SC: System and Communications Protection

Controls

SC-1: Policy and Procedures

Baseline(s):

  • Low
  • Moderate
  • High

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] system and communications protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…

SC-5: Denial-of-service Protection

Baseline(s):

  • Low
  • Moderate
  • High

[Assignment: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].

SC-6: Resource Availability

Baseline(s):

(Not part of any baseline)

Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Assignment (one or more): priority, quota, [Assignment: organization-defined controls] ].

SC-7: Boundary Protection

Baseline(s):

  • Low
  • Moderate
  • High

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system components that are [Assignment: physically, logically] separated from internal organizational networks; and Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged…

SC-10: Network Disconnect

Baseline(s):

  • Moderate
  • High

Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

SC-11: Trusted Path

Baseline(s):

(Not part of any baseline)

Provide a [Assignment: physically, logically] isolated trusted communications path for communications between the user and the trusted components of the system; and Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions].

SC-12: Cryptographic Key Establishment and Management

Baseline(s):

  • Low
  • Moderate
  • High

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

SC-13: Cryptographic Protection

Baseline(s):

  • Low
  • Moderate
  • High

Determine the [Assignment: organization-defined cryptographic uses]; and Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].

SC-15: Collaborative Computing Devices and Applications

Baseline(s):

  • Low
  • Moderate
  • High

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and Provide an explicit indication of use to users physically present at the devices.

SC-17: Public Key Infrastructure Certificates

Baseline(s):

  • Moderate
  • High

Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores managed by the organization.

SC-18: Mobile Code

Baseline(s):

  • Moderate
  • High

Define acceptable and unacceptable mobile code and mobile code technologies; and Authorize, monitor, and control the use of mobile code within the system.

SC-20: Secure Name/address Resolution Service (authoritative Source)

Baseline(s):

  • Low
  • Moderate
  • High

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among…

SC-24: Fail in Known State

Baseline(s):

  • High

Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components].

SC-25: Thin Nodes

Baseline(s):

(Not part of any baseline)

Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].

SC-26: Decoys

Baseline(s):

(Not part of any baseline)

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

SC-27: Platform-independent Applications

Baseline(s):

(Not part of any baseline)

Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications].

SC-28: Protection of Information at Rest

Baseline(s):

  • Moderate
  • High

Protect the [Assignment (one or more): confidentiality, integrity] of the following information at rest: [Assignment: organization-defined information at rest].

SC-29: Heterogeneity

Baseline(s):

(Not part of any baseline)

Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].

SC-30: Concealment and Misdirection

Baseline(s):

(Not part of any baseline)

Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques].

SC-31: Covert Channel Analysis

Baseline(s):

(Not part of any baseline)

Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Assignment (one or more): storage, timing] channels; and Estimate the maximum bandwidth of those channels.

SC-32: System Partitioning

Baseline(s):

(Not part of any baseline)

Partition the system into [Assignment: organization-defined system components] residing in separate [Assignment: physical, logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components].

SC-34: Non-modifiable Executable Programs

Baseline(s):

(Not part of any baseline)

For [Assignment: organization-defined system components], load and execute: The operating environment from hardware-enforced, read-only media; and The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications].

SC-36: Distributed Processing and Storage

Baseline(s):

(Not part of any baseline)

Distribute the following processing and storage components across multiple [Assignment: physical locations, logical domains]: [Assignment: organization-defined processing and storage components].

SC-37: Out-of-band Channels

Baseline(s):

(Not part of any baseline)

Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels].

SC-38: Operations Security

Baseline(s):

(Not part of any baseline)

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].

SC-39: Process Isolation

Baseline(s):

  • Low
  • Moderate
  • High

Maintain a separate execution domain for each executing system process.

SC-40: Wireless Link Protection

Baseline(s):

(Not part of any baseline)

Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].

SC-41: Port and I/O Device Access

Baseline(s):

(Not part of any baseline)

[Assignment: Physically, Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components].

SC-42: Sensor Capability and Data

Baseline(s):

(Not part of any baseline)

Prohibit [Assignment (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems] , the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed] ]; and Provide an explicit…

SC-43: Usage Restrictions

Baseline(s):

(Not part of any baseline)

Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and Authorize, monitor, and control the use of such components within the system.

SC-44: Detonation Chambers

Baseline(s):

(Not part of any baseline)

Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location].

SC-46: Cross Domain Policy Enforcement

Baseline(s):

(Not part of any baseline)

Implement a policy enforcement mechanism [Assignment: physically, logically] between the physical and/or network interfaces for the connecting security domains.

SC-47: Alternate Communications Paths

Baseline(s):

(Not part of any baseline)

Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control.

SC-48: Sensor Relocation

Baseline(s):

(Not part of any baseline)

Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].

SC-51: Hardware-based Protection

Baseline(s):

(Not part of any baseline)

Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.