diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md index 27d551c704d..a070e6e043d 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac01.md @@ -38,7 +38,7 @@ The organizational risk management strategy is a key factor in establishing poli The following controls are related to this control: -* PM-9. +* PM-09 For more information, refer to the NIST Special Publications 800-12 and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md index 0f1ec23598a..eed451ceb1a 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac02.md @@ -44,7 +44,7 @@ The organization: ### Supplemental Guidance - Information system account types include the following: +Information system account types include the following: * Individual * Shared @@ -73,27 +73,27 @@ The organization: The following controls are related to this control: -* AC-3 -* AC-4 -* AC-5 -* AC-6 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) +* AC-04 +* AC-05 +* AC-06 * AC-10 * AC-17 * AC-19 * AC-20 -* AU-9 -* IA-2 -* IA-4 -* IA-5 -* IA-8 -* CM-5 -* CM-6 -* CM-11 -* MA-3 -* MA-4 -* MA-5 -* PL-4 -* SC-13. +* AU-09 +* IA-02 +* IA-04 +* IA-05 +* IA-08 +* CM-05 +* CM-06 +* CM-011 +* MA-03 +* MA-04 +* MA-05 +* PL-04 +* SC-13 ## Responsibility diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0202.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0202.md new file mode 100644 index 00000000000..30aa3286c9b --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0202.md @@ -0,0 +1,42 @@ +--- +title: "AC-02 (02) Account Management - Removal Of Temporary / Emergency Accounts" +linktitle: "AC-02 (02)" +url: /private-mendix-platform/nist-controls/ac-0202/ +description: "Documents the Private Mendix Platform's compliance with the AC-02 (02) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the AC-02 (02) control. + +| Control ID | AC-02 (02) | +| --- | --- | +| Control category | AC - Access Control | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Org | + +## Control + +The information system automatically removes or; disables temporary and emergency accounts after an: organization-defined time period for each type of account. + +### Supplemental Guidance + +This control enhancement requires the removal of both temporary and emergency accounts automatically after a predefined period of time has elapsed, rather than at the convenience of the systems administrator. + +## Responsibility + +### Customer Responsibility + +Private Mendix Platform does not provision temporary or emergency accounts outside of normal pre-provisioning and login (SSO) mechanisms. + +## Guidance + +### Customer Responsibility + +To effectively manage temporary and emergency accounts, organizations should: + +* Define specific time limits for each type of account based on operational needs and security requirements. +* Configure the information system to automatically disable or remove these accounts once the defined period expires. +* Regularly review account activity and ensure that no temporary or emergency account remains active beyond its authorized timeframe. +* Document the procedures for account creation, monitoring, and removal to ensure compliance and accountability. diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0207.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0207.md new file mode 100644 index 00000000000..a82fee1b458 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac0207.md @@ -0,0 +1,71 @@ +--- +title: "AC-02 (07) Account Management - Role-Based Schemes" +linktitle: "AC-02 (07)" +url: /private-mendix-platform/nist-controls/ac-0207/ +description: "Documents the Private Mendix Platform's compliance with the AC-02 (07) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the AC-02 (07) control. + +| Control ID | AC-02 (07) | +| --- | --- | +| Control category | AC - Access Control | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Org | + +## Control + +The organization: + +* Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles. +* Monitors privileged role assignments. +* Takes organization-defined actions when privileged role assignments are no longer appropriate. + +### Supplemental Guidance + +Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration. + +## Responsibility + +### Customer Responsibility + +Customers are responsible for defining and documenting their organization-specific privileged roles in alignment with job functions and the principle of least privilege, establishing formal processes for requesting, approving, and provisioning privileged access within Private Mendix Platform. They must conduct periodic access reviews to ensure role assignments remain appropriate, and supplement the platform's built-in monitoring audit logging tools to capture a complete trail of privileged role changes. + +Additionally, customers are responsible for defining and enforcing actions when privileged access is no longer appropriate — including integrating role revocation with Identity Provider (IdP) workflows to ensure timely de-provisioning upon employee offboarding or role changes, and establishing internal SLAs to govern the timeliness of such actions. + +## Guidance + +### Customer Responsibility + +Privileged access to Private Mendix Platform is controlled through Role-Based Access Control (RBAC) that is driven by the customer's Identity Provider (IdP): + +#### Authentication + +Users authenticate through the customer's IdP (for example, Azure AD, Entra ID, or other SAML 2.0 or OIDC-compliant provider). The platform does not maintain independent credential stores for end users. + +#### Role Assignment through IdP Claims or Groups + +The customer's IdP asserts group memberships or role claims during authentication. These IdP groups or claims are mapped to corresponding Private Mendix Platform roles. This ensures that the customer retains centralized control over who holds privileged roles. + +#### Access Enforcement + +Upon authentication, the platform evaluates the user's IdP-asserted roles and grants or denies access to privileged actions accordingly. Users without the required privileged role mapping cannot access or execute privileged functions. + +#### Lifecycle Management + +When a user's group membership or role claim is modified or removed in the customer's IdP, their privileged access within Private Mendix Platform and Mendix applications is updated at the next authentication event. This ensures that privilege revocation is handled centrally through the IdP. + +## Proof and Remarks + +For more information on how Private Mendix Platform manages dynamic roles and groups, see [Dynamic Role Management in Private Mendix Platform](/private-mendix-platform/dynamic-role-management/#role-editing). + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-1.png" class="no-border" >}} + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-2.png" class="no-border" >}} + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-3.png" class="no-border" >}} + +{{< figure src="/attachments/private-platform/nist-ac/nist-ac-0207-4.png" class="no-border" >}} \ No newline at end of file diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md index ee4213cfc46..8e2bf08e6d2 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac05.md @@ -34,7 +34,7 @@ Separation of duties addresses the potential for abuse of authorized privileges The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-6 * PE-3 * PE-4 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md index 9bf4c046d9d..4416a8592db 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac17.md @@ -34,7 +34,7 @@ Remote access controls apply to information systems other than public web server The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-18 * AC-19 * AC-20 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md index fd75b43c763..e313bd5e915 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac18.md @@ -30,7 +30,7 @@ Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 8 The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-17 * AC-19 * CA-3 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md index b0a577bf24c..80b96a08133 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac19.md @@ -51,7 +51,7 @@ Organizations are cautioned that the need to provide adequate security for mobil The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-7 * AC-18 * AC-20 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md index f1f9e84244e..15e358c7c77 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac20.md @@ -35,7 +35,7 @@ This control does not apply to the use of external information systems to access The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-17 * AC-19 * CA-3 diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md index 052d5b395fc..abff3c5ba87 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac21.md @@ -29,7 +29,7 @@ This control applies to information that may be restricted in some manner (for e The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) ## Responsibility diff --git a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md index 8a2ec8d2d1f..07fda3c1cb6 100644 --- a/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md +++ b/content/en/docs/private-platform/nist-controls/ac/pmp-nist-ac22.md @@ -31,7 +31,7 @@ In accordance with federal laws, Executive Orders, directives, policies, regulat The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * AT-2 * AT-3 diff --git a/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md index 8a1bffcb492..2a47d24151c 100644 --- a/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md +++ b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au09.md @@ -17,8 +17,6 @@ This document describes how Private Mendix Platform fulfills the AU-09 control. ## Control -### AU-08 - The information system protects audit information and audit tools from unauthorized access, modification, and deletion. ### Supplemental Guidance @@ -27,7 +25,7 @@ The audit information includes all information needed to successfully audit info The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-6 * MP-2 * MP-4 diff --git a/content/en/docs/private-platform/nist-controls/au/pmp-nist-au0902.md b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au0902.md new file mode 100644 index 00000000000..c826133a193 --- /dev/null +++ b/content/en/docs/private-platform/nist-controls/au/pmp-nist-au0902.md @@ -0,0 +1,56 @@ +--- +title: "AU-09 (02) Protection of Audit Information - Audit Backup on Separate Physical Systems or Components" +linktitle: "AU-09 (02)" +url: /private-mendix-platform/nist-controls/au-0902/ +description: "Documents the Private Mendix Platform's compliance with the AU-09 (02) control of the NIST 800-53 framework." +weight: 20 +--- + +## Introduction + +This document describes how Private Mendix Platform fulfills the AU-09 (02) control. + +| Control ID | AU-09 (02) | +| --- | --- | +| Requirement baseline | FEDRAMP MODERATE | +| Responsibility and ownership | Customer - Org, Customer - Infra | + +## Control + +The information system backs up audit records at an organization-defined frequency onto a physically different system or system component than the system or component being audited. + +### Supplemental Guidance + +This control enhancement helps to ensure that a compromise of the information system being audited does not also result in a compromise of the audit records. + +The following controls are related to this control: + +* AU-04 +* AU-05 +* AU-11 + +## Responsibility + +### Customer Responsibility + +The customer is responsible for implementing this control in an appropriate manner in their organization. This includes establishing audit record backup policies and procedures that ensure logs are regularly replicated to a physically separate system to comply with federal requirements. The customer must ensure that backup destinations, frequencies, and retention periods for audit records are documented, reviewed, and enforced within their environment. + +## Guidance + +### Customer Responsibility + +This control is governed by NIST SP 800-53 Rev 4 and NIST SP 800-92, which establish requirements for the protection and backup of audit information for federal information systems. Customers operating within a FedRAMP or DoD SRG environment must ensure their audit record backup mechanisms meet the baseline requirements for physical separation and data integrity. + +To meet these requirements, the customer must carry out the following actions: + +1. Define audit record backup destinations and frequency. + + Establish and document where audit records and logs should be backed up to, ensuring the backup target is on a physically different system or system component than the one being audited. The customer must dictate backup frequency, retention periods, and acceptable storage locations in accordance with NIST SP 800-92 guidelines for log management. + +2. Ensure infrastructure-level backup configuration. + + Direct the Infra Implementer to ensure that audit record backups are properly created, configured, and populated on the designated physically separate system. This includes verifying that backup processes are automated, monitored for failures, and aligned with the organization's contingency planning requirements per NIST SP 800-34. + +3. Ensure application-level audit log backup. + + Direct the App Implementer to ensure that the Mendix App's custom audit logs are properly directed to the backup system as dictated by the Customer. This includes configuring log forwarding mechanisms within the application to target the designated backup infrastructure and validating that all auditable events are captured in the backup trail. diff --git a/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md b/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md index 82a7d99c93a..78b354cf5de 100644 --- a/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md +++ b/content/en/docs/private-platform/nist-controls/ma/pmp-nist-ma01.md @@ -38,7 +38,7 @@ The policy can be included as part of the general information security policy fo The following controls are related to this control: -* PM-9. +* PM-09. For more information, refer to the NIST Special Publications 800-12, 800-100. diff --git a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md index 762e93e0ed5..0d4940b7e94 100644 --- a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md +++ b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp01.md @@ -40,7 +40,7 @@ The policy can be included as part of the general information security policy fo The following controls are related to this control: -* PM-9 +* PM-09 For more information, refer to the NIST Special Publications 800-12 and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md index 93704c36f55..d28c5c8ce92 100644 --- a/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md +++ b/content/en/docs/private-platform/nist-controls/mp/pmp-nist-mp02.md @@ -28,7 +28,7 @@ Restricting non-digital media access includes, for example, denying access to pa The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * IA-2 * MP-4 * PE-2 diff --git a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md index 44a082f836a..501dba425b6 100644 --- a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md +++ b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl01.md @@ -36,7 +36,7 @@ This control addresses the establishment of policy and procedures for the effect The following controls are related to this control: -* PM-9 +* PM-09 For more information, refer to the NIST Special Publications 800-12, 800-18, and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md index b61a2f8f67a..3e82e0401c4 100644 --- a/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md +++ b/content/en/docs/private-platform/nist-controls/pl/pmp-nist-pl02.md @@ -65,7 +65,7 @@ The following controls are related to this control: * PM-1 * PM-7 * PM-8 -* PM-9 +* PM-09 * PM-11 * SA-5 * SA-17 diff --git a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md index bb12951e3c8..7a13ea6f04c 100644 --- a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md +++ b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra01.md @@ -36,7 +36,7 @@ This control addresses the establishment of policy and procedures for the effect The following controls are related to this control: -* PM-9 +* PM-09 For more information, refer to the NIST Special Publications 800-12, 800-30, and 800-100. diff --git a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md index 1212c593b29..cdd02b4bcc3 100644 --- a/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md +++ b/content/en/docs/private-platform/nist-controls/ra/pmp-nist-ra03.md @@ -37,7 +37,7 @@ first two steps in the Risk Management Framework. Risk assessments can play an i The following controls are related to this control: * RA-2 -* PM-9 +* PM-09 For more information, refer to OMB Memorandum 04-04; NIST Special Publication 800-30, and 800-39; [IDManagement](https://www.idmanagement.gov/). diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md index 85e2c77d29d..c5d28cd040a 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc04.md @@ -32,7 +32,7 @@ This control does not address: The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * MP-6 diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md index d58cbb8244a..3c50163357a 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc13.md @@ -29,7 +29,7 @@ This control does not impose any requirements on organizations to use cryptograp The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-7 * AC-17 * AC-18 diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md index 63dce04e15a..7346c693ec9 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc28.md @@ -26,7 +26,7 @@ This control addresses the confidentiality and integrity of information at rest The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-6 * CA-7 * CM-3 diff --git a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md index ca315b64357..d9eb785b63f 100644 --- a/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md +++ b/content/en/docs/private-platform/nist-controls/sc/pmp-nist-sc39.md @@ -26,7 +26,7 @@ Information systems can maintain separate execution domains for each executing p The following controls are related to this control: -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * AC-6 * SA-4 diff --git a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md index ecfab61ad47..4d621e5fa80 100644 --- a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md +++ b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si10.md @@ -27,7 +27,7 @@ Checking the valid syntax and semantics of information system inputs (for exampl The following controls are related to this control: * AC-2 -* AC-3 +* [AC-03](/private-mendix-platform/nist-controls/ac-03/) * AC-4 * AC-5 * AC-6. diff --git a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md index 8f198d7941d..16873da6fd3 100644 --- a/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md +++ b/content/en/docs/private-platform/nist-controls/si/pmp-nist-si1003.md @@ -26,7 +26,7 @@ A common vulnerability in organizational information systems is unpredictable be The following controls are related to this control: -* AC-3. +* [AC-03](/private-mendix-platform/nist-controls/ac-03/). ## Responsibility diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-1.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-1.png new file mode 100644 index 00000000000..2aae387ed65 Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-1.png differ diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-2.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-2.png new file mode 100644 index 00000000000..aceeeea8b10 Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-2.png differ diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-3.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-3.png new file mode 100644 index 00000000000..5fcb4354bdf Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-3.png differ diff --git a/static/attachments/private-platform/nist-ac/nist-ac-0207-4.png b/static/attachments/private-platform/nist-ac/nist-ac-0207-4.png new file mode 100644 index 00000000000..bcdc637f25b Binary files /dev/null and b/static/attachments/private-platform/nist-ac/nist-ac-0207-4.png differ