PR.PT-4: Communications and control networks are protected
Related Controls
NIST Special Publication 800-53 Revision 5
AC-12: Session Termination
Automatically terminate a user session after [Assignment: organization-defined conditions, or trigger events requiring session disconnect].
AC-17: Remote Access
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorize each type of remote access to the system prior to allowing such connections.
AC-18: Wireless Access
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and Authorize each type of wireless access to the system prior to allowing such connections.
CP-8: Telecommunications Services
Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
SC-5: Denial-of-service Protection
[Assignment: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
SC-7: Boundary Protection
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system components that are [Assignment: physically, logically] separated from internal organizational networks; and Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged…
SC-10: Network Disconnect
Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
SC-11: Trusted Path
Provide a [Assignment: physically, logically] isolated trusted communications path for communications between the user and the trusted components of the system; and Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions].
SC-20: Secure Name/Address Resolution Service (Authoritative Source)
Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among…
SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22: Architecture and Provisioning for Name/Address Resolution Service
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
SC-23: Session Authenticity
Protect the authenticity of communications sessions.
SC-31: Covert Channel Analysis
Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Assignment (one or more): storage, timing] channels; and Estimate the maximum bandwidth of those channels.
SC-37: Out-of-band Channels
Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels].
SC-38: Operations Security
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].
SC-47: Alternate Communications Paths
Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control.
NIST Special Publication 800-171 Revision 2
3.1.16: Authorize wireless access prior to allowing such connections
Establishing usage restrictions and configuration/connection requirements for wireless access to the system provides criteria for organizations to support wireless access authorization decisions. Such restrictions and requirements reduce the susceptibility to unauthorized access to the system through wireless technologies. Wireless networks use authentication protocols that provide credential protection and mutual authentication. [SP 800-97] provides guidance on…
3.1.17: Protect wireless access using authentication and encryption
Organizations authenticate individuals and devices to help protect wireless access to the system. Special attention is given to the wide variety of devices that are part of the Internet of Things with potential wireless access to organizational systems. See [NIST CRYPTO].
3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or…
3.13.2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles…
3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). DMZs are typically implemented with boundary control devices and techniques that include routers, gateways, firewalls, virtualization, or cloud-based technologies. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
3.13.6: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception)
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
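The deny-all, permit-by-exception policy described in 3.13.6 is easy to state and easy to get wrong in practice, because the "exception" list grows without an audit trail. The following Python is an added illustration, not text or code from NIST SP 800-171 or csf.tools: it evaluates constructed flow records against an allow list in which every exception carries its approval reference, and anything that matches no rule falls through to the default deny. The rule set, change-ticket strings (CHG-0001 etc.) and flow records are all assumptions constructed for the example, using RFC 5737 documentation addresses.

```python
# Added example: a deny-all, permit-by-exception policy evaluator.
# Rules, approval references and flow records below are constructed for
# illustration and do not describe any real network.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class AllowRule:
    """One approved exception; a flow that matches no rule is denied."""
    direction: str        # "inbound" (outside -> inside) or "outbound"
    src: str              # CIDR the source address must fall in
    dst: str              # CIDR the destination address must fall in
    proto: str            # "tcp", "udp", or "any"
    dports: frozenset     # permitted destination ports
    approval: str         # ticket / justification that makes this exception auditable

    def matches(self, flow: dict) -> bool:
        if flow["direction"] != self.direction:
            return False
        if self.proto != "any" and flow["proto"] != self.proto:
            return False
        if ipaddress.ip_address(flow["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(flow["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return flow["dport"] in self.dports


# Constructed allow list (the "exceptions"). Every entry names its approval so a
# reviewer can check that each open path is both essential and approved.
ALLOW_RULES = [
    AllowRule("inbound", "0.0.0.0/0", "10.0.1.10/32", "tcp", frozenset({443}),
              "CHG-0001 public HTTPS front end"),
    AllowRule("outbound", "10.0.0.0/8", "198.51.100.7/32", "udp", frozenset({53}),
              "CHG-0002 approved recursive resolver"),
    AllowRule("outbound", "10.0.0.0/8", "0.0.0.0/0", "tcp", frozenset({80, 443}),
              "CHG-0003 web egress via proxy"),
]


def evaluate(flow: dict, rules: Iterable[AllowRule] = ALLOW_RULES) -> Tuple[str, str]:
    """Return ("allow", approval) for the first matching exception, else the default deny."""
    for rule in rules:
        if rule.matches(flow):
            return ("allow", rule.approval)
    return ("deny", "default deny-all")


def apply_policy(flows: Iterable[dict]) -> List[dict]:
    """Annotate each flow with its verdict; the denied rows are what gets reviewed."""
    results = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        results.append({**flow, "verdict": verdict, "reason": reason})
    return results


# Constructed sample flows: two at the external boundary, two leaving the system.
SAMPLE_FLOWS = [
    {"direction": "inbound", "src": "203.0.113.5", "dst": "10.0.1.10", "proto": "tcp", "dport": 443},
    {"direction": "inbound", "src": "203.0.113.5", "dst": "10.0.1.10", "proto": "tcp", "dport": 22},
    {"direction": "outbound", "src": "10.0.2.15", "dst": "198.51.100.7", "proto": "udp", "dport": 53},
    {"direction": "outbound", "src": "10.0.2.15", "dst": "198.51.100.9", "proto": "tcp", "dport": 4444},
]

if __name__ == "__main__":
    for row in apply_policy(SAMPLE_FLOWS):
        print(f"{row['direction']:8} {row['src']:>14} -> {row['dst']}:{row['dport']}/{row['proto']}"
              f"  {row['verdict']} ({row['reason']})")
```

The point the example makes is the shape of the policy rather than the matching code: there is no "deny" rule at all, because the deny is the default and only exceptions are written down, and each exception is tied to a record of who approved it and why. The same structure applies at the system boundary and at the identified internal points the requirement mentions.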
3.13.7: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling)
Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through…
3.13.15: Protect the authenticity of communications sessions
Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and…
Cloud Controls Matrix v3.0.1
DSI-02: Data Inventory / Flows
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service’s geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory,…
IVS-06: Network Security
Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls.
IVS-09: Segmentation
Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations: established policies and procedures; isolation of business critical assets and/or sensitive user data; and…
IVS-10: VM Security – Data Protection
Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.
IVS-12: Wireless Security
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following: perimeter firewalls implemented and configured to restrict unauthorized traffic; security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings); user access…
IVS-13: Network Architecture
Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and…
STA-03: Network / Infrastructure Services
Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures.
NIST Special Publication 800-53 Revision 4
AC-4: Information Flow Enforcement
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
AC-17: Remote Access
The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections.
AC-18: Wireless Access
The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and Authorizes wireless access to the information system prior to allowing such connections.
CP-8: Telecommunications Services
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
SC-7: Boundary Protection
The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and Connects to external networks or information systems only through managed interfaces consisting of boundary protection…
SC-19: Voice Over Internet Protocol
The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and Authorizes, monitors, and controls the use of VoIP within the information system.
SC-20: Secure Name / Address Resolution Service (Authoritative Source)
The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain…
SC-21: Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22: Architecture And Provisioning For Name / Address Resolution Service
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
SC-23: Session Authenticity
The information system protects the authenticity of communications sessions.
SC-24: Fail In Known State
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
SC-25: Thin Nodes
The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.
SC-29: Heterogeneity
The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.
SC-32: Information System Partitioning
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
SC-36: Distributed Processing And Storage
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.
SC-37: Out-Of-Band Channels
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].
SC-38: Operations Security
The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.
SC-39: Process Isolation
The information system maintains a separate execution domain for each executing process.
SC-40: Wireless Link Protection
The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
SC-41: Port And I/O Device Access
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].
SC-43: Usage Restrictions
The organization: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and Authorizes, monitors, and controls the use of such components within the information system.
Critical Security Controls Version 7.1
11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
12: Boundary Defense
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.