SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Control
The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Supplemental Guidance
The system and communications protection policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The system and communications protection policy can be included as part of the general information security policy for the organization. System and communications protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.
Control Enhancements
None.
LOW: SC-1 | MOD: SC-1 | HIGH: SC-1
SC-2 APPLICATION PARTITIONING
Control
The information system separates user functionality (including user interface services) from information system management functionality.
Supplemental Guidance
The information system physically or logically separates user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-2 | HIGH:
SC-3 SECURITY FUNCTION ISOLATION
Control
The information system isolates security functions from nonsecurity functions.
Supplemental Guidance
The information system isolates security functions from nonsecurity functions by means of partitions, domains, etc., including control of access to, and integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.
Control Enhancements
(1) The information system employs underlying hardware separation mechanisms to facilitate security function isolation.
(2) The information system further divides the security functions, with the functions enforcing access and information flow control isolated and protected from both nonsecurity functions and other security functions.
(3) The information system minimizes the amount of nonsecurity functions included within the isolation boundary containing security functions.
(4) The information system maintains its security functions in largely independent modules that avoid unnecessary interactions between modules.
(5) The information system maintains its security functions in a layered structure, minimizing interactions between layers of the design.
LOW: Not Selected | MOD: Not Selected | HIGH: SC-3
SC-4 INFORMATION REMNANTS
Control
The information system prevents unauthorized and unintended information transfer via shared system resources.
Supplemental Guidance
Control of information system remnants, sometimes referred to as object reuse, prevents information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-4 | HIGH: SC-4
SC-5 DENIAL OF SERVICE PROTECTION
Control
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].
Supplemental Guidance
A variety of technologies exist to limit or, in some cases, eliminate the effects of denial of service attacks. For example, network perimeter devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks. Information systems that are publicly accessible can be protected by employing increased capacity and bandwidth combined with service redundancy.
Control Enhancements
(1) The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.
(2) The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
LOW: SC-5 | MOD: SC-5 | HIGH: SC-5
SC-6 RESOURCE PRIORITY
Control
The information system limits the use of resources by priority.
Supplemental Guidance
Priority protection ensures that a lower-priority process is not able to interfere with the information system servicing any higher-priority process.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-6 | HIGH: SC-6
SC-7 BOUNDARY PROTECTION
Control
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Supplemental Guidance
Any connections to the Internet, or other external networks or information systems, occur through controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels). The operational failure of the boundary protection mechanisms does not result in any unauthorized release of information outside of the information system boundary. Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site.
Control Enhancements
(1) The organization physically allocates publicly accessible information system components (e.g., public web servers) to separate subnetworks with separate, physical network interfaces. The organization prevents public access into the organization’s internal networks except as appropriately mediated.
LOW: SC-7 | MOD: SC-7 (1) | HIGH: SC-7 (1)
SC-8 TRANSMISSION INTEGRITY
Control
The information system protects the integrity of transmitted information.
Supplemental Guidance
The FIPS 199 security category (for integrity) of the information being transmitted should guide the decision on the use of cryptographic mechanisms. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.
Control Enhancements
(1) The organization employs cryptographic mechanisms to ensure recognition of changes to information during transmission unless otherwise protected by alternative physical measures (e.g., protective distribution systems).
LOW: Not Selected | MOD: SC-8 | HIGH:
SC-9 TRANSMISSION CONFIDENTIALITY
Control
The information system protects the confidentiality of transmitted information.
Supplemental Guidance
The FIPS 199 security category (for confidentiality) of the information being transmitted should guide the decision on the use of cryptographic mechanisms. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.
Control Enhancements
(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless protected by alternative physical measures (e.g., protective distribution systems).
LOW: Not Selected | MOD: SC-9 | HIGH: SC-9 (1)
SC-10 NETWORK DISCONNECT
Control
The information system terminates a network connection at the end of a session or after [Assignment: organization-defined time period] of inactivity.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: | MOD: SC-10 | HIGH: SC-10
SC-11 TRUSTED PATH
Control
The information system establishes a trusted communications path between the user and the security functionality of the system.
Supplemental Guidance
None.
Control Enhancements
None.
LOW: Not Selected | MOD: Not Selected | HIGH: Not Selected
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
Control
The information system employs automated mechanisms with supporting procedures or manual procedures for cryptographic key establishment and key management.
Supplemental Guidance
NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.
Control Enhancements
LOW: Not Selected | MOD: SC-12 | HIGH: SC-12
SC-13 USE OF VALIDATED CRYPTOGRAPHY
Control
When cryptography is employed within the information system, the system performs all cryptographic operations (including key generation) using FIPS 140-2 validated cryptographic modules operating in approved modes of operation.
Supplemental Guidance
NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.
Control Enhancements
None.
LOW: SC-13 | MOD: SC-13 | HIGH: SC-13
SC-14 PUBLIC ACCESS PROTECTIONS
Control
For publicly available systems, the information system protects the integrity of the information and applications.
Supplemental Guidance
Control Enhancements
None.
LOW: SC-14 | MOD: SC-14 | HIGH: SC-14
SC-15 COLLABORATIVE COMPUTING
Control
The information system prohibits remote activation of collaborative computing mechanisms (e.g., video and audio conferencing) and provides an explicit indication of use to the local users (e.g., use of camera or microphone).
Supplemental Guidance
None.
Control Enhancements
(1) The information system provides physical disconnect of camera and microphone in a manner that supports ease of use.
LOW: Not Selected | MOD: SC-15 | HIGH: SC-15
SC-16 TRANSMISSION OF SECURITY PARAMETERS
Control
The information system reliably associates security parameters (e.g., security labels and markings) with information exchanged between information systems.
Supplemental Guidance
Security parameters may be explicitly or implicitly associated with the information contained within the information system.
Control Enhancements
None.
LOW: Not Selected | MOD: Not Selected | HIGH: Not Selected
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
Control
The organization develops and implements a certificate policy and certification practice statement for the issuance of public key certificates used in the information system.
Supplemental Guidance
Registration to receive a public key certificate includes authorization by a supervisor or a responsible official, and is done by a secure process that verifies the identity of the certificate holder and ensures that the certificate is issued to the intended party. NIST Special Publication 800-63 provides guidance on remote electronic authentication.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-17 | HIGH:
SC-18 MOBILE CODE
Control
The organization: (i) establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and (ii) documents, monitors, and controls the use of mobile code within the information system. Appropriate organizational officials authorize the use of mobile code.
Supplemental Guidance
Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, PostScript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the information system. NIST Special Publication 800-28 provides guidance on active content and mobile code. Additional information on risk-based approaches for the implementation of mobile code technologies can be found at: http://iase.disa.mil/mcp/index.html.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-18 | HIGH: SC-18
SC-19 VOICE OVER INTERNET PROTOCOL
Control
The organization: (i) establishes usage restrictions and implementation guidance for Voice Over Internet Protocol (VOIP) technologies based on the potential to cause damage to the information system if used maliciously; and (ii) documents, monitors, and controls the use of VOIP within the information system. Appropriate organizational officials authorize the use of VOIP.
Supplemental Guidance
NIST Special Publication 800-58 provides guidance on security considerations for VOIP technologies employed in information systems.
Control Enhancements
None.
LOW: Not Selected | MOD: SC-19 | HIGH: SC-19
