a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] system and communications protection policy that:
    (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and
c. Review and update the current system and communications protection:
  1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
Separate user functionality, including user interface services, from system management functionality.
Prevent the presentation of system management functionality at interfaces to non-privileged users.
Store state information from applications and software separately.
Isolate security functions from nonsecurity functions.
Employ hardware separation mechanisms to implement security function isolation.
Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.
Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
Prevent unauthorized and unintended information transfer via shared system resources.
[Withdrawn: Incorporated into SC-4.]
Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
a. [Selection: Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]; and
b. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event].
Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].
Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]; and
(b) Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources].
Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined controls]].
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
[Withdrawn: Incorporated into SC-7.]
[Withdrawn: Incorporated into SC-7.]
Limit the number of external network connections to the system.
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks.
Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].
[Withdrawn: Incorporated into SC-7(18).]
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].
Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
(a) Detect and deny outgoing communications traffic posing a threat to external systems; and
(b) Audit the identity of internal users associated with denied communications.
(a) Prevent the exfiltration of information; and
(b) Conduct exfiltration tests [Assignment: organization-defined frequency].
Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].
Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].
Isolate [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
Prevent the discovery of specific system components that represent a managed interface.
Enforce adherence to protocol formats.
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.
Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].
Implement separate network addresses to connect to systems in different security domains.
Disable feedback to senders on protocol format validation failure.
For systems that process personally identifiable information:
(a) Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];
(b) Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
(c) Document each processing exception; and
(d) Review and remove exceptions that are no longer supported.
Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
Prohibit the direct connection of [Assignment: organization-defined system] to a public network.
Implement [Selection: physically; logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions].
Protect the [Selection (one or more): confidentiality; integrity] of transmitted information.
Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].
Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].
Implement [Assignment: organization-defined protected distribution system] to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
[Withdrawn: Incorporated into SC-8.]
Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
a. Provide a [Selection: physically; logically] isolated trusted communications path for communications between the user and the trusted components of the system; and
b. Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions].
(a) Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and
(b) Initiate the trusted communications path for communications between the [Assignment: organization-defined security functions] of the system and the user.
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
Maintain availability of information in the event of the loss of cryptographic keys by users.
Produce, control, and distribute symmetric cryptographic keys using [Selection: NIST FIPS-validated; NSA-approved] key management technology and processes.
Produce, control, and distribute asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements].
[Withdrawn: Incorporated into SC-12(3).]
[Withdrawn: Incorporated into SC-12(3).]
Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.
a. Determine the [Assignment: organization-defined cryptographic uses]; and
b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use].
[Withdrawn: Incorporated into SC-13.]
[Withdrawn: Incorporated into SC-13.]
[Withdrawn: Incorporated into SC-13.]
[Withdrawn: Incorporated into SC-13.]
[Withdrawn: Incorporated into AC-2, AC-3, AC-5, AC-6, SI-10, SI-3, SI-4, SI-5, and SI-7.]
a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and
b. Provide an explicit indication of use to users physically present at the devices.
Provide [Selection (one or more): physical; logical] disconnect of collaborative computing devices in a manner that supports ease of use.
[Withdrawn: Incorporated into SC-7.]
Disable or remove collaborative computing devices and applications from [Assignment: organization-defined systems or system components] in [Assignment: organization-defined secure work areas].
Provide an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.
Verify the integrity of transmitted security and privacy attributes.
Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
Implement [Assignment: organization-defined mechanisms or techniques] to bind security and privacy attributes to transmitted information.
a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and
b. Include only approved trust anchors in trust stores or certificate stores managed by the organization.
a. Define acceptable and unacceptable mobile code and mobile code technologies; and
b. Authorize, monitor, and control the use of mobile code within the system.
Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions].
Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements].
Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code].
Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code.
Allow execution of permitted mobile code only in confined virtual machine environments.
[Technology-specific; addressed as any other technology or protocol].
a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
[Withdrawn: Incorporated into SC-20.]
Provide data origin and integrity protection artifacts for internal name/address resolution queries.
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
[Withdrawn: Incorporated into SC-21.]
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
Protect the authenticity of communications sessions.
Invalidate session identifiers upon user logout or other session termination.
[Withdrawn: Incorporated into AC-12(1).]
Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.
[Withdrawn: Incorporated into SC-23(3).]
Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components].
Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].
Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.
[Withdrawn: Incorporated into SC-35.]
Include within organizational systems the following platform independent applications: [Assignment: organization-defined platform-independent applications].
Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].
Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].
Provide protected storage for cryptographic keys [Selection: [Assignment: organization-defined safeguards]; hardware-protected key store].
Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].
Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques].
[Withdrawn: Incorporated into SC-29(1).]
Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
Change the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals].
Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture.
Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques].
a. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
b. Estimate the maximum bandwidth of those channels.
Test a subset of the identified covert channels to determine the channels that are exploitable.
Reduce the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values].
Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system.
Partition the system into [Assignment: organization-defined system components] residing in separate [Selection: physical; logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components].
Partition privileged functions into separate physical domains.
[Withdrawn: Incorporated into SC-8.]
For [Assignment: organization-defined system components], load and execute:
a. The operating environment from hardware-enforced, read-only media; and
b. The following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications].
Employ [Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off.
Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.
[Withdrawn: Incorporated into SC-51.]
Include system components that proactively seek to identify network-based malicious code or malicious websites.
Distribute the following processing and storage components across multiple [Selection: physical locations; logical domains]: [Assignment: organization-defined processing and storage components].
(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]; and
(b) Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions].
Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components].
Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels].
Employ [Assignment: organization-defined controls] to ensure that only [Assignment: organization-defined individuals or systems] receive the following information, system components, or devices: [Assignment: organization-defined information, system components, or devices].
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [Assignment: organization-defined operations security controls].
Maintain a separate execution domain for each executing system process.
Implement hardware separation mechanisms to facilitate process isolation.
Maintain a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].
Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
Implement cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.
Implement cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction].
Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
Implement cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.
[Selection: Physically; Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components].
a. Prohibit [Selection (one or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]]; and
b. Provide an explicit indication of sensor use to [Assignment: organization-defined group of users].
Verify that the system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
Employ the following measures so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes: [Assignment: organization-defined measures].
[Withdrawn: Incorporated into SC-42.]
Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by [Assignment: organization-defined sensors]: [Assignment: organization-defined measures].
Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed.
a. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and
b. Authorize, monitor, and control the use of such components within the system.
Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location].
Synchronize system clocks within and between systems and system components.
(a) Compare the internal system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
(b) Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].
(a) Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and
(b) Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable.
Implement a policy enforcement mechanism [Selection: physically; logically] between the physical and/or network interfaces for the connecting security domains.
Establish [Assignment: organization-defined alternate communications paths] for system operations organizational command and control.
Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].
Dynamically relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].
Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].
Implement software-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].
a. Employ hardware-based, write-protect for [Assignment: organization-defined system firmware components]; and
b. Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.