SC: System And Communications Protection

The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and Reviews and…

The information system separates user functionality (including user interface services) from information system management functionality.

The information system isolates security functions from nonsecurity functions.

The information system prevents unauthorized and unintended information transfer via shared system resources.

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].

The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more); priority; quota; [Assignment: organization-defined security safeguards]].

The information system: Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and Connects to external networks or information systems only through managed interfaces consisting of boundary protection…

The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.

The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

The information system: Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and Provides an explicit indication of use to users physically present at the devices.

The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.

The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.

The organization: Defines acceptable and unacceptable mobile code and mobile code technologies; Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and Authorizes, monitors, and controls the use of mobile code within the information system.

The organization: Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and Authorizes, monitors, and controls the use of VoIP within the information system.

The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain…

The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.

The information system protects the authenticity of communications sessions.

The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.

The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.

The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.

The information system includes: [Assignment: organization-defined platform-independent applications].

The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].

The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.

The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries.

The organization: Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and Estimates the maximum bandwidth of those channels.

The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].

The information system at [Assignment: organization-defined information system components]: Loads and executes the operating environment from hardware-enforced, read-only media; and Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.

The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.

The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.

The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].

The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.

The information system maintains a separate execution domain for each executing process.

The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].

The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].

The information system: Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and Provides an explicit indication of sensor use to [Assignment: organization-defined class of users].

The organization: Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and Authorizes, monitors, and controls the use of such components within the information system.

The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].