The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and b. Reviews and updates the current: 1. System and communications protection policy [Assignment: organization-defined frequency]; and 2. System and communications protection procedures [Assignment: organization-defined frequency].
The information system separates user functionality (including user interface services) from information system management functionality.
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
The information system isolates security functions from nonsecurity functions.
The information system utilizes underlying hardware separation mechanisms to implement security function isolation.
The information system isolates security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
The organization minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
The organization implements security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
The organization implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
The information system prevents unauthorized and unintended information transfer via shared system resources.
[Withdrawn: Incorporated into SC-4].
The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].
The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems.
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.
The organization: (a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and (b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.
The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]].
The information system: a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
[Withdrawn: Incorporated into SC-7].
[Withdrawn: Incorporated into SC-7].
The organization limits the number of external network connections to the information system.
The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Protects the confidentiality and integrity of the information being transmitted across each interface; (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
[Withdrawn: Incorporated into SC-7 (18)].
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
The information system: (a) Detects and denies outgoing communications traffic posing a threat to external information systems; and (b) Audits the identity of internal users associated with denied communications.
The organization prevents the unauthorized exfiltration of information across managed interfaces.
The information system only allows incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
The organization protects against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
The information system routes all networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
The information system prevents discovery of specific system components composing a managed interface.
The information system enforces adherence to protocol formats.
The information system fails securely in the event of an operational failure of a boundary protection device.
The information system blocks both inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system.
The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions].
The information system implements separate network addresses (i.e., different subnets) to connect to systems in different security domains.
The information system disables feedback to senders on protocol format validation failure.
The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information.
The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
The information system maintains the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception.
The information system implements cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
The information system implements cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical safeguards].
[Withdrawn: Incorporated into SC-8].
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication].
The information system provides a trusted communications path that is logically isolated and distinguishable from other paths.
The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].
The organization maintains availability of information in the event of the loss of cryptographic keys by users.
The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes.
The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key].
[Withdrawn: Incorporated into SC-12].
[Withdrawn: Incorporated into SC-12].
The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
[Withdrawn: Incorporated into SC-13].
[Withdrawn: Incorporated into SC-13].
[Withdrawn: Incorporated into SC-13].
[Withdrawn: Incorporated into SC-13].
[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].
The information system: a. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and b. Provides an explicit indication of use to users physically present at the devices.
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
[Withdrawn: Incorporated into SC-7].
The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].
The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
The information system associates [Assignment: organization-defined security attributes] with information exchanged between information systems and between system components.
The information system validates the integrity of transmitted security attributes.
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider.
The organization: a. Defines acceptable and unacceptable mobile code and mobile code technologies; b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and c. Authorizes, monitors, and controls the use of mobile code within the information system.
The information system identifies [Assignment: organization-defined unacceptable mobile code] and takes [Assignment: organization-defined corrective actions].
The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements].
The information system prevents the download and execution of [Assignment: organization-defined unacceptable mobile code].
The information system prevents the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforces [Assignment: organization-defined actions] prior to executing the code.
The organization allows execution of permitted mobile code only in confined virtual machine environments.
The organization: a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of VoIP within the information system.
The information system: a. Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
[Withdrawn: Incorporated into SC-20].
The information system provides data origin and integrity protection artifacts for internal name/address resolution queries.
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
[Withdrawn: Incorporated into SC-21].
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
The information system protects the authenticity of communications sessions.
The information system invalidates session identifiers upon user logout or other session termination.
[Withdrawn: Incorporated into AC-12 (1)].
The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
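The two SC-23 enhancements above (invalidating identifiers at logout, and accepting only system-generated identifiers with a defined randomness requirement) are easy to state and easy to get wrong in an application. The following is an added example, not part of the control text and not an implementation prescribed by NIST; it assumes a hypothetical organization-defined requirement of 256 bits of CSPRNG entropy per identifier, an in-memory session store, and an illustrative idle timeout in the spirit of SC-10. The `rotate` step goes slightly beyond the control statement: re-issuing the identifier at authentication is the usual defense against session fixation, since a client-supplied identifier is never adopted by the store.

```python
"""Session identifier handling illustrating SC-23 (1) and SC-23 (3).

Added example; the constants below are assumed, hypothetical
organization-defined values, not values from the control text.
"""
import secrets
import time

SESSION_ID_BYTES = 32        # assumed randomness requirement: 256 bits from a CSPRNG
IDLE_TIMEOUT_SECONDS = 900   # assumed inactivity period after which a session is dropped


class SessionStore:
    """Issues system-generated identifiers and recognizes nothing else.

    An identifier presented by a client is looked up, never registered:
    a value the store did not generate (guessed, fixed by an attacker, or
    replayed after logout) has no entry and is treated as no session.
    """

    def __init__(self, clock=time.monotonic):
        self._sessions = {}   # session_id -> {"user": str, "last_seen": float}
        self._clock = clock   # injectable for deterministic testing

    def create(self, user: str) -> str:
        # The identifier is derived only from the CSPRNG, never from
        # user-controlled input such as a cookie the client already holds.
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[session_id] = {"user": user, "last_seen": self._clock()}
        return session_id

    def lookup(self, candidate: str):
        """Return the user bound to a live, system-generated session, else None."""
        record = self._sessions.get(candidate)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            # Idle session: invalidate rather than silently extend it.
            del self._sessions[candidate]
            return None
        record["last_seen"] = now
        return record["user"]

    def rotate(self, session_id: str) -> str:
        """Re-issue the identifier (e.g. at authentication), invalidating the old one."""
        record = self._sessions.pop(session_id)
        new_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[new_id] = {"user": record["user"], "last_seen": self._clock()}
        return new_id

    def logout(self, session_id: str) -> None:
        # Invalidate on logout so the identifier cannot be reused afterwards.
        self._sessions.pop(session_id, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("issued:", sid)
    print("client-invented id recognized?", store.lookup("attacker-chosen-id") is not None)
    sid = store.rotate(sid)
    store.logout(sid)
    print("valid after logout?", store.lookup(sid) is not None)
```

The points to check in a real application are the same as in this toy: the identifier must be produced by a CSPRNG (`secrets`, not `random`), the server must refuse to adopt an identifier it did not issue, and logout and idle expiry must delete the server-side entry rather than only clearing the client cookie.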
[Withdrawn: Incorporated into SC-23 (3)].
The information system only allows the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure.
The organization employs [Assignment: organization-defined information system components] with minimal functionality and information storage.
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
[Withdrawn: Incorporated into SC-35].
The information system includes: [Assignment: organization-defined platform-independent applications].
The information system protects the [Selection (one or more): confidentiality; integrity] of [Assignment: organization-defined information at rest].
The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined information] on [Assignment: organization-defined information system components].
The organization removes from online storage and stores off-line in a secure location [Assignment: organization-defined information].
The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system.
The organization employs virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
The organization employs [Assignment: organization-defined concealment and misdirection techniques] for [Assignment: organization-defined information systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries.
[Withdrawn: Incorporated into SC-29 (1)].
The organization employs [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
The organization changes the location of [Assignment: organization-defined processing and/or storage] [Selection: [Assignment: organization-defined time frequency]; at random time intervals]].
The organization employs realistic, but misleading information in [Assignment: organization-defined information system components] with regard to its security state or posture.
The organization employs [Assignment: organization-defined techniques] to hide or conceal [Assignment: organization-defined information system components].
The organization: a. Performs a covert channel analysis to identify those aspects of communications within the information system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and b. Estimates the maximum bandwidth of those channels.
The organization tests a subset of the identified covert channels to determine which channels are exploitable.
The organization reduces the maximum bandwidth for identified covert [Selection (one or more): storage; timing] channels to [Assignment: organization-defined values].
The organization measures the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the information system.
The organization partitions the information system into [Assignment: organization-defined information system components] residing in separate physical domains or environments based on [Assignment: organization-defined circumstances for physical separation of components].
[Withdrawn: Incorporated into SC-8].
The information system at [Assignment: organization-defined information system components]: a. Loads and executes the operating environment from hardware-enforced, read-only media; and b. Loads and executes [Assignment: organization-defined applications] from hardware-enforced, read-only media.
The organization employs [Assignment: organization-defined information system components] with no writeable storage that is persistent across component restart or power on/off.
The organization protects the integrity of information prior to storage on read-only media and controls the media after such information has been recorded onto the media.
The organization: (a) Employs hardware-based, write-protect for [Assignment: organization-defined information system firmware components]; and (b) Implements specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
The organization distributes [Assignment: organization-defined processing and storage] across multiple physical locations.
The organization employs polling techniques to identify potential faults, errors, or compromises to [Assignment: organization-defined distributed processing and storage components].
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].
The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices].
The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.
The information system maintains a separate execution domain for each executing process.
The information system implements underlying hardware separation mechanisms to facilitate process separation.
The information system maintains a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].
The information system protects external and internal [Assignment: organization-defined wireless links] from [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].
The information system implements cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.
The information system implements cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction].
The information system implements cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
The information system implements cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.
The organization physically disables or removes [Assignment: organization-defined connection ports or input/output devices] on [Assignment: organization-defined information systems or information system components].
The information system: a. Prohibits the remote activation of environmental sensing capabilities with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]; and b. Provides an explicit indication of sensor use to [Assignment: organization-defined class of users].
The organization ensures that the information system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
The organization employs the following measures: [Assignment: organization-defined measures], so that data or information collected by [Assignment: organization-defined sensors] is only used for authorized purposes.
The organization prohibits the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems].
The organization: a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and b. Authorizes, monitors, and controls the use of such components within the information system.
The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].