SC: System and Communications Protection

Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] system and communications protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…

Separate user functionality, including user interface services, from system management functionality.

Isolate security functions from nonsecurity functions.

Prevent unauthorized and unintended information transfer via shared system resources.

[Assignment: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].

Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Assignment (one or more): priority, quota, [Assignment: organization-defined controls] ].

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system components that are [Assignment: physically, logically] separated from internal organizational networks; and Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged…

Protect the [Assignment (one or more): confidentiality, integrity] of transmitted information.

Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

Provide a [Assignment: physically, logically] isolated trusted communications path for communications between the user and the trusted components of the system; and Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions].

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Determine the [Assignment: organization-defined cryptographic uses]; and Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and Provide an explicit indication of use to users physically present at the devices.

Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.

Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores managed by the organization.

Define acceptable and unacceptable mobile code and mobile code technologies; and Authorize, monitor, and control the use of mobile code within the system.

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among…

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

Protect the authenticity of communications sessions.

Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components].

Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications].

Protect the [Assignment (one or more): confidentiality, integrity] of the following information at rest: [Assignment: organization-defined information at rest].

Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].

Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques].

Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Assignment (one or more): storage, timing] channels; and Estimate the maximum bandwidth of those channels.

Partition the system into [Assignment: organization-defined system components] residing in separate [Assignment: physical, logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components].

For [Assignment: organization-defined system components], load and execute: The operating environment from hardware-enforced, read-only media; and The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications].

Include system components that proactively seek to identify network-based malicious code or malicious websites.

Distribute the following processing and storage components across multiple [Assignment: physical locations, logical domains]: [Assignment: organization-defined processing and storage components].

Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels].

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].

Maintain a separate execution domain for each executing system process.

Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].

[Assignment: Physically, Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components].

Prohibit [Assignment (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems] , the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed] ]; and Provide an explicit…

Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and Authorize, monitor, and control the use of such components within the system.

Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location].

Synchronize system clocks within and between systems and system components.

Implement a policy enforcement mechanism [Assignment: physically, logically] between the physical and/or network interfaces for the connecting security domains.

Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control.

Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].

Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].

Implement software-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].

Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.