The Hardware Asset Management (HWAM) Function is to discover unauthorized or unmanaged hardware on a network. Once unauthorized or unmanaged hardware is discovered by the contractor's provided tool(s), the agency will take action to remove this hardware. Since unauthorized hardware is unmanaged, it is likely vulnerable and will be exploited as a pivot to other assets if not removed or managed.

The Software Asset Management (SWAM) Function is to discover unauthorized or unmanaged software configuration items (SWCI) in IT assets on a network. Once unauthorized or unmanaged SWCI are discovered by the contractor's provided tool(s), the agency will take action to remove these SWCI. Because unauthorized software is unmanaged, it is probably vulnerable to being exploited as a pivot to other IT assets if not removed or managed. In addition, a complete, accurate, and timely software inventory is essential to support awareness and effective control of software vulnerabilities and security configuration settings; malware often exploits vulnerabilities to gain unauthorized access to and tamper with software and configuration settings to propagate itself throughout the enterprise.

The Configuration Management (CM) Function is to reduce misconfiguration of IT assets, including misconfigurations of hardware devices (to include physical, virtual, and operating system) and software. Once a misconfiguration of hardware devices is discovered by the contractor provided tools, the supported department / agency will be responsible to take any needed action to resolve the problem or accept the risk. Over 80% of known vulnerabilities are attributed to misconfiguration and missing patches. Cyber adversaries often use automated computer attack programs to search for and exploit IT assets with misconfigurations, especially for assets supporting Federal agencies, and then pivot to attack other assets.

The Vulnerability Management (VUL) Function is to discover and support remediation of vulnerabilities in IT assets on a network. Vulnerability management is the management of risks presented by known software weaknesses that are subject to exploitation. The vulnerability management function ensures that mistakes and deficiencies are identified. Once the contractor provided tool(s) identify these mistakes and deficiencies, the agency will take action to remove or remediate these from operational systems so that they can no longer be exploited. (An information security vulnerability is a deficiency in software that can be directly used by a hacker to gain access to a system or network.). 

 The Manage Network Access Controls (NAC) Function is to prevent, and allow the agency to remove and limit, unauthorized network connections/access to prevent attackers from exploiting internal and external network boundaries and then pivoting to gain deeper network access and/or capture network resident data in motion or at rest. Boundaries include firewalls as well as encryption (virtual private networks). Additionally, the function will prevent, remove, and limit unauthorized physical access.

The Manage Trust in People Granted Access (TRU) Function is to prevent insider attacks by carefully screening new and existing persons granted access for evidence that access might be abused. The Manage Trust in People Granted Access capability informs the Manage Account Access (Section 2.2.1.9) capability by providing background information and potential risk, or compromise, factors. These factors are used to determine if someone should be granted access, under the Manage Account Access capability, to certain resources (e.g., sensitive data). 

The Manage Security Related Behavior (BEH) Function is to prevent general users from taking unnecessary risks to prevent attackers from exploiting network and application users via social engineering scams. BEH prevents users with elevated privileges and special security roles from taking unnecessary risks to prevent attackers from exploring poor engineering and/or remediation. The Manage Security Related Behavior capability addresses the behavior of someone who has been granted access to information technology devices and systems. Information from this capability feeds into the Manage Trust in People Granted Access capability (Section 2.2.1.6) where determinations will be made about someone's suitability for continued access based, in part, on their behavior.

The Manage Credentials and Authentication (MCA) Function is to prevent a) the binding of credentials to or b) the use of credentials by other than the rightful owner (person or service) by careful management of credentials, preventing attackers from using hijacked credentials to gain unauthorized control of resources, especially administrative rights. The MCA capability ensures that account credentials are assigned to, and used by, authorized people. This capability will rely on the results of the Manage Account Access capability (Section 2.2.1.9) to ensure that only trusted people receive credentials. This covers credentials for physical and logistical access.

The Manage Account Access (MAA) Function is to prevent access beyond what is needed to meet business mission by limiting account access and eliminating unneeded accounts to prevent attackers from gaining unauthorized access to sensitive data. The Manage Account Access capability will assign access to computing resources based, in part, on their level of trustworthiness (as determined in Functional Area 6, Section 2.2.1.6).

The Prepare for Contingencies and Incidents (CP) Function is to prevent loss of confidentiality, integrity, and/or availability by being prepared for unanticipated events and/or attacks that might require recovery and/or special responses, preventing attacker’s compromises from being effective by adequate recovery as needed, and natural events from causing permanent loss by adequate preparation as needed.

The Respond to Contingencies and Incidents (INC) Function is to prevent repeat of previous attacks and limit the impact of ongoing attacks by using forensic analysis, audit information, etc. to a) appropriately respond to end ongoing attacks and to b) identify ways to prevent recurrence to prevent attackers from maintaining ongoing attacks and exploiting weaknesses already targeted by others.

The Design and Build in Requirements Policy and Planning (POL) Function is to prevent exploitation of the system by consciously designing the system to minimize weaknesses and building the system to meet that standard in order to reduce the attack surface and increase the effort required to reach the parts of the system that remain vulnerable. The Design and Built in Requirements, Policy, and Planning capability includes software assurance best practices to ensure that security is built into the System Development Lifecycle. This capability addresses how to avoid or remove weaknesses and vulnerabilities before the system is released into production caused by poor design and insecure coding practices.

The Design and Build in Quality (QAL) Function is to prevent attackers from exploiting weaknesses by finding and prioritizing weaknesses and fixing the most important weaknesses first. This capability addresses software before it is installed and operational.

The Manage Audit Information (AUD) Function is to prevent persistent attacks and weaknesses by using audit information to identify them and initiate an appropriate response. The function addresses agency efforts to monitor the behavior of employees (for example, downloading pornography, unusual times/volumes of access, etc.). The results of these audits feed into the Manage Trust in People Granted Access (Section 2.2.1.6) capability where determinations will be made about someone’s suitability for continued access based, in part, on their behavior.

The Manage Operation Security (OPS) Function is to prevent attackers from exploiting weaknesses by using functional and operational control limits to help senior managers determine when to authorize operation of systems, and when to devote extra attention to reducing risks to prevent attackers from exploiting preventable weaknesses and analyze prior failures to identify and resolve system weaknesses. This activity receives information from the Manage Audit/Information (Section 2.2.1.14) capability to help support leadership decisions to enable improvement of security. It covers information about all operational capabilities and, therefore, does not apply to the creation of a system.