine a priority order for quantum vulnerable systems to be transitioned from classical cryptography to post-quantum cryptography.</td>
                </tr>
                
                <tr>
                    <td>7211</td>
                    <td>2.4.13.C.06.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD consider the following factors when prioritising the quantum vulnerable systems:
Is the system a high value asset based on agency requirements?
Does the system protect sensitive information (e.g. key stores, passwords, root keys, signing keys, personally identifiable information, and classified information)?
Do other systems (internal or external to the agency) depend on the cryptographic protections in place on the quantum vulnerable system?
How long does the data need to be protected?
</td>
                </tr>
                
                <tr>
                    <td>7212</td>
                    <td>2.4.13.C.07.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Using the inventory and prioritisation information, agencies SHOULD develop a plan for system transitions upon publication of the new post-quantum cryptographic standard.</td>
                </tr>
                
                <tr>
                    <td>7084</td>
                    <td>3.2.10.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD work with system owners, system certifiers and system accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.</td>
                </tr>
                
                <tr>
                    <td>7130</td>
                    <td>5.9.23.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency MUST undertake a risk assessment to determine which systems and services to include in the agency’s VDP.</td>
                </tr>
                
                <tr>
                    <td>7133</td>
                    <td>5.9.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency MUST develop and publish a VDP.</td>
                </tr>
                
                <tr>
                    <td>7134</td>
                    <td>5.9.24.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency’s VDP MUST contain at least the following core content:
A scoping statement listing the systems the policy applies to;
Contact details;
Secure communication options (including any public keys);
Information the finder should include in the report;
Acknowledgement of reports and a response time;
Guidance on what forms of vulnerability testing are out of scope for reporters/finders (permitted activities);
Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, in order to allow the agency to address any issues before they become public;
Illegal activities are not permitted (specifying the relevant legislation, such as the Crimes Act); and
Either that “Bug bounties” will not be paid for any discoveries, or it should provide information about the agency’s bug bounty programme.
</td>
                </tr>
                
                <tr>
                    <td>7136</td>
                    <td>5.9.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>An agency SHOULD publish a security.txt to permit secure communications and direct any reports to a specific agency resource, in accordance with the agency’s VDP.</td>
                </tr>
                
                <tr>
                    <td>7138</td>
                    <td>5.9.26.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>An agency MUST commit to addressing disclosed vulnerabilities within the timeframe it sets in its policy.</td>
                </tr>
                
                <tr>
                    <td>7139</td>
                    <td>5.9.26.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>An agency’s vulnerability disclosure timeframe SHOULD be set to no more than 90 days.</td>
                </tr>
                
                <tr>
                    <td>7141</td>
                    <td>5.9.27.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure they integrate their VDP with other elements of their information security policies.</td>
                </tr>
                
                <tr>
                    <td>6997</td>
                    <td>12.6.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Because of the risks that data can be recovered from monitors, it is essential that any redeployment or disposal of monitors MUST follow the guidance in the NZISM.</td>
                </tr>
                
                <tr>
                    <td>7165</td>
                    <td>13.5.24.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where a facility is NOT an approved facility, agencies MUST ensure any incineration equipment is rated for the destruction of electronic waste (WEEE) and the operator is properly authorised or licensed.</td>
                </tr>
                
                <tr>
                    <td>7166</td>
                    <td>13.5.24.C.04.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where a facility is NOT an approved facility, agencies MUST ensure processes are in place for the safe handling of electronic waste (WEEE), including any residual material from the destruction process.</td>
                </tr>
                
                <tr>
                    <td>6835</td>
                    <td>16.4.30.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST establish a Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6836</td>
                    <td>16.4.30.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Within the context of agency operations, the agency’s PAM policy MUST define:
a privileged account; and
privileged access.
</td>
                </tr>
                
                <tr>
                    <td>6837</td>
                    <td>16.4.30.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST manage Privileged Accounts in accordance with the Agency’s PAM Policy.</td>
                </tr>
                
                <tr>
                    <td>6842</td>
                    <td>16.4.31.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST apply the Principle of Least Privilege when developing and implementing a Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6843</td>
                    <td>16.4.31.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use two-factor or Multi-Factor Authentication to allow access to Privileged Accounts.</td>
                </tr>
                
                <tr>
                    <td>6846</td>
                    <td>16.4.32.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>As part of a Privileged Access Management (PAM) policy, agencies MUST establish and implement a strong approval and authorisation process before any privileged access credentials are issued.</td>
                </tr>
                
                <tr>
                    <td>6847</td>
                    <td>16.4.32.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must Not</td>
                    <td>Privileged Access credentials MUST NOT be issued until approval has been formally granted.</td>
                </tr>
                
                <tr>
                    <td>6852</td>
                    <td>16.4.33.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST establish robust credential suspension and revocation procedures as part of the agency’s Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6855</td>
                    <td>16.4.34.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST create and maintain a comprehensive inventory of privileged accounts and the associated access rights and credentials.</td>
                </tr>
                
                <tr>
                    <td>6859</td>
                    <td>16.4.35.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST create, implement and maintain a robust system of continuous discovery, monitoring and review of privileged accounts and the access rights and credentials associated with those accounts.</td>
                </tr>
                
                <tr>
                    <td>6860</td>
                    <td>16.4.35.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Privileged account monitoring systems MUST monitor and record:
individual user activity, including exceptions such as out of hours access;
activity from unauthorised sources;
any unusual use patterns; and
any creation of unauthorised privileges access credentials.
</td>
                </tr>
                
                <tr>
                    <td>6861</td>
                    <td>16.4.35.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST protect and limit access to activity and audit logs and records.</td>
                </tr>
                
                <tr>
                    <td>6864</td>
                    <td>16.4.36.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST develop and implement a response and remediation policy and procedure as part of an agency’s Privileged Access Management (PAM) policy.</td>
                </tr>
                
                <tr>
                    <td>6868</td>
                    <td>16.4.37.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST implement a Privileged Access Management (PAM) policy training module as part of the agency’s overall user training and awareness requirement.</td>
                </tr>
                
                <tr>
                    <td>6948</td>
                    <td>16.7.33.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST undertake a risk analysis before designing and implementing MFA.</td>
                </tr>
                
                <tr>
                    <td>6952</td>
                    <td>16.7.34.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The design of an agency’s MFA SHOULD include consideration of:
Risk Identification;
Level of security and access control appropriate for each aspect of an agency’s information systems (data, devices, equipment, storage, cloud, etc.)
A formal authorisation process for user system access and entitlements;
Logging, monitoring and reporting of activity;
Review of logs for orphaned accounts and inappropriate user access;
Identification of error and anomalies which may indicate inappropriate or malicious activity;
Incident response;
Remediation of errors;
Suspension and/or revocation of access rights where policy violations occur;
Capacity planning.
</td>
                </tr>
                
                <tr>
                    <td>6953</td>
                    <td>16.7.34.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Where an agency has implemented MFA they SHOULD:
Require MFA for administrative or other high privileged users; and
Implement a secure, multi-factor process to allow users to reset their normal usage user credentials.
</td>
                </tr>
                
                <tr>
                    <td>6956</td>
                    <td>16.7.35.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The design of an agency’s MFA system SHOULD be integrated with the agency’s Information Security Policy and the agency’s Privileged Access Management (PAM) Policy.</td>
                </tr>
                
                <tr>
                    <td>6960</td>
                    <td>16.7.36.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>When agencies implement MFA they MUST ensure users have an understanding of the risks, and include appropriate usage and safeguards for MFA in the agency’s user training and awareness programmes.</td>
                </tr>
                
                <tr>
                    <td>7189</td>
                    <td>17.2.21.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.</td>
                </tr>
                
                <tr>
                    <td>7181</td>
                    <td>17.2.24.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, SHOULD use a modulus of at least 4096 bits.</td>
                </tr>
                
                <tr>
                    <td>7186</td>
                    <td>17.2.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using RSA keys within internet X.509 Public Key Infrastructure certificates MUST use a modulus of at least 2048 bits.</td>
                </tr>
                
                <tr>
                    <td>7187</td>
                    <td>17.2.26.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>In all other cases when information requires integrity protection using hashing algorithms, Agencies MUST use a minimum of SHA-256.</td>
                </tr>
                
                <tr>
                    <td>7250</td>
                    <td>18.7.14.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST undertake a threat and risk assessment on the use of inverse split tunnelling prior to enabling the functionality in remote access VPN systems.</td>
                </tr>
                
                <tr>
                    <td>7251</td>
                    <td>18.7.14.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>When providing inverse split-tunnelled access to internet based services (“directly accessed services”), the following aspects SHOULD be considered as part of the threat and risk assessment:
How do directly accessed services authenticate agency device identities prior to granting access to the service?
How do agency devices securely resolve internet addresses for directly accessed services?
How are the communications between the devices and directly accessed services secured?
How does an agency monitor and account for access made to directly accessed services?
How does an agency protect devices from compromise if they are able to directly access internet based resources, or be directly accessed from the internet?
How do directly accessed services authenticate the user of the agency device prior to granting access to the service (this is separate to authenticating the agency device itself)?
How does an agency enforce the use of multi-factor authentication with directly accessed services?
How does an agency authorise access to directly accessed services, and does this include from devices that are not authorised to connect to agency remote access services (authorisation and authentication are separate activities)?
How is access to directly accessed cloud services removed when staff no longer require access or leave the agency?
</td>
                </tr>
                
                <tr>
                    <td>7349</td>
                    <td>23.1.53.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST clearly identify and understand where classification, security domain, and trust zone boundaries exist prior to implementation or adoption of public cloud services.</td>
                </tr>
                
                <tr>
                    <td>7350</td>
                    <td>23.1.53.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where multiple identity systems under different security policies are used to control access to an agency’s instance of a public cloud service, the instance MUST be considered to be in a separate security domain from services where access control is managed solely by the agency’s identity system.</td>
                </tr>
                
                <tr>
                    <td>7353</td>
                    <td>23.1.54.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST clearly identify and understand their cloud service provider’s security responsibilities for each service consumed, and the aspects of security that the agency is responsible for, prior to implementation or adoption of the service.</td>
                </tr>
                
                <tr>
                    <td>7354</td>
                    <td>23.1.54.C.02.</td>
                    <td></td>
                    <td>Should</td>
                    <td>Agencies SHOULD clearly document the aspects of security they and their provider are responsible for.</td>
                </tr>
                
                <tr>
                    <td>7355</td>
                    <td>23.1.54.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD review existing security processes to ensure compatibility with their cloud service provider’s responsibilities.</td>
                </tr>
                
                <tr>
                    <td>7359</td>
                    <td>23.1.55.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD deploy and manage their cloud infrastructure using automation, version control, and infrastructure as code techniques where these are available.</td>
                </tr>
                
                <tr>
                    <td>7386</td>
                    <td>23.2.16.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST update their risk assessment process to account for public cloud specific risks, prior to implementation or adoption of public cloud services.</td>
                </tr>
                
                <tr>
                    <td>7387</td>
                    <td>23.2.16.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST undertake a cloud specific risk assessment in line with the process outlined by the GCDO for each public cloud service, prior to implementation or adoption of public cloud services.</td>
                </tr>
                
                <tr>
                    <td>7388</td>
                    <td>23.2.16.C.03.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must Not</td>
                    <td>Agencies MUST NOT accredit public cloud services for use with data classified CONFIDENTIAL, SECRET, or TOP SECRET.</td>
                </tr>
                
                <tr>
                    <td>7389</td>
                    <td>23.2.16.C.04.</td>
                    <td>All Classifications</td>
                    <td>Must Not</td>
                    <td>Agencies MUST NOT accredit public cloud services to host, process, store, or transmit NZEO endorsed information.</td>
                </tr>
                
                <tr>
                    <td>7394</td>
                    <td>23.2.17.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST consider risks to the availability of systems and information in their design of cloud systems architectures, supporting controls, and governance processes prior to implementation or adoption of public cloud services.</td>
                </tr>
                
                <tr>
                    <td>7397</td>
                    <td>23.2.18.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD obtain regular assurance checks on cloud service providers, ensuring that they are undertaken by a suitably qualified assessor.</td>
                </tr>
                
                <tr>
                    <td>7400</td>
                    <td>23.2.19.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST obtain assurance that cloud service providers undertake appropriate software and operating system patching and maintenance.</td>
                </tr>
                
                <tr>
                    <td>7404</td>
                    <td>23.2.20.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST obtain assurance that technical protections exist to adequately isolate tenants.</td>
                </tr>
                
                <tr>
                    <td>7407</td>
                    <td>23.2.21.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD make use of the GCSB endorsed baseline security templates where applicable.  </td>
                </tr>
                
                <tr>
                    <td>7433</td>
                    <td>23.3.18.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Accounts used to perform privileged actions SHOULD NOT be synchronised between environments.</td>
                </tr>
                
                <tr>
                    <td>7436</td>
                    <td>23.3.19.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where administration interfaces or portals are accessible from the internet, privileged accounts MUST be configured to use multiple factors of authentication.</td>
                </tr>
                
                <tr>
                    <td>7437</td>
                    <td>23.3.19.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Where cloud service interfaces or portals are accessible from the internet, user accounts SHOULD be configured to use multiple factors of authentication.</td>
                </tr>
                
                <tr>
                    <td>7440</td>
                    <td>23.3.20.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Staff offboarding processes MUST be updated to include removing all access to public cloud based services, prior to implementation or adoption of public cloud services.</td>
                </tr>
                
                <tr>
                    <td>7443</td>
                    <td>23.3.21.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure that relying parties continually verify the authenticity of their identity provider’s responses, through for example, cryptographic signing of authentication requests and responses.</td>
                </tr>
                
                <tr>
                    <td>7446</td>
                    <td>23.3.22.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure that relying parties use all available information from the identity provider to inform access control decisions.</td>
                </tr>
                
                <tr>
                    <td>7461</td>
                    <td>23.4.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>For each cloud service, agencies MUST ensure that the mechanisms used to protect data meet agency requirements.</td>
                </tr>
                
                <tr>
                    <td>7462</td>
                    <td>23.4.9.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST update key management plans to account for differences in public cloud before storing organisational data in a public cloud environment.</td>
                </tr>
                
                <tr>
                    <td>7463</td>
                    <td>23.4.9.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure their key management plan includes provision for migrating data from the cloud environment where it was created.</td>
                </tr>
                
                <tr>
                    <td>7466</td>
                    <td>23.4.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST apply the principle of least privilege and configure service endpoints to restrict access to authorised parties.</td>
                </tr>
                
                <tr>
                    <td>7469</td>
                    <td>23.4.11.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST identify where data used in conjunction with a public cloud service is stored or processed, including any replicas or backups that may be created.</td>
                </tr>
                
                <tr>
                    <td>7470</td>
                    <td>23.4.11.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agency risk assessments of public cloud services MUST include any risks arising from data location. Any actions required to mitigate these risks must be identified and documented prior to implementation or adoption of public cloud services.</td>
                </tr>
                
                <tr>
                    <td>7474</td>
                    <td>23.4.12.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST update their disaster recovery plans prior to storing or replicating data in public cloud services, to ensure these plans address any cloud-specific aspects of backup and recovery.</td>
                </tr>
                
                <tr>
                    <td>7475</td>
                    <td>23.4.12.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>When planning tests of disaster recovery processes in accordance with 6.4.6 Backup strategy, agencies MUST include tests of any cloud-specific data recovery processes.</td>
                </tr>
                
                <tr>
                    <td>7494</td>
                    <td>23.5.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST understand the range of logging capabilities provided by their cloud service providers and determine whether they are sufficient for agency needs.</td>
                </tr>
                
                <tr>
                    <td>7496</td>
                    <td>23.5.11.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure that logs associated with public cloud services are collected, protected, and that their integrity can be confirmed in accordance with the agency’s documented logging requirements.</td>
                </tr>
                
                <tr>
                    <td>7498</td>
                    <td>23.5.12.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure that cloud service provider logs are incorporated into overall enterprise logging and alerting systems or procedures in a timely manner to detect information security incidents.</td>
                </tr>
                
                <tr>
                    <td>7499</td>
                    <td>23.5.12.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure that tools and procedures used to detect potential information security incidents account for the public cloud services being consumed by the agency.</td>
                </tr>
                
            </tbody>
        </table>
    </section>

    <section id="controls_removed">
        <h1>Controls Removed</h1>

        <table>
            <thead>
                <tr>
                    <th>CID</th>
                    <th>Title</th>
                    <th>Classifications</th>
                    <th>Compliances</th>
                    <th>Text</th>
                </tr>
            </thead>
            <tbody>
                
                <tr>
                    <td>383</td>
                    <td>3.3.6.C.05.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>ITSMs SHOULD work with system owners, systems certifiers and systems accreditors to determine appropriate information security policies for their systems and ensure consistency with the Protective Security Requirements (PSR) and in particular the relevant NZISM components.</td>
                </tr>
                
                <tr>
                    <td>2141</td>
                    <td>17.2.20.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using DSA, for the approved use of digital signatures, MUST use a modulus of at least 1024 bits.</td>
                </tr>
                
                <tr>
                    <td>2161</td>
                    <td>17.2.27.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>3DES MUST use either two distinct keys in the order key 1, key 2, key 1 or three distinct keys.</td>
                </tr>
                
                <tr>
                    <td>2170</td>
                    <td>17.2.28.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>AES implementations for symmetric encryption of data SHOULD use the Galois/Counter Mode (GCM).</td>
                </tr>
                
            </tbody>
        </table>
    </section>

    <section id="controls_changed">
        <h1>Controls Changed</h1>

        <table>
            <thead>
                <tr>
                    <th>CID</th>
                    <th>Title</th>
                    <th>Classifications</th>
                    <th>Compliances</th>
                    <th>Text</th>
                </tr>
            </thead>
            <tbody>
                
                <tr>
                    <td>127</td>
                    <td>1.1.64.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>System owners seeking a dispensation for non-compliance with any baseline controls in this manual MUST be granted a dispensation by their Accreditation Authority. Where High <span class="delete">Grad</span><span class="insert">Assuranc</span>e Cryptographic Systems (H<span class="insert">ACS) are implemented, the Accreditation Authority will be the Director-General </span>GCS<span class="delete">) are implemented, the Accreditation Authority will be the Director-General GCS</span>B or a formal delegate.</td>
                </tr>
                
                <tr>
                    <td>255</td>
                    <td>2.3.27.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies intending to adopt cloud technologies or services MUST conduct a comprehensive risk assessment, in accordance with the guidance provided by the G<span class="insert">overnment </span>C<span class="delete">I</span><span class="insert">hief Digital </span>O<span class="insert">fficer (GCDO)</span> before implementation or adoption.</td>
                </tr>
                
                <tr>
                    <td>283</td>
                    <td>3.1.8.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>When the agency head de<span class="delete">vo</span>l<span class="delete">v</span><span class="insert">egat</span>es their authority<span class="insert">,</span> the delegate SHOULD be <span class="insert">a senior executive who understands </span>the <span class="delete">CISO</span><span class="insert">consequences and potential impact to the business of the acceptance of residual risk</span>.</td>
                </tr>
                
                <tr>
                    <td>311</td>
                    <td>3.2.8.C.05.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Where <span class="insert">mul</span>t<span class="delete">h</span><span class="insert">ipl</span>e role<span class="insert">s</span> <span class="delete">of</span><span class="insert">are held by</span> the CISO <span class="delete">is outsourced,</span><span class="insert">any</span> potential conflicts of interest<span class="delete"> in availability, response times or working with vendors</span> SHOULD be identified and carefully managed.</td>
                </tr>
                
                <tr>
                    <td>322</td>
                    <td>3.2.11.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD be responsible for e<span class="insert">stablishing mechanisms and programs to e</span>nsur<span class="delete">ing</span><span class="insert">e</span> compliance with the information security policies and standards within the agency.</td>
                </tr>
                
                <tr>
                    <td>323</td>
                    <td>3.2.11.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD be responsible for ensuring agency compliance with the NZISM through facilitating a continuous program of certification and accreditation <span class="delete">b</span><span class="insert">of </span>a<span class="delete">sed</span><span class="insert">ll</span> <span class="delete">on security risk man</span>age<span class="insert">ncy syste</span>m<span class="delete">ent</span><span class="insert">s</span>.</td>
                </tr>
                
                <tr>
                    <td>334</td>
                    <td>3.2.13.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The CISO SHOULD liaise with agenc<span class="insert">y technolog</span>y architecture teams to ensure alignment between security and agency architectures.</td>
                </tr>
                
                <tr>
                    <td>391</td>
                    <td>3.3.8.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>ITSMs MUST be responsible for ensuring the development, maintenance, updating and implementation of Security Risk Management Plans (SRMPs), Systems Security Plans (S<span class="delete">ecPlan</span><span class="insert">SP</span>) and any Standard Operating Procedures (SOPs) for all agency systems.</td>
                </tr>
                
                <tr>
                    <td>569</td>
                    <td>4.3.18.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The SecPol, SRMP, S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>, SOPs and IRP documentation MUST be reviewed by the auditor to ensure that it is comprehensive and appropriate for the environment the system is to operate within.</td>
                </tr>
                
                <tr>
                    <td>634</td>
                    <td>4.4.12.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST notify the Government C<span class="delete">I</span><span class="insert">hief Digital </span>O<span class="insert">fficer (GCDO)</span> where All-of-Government systems are connected to agency systems operating with expired accreditations.</td>
                </tr>
                
                <tr>
                    <td>675</td>
                    <td>4.5.18.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>The Accreditation Authority MUST advise the GC<span class="delete">I</span><span class="insert">D</span>O where the accreditation decision may affect any All-of-Government systems.</td>
                </tr>
                
                <tr>
                    <td>702</td>
                    <td>5.1.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure that every system is covered by a S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>.</td>
                </tr>
                
                <tr>
                    <td>718</td>
                    <td>5.1.15.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure that their SRMP, Systems Architecture, S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>, SOPs and IRP are logically connected and consistent for each system, other agency systems and with the agency’s SecPol.</td>
                </tr>
                
                <tr>
                    <td>729</td>
                    <td>5.1.18.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure that their SecPol, SRMP, S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>, SOPs and IRP are appropriately classified.</td>
                </tr>
                
                <tr>
                    <td>781</td>
                    <td>5.2.3.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The Information Security Policy (SecPol) SHOULD include topics such as:
accreditation processes;
personnel responsibilities;
configuration control;
access control;
networking and connections with other systems;
physical security and media control;
emergency procedures and information security incident management;
<span class="insert">vulnerability disclosure;
</span>change management; and
information security awareness and training.
</td>
                </tr>
                
                <tr>
                    <td>828</td>
                    <td>5.4.5.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST select controls from this manual to be included in the S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span> based on the scope of the system with additional system specific controls being included as a result of the associated SRMP. Encryption Key Management requires specific consideration; refer to Chapter 17 – Cryptography.</td>
                </tr>
                
                <tr>
                    <td>829</td>
                    <td>5.4.5.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use the latest baseline of this manual when developing, and updating, their S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>s as part of the certification, accreditation and reaccreditation of their systems.</td>
                </tr>
                
                <tr>
                    <td>831</td>
                    <td>5.4.5.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD include a Key Management Plan in the S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>.</td>
                </tr>
                
                <tr>
                    <td>1048</td>
                    <td>6.1.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD review the components detailed in the table below.<span class="insert"> Agencies SHOULD also ensure that any adjustments and changes as a result of any vulnerability analysis are consistent with the vulnerability disclosure policy.</span>


Component
Review


Information security documentation
The SecPol, Systems Architecture, SRMPs, S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>s, SitePlan, SOPs<span class="insert">, the VDP,</span> the IRP, and any third party assurance reports.


Dispensations
Prior to the identified expiry date.


Operating environment
When an identified threat emerges or changes, an agency gains or loses a function or the operation of functions are moved to a new physical environment.


Procedures
After an information security incident or test exercise.


System security
Items that could affect the security of the system on a regular basis.


Threats
Changes in threat environment and risk profile.


NZISM
Changes to baseline or other controls, any new controls and guidance.


</td>
                </tr>
                
                <tr>
                    <td>1095</td>
                    <td>6.3.7.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD follow this change management process outline:
produce a written change request;
submit the change request to all stakeholders for approval;
document the changes to be implemented;
test the approved changes;
notification to user of the change schedule and likely effect or outage;
implement the approved changes after successful testing;
update the relevant information security documentation including the SRMP, S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span> and SOPs
notify and educate system users of the changes that have been implemented as close as possible to the time the change is applied; and
continually educate system users in regards to changes.
</td>
                </tr>
                
                <tr>
                    <td>1237</td>
                    <td>7.2.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST urgently notify GCSB of any suspected loss or compromise of keying material associated with H<span class="delete">G</span><span class="insert">A</span>CE.</td>
                </tr>
                
                <tr>
                    <td>1409</td>
                    <td>8.4.11.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies choosing to prevent the storage of classified information on non-volatile media and enforcing scrubbing of temporary data at logoff or shutdown SHOULD:
assess the security risks associated with such a decision; and
specify the processes and conditions for their application within the system’s S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>.
 </td>
                </tr>
                
                <tr>
                    <td>1412</td>
                    <td>8.4.12.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies securing volatile media for IT equipment during non-operational hours SHOULD:
disconnect power from the equipment the media resides within;
assess the security risks if not sanitising the media; and
specify any additional processes and controls that will be applied within the system’s S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>.
</td>
                </tr>
                
                <tr>
                    <td>1480</td>
                    <td>9.2.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST specify in the System Security Plan (S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>) any authorisations, security clearances and briefings necessary for system access.</td>
                </tr>
                
                <tr>
                    <td>1484</td>
                    <td>9.2.11.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD:
limit system access on a need-to-know/need-to-access basis;
provide system users with the least amount of privileges needed to undertake their duties;<span class="delete"> and</span>
have any requests for access to a system authorised by the supervisor or manager of the system user<span class="insert">; and
ensure a formal acknowledgement of the security briefing is obtained and recorded</span>.
</td>
                </tr>
                
                <tr>
                    <td>1487</td>
                    <td>9.2.12.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD:
maintain a secure record of:

all authorised system users;
their user identification;
why access is required;
role and privilege level,
who provided the authorisation to access the system;
when the authorisation was granted; and

<span class="insert">keep a copy of the acknowledgement signed by the individual granted a clearance; and
</span>maintain the record, for the life of the system or <span class="insert">information to which access is granted, or </span>the length of employment<span class="insert">,</span> whichever is the longer<span class="delete">, to which access is granted</span>.
</td>
                </tr>
                
                <tr>
                    <td>1508</td>
                    <td>9.2.18.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies granting limited higher access to a system MUST ensure that:
<span class="delete">effecti</span><span class="insert">the appro</span>v<span class="delete">e controls are in place to restrict access to only</span><span class="insert">al for access is formally acknowledged and recorded; and either
effective controls are in place to restrict access only to</span> classified information that is necessary to undertake the system user’s duties; or
the system user is continually supervised by another system user who has the appropriate security clearances to access the system.
</td>
                </tr>
                
                <tr>
                    <td>2412</td>
                    <td>10.5.11.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD inspect cables for inconsistencies with the cable register in accordance with the frequency defined in the S<span class="delete">ec</span><span class="insert">S</span>P<span class="delete">lan</span>.</td>
                </tr>
                
                <tr>
                    <td>5626</td>
                    <td>10.6.29.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Cabinet rails MUST be installed to<span class="insert">:</span>
provide adequate room for patch cables and wire managers;
provide adequate space for cable management at front, sides, and rear; and
arrange switches and patch panels to minimize patching between cabinets & racks.
</td>
                </tr>
                
                <tr>
                    <td>2662</td>
                    <td>11.3.12.C.02.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies <span class="insert">MU</span>S<span class="delete">HOULD</span><span class="insert">T</span> use push-to-talk <span class="insert">mec</span>han<span class="delete">d</span><span class="insert">i</span>s<span class="delete">et</span><span class="insert">m</span>s to meet the requirement for off-hook audio protection.<span class="insert"> PTT activation MUST be clearly labelled.</span></td>
                </tr>
                
                <tr>
                    <td>3455</td>
                    <td>12.4.5.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Where known vulnerabilities cannot be patched, or security patches are not available, agencies SHOULD implement:
controls to resolve the vulnerability such as:

disable the functionality associated with the vulnerability though product configuration;
ask the vendor for an alternative method of managing the vulnerability;
install a version of the product that does not have the identified vulnerability;
install a different product with a more responsive vendor; or
engage a software developer to correct the software.

controls to prevent exploitation of the vulnerability including:

apply external input sanitisation (if an input triggers the exploit);
apply filtering or verification on the software output (if the exploit relates to an information disclosure);
apply additional access controls that prevent access to the vulnerability; or
configure firewall rules to limit access to the vulnerable software.

controls to contain the exploit including:

apply firewall rules limiting outward traffic that is likely in the event of an exploitation;
apply mandatory access control preventing the execution of exploitation code; or
set file system permissions preventing exploitation code from being written to disk; 
<span class="insert">allo</span>w<span class="delete">hite and black</span><span class="insert"> and deny </span>listing to prevent code execution; and

controls to detect attacks including:

deploy an IDS;
monitor logging alerts; or
use other mechanisms as appropriate for the detection of exploits using the known vulnerability.

controls to prevent attacks including:

deploy an IPS or HIPS; or
use other mechanisms as appropriate for the diversion of exploits using the known vulnerability, such as honey pots and Null routers.

</td>
                </tr>
                
                <tr>
                    <td>3537</td>
                    <td>12.6.4.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST sanitise or destroy, then declassify, IT equipment containing <span class="insert">any </span>media before disposal.</td>
                </tr>
                
                <tr>
                    <td>3566</td>
                    <td>12.6.8.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST visually inspect video screens by turning up the brightness to the maximum level to determine if any classified information has been burnt into or persists on the screen<span class="insert">, before redeployment or disposal</span>.</td>
                </tr>
                
                <tr>
                    <td>3572</td>
                    <td>12.6.9.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST attempt to sanitise video screens with minor burn-in or image persistence by displaying a solid white image on the screen for an extended period of time.<span class="insert"> If burn-in cannot be corrected the screen MUST be processed through an approved destruction facility.</span></td>
                </tr>
                
                <tr>
                    <td>4302</td>
                    <td>13.5.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="delete">Agencies </span>M<span class="delete">UST employ approved equipment for the purpose of m</span>edia and IT <span class="delete">E</span><span class="insert">e</span>quipment destruction<span class="insert"> MUST be performed using approved destruction equipment, facilities and methods</span>.</td>
                </tr>
                
                <tr>
                    <td>4304</td>
                    <td>13.5.24.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Where agenc<span class="delete">y</span><span class="insert">ies do not</span> own<span class="insert"> th</span>e<span class="delete">d</span><span class="insert">ir</span> <span class="delete">appr</span>o<span class="delete">ved</span><span class="insert">wn</span> destruction equipment<span class="delete"> is not available</span><span class="insert">,</span> agencies MUST use an approved destruction facility for media and IT <span class="delete">E</span><span class="insert">e</span>quipment destruction.</td>
                </tr>
                
                <tr>
                    <td>4343</td>
                    <td>13.5.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST, at minimum, store and handle the resulting waste for all methods, <span class="delete">as for</span><span class="insert">in accordance with</span> the classification given in the table below.



Initial media or IT Equipment classification


Screen aperture size particles can pass through




Less than or equal to 3mm
Treat as


Less than or equal to 6mm
Treat as



 TOP SECRET

UNCLASSIFIED

RESTRICTED


SECRET

UNCLASSIFIED

RESTRICTED


CONFIDENTIAL

UNCLASSIFIED

RESTRICTED


RESTRICTED

UNCLASSIFIED


UNCLASSIFIED



Particle size: measured in any direction, should not exceed stated measurement.</td>
                </tr>
                
                <tr>
                    <td>4359</td>
                    <td>13.5.27.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The Destruction Register SHOULD record:
D<span class="delete">ate o</span><span class="insert">estruction </span>f<span class="insert">acility used;
Destruction method used;
Date of</span> destruction;
Operator and witness<span class="insert">es</span>;
Media<span class="delete"> or</span><span class="insert"> and</span> IT <span class="delete">E</span><span class="insert">e</span>quipment classification; and
Media<span class="delete"> or</span><span class="insert"> and</span> IT <span class="delete">E</span><span class="insert">e</span>quipment type, characteristics and serial number.
</td>
                </tr>
                
                <tr>
                    <td>4367</td>
                    <td>13.5.29.C.01.</td>
                    <td>Top Secret</td>
                    <td>Must Not</td>
                    <td>Agencies MUST NOT outsource the supervision and oversight of the destruction of TOP SECRET or NZEO media and IT <span class="delete">E</span><span class="insert">e</span>quipment or other accountable material to a non-government entity or organisation.</td>
                </tr>
                
                <tr>
                    <td>1234</td>
                    <td>14.2.4.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD implement application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing as part of the SOE for workstations, servers and any other network device.</td>
                </tr>
                
                <tr>
                    <td>1242</td>
                    <td>14.2.5.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST ensure that a system user cannot disable the application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing mechanism.</td>
                </tr>
                
                <tr>
                    <td>898</td>
                    <td>14.2.5.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure that application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing does not replace the antivirus and anti-malware software within a system.</td>
                </tr>
                
                <tr>
                    <td>907</td>
                    <td>14.2.6.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure that system administrators are not automatically exempt from application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>list<span class="delete">ing</span> policy.</td>
                </tr>
                
                <tr>
                    <td>936</td>
                    <td>14.2.7.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD ensure that application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing is used in addition to a strong access control list model and the use of limited privilege accounts.</td>
                </tr>
                
                <tr>
                    <td>940</td>
                    <td>14.2.7.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD plan and test application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing mechanisms and processes thoroughly prior to implementation.</td>
                </tr>
                
                <tr>
                    <td>945</td>
                    <td>14.2.7.C.05.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD restrict the process creation permissions of any executables which are permitted to run by the application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing controls.</td>
                </tr>
                
                <tr>
                    <td>947</td>
                    <td>14.2.7.C.07.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Logs from the application <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing implementation SHOULD include all relevant information.</td>
                </tr>
                
                <tr>
                    <td>1602</td>
                    <td>14.3.8.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies permitting TLS through their gateways SHOULD implement:
a solution that decrypts and inspects the TLS traffic as per content filtering requirements; or
a<span class="delete"> </span><span class="insert">n allo</span>w<span class="delete">hite</span><span class="insert"> </span>list specifying the addresses (uniform resource locators) to which encrypted connections are permitted, with all other addresses blocked.
</td>
                </tr>
                
                <tr>
                    <td>1609</td>
                    <td>14.3.10.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD implement <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>listing for all HTTP traffic being communicated through their gateways.</td>
                </tr>
                
                <tr>
                    <td>1608</td>
                    <td>14.3.10.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies using a<span class="insert">n</span> <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>list on their gateways to specify the external addresses, to which encrypted connections are permitted, SHOULD specify <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>list addresses by domain name or IP address.</td>
                </tr>
                
                <tr>
                    <td>1610</td>
                    <td>14.3.10.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>If agencies do not <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>list websites they SHOULD <span class="delete">black</span><span class="insert">deny </span>list websites to prevent access to known malicious websites.</td>
                </tr>
                
                <tr>
                    <td>1611</td>
                    <td>14.3.10.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies <span class="delete">black</span><span class="insert">deny </span>listing websites SHOULD update the <span class="delete">black</span><span class="insert">deny </span>list on a frequent basis to ensure that it remains effective.</td>
                </tr>
                
                <tr>
                    <td>1621</td>
                    <td>14.3.13.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must Not</td>
                    <td>Users MUST NOT use agency user<span class="delete">id</span><span class="insert">ID</span> and login passwords as credentials for external websites.</td>
                </tr>
                
                <tr>
                    <td>6019</td>
                    <td>15.2.20.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Before implementing DMARC agencies SHOULD:
Create a DMARC policy;
List all domains<span class="delete"> </span><span class="insert">, in partic</span>u<span class="delete">sed for the sending</span><span class="insert">lar those used for the sending and/or receiving of</span> email;
Review the configuration of SPF and DKIM for all active domains<span class="insert"> and all published domains</span>; and
Establish one or more monitored inboxes to receive <span class="insert">DMARC </span>reports.
</td>
                </tr>
                
                <tr>
                    <td>6020</td>
                    <td>15.2.20.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD enable DMARC for all email originating from or received by their domain(s), including:
sending domain owners SHOULD publish a DMARC record <span class="insert">with a related DNS entry </span>advising mail receivers<span class="insert"> of</span> the characteristics of messages purporting to originate from the sender’s domain;
received<span class="insert"> DMARC</span> messages SHOULD be managed in accordance with the agency’s published DMARC policy; and
agencies SHOULD produce failure reports and aggregate reports according to the agency’s DMARC policies.
</td>
                </tr>
                
                <tr>
                    <td>1745</td>
                    <td>15.2.21.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD configure the following gateway filters:
inbound and outbound email, including any attachments, that contain:

malicious code;
content in conflict with the agency’s email policy;
content that cannot be identified;
<span class="insert">deny listed or unauthorised filetypes; and

encrypted content, when that content cannot </span>b<span class="delete">lacklisted or unauthorised filety</span><span class="insert">e ins</span>pe<span class="delete">s</span><span class="insert">cted for malicious code or authenticated as originating from a trusted source</span>;<span class="delete"> and

encrypted content,</span><span class="insert">
emails addressed to internal email aliases</span> w<span class="delete">hen that content cannot be inspected for malicious code or authenticated as originating from a trusted source</span><span class="insert">ith source addresses located from outside the domain</span>;<span class="delete">
emails addressed to internal email aliases</span><span class="insert"> and
all emails arriving via an external connection</span> w<span class="delete">ith source addresses located from outside the domain; and
all emails arriving via an external connection w</span>here the source address uses an internal agency domain name.
</td>
                </tr>
                
                <tr>
                    <td>1827</td>
                    <td>16.1.31.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST:
develop<span class="insert">, implement</span> and maintain a set of policies and procedures covering<span class="insert"> all</span> system users’:

identification;
authentication; 
authorisation;<span class="insert">
privileged access identification and management;</span> and

make their system users aware of the agency’s policies and procedures.
</td>
                </tr>
                
                <tr>
                    <td>2070</td>
                    <td>17.1.51.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using cryptographic functionality within a product <span class="delete">for the protection of classified</span><span class="insert">to protect the confidentiality, authentication, non-repudiation or integrity of</span> information<span class="insert">,</span> MUST ensure that the product has completed a cryptographic evaluation recognised by the GCSB.</td>
                </tr>
                
                <tr>
                    <td>2080</td>
                    <td>17.1.53.C.02.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>If an agency wishes to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they MUST encrypt the classified information using High <span class="delete">Grad</span><span class="insert">Assuranc</span>e Cryptographic Equipment (H<span class="delete">G</span><span class="insert">A</span>CE).<span class="delete"> </span> <span class="insert"> </span>It is important to note that the classification of the information itself remains unchanged.</td>
                </tr>
                
                <tr>
                    <td>2081</td>
                    <td>17.1.53.C.03.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>If an agency wishes to use encryption to reduce the storage, handling or physical transfer requirements for IT equipment or media that contains classified information, they MUST use:
full disk encryption; or
partial<span class="delete"> </span><span class="insert"> </span>disk encryption where the access control will allow writing <span class="delete">only</span><span class="insert">ONLY</span> to the encrypted partition holding the classified information.
</td>
                </tr>
                
                <tr>
                    <td>2082</td>
                    <td>17.1.53.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>If an agency wishes to use encryption to reduce the storage or physical transfer requirements for IT equipment or media that contains classified information, they SHOULD use:
full disk encryption; or
partial<span class="delete"> </span><span class="insert"> </span>disk encryption where the access control will <span class="delete">only </span>allow writing<span class="insert"> ONLY</span> to the encrypted partition holding the classified information.
</td>
                </tr>
                
                <tr>
                    <td>2089</td>
                    <td>17.1.55.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies MUST use H<span class="delete">G</span><span class="insert">A</span>CE if they wish to communicate or pass information over UNCLASSIFIED, insecure or unprotected networks.</td>
                </tr>
                
                <tr>
                    <td>2090</td>
                    <td>17.1.55.C.02.</td>
                    <td>Restricted/Sensitive</td>
                    <td>Must</td>
                    <td>Information or systems classified RESTRICTED or SENSITIVE MUST be encrypted with an <span class="delete">a</span><span class="insert">A</span>pproved <span class="delete">encryption al</span><span class="insert">Crypto</span>g<span class="delete">orithm and p</span><span class="insert">raphic Algorithm and P</span>rotocol if information is transmitted or systems are communicating over <span class="delete">any </span>insecure or unprotected network<span class="delete"> such as the Internet</span><span class="insert">s</span>, <span class="insert">such as the Internet, </span>public <span class="delete">infrastructure</span><span class="insert">networks</span> or non-agency controlled networks.</td>
                </tr>
                
                <tr>
                    <td>2091</td>
                    <td>17.1.55.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST encrypt ag<span class="insert">gregated ag</span>ency data using an approved algorithm and protocol <span class="delete">when data is transmitted </span><span class="insert">over insecure or unprotected networks such as the Internet, pu</span>b<span class="delete">etween data centres over insecure or unprotect</span><span class="insert">lic infrastructure or non-agency controll</span>ed networks <span class="delete">such as the Internet, public in</span><span class="insert">when the compromise o</span>f<span class="delete">rastructure or non-agency controlled networks</span><span class="insert"> the aggregated data would present a significant impact to the agency</span>.<span class="insert">  </span></td>
                </tr>
                
                <tr>
                    <td>2092</td>
                    <td>17.1.55.C.04.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD <span class="delete">use</span><span class="insert">encrypt agency data using</span> an approved <span class="delete">encryption product</span><span class="insert">algorithm and protocol</span> if they wish to communicate over insecure or unprotected networks such as the Internet, public networks or non-agency controlled networks.</td>
                </tr>
                
                <tr>
                    <td>2105</td>
                    <td>17.1.58.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies<span class="insert"> using HACE</span> MUST consult <span class="delete">with </span>the GCSB for<span class="delete"> the</span> key management requirements<span class="delete"> for HGCE</span>.</td>
                </tr>
                
                <tr>
                    <td>2128</td>
                    <td>17.2.17.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies<span class="delete"> using an unevaluated product that implements an Approved Cryptographic Algorithm</span> MUST ensure that only Approved Cryptographic Algorithms can be used<span class="insert"> when using an unevaluated product that implements a combination of approved and non-approved Cryptographic Algorithms</span>.</td>
                </tr>
                
                <tr>
                    <td>2134</td>
                    <td>17.2.19.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using DH, for the approved use of agreeing on encryption session keys, MUST use a modulus of at least <span class="delete">4</span><span class="insert">3</span>0<span class="delete">96</span><span class="insert">72</span> bits.</td>
                </tr>
                
                <tr>
                    <td>2137</td>
                    <td>17.2.20.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="delete">Legacy d</span><span class="insert">D</span>evices which are NOT capable of implementing required key lengths MUST be reconfigured with the longest feasible key length as a matter of urgency.</td>
                </tr>
                
                <tr>
                    <td>2138</td>
                    <td>17.2.20.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td><span class="delete">Legacy d</span><span class="insert">D</span>evices which are NOT capable of implementing required key lengths MUST be scheduled for replacement as a matter of urgency.</td>
                </tr>
                
                <tr>
                    <td>2151</td>
                    <td>17.2.24.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using RSA, for the approved use of digital signatures and passing encryption session keys or similar keys, MUST use a modulus of at least <span class="insert">307</span>2<span class="delete">048</span> bits.</td>
                </tr>
                
                <tr>
                    <td>2155</td>
                    <td>17.2.26.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST use the SHA-2 family <span class="delete">be</span>for<span class="insert"> new systems. Us</span>e <span class="delete">using</span><span class="insert">of</span> SHA-1<span class="insert"> is permitted ONLY for legacy systems</span>.</td>
                </tr>
                
                <tr>
                    <td>5905</td>
                    <td>17.2.26.C.02.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies <span class="insert">MU</span>S<span class="delete">HOULD</span><span class="insert">T</span> use a minimum of SHA-384<span class="insert"> when using hashing algorithms to provide integrity protection for information classified as RESTRICTED/SENSITIVE or above</span>.</td>
                </tr>
                
                <tr>
                    <td>2158</td>
                    <td>17.2.28.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should Not</td>
                    <td>Agencies using <span class="insert">approved symmetric encryption algorithms (e.g. </span>AES<span class="delete"> or 3DES</span><span class="insert">)</span> SHOULD NOT use Electronic Code Book <span class="delete">Mode </span>(ECB)<span class="insert"> mode</span>.</td>
                </tr>
                
                <tr>
                    <td>2598</td>
                    <td>17.4.16.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD use the current version of TLS (version 1.<span class="delete">2</span><span class="insert">3</span>).</td>
                </tr>
                
                <tr>
                    <td>3021</td>
                    <td>17.9.25.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>The table below describes the minimum contents which SHOULD be documented in the KMP.


Topic 
 Content


Objectives


Objectives of the cryptographic system and KMP, including organisational aims.
Refer to relevant NZCSIs.




System description


The environment.
Maximum classification of information protected.
Topology Diagram(s) and description of the cryptographic system topology including data flows.
The use of keys.
Key algorithm.
Key length.
Key lifetime.





Roles and administrative responsibilities<span class="delete">.</span>


Documents roles and responsibilities, including the:

COMSEC Custodian;
Cryptographic systems administrator;
Record keeper; and
Auditor<span class="insert">.</span>




Accounting


How accounting will be undertaken for the cryptographic system.
What records will be maintained.
How records will be audited.




Classification


Classification of the cryptographic system hardware.
Classification of cryptographic system software.
Classification of the cryptographic system documentation.




Information security incidents


A description of the conditions under which compromise of key material should be declared.
References to procedures to be followed when reporting and dealing with information security incidents.





Key management



Who generates keys.
How keys are delivered.
How keys are received<span class="insert">.</span>
Key distribution, including local, remote and central.
How keys are installed.
How keys are transferred.
How keys are stored.
How keys are recovered.
How keys are revoked.
How keys are destroyed.




Maintenance


Maintaining the cryptographic system software and hardware.
Destroying equipment and media.




References


Vendor documentation<span class="insert">.</span>
Related policies.




</td>
                </tr>
                
                <tr>
                    <td>3043</td>
                    <td>17.9.31.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST comply with NZCSI when using H<span class="delete">GCP or HG</span><span class="insert">A</span>CE.</td>
                </tr>
                
                <tr>
                    <td>3053</td>
                    <td>17.9.32.C.03.</td>
                    <td>All Classifications</td>
                    <td>Should Not</td>
                    <td>Agencies SHOULD NOT transport commercial grade cryptographic equipment <span class="insert">or products </span>in a keyed state.</td>
                </tr>
                
                <tr>
                    <td>3290</td>
                    <td>18.2.6.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies deploying a wireless network for public access MUST se<span class="delete">g</span><span class="insert">pa</span>r<span class="delete">eg</span>ate it from any other agency network<span class="insert">s; including BYOD networks</span>.</td>
                </tr>
                
                <tr>
                    <td>3621</td>
                    <td>18.2.34.C.01.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Wireless networks SHOULD <span class="delete">be sufficiently segregated through the </span>use<span class="delete"> of</span> channel separation.</td>
                </tr>
                
                <tr>
                    <td>3740</td>
                    <td>18.3.12.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies MUST:
configure VTC and VoIP devices to authenticate themselves to the call controller upon registration;
disable phone auto-registration and only allow a<span class="delete"> </span><span class="insert">n allo</span>w<span class="delete">hite</span><span class="insert"> </span>list of authorised devices to access the network;
block unauthorised devices by default; 
disable all unused and prohibited functionality; and
use individual logins for IP phones.
</td>
                </tr>
                
                <tr>
                    <td>3741</td>
                    <td>18.3.12.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD:
configure VoIP phones to authenticate themselves to the call controller upon registration;
disable phone auto-registration and <span class="delete">only</span><span class="insert">use an</span> allow <span class="delete">a white</span>list of authorised devices to access the network;
block unauthorised devices by default; 
disable all unused and prohibited functionality; and
use individual logins for IP phones.
</td>
                </tr>
                
                <tr>
                    <td>4015</td>
                    <td>19.4.4.C.01.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST use devices as shown in the following table for controlling the data flow of one-way gateways between networks of different classifications.



High networ<span class="delete">r</span><span class="insert">k</span>
Low network
You require


RESTRICTED
 
UNCLASSIFIED
EAL2 or PP diode


RESTRICTED
EAL2 or PP diode


CONFIDENTIAL
 
UNCLASSIFIED
high assurance diode


RESTRICTED
high assurance diode


CONFIDENTIAL
high assurance diode


SECRET
 
UNCLASSIFIED
high assurance diode


RESTRICTED
high assurance diode


CONFIDENTIAL
high assurance diode


SECRET
high assurance diode


TOP SECRET
 
UNCLASSIFIED
high assurance diode


RESTRICTED
high assurance diode


CONFIDENTIAL
high assurance diode


SECRET
high assurance diode


TOP SECRET
high assurance diode



</td>
                </tr>
                
                <tr>
                    <td>4742</td>
                    <td>19.5.27.C.06.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Event logs covering all VoIP and UC services SHOULD be maintained in accordance with the requirements of the NZISM. See section<span class="insert">s</span> 16.<span class="delete">5</span><span class="insert">6</span> - Event <span class="delete">l</span><span class="insert">L</span>ogging and Auditing and 13.1.12 - Archiving.</td>
                </tr>
                
                <tr>
                    <td>4752</td>
                    <td>19.5.28.C.05.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD consider the use of <span class="delete">b</span><span class="insert">a</span>l<span class="delete">ack</span>l<span class="delete">isting</span><span class="insert">ow</span> and <span class="delete">whit</span><span class="insert">d</span>e<span class="insert">ny </span>listing to manage fraudulent calls to known fraudulent call destinations.</td>
                </tr>
                
                <tr>
                    <td>4406</td>
                    <td>20.3.12.C.01.</td>
                    <td>Confidential, Secret, Top Secret</td>
                    <td>Must</td>
                    <td>Agencies MUST create and enforce a<span class="insert">n</span> <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>list of permitted content types based on business requirements and the results of a security risk assessment.</td>
                </tr>
                
                <tr>
                    <td>4407</td>
                    <td>20.3.12.C.02.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>Agencies SHOULD create and enforce a<span class="insert">n</span> <span class="insert">allo</span>w<span class="delete">hite</span><span class="insert"> </span>list of permitted content types based on business requirements and the results of a security risk assessment.</td>
                </tr>
                
                <tr>
                    <td>4660</td>
                    <td>21.4.11.C.06.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Wireless acces<span class="delete">se</span>s points used for access to agency networks MUST be implemented and secured in accordance with the directions in this manual (See Section 18.2 – Wireless Local Area Networks).</td>
                </tr>
                
                <tr>
                    <td>4675</td>
                    <td>21.4.11.C.20.</td>
                    <td>All Classifications</td>
                    <td>Should</td>
                    <td>BYOD devices and systems SHOULD use Multi<span class="insert">-</span>factor (at least two-factor) authentication to connect to agency systems and prior to being permitted access to agency data.</td>
                </tr>
                
                <tr>
                    <td>4812</td>
                    <td>22.1.21.C.05.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies MUST consult with the GC<span class="delete">I</span><span class="insert">D</span>O to ensure the strategic and other cloud risks are comprehensively assessed.</td>
                </tr>
                
                <tr>
                    <td>4814</td>
                    <td>22.1.21.C.07.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using cloud services MUST ensure they have conducted a documented risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GC<span class="delete">I</span><span class="insert">D</span>O.</td>
                </tr>
                
                <tr>
                    <td>4822</td>
                    <td>22.1.22.C.03.</td>
                    <td>All Classifications</td>
                    <td>Must</td>
                    <td>Agencies using cloud services hosted offshore and connected to All-of-Government systems MUST ensure they have conducted a risk assessment, accepted any residual risks, and followed the endorsement procedure required by the GC<span class="delete">I</span><span class="insert">D</span>O.</td>
                </tr>
                
            </tbody>
        </table>
    </section>
<body>
</html>