SC-5: Denial-of-service Protection
Control Family:
Threats Addressed:
Baselines:
- Low
- SC-5
- Moderate
- SC-5
- High
- SC-5
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SC-5: Denial Of Service Protection
Control Statement
- [Assignment: Protect against, Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and
- Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
Supplemental Guidance
Denial-of-service events may occur due to a variety of internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Such attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). A variety of technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.
Control Enhancements
SC-5(1): Restrict Ability to Attack Other Systems
Baseline(s):
Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].
SC-5(2): Capacity, Bandwidth, and Redundancy
Baseline(s):
Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
SC-5(3): Detection and Monitoring
Baseline(s):
Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].