SC: System and Communications Protection
Controls
SC-1: Policy and Procedures
Baseline(s):
- Low
- Moderate
- High
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] system and communications protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
SC-2: Separation of System and User Functionality
Baseline(s):
- Moderate
- High
Separate user functionality, including user interface services, from system management functionality.
SC-3: Security Function Isolation
Baseline(s):
- High
Isolate security functions from nonsecurity functions.
SC-4: Information in Shared System Resources
Baseline(s):
- Moderate
- High
Prevent unauthorized and unintended information transfer via shared system resources.
SC-5: Denial-of-service Protection
Baseline(s):
- Low
- Moderate
- High
[Assignment: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
SC-6: Resource Availability
Baseline(s):
Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Assignment (one or more): priority, quota, [Assignment: organization-defined controls] ].
SC-7: Boundary Protection
Baseline(s):
- Low
- Moderate
- High
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system components that are [Assignment: physically, logically] separated from internal organizational networks; and Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged…
SC-8: Transmission Confidentiality and Integrity
Baseline(s):
- Moderate
- High
Protect the [Assignment (one or more): confidentiality, integrity] of transmitted information.
SC-10: Network Disconnect
Baseline(s):
- Moderate
- High
Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
SC-11: Trusted Path
Baseline(s):
Provide a [Assignment: physically, logically] isolated trusted communications path for communications between the user and the trusted components of the system; and Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions].
SC-12: Cryptographic Key Establishment and Management
Baseline(s):
- Low
- Moderate
- High
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
SC-13: Cryptographic Protection
Baseline(s):
- Low
- Moderate
- High
Determine the [Assignment: organization-defined cryptographic uses]; and Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].
SC-15: Collaborative Computing Devices and Applications
Baseline(s):
- Low
- Moderate
- High
Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and Provide an explicit indication of use to users physically present at the devices.
SC-16: Transmission of Security and Privacy Attributes
Baseline(s):
Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.
SC-17: Public Key Infrastructure Certificates
Baseline(s):
- Moderate
- High
Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores managed by the organization.
SC-18: Mobile Code
Baseline(s):
- Moderate
- High
Define acceptable and unacceptable mobile code and mobile code technologies; and Authorize, monitor, and control the use of mobile code within the system.
SC-20: Secure Name/address Resolution Service (authoritative Source)
Baseline(s):
- Low
- Moderate
- High
Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among…
SC-21: Secure Name/address Resolution Service (recursive or Caching Resolver)
Baseline(s):
- Low
- Moderate
- High
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22: Architecture and Provisioning for Name/address Resolution Service
Baseline(s):
- Low
- Moderate
- High
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
SC-23: Session Authenticity
Baseline(s):
- Moderate
- High
Protect the authenticity of communications sessions.
SC-24: Fail in Known State
Baseline(s):
- High
Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components].
SC-25: Thin Nodes
Baseline(s):
Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].
SC-26: Decoys
Baseline(s):
Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.
SC-27: Platform-independent Applications
Baseline(s):
Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications].
SC-28: Protection of Information at Rest
Baseline(s):
- Moderate
- High
Protect the [Assignment (one or more): confidentiality, integrity] of the following information at rest: [Assignment: organization-defined information at rest].
SC-29: Heterogeneity
Baseline(s):
Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].
SC-30: Concealment and Misdirection
Baseline(s):
Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques].
SC-31: Covert Channel Analysis
Baseline(s):
Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Assignment (one or more): storage, timing] channels; and Estimate the maximum bandwidth of those channels.
SC-32: System Partitioning
Baseline(s):
Partition the system into [Assignment: organization-defined system components] residing in separate [Assignment: physical, logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components].
SC-34: Non-modifiable Executable Programs
Baseline(s):
For [Assignment: organization-defined system components], load and execute: The operating environment from hardware-enforced, read-only media; and The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications].
SC-35: External Malicious Code Identification
Baseline(s):
Include system components that proactively seek to identify network-based malicious code or malicious websites.
SC-36: Distributed Processing and Storage
Baseline(s):
Distribute the following processing and storage components across multiple [Assignment: physical locations, logical domains]: [Assignment: organization-defined processing and storage components].
SC-37: Out-of-band Channels
Baseline(s):
Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels].
SC-38: Operations Security
Baseline(s):
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].
SC-39: Process Isolation
Baseline(s):
- Low
- Moderate
- High
Maintain a separate execution domain for each executing system process.
SC-40: Wireless Link Protection
Baseline(s):
Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
SC-41: Port and I/O Device Access
Baseline(s):
[Assignment: Physically, Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components].
SC-42: Sensor Capability and Data
Baseline(s):
Prohibit [Assignment (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems] , the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed] ]; and Provide an explicit…
SC-43: Usage Restrictions
Baseline(s):
Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and Authorize, monitor, and control the use of such components within the system.
SC-44: Detonation Chambers
Baseline(s):
Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location].
SC-45: System Time Synchronization
Baseline(s):
Synchronize system clocks within and between systems and system components.
SC-46: Cross Domain Policy Enforcement
Baseline(s):
Implement a policy enforcement mechanism [Assignment: physically, logically] between the physical and/or network interfaces for the connecting security domains.
SC-47: Alternate Communications Paths
Baseline(s):
Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control.
SC-48: Sensor Relocation
Baseline(s):
Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].
SC-49: Hardware-enforced Separation and Policy Enforcement
Baseline(s):
Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].
SC-50: Software-enforced Separation and Policy Enforcement
Baseline(s):
Implement software-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].
SC-51: Hardware-based Protection
Baseline(s):
Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.