System and communications protection


The controls and activities in the System and communications protection (SC) family support the monitoring, control and protection of the systems themselves and of the communications between and within the systems.

SC-01 System and communications protection policy and procedures

Activity

  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]
    1. [Selection (1 or more): Organization-level; Mission/business process-level; System-level] system and communications protection policy that
      1. addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
      2. is consistent with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines
    2. procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures
  3. Review and update the current system and communications protection
    1. policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]
    2. procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Discussion

System and communications protection policy and procedures address the controls in the SC family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and communications protection policy and procedures.

Security and privacy program policies and procedures at the organization level are preferable, in general, and may remove the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations.

Procedures can be established for security and privacy programs, for mission or business processes, and for systems, as needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents.

Events that may precipitate an update to system and communications protection policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

Related controls and activities

PM-09, PS-08, SA-08, SI-02, SI-12.

Enhancements

None.

References

TBS Directive on Security Management: Appendix B: Mandatory Procedures for Information Technology Security Control

 

SC-02 Separation of system and user functionality

Control

Separate user functionality, including user interface services, from system management functionality.

Discussion

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. User functions are separated from system management functions physically or logically.

Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or through some combination of these or other methods.

The separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. The separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-08, including SA-08(01), SA-08(03), SA-08(04), SA-08(10), SA-08(12), SA-08(13), SA-08(14), and SA-08(18).

Related controls and activities

AC-06, SA-04, SA-08, SC-03, SC-07, SC-22, SC-32, SC-39, SI-400.

Enhancements

  • (01) Separation of system and user functionality: Interfaces for non-privileged users
    • Prevent the presentation of system management functionality at interfaces to non-privileged users.
    • Discussion: Preventing the presentation of system management functionality at interfaces to non-privileged users ensures that system administration options, including administrator privileges, are not available to the general user population. Restricting user access also prohibits the use of the grey-out option commonly used to eliminate accessibility to such information. One potential solution is to withhold system administration options until users establish sessions with administrator privileges.
    • Related controls and activities: AC-03.
  • (02) Separation of system and user functionality: Disassociability
    • Store state information separately from applications and software.
    • Discussion: If a system is compromised, storing applications and software separately from state information about users’ interactions with an application may better protect individuals’ privacy.
    • Related controls and activities: None.

References

None.

 

SC-03 Security function isolation

Control

Isolate security functions from non-security functions.

Discussion

Security functions are isolated from non-security functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to, and protects the integrity of, the hardware, software, and firmware that perform system security functions.

Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code.

Systems can restrict access to security functions using access control mechanisms and by implementing least-privilege capabilities. Ideally, all code within the defined security function isolation boundary should only contain security-relevant code; however, it is sometimes necessary to include non-security functions as an exception.

The isolation of security functions from non-security functions can be achieved by applying the systems security engineering design principles in SA-08, including SA-08(01), SA-08(03), SA-08(04), SA-08(10), SA-08(12), SA-08(13), SA-08(14), and SA-08(18).

Related controls and activities

AC-03, AC-06, AC-25, CM-02, CM-04, SA-04, SA-05, SA-08, SA-15, SA-17, SC-02, SC-07, SC-32, SC-39, SI-16.

Enhancements

  • (01) Security function isolation: Hardware separation
    • Employ hardware separation mechanisms to implement security function isolation.
    • Discussion: Hardware separation mechanisms include hardware ring architectures that are implemented within microprocessors and hardware-enforced address segmentation used to support logically distinct storage objects with separate attributes (i.e., readable, writeable).
    • Related controls and activities: None.
  • (02) Security function isolation: Access and flow control functions
    • Isolate security functions enforcing access and information flow control from non-security functions and from other security functions.
    • Discussion: Security function isolation occurs because of implementation. The functions can still be scanned and monitored. Security functions that are potentially isolated from access and flow-control enforcement functions include auditing, intrusion detection, and malicious code protection functions.
    • Related controls and activities: None.
  • (03) Security function isolation: Minimize non-security functionality
    • Minimize the number of non-security functions included within the isolation boundary containing security functions.
    • Discussion: Where it is not feasible to achieve strict isolation of non-security functions from security functions, it is necessary to take actions to minimize non-security-relevant functions within the security function boundary. Non-security functions contained within the isolation boundary are considered security-relevant because errors or malicious code in the software can directly impact the security functions of systems. The fundamental design objective is that the specific portions of systems that provide information security are of minimal size and complexity. Minimizing the number of non-security functions in the security-relevant system components allows designers and implementers to focus only on those functions which are necessary to provide the desired security capability (typically access enforcement). By minimizing the non-security functions within the isolation boundaries, the amount of code that is trusted to enforce security policies is significantly reduced, thus contributing to understandability.
    • Related controls and activities: None.
  • (04) Security function isolation: Module coupling and cohesiveness
    • Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
    • Discussion: Reducing inter-module interactions helps constrain security functions and manage complexity. The concepts of coupling and cohesiveness are important with respect to modularity in software design. Coupling refers to the dependencies that one module has on other modules. Cohesiveness refers to the relationship between functions within a module. Best practices in software engineering and systems security engineering rely on layering, minimization, and modular decomposition to reduce and manage complexity. This produces software modules that are highly cohesive and loosely coupled.
    • Related controls and activities: None.
  • (05) Security function isolation: Layered structures
    • Implement security functions as a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
    • Discussion: The implementation of layered structures with minimized interactions among security functions and non-looping layers (i.e., lower-layer functions do not depend on higher-layer functions) enables the isolation of security functions and the management of complexity.
    • Related controls and activities: None.

References

 

SC-04 Information in shared system resources

Control

Prevent unauthorized and unintended information transfer via shared system resources.

Discussion

Preventing unauthorized and unintended information transfer via shared system resources stops information produced by the actions of prior users or roles (or the actions of processes acting on behalf of prior users or roles) from being available to current users or roles (or current processes acting on behalf of current users or roles) that obtain access to shared system resources after those resources have been released back to the system.

Information in shared system resources also applies to encrypted representations of information. In other contexts, control of information in shared system resources is referred to as object reuse and residual information protection. Information in shared system resources does not address information remanence, which refers to the residual representation of data that has been nominally deleted; covert channels (including storage and timing channels), where shared system resources are manipulated to violate information flow restrictions; or components within systems for which there are only single users or roles.

Related controls and activities

AC-03, AC-04, SA-08.

Enhancements

  • (01) Information in shared system resources: Security levels
    • Withdrawn: Incorporated into SC-04.
  • (02) Information in shared system resources: Multilevel or periods processing
    • Prevent unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.
    • Discussion: Changes in processing levels can occur during multilevel or periods processing with information at different classification levels or security categories. Such changes can also occur during serial reuse of hardware components at different classification levels. Organization-defined procedures can include approved sanitization processes for electronically stored information.
    • Related controls and activities: None.

References

None.

 

SC-05 Denial-of-service protection

Control

  1. [Selection (1): Protect against; Limit] the effects of the following types of denial-of-service events: [Assignment: organization-defined types of denial-of-service events]
  2. Employ the following controls to achieve the denial-of-service objective: [Assignment: organization-defined controls by type of denial-of-service event]

Discussion

Denial-of-service events may occur due to various internal and external causes, such as an attack by an adversary or a lack of planning to support organizational needs with respect to capacity and bandwidth. Attacks can occur across a wide range of network protocols (e.g., IPv4, IPv6). Various technologies are available to limit or eliminate the origination and effects of denial-of-service events. For example, boundary protection devices can filter certain types of packets to protect system components on internal networks from being directly affected by or being the source of denial-of-service attacks. Employing increased network capacity and bandwidth combined with service redundancy also reduces the susceptibility to denial-of-service events.

Related controls and activities

CP-02, IR-04, SC-06, SC-07, SC-40.

Enhancements

  • (01) Denial-of-service protection: Restrict ability to attack other systems
    • Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [Assignment: organization-defined denial-of-service attacks].
    • Discussion: Restricting the ability of individuals to launch denial-of-service attacks requires the mechanisms commonly used for such attacks to be unavailable. Individuals of concern include hostile insiders or external adversaries who have breached or compromised the system and are using it to launch a denial-of-service attack.
      Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol packets). Organizations can also limit the ability of individuals to use excessive system resources. Protection against individuals having the ability to launch denial-of-service attacks may be implemented on specific systems or boundary devices that prohibit egress to potential target systems.
    • Related controls and activities: None.
  • (02) Denial-of-service protection: Capacity, bandwidth, and redundancy
    • Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
    • Discussion: Managing capacity ensures that sufficient capacity is available to counter flooding attacks. Managing capacity includes establishing selected usage priorities, quotas, partitioning, or load balancing.
    • Related controls and activities: None.
  • (03) Denial-of-service protection: Detection and monitoring
      1. Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [Assignment: organization-defined monitoring tools]
      2. Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: [Assignment: organization-defined system resources]
    • Discussion: Organizations consider the utilization and capacity of system resources when managing risk associated with a denial of service due to malicious attacks. Denial-of-service attacks can originate from external or internal sources. System resources that are sensitive to denial of service include physical disk storage, memory, and CPU cycles.
      Techniques used to prevent denial-of-service attacks related to storage utilization and capacity include instituting disk quotas, configuring systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data.
    • Related controls and activities: CA-07, SI-04.

References

 

SC-06 Resource availability

Control

Protect the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (1 or more): priority; quota; [Assignment: organization-defined controls]].

Discussion

Priority protection prevents lower-priority processes from delaying or interfering with the system that services higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources.

Related controls and activities

SC-05.

Enhancements

None.

References

 

SC-07 Boundary protection

Control

  1. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system
  2. Implement subnetworks for publicly accessible system components that are [Selection (1): physically; logically] separated from internal organizational networks
  3. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture

Discussion

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs).

Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. NIST SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses.

Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third-party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
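
As an added illustration of the source-address validation described above (dropping external traffic that spoofs internal addresses, and internal traffic that spoofs external ones) combined with the deny-by-default, allow-by-exception policy of SC-07(05), here is a small policy evaluator for one managed interface. It is example code, not part of the catalogue: the address ranges, the DMZ web server and proxy addresses, and the exception list are all constructed, and the short bogon list is a subset, not a complete one.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space the organization owns (constructed for this example).
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Illegal or unallocated sources that must never arrive from outside (SC-07(11));
# a short constructed subset, not a complete bogon list.
BOGON_PREFIXES = [ip_network("0.0.0.0/8"), ip_network("127.0.0.0/8"),
                  ip_network("169.254.0.0/16"), ip_network("224.0.0.0/4")]
# The allow-by-exception list (SC-07(05)). Entries are
# (direction, source prefix, destination prefix, protocol, destination port);
# 192.168.100.0/24 is the constructed DMZ subnetwork.
ALLOW_RULES = [
    ("inbound",  "0.0.0.0/0",         "192.168.100.10/32", "tcp", 443),   # Internet -> DMZ web server
    ("outbound", "10.0.0.0/8",        "192.168.100.20/32", "tcp", 3128),  # internal clients -> proxy
    ("outbound", "192.168.100.20/32", "0.0.0.0/0",         "tcp", 443),   # proxy -> Internet
]


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" arrives on the external interface, "outbound" leaves through it
    src: str
    dst: str
    proto: str
    dport: int


def _in_any(addr: str, prefixes) -> bool:
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def evaluate(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one packet at the managed interface.

    Source-address validation runs before the exception list, so a spoofed
    packet is denied even when its address pair would otherwise match."""
    if pkt.direction == "inbound":
        if _in_any(pkt.src, INTERNAL_PREFIXES):
            return "deny", "external traffic spoofing an internal source address"
        if _in_any(pkt.src, BOGON_PREFIXES):
            return "deny", "illegal or unallocated source address"
    elif pkt.direction == "outbound":
        if not _in_any(pkt.src, INTERNAL_PREFIXES):
            return "deny", "internal traffic spoofing an external source address"
    else:
        return "deny", "unknown direction"

    # Allow by exception: the first matching address pair / protocol / port wins.
    for direction, src_p, dst_p, proto, dport in ALLOW_RULES:
        if (direction == pkt.direction
                and ip_address(pkt.src) in ip_network(src_p)
                and ip_address(pkt.dst) in ip_network(dst_p)
                and proto == pkt.proto and dport == pkt.dport):
            return "allow", f"exception {src_p} -> {dst_p} {proto}/{dport}"
    # Deny by default: nothing matched.
    return "deny", "no matching exception (default deny)"


if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges).
    for p in [Packet("inbound", "203.0.113.5", "192.168.100.10", "tcp", 443),
              Packet("inbound", "10.1.2.3", "192.168.100.10", "tcp", 443),
              Packet("outbound", "10.5.5.5", "198.51.100.20", "tcp", 443)]:
        print(p.direction, p.src, "->", p.dst, *evaluate(p))
```

The last sample packet shows the deny-by-default rule forcing internal clients through the authenticated proxy (SC-07(08)) rather than connecting to the Internet directly.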

Related controls and activities

AC-04, AC-17, AC-18, AC-19, AC-20, AU-13, CA-03, CM-02, CM-04, CM-07, CM-10, CP-08, CP-10, IR-04, MA-04, PE-03, PL-08, PM-12, SA-08, SA-17, SA-400, SC-05, SC-26, SC-32, SC-35, SC-43, SI-400.

Enhancements

  • (01) Boundary protection: Physically separated subnetworks
    • Withdrawn: Incorporated into SC-07.
  • (02) Boundary protection: Public access
    • Withdrawn: Incorporated into SC-07.
  • (03) Boundary protection: Access points
    • Limit the number of external network connections to the system.
    • Discussion: Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.
    • GC discussion: The TBS Directive on Service and Digital, Appendix F: Standard on Enterprise Information Technology Usage Restrictions is an example of a federal guideline that requires limits on the number of external network connections. It requires that local Internet access services be obtained through SSC.
    • Related controls and activities: None.
  • (04) Boundary protection: External telecommunications services
      1. Implement a managed interface for each external telecommunication service
      2. Establish a traffic flow policy for each managed interface
      3. Protect the confidentiality and integrity of the information being transmitted across each interface
      4. Document each exception to the traffic flow policy with a supporting mission or business need and the duration of that need
      5. Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need
      6. Prevent unauthorized exchange of control plane traffic with external networks
      7. Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks
      8. Filter unauthorized control plane traffic from external networks
    • Discussion: External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, DNS, and management protocols. See NIST SP 800-189 for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.
    • Related controls and activities: AC-03, SC-08, SC-20, SC-21, SC-22.
  • (05) Boundary protection: Deny by default – allow by exception
    • Deny network communications traffic by default and allow network communications traffic by exception [Selection (1 or more): at managed interfaces; for [Assignment: organization-defined systems]].
    • Discussion: Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, allow-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.
    • Related controls and activities: None.
  • (06) Boundary protection: Response to recognized failures
    • Withdrawn: Incorporated into SC-07(18).
  • (07) Boundary protection: Split tunneling for remote devices
    • Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].
    • Discussion: Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and, simultaneously, access uncontrolled networks.
      Split tunneling might be desirable to remote users for communicating with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling.
      A VPN can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control.
    • GC discussion: As per the TBS Directive on Service and Digital, Appendix G: Standard on Enterprise Information Technology Service Common Configurations – Endpoint Management Configuration Requirements, split tunneling is disabled except for domains that are included in the list approved by the GC Enterprise Architecture Review Board. All other network traffic to or from the Internet must flow through the GC-approved pathways to the Internet rather than via a direct connection to the Internet.
    • Related controls and activities: None.
  • (08) Boundary protection: Route traffic to authenticated proxy servers
    • Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
    • Discussion: External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services.
      Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet.
      Proxy servers can support the logging of Transmission Control Protocol (TCP) sessions and the blocking of specific URLs, IP addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of VPNs and create the potential for adversary-in-the-middle attacks (depending on the implementation).
    • Related controls and activities: AC-03.
  • (09) Boundary protection: Restrict threatening outgoing communications traffic
      1. Detect and deny outgoing communications traffic posing a threat to external systems
      2. Audit the identity of internal users associated with denied communications
    • Discussion: Detecting outgoing communications traffic from internal actions that may pose threats to external systems is known as extrusion detection. Extrusion detection is carried out within the system at managed interfaces. Extrusion detection includes the analysis of incoming and outgoing communications traffic while searching for indications of internal threats to the security of external systems.
      Internal threats to external systems include traffic indicative of denial-of-service attacks, traffic with spoofed source addresses, and traffic that contains malicious code. Organizations should have criteria to determine, update, and manage identified threats related to extrusion detection.
    • Related controls and activities: AU-02, AU-06, SC-05, SC-38, SC-44, SI-03, SI-04.
  • (10) Boundary protection: Prevent exfiltration
      1. Prevent the exfiltration of information
      2. Conduct exfiltration tests [Assignment: organization-defined frequency]
    • Discussion: Prevention of exfiltration applies to both the intentional and unintentional exfiltration of information. Techniques used to prevent the exfiltration of information from systems may be implemented at internal endpoints, external boundaries, and across managed interfaces and include adherence to protocol formats, monitoring for beaconing activity from systems, disconnecting external network interfaces except when explicitly needed, employing traffic profile analysis to detect deviations from the volume and types of traffic expected, call-backs to command and control centres, conducting penetration testing, monitoring for steganography, disassembling and reassembling packet headers, and using data loss and data leakage prevention tools.
      Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways. The devices verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices that operate at the network or transport layers.
      The prevention of exfiltration is similar to data loss prevention or data leakage prevention and is closely associated with cross-domain solutions and system guards that enforce information flow requirements.
    • Related controls and activities: AC-02, CA-08, SI-03.
  • (11) Boundary protection: Restrict incoming communications traffic
    • Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].
    • Discussion: General source-address validation techniques are applied to restrict the use of illegal and unallocated source addresses as well as source addresses that should only be used within the system. The restriction of incoming communications traffic provides determinations that source and destination address pairs represent authorized or allowed communications. Determinations can be based on several factors, including the presence of such address pairs in the lists of authorized or allowed communications, the absence of such address pairs in lists of unauthorized or disallowed pairs, or meeting more general rules for authorized or allowed source and destination pairs.
      Strong authentication of network addresses is not possible without the use of explicit security protocols and, thus, addresses can often be spoofed. Furthermore, identity-based incoming traffic restriction methods can be employed, including router access control lists and firewall rules.
    • Related controls and activities: AC-03.
  • (12) Boundary protection: Host-based protection
    • Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].
    • Discussion: Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices.
    • Related controls and activities: None.
  • (13) Boundary protection: Isolation of security tools, mechanisms, and support components
    • Isolate [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
    • Discussion: Physically separate subnetworks with managed interfaces are useful in isolating computer network defences from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations.
    • Related controls and activities: SC-02, SC-03.
  • (14) Boundary protection: Protect against unauthorized physical connections
    • Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
    • Discussion: Systems that operate at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within the same facilities. In practice, it is possible that these separate systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved by using clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls that enforce limited authorized access to these items.
    • Related controls and activities: PE-04, PE-19.
  • (15) Boundary protection: Network privileged accesses
    • Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
    • Discussion: Privileged access provides greater accessibility to system functions, including security functions. Adversaries attempt to gain privileged access to systems through remote access to cause adverse mission or business impacts, such as by exfiltrating information or bringing down a critical system capability. Routing networked, privileged access requests through a dedicated, managed interface further restricts privileged access for increased access control and auditing.
    • Related controls and activities: AC-02, AC-03, AU-02, SI-04.
  • (16) Boundary protection: Prevent discovery of system components
    • Prevent the discovery of specific system components that represent a managed interface.
    • Discussion: Preventing the discovery of system components representing a managed interface helps protect network addresses of those components from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery and require prior knowledge for access. Preventing the discovery of components and devices can be accomplished by not publishing network addresses, using network address translation, or not entering the addresses in domain name systems. Another prevention technique is to periodically change network addresses.
    • Related controls and activities: None.
  • (17) Boundary protection: Automated enforcement of protocol formats
    • Enforce adherence to protocol formats.
    • Discussion: System components that enforce protocol formats include deep packet inspection firewalls and XML gateways. The components verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices operating at the network or transport layers.
    • Related controls and activities: SC-04.
  • (18) Boundary protection: Fail secure
    • Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
    • Discussion: Fail secure is a condition achieved by employing mechanisms to ensure that, in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as DMZs). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases.
    • Related controls and activities: CP-02, CP-12, SC-24.
  • (19) Boundary protection: Block communication from non-organizationally-configured hosts
    • Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
    • Discussion: Communication clients independently configured by end users and external service providers include instant messaging clients and video conferencing software and applications. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions.
    • Related controls and activities: None.
  • (20) Boundary protection: Dynamic isolation and segregation
    • Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.
    • Discussion: The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur.
    • Related controls and activities: None.
  • (21) Boundary protection: Isolation of system components
    • Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].
    • Discussion: Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components.
      Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to control information flows more effectively between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber attacks and errors.
      The degree of isolation varies depending on the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; the encryption of information flows among system components using distinct encryption keys; and complete physical/electrical isolation of the relevant network/system from all other networks (also known as air gapping).
    • Related controls and activities: CA-09.
  • (22) Boundary protection: Separate subnets for connecting to different security domains
    • Implement separate network addresses to connect to systems in different security domains.
    • Discussion: The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains that contain information with different security categories or classification levels.
    • Related controls and activities: None.
  • (23) Boundary protection: Disable sender feedback on protocol validation failure
    • Disable feedback to senders on protocol format validation failure.
    • Discussion: Disabling feedback to senders when protocol format validation fails prevents adversaries from obtaining information that would otherwise be unavailable.
    • Related controls and activities: None.
  • (24) Boundary protection: Personal information
    • For systems that handle personal information:
      1. apply the following handling rules to data elements of personal information: [Assignment: organization-defined handling rules]
      2. monitor for permitted handling at the external interfaces to the system and at key internal boundaries within the system
      3. document each handling exception
      4. review and remove exceptions that are no longer supported
    • Discussion: Managing the handling of personal information is an important aspect of protecting an individual’s privacy. Applying, monitoring for, and documenting exceptions to handling rules ensure that personal information is handled only in accordance with established privacy requirements.
    • GC discussion: Uses and disclosures of information without the consent of the individual are listed in subsection 8(2) of the Privacy Act.
    • Related controls and activities: PT-02, SI-15.
  • (25) Boundary protection: Unclassified national security system connections
    • Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
    • Discussion: None.
    • GC discussion: A direct connection is a dedicated physical or virtual connection between 2 or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified national security systems and external networks.
    • Related controls and activities: None.
  • (26) Boundary protection: Classified national security system connections
    • Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
    • Discussion: None.
    • GC discussion: A direct connection is a dedicated physical or virtual connection between 2 or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface or cross-domain systems) provide information flow enforcement from systems to external networks.
    • Related controls and activities: None.
  • (27) Boundary protection: Unclassified non-national security system connections
    • Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
    • Discussion: None.
    • GC discussion: A direct connection is a dedicated physical or virtual connection between 2 or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified non-national security systems and external networks.
    • Related controls and activities: None.
  • (28) Boundary protection: Connections to public networks
    • Prohibit the direct connection of [Assignment: organization-defined system] to a public network.
    • Discussion: A direct connection is a dedicated physical or virtual connection between 2 or more systems. A public network is a network accessible to the public, including the Internet and organizational extranets with public access.
    • Related controls and activities: None.
  • (29) Boundary protection: Separate subnets to isolate functions
    • Implement [Selection (1): physically; logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions].
    • Discussion: Separating critical system components and functions from other non-critical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command-and-control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in both the trustworthiness and robustness of critical system functions.
    • Related controls and activities: None.
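The following is an added illustration, not part of the catalogue or of any product it references, of two of the enhancements above working together: SC-07(11) source-address validation with an allow list of source and destination pairs, and SC-07(18) fail secure, where any failure to evaluate the policy results in a deny decision. The internal range, the allowed pair and the packets are constructed sample values; the special-use address list is the usual set of unallocated and private ranges and is an assumption for this example.

```python
"""
Added example: a minimal inbound boundary filter.
- validate_source(): rejects source addresses that are internal to the
  organization (they should never arrive from outside) or unallocated /
  special-use ranges (SC-07(11)).
- decide(): allows only traffic matching an explicit source/destination/port
  allow list, and fails secure (DENY) when the policy cannot be evaluated,
  e.g. on malformed input (SC-07(18)).
All addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space of the organization (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Unallocated / special-use ranges that are never legitimate external sources.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Allowed (source network, destination host, destination port) pairs.
# Constructed: a partner network may reach one internal web server on 443.
ALLOWED_PAIRS = [
    (ipaddress.ip_network("203.0.113.0/24"),
     ipaddress.ip_address("10.10.1.5"), 443),
]


@dataclass
class Packet:
    src: str    # source IP address as text
    dst: str    # destination IP address as text
    dport: int  # destination port


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def validate_source(src):
    """Return None if the source is acceptable on the external interface,
    otherwise a short reason string describing why it is rejected."""
    addr = ipaddress.ip_address(src)   # raises ValueError on garbage input
    if _in_any(addr, INTERNAL_NETS):
        return "internal source address arriving from outside (spoofed)"
    if _in_any(addr, BOGON_NETS):
        return "unallocated or special-use source address"
    return None


def decide(pkt):
    """Return ("ALLOW" | "DENY", reason) for an inbound packet.
    Any exception while evaluating the policy yields DENY (fail secure)."""
    try:
        reason = validate_source(pkt.src)
        if reason:
            return ("DENY", reason)
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        for net, host, port in ALLOWED_PAIRS:
            if src in net and dst == host and pkt.dport == port:
                return ("ALLOW", "matches allowed source/destination pair")
        return ("DENY", "no allowed source/destination pair")
    except (ValueError, TypeError) as exc:
        # Malformed packet or rule: deny rather than enter an undefined state.
        return ("DENY", f"policy evaluation failed: {exc}")


if __name__ == "__main__":
    # Constructed sample traffic for a quick run.
    for p in (Packet("203.0.113.7", "10.10.1.5", 443),   # allowed partner
              Packet("10.10.3.3", "10.10.1.5", 443),     # spoofed internal
              Packet("192.168.1.1", "10.10.1.5", 443),   # private range
              Packet("203.0.113.7", "10.10.1.6", 443),   # not in allow list
              Packet("not-an-address", "10.10.1.5", 80)):  # malformed
        print(p.src, "->", p.dst, ":", p.dport, decide(p))
```

The allow list is checked only after the source address has passed validation, so a spoofed internal address is rejected with the more specific reason even when it would otherwise match a pair; the `except` branch is what turns an evaluation error into a deny instead of an uncaught exception in the filter.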

References

 

SC-08 Transmission confidentiality and integrity

Control

Protect the [Selection (1 or more): confidentiality; integrity] of transmitted information.

Discussion

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks, as well as to any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification.

Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fibre-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.

Organizations that rely on commercial providers who offer transmission services as commodity services rather than as fully dedicated services may find it difficult to obtain the necessary assurances regarding the implementation of needed controls for transmission confidentiality and integrity. In such situations, organizations determine what types of confidentiality or integrity services are available in standard, commercial telecommunications service packages. If it is not feasible to obtain the necessary controls and assurances of control effectiveness through appropriate contracting vehicles, organizations can implement appropriate compensating controls.

Related controls and activities

AC-17, AC-18, AU-10, IA-03, IA-08, IA-09, MA-04, PE-04, SA-04, SA-08, SA-400, SC-07, SC-16, SC-20, SC-23, SC-28, SI-400.

Enhancements

  • (01) Transmission confidentiality and integrity: Cryptographic protection
    • Implement cryptographic mechanisms to [Selection (1 or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
    • Discussion: Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and Internet Protocol Security (IPsec). Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.
    • Related controls and activities: SC-12, SC-13.
  • (02) Transmission confidentiality and integrity: Pre- and post-transmission handling
    • Maintain the [Selection (1 or more): confidentiality; integrity] of information during preparation for transmission and during reception.
    • Discussion: Information can be unintentionally or maliciously disclosed or modified during preparation for transmission or during reception, including during aggregation, at protocol transformation points, and during packing and unpacking. Such unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.
    • Related controls and activities: None.
  • (03) Transmission confidentiality and integrity: Cryptographic protection for message externals
    • Implement cryptographic mechanisms to protect message externals unless otherwise protected by [Assignment: organization-defined alternative physical controls].
    • Discussion: Cryptographic protection for message externals addresses protection from the unauthorized disclosure of information. Message externals include message headers and routing information. Cryptographic protection prevents the exploitation of message externals and applies to internal and external networks or links that may be visible to individuals who are not authorized users. Header and routing information is sometimes transmitted in clear text (i.e., unencrypted) because the information is not identified by organizations as having significant value or because encrypting the information can result in lower network performance or higher costs. Alternative physical controls include protected distribution systems.
    • Related controls and activities: SC-12, SC-13.
  • (04) Transmission confidentiality and integrity: Conceal or randomize communications
    • Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [Assignment: organization-defined alternative physical controls].
    • Discussion: Concealing or randomizing communication patterns addresses protection from unauthorized disclosure of information. Communication patterns include frequency, periods, predictability, and amount. Changes to communications patterns can reveal information with intelligence value, especially when combined with other available information related to the mission and business functions of the organization. Concealing or randomizing communications prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed, or random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical controls include protected distribution systems.
    • Related controls and activities: SC-12, SC-13.
  • (05) Transmission confidentiality and integrity: Protected distribution system
    • Implement [Assignment: organization-defined protected distribution system] to [Selection (1 or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.
    • Discussion: The purpose of a protected distribution system is to deter, detect, and/or make difficult physical access to the communication lines that carry national security information.
    • Related controls and activities: None.

References

 

SC-09 Transmission confidentiality

Withdrawn: Incorporated into SC-08.

 

SC-10 Network disconnect

Control

Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity.

Discussion

Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

Related controls and activities

AC-17, SC-23.

Enhancements

None.

References

None.

 

SC-11 Trusted path

Control

  1. Provide a [Selection (1): physically; logically] isolated trusted communications path for communications between the user and the trusted components of the system
  2. Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: [Assignment: organization-defined security functions]

Discussion

Trusted paths are mechanisms by which users can communicate (using input devices such as keypads or smart card readers with a built-in PIN pad) directly with the security functions of systems with the requisite assurance to support security policies. Trusted path mechanisms can only be activated by users or the security functions of organizational systems. User responses that occur via trusted paths are protected from modification by and disclosure to untrusted applications.

Organizations employ trusted paths for trustworthy, high-assurance connections between security functions of systems and users, including during system logons. The original implementations of trusted paths employed an out-of-band signal to initiate the path, such as using the [Break] key, which does not transmit characters that can be spoofed. In later implementations, a key combination that could not be hijacked was used (e.g., the [Ctrl] + [Alt] + [Del] keys). Such key combinations, however, are platform-specific and may not provide a trusted path implementation in every case. The enforcement of trusted communications paths is provided by a specific implementation that meets the reference monitor concept.

Related controls and activities

AC-16, AC-25, SC-12, SC-23.

Enhancements

  • (01) Trusted path: Irrefutable communications path
      1. Provide a trusted communications path that is irrefutably distinguishable from other communications paths
      2. Initiate the trusted communications path for communications between the [Assignment: organization-defined security functions] of the system and the user
    • Discussion: An irrefutable communications path permits the system to initiate a trusted path, which necessitates that the user can unmistakably recognize the source of the communication as a trusted system component. For example, the trusted path may appear in an area of the display that other applications cannot access or be based on the presence of an identifier that cannot be spoofed.
    • Related controls and activities: None.

References

None.

 

SC-12 Cryptographic key establishment and management

Control

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Discussion

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. The joint NIST-CSE CMVP provides additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

GC discussion

The use of NIST-CSE CMVP-validated commercial cryptographic modules is recommended for all national security systems.

Related controls and activities

AC-17, AU-09, AU-10, CM-03, IA-03, IA-07, IA-13, SA-04, SA-08, SA-09, SC-08, SC-11, SC-12, SC-13, SC-17, SC-20, SC-37, SC-40, SI-03, SI-07.

Enhancements

  • (01) Cryptographic key establishment and management: Availability
    • Maintain availability of information in the event of the loss of cryptographic keys by users.
    • Discussion: Escrowing of encryption keys is a common practice for ensuring availability in the event of key loss. A forgotten passphrase is an example of losing a cryptographic key.
    • Related controls and activities: None.
  • (02) Cryptographic key establishment and management: Symmetric keys
    • Produce, control, and distribute symmetric cryptographic keys using [Selection (1): CMVP-validated; Cyber Centre-approved; prepositioned keying material] key management technology and processes.
    • Discussion: The Cyber Centre publication ITSP.40.111 provides recommendations for cryptographic key establishment schemes and key derivation functions that can be used to produce symmetric keys shared between 2 parties. These schemes are to be used in a network security protocol, such as those listed in the Cyber Centre’s ITSP.40.062 with further configuration guidance therein.
    • GC discussion: For national security systems, the use of Cyber Centre-approved key management technology and processes is mandatory.
    • Related controls and activities: None.
  • (03) Cryptographic key establishment and management: Asymmetric keys
    • Produce, control, and distribute asymmetric cryptographic keys using [Selection (1): Cyber Centre-approved key management technology and processes; prepositioned keying material; Cyber Centre-approved or Cyber Centre-issued Medium Assurance PKI certificates; Cyber Centre-approved or Cyber Centre-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements].
    • Discussion: ITSP.40.111 provides recommendations for approved specifications of asymmetric cryptography and recommends that implementations, including key generation, execute within CMVP-validated cryptographic modules. ITSP.40.062 provides guidance on asymmetric key management within a PKI.
    • GC discussion: For national security systems, the use of Cyber Centre-approved key management technology and processes is mandatory.
    • Related controls and activities: None.
  • (04) Cryptographic key establishment and management: PKI certificates
    • Withdrawn: Incorporated into SC-12(03).
  • (05) Cryptographic key establishment and management: PKI certificates/hardware tokens
    • Withdrawn: Incorporated into SC-12(03).
  • (06) Cryptographic key establishment and management: Physical control of keys
    • Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.
    • Discussion: For organizations that use external service providers (e.g., cloud service or data centre providers), physical control of cryptographic keys provides additional assurance that information stored by such external providers is not subject to unauthorized disclosure or modification.
    • Related controls and activities: None.

References

 

SC-13 Cryptographic protection

Control

  1. Determine the [Assignment: organization-defined cryptographic uses]
  2. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]

Discussion

Cryptography can be employed to support a variety of security solutions, including the protection of classified information and protected information, the provision and implementation of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances but lack the necessary formal access approvals.

Cryptography can also be used to support random number and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and Cyber Centre-approved cryptography. For example, organizations that need to protect classified information may specify the use of Cyber Centre-approved cryptography. Organizations that need to provision and implement digital signatures may specify the use of FIPS-validated cryptography. Cryptography is implemented in accordance with applicable laws, Orders in Council, directives, regulations, policies, standards, and guidelines.

Related controls and activities

AC-02, AC-03, AC-07, AC-17, AC-18, AC-19, AU-09, AU-10, CM-11, CP-09, IA-03, IA-05, IA-07, IA-13, MA-04, MP-02, MP-04, MP-05, SA-04, SA-08, SA-09, SA-400, SC-08, SC-12, SC-20, SC-23, SC-28, SC-40, SI-03, SI-07.

Enhancements

  • (01) Cryptographic protection: FIPS-validated cryptography
    • Withdrawn: Incorporated into SC-13.
  • (02) Cryptographic protection: National Security Agency (NSA)-approved cryptography
    • Withdrawn: Incorporated into SC-13.
  • (03) Cryptographic protection: Individuals without formal access approvals
    • Withdrawn: Incorporated into SC-13.
  • (04) Cryptographic protection: Digital signatures
    • Withdrawn: Incorporated into SC-13.
  • (400) Cryptographic protection: PROTECTED A data in transit
    • Withdrawn: Incorporated into SC-13.
  • (401) Cryptographic protection: PROTECTED B data in transit
    • Withdrawn: Incorporated into SC-13.
  • (402) Cryptographic protection: PROTECTED C data in transit
    • Withdrawn: Incorporated into SC-13.
  • (403) Cryptographic protection: PROTECTED data at rest
    • Withdrawn: Incorporated into SC-13.
  • (404) Cryptographic protection: National security systems
    • Withdrawn: Incorporated into SC-13.

References

 

SC-14 Public access protections

Withdrawn: Incorporated into AC-02, AC-03, AC-05, AC-06, SI-03, SI-04, SI-05, SI-07, and SI-10.

 

SC-15 Collaborative computing devices and applications

Control

  1. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]
  2. Provide an explicit indication of use to users physically present at the devices

Discussion

Collaborative computing devices and applications include remote meeting devices and applications, networked whiteboards, cameras, and microphones. The explicit indication of use includes signals to users when collaborative computing devices and applications are activated.

Related controls and activities

AC-21, SC-42.

Enhancements

  • (01) Collaborative computing devices and applications: Physical or logical disconnect
    • Provide [Selection (1 or more): physical; logical] disconnect of collaborative computing devices in a manner that supports ease of use.
    • Discussion: Failing to disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to disconnect from such devices after a collaborative computing session ensures that participants carry out the disconnect activity without having to go through complex and tedious procedures. Disconnect from collaborative computing devices can be manual or automatic.
    • Related controls and activities: None.
  • (02) Collaborative computing devices and applications: Blocking inbound and outbound communications traffic
    • Withdrawn: Incorporated into SC-07.
  • (03) Collaborative computing devices and applications: Disabling and removal in secure work areas
    • Disable or remove collaborative computing devices and applications from [Assignment: organization-defined systems or system components] in [Assignment: organization-defined secure work areas].
    • Discussion: Failing to disable or remove collaborative computing devices and applications from systems or system components can result in compromises of information, including eavesdropping on conversations. A sensitive compartmented information facility (SCIF) is an example of a secure work area.
    • Related controls and activities: None.
  • (04) Collaborative computing devices and applications: Explicitly indicate current participants
    • Provide an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].
    • Discussion: Explicitly indicating current participants prevents unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants.
    • Related controls and activities: None.

References

None.

 

SC-16 Transmission of security and privacy attributes

Control

Associate [Assignment: organization-defined security and privacy attributes] with information exchanged between systems and between system components.

Discussion

Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personal information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system.

Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permissible uses or disclosures of personal information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes.

Related controls and activities

AC-03, AC-04, AC-16.

Enhancements

  • (01) Transmission of security and privacy attributes: Integrity verification
    • Verify the integrity of transmitted security and privacy attributes.
    • Discussion: Part of verifying the integrity of transmitted information is ensuring that security and privacy attributes that are associated with such information have not been modified in an unauthorized manner. Unauthorized modification of security or privacy attributes can result in a loss of integrity for transmitted information.
    • Related controls and activities: AU-10, SC-08.
  • (02) Transmission of security and privacy attributes: Anti-spoofing mechanisms
    • Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
    • Discussion: Some attack vectors operate by altering the security attributes of an information system to intentionally and maliciously implement an insufficient level of security within the system. The alteration of attributes leads organizations to believe that a greater number of security functions are in place and operational than were actually implemented.
    • Related controls and activities: SI-03, SI-04, SI-07.
  • (03) Transmission of security and privacy attributes: Cryptographic binding
    • Implement [Assignment: organization-defined mechanisms or techniques] to bind security and privacy attributes to transmitted information.
    • Discussion: Cryptographic mechanisms and techniques can provide strong security and privacy attribute binding to transmitted information to help ensure the integrity of such information.
    • Related controls and activities: AC-16, SC-12, SC-13.

References

None.

 

SC-17 Public key infrastructure certificates

Control

  1. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider
  2. Include only approved trust anchors in trust stores or certificate stores managed by the organization

Discussion

PKI certificates are certificates with visibility external to organizational systems and certificates related to the internal operations of systems, such as application-specific time services. In cryptographic systems with a hierarchical structure, a trust anchor is an authoritative source (i.e., a certificate authority) for which trust is assumed and not derived. A root certificate for a PKI system is an example of a trust anchor. A trust store or certificate store maintains a list of trusted root certificates.

Related controls and activities

AU-10, IA-05, SC-12.

Enhancements

None.

References

 

SC-18 Mobile code

Control

  1. Define acceptable and unacceptable mobile code and mobile code technologies
  2. Authorize, monitor, and control the use of mobile code within the system

Discussion

Mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system. Decisions regarding the use of mobile code within organizational systems are based on the potential for the code to cause damage to the systems if used maliciously. Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript. Usage restrictions and implementation guidelines apply to both the selection and use of mobile code installed on servers and mobile code downloaded and executed on individual workstations and devices, including notebook computers and smart phones. Mobile code policy and procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

Related controls and activities

AU-02, AU-12, CM-02, CM-06, SI-03.

Enhancements

  • (01) Mobile code: Identify unacceptable code and take corrective actions
    • Identify [Assignment: organization-defined unacceptable mobile code] and take [Assignment: organization-defined corrective actions].
    • Discussion: Corrective actions when unacceptable mobile code is detected include blocking, quarantining, or alerting administrators. Blocking includes preventing the transmission of word-processing files with embedded macros when such macros have been determined to be unacceptable mobile code.
    • Related controls and activities: None.
  • (02) Mobile code: Acquisition, development, and use
    • Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code].
    • Discussion: None.
    • Related controls and activities: None.
  • (03) Mobile code: Prevent downloading and execution
    • Prevent the download and execution of [Assignment: organization-defined unacceptable mobile code].
    • Discussion: None.
    • Related controls and activities: None.
  • (04) Mobile code: Prevent automatic execution
    • Prevent the automatic execution of mobile code in [Assignment: organization-defined software applications] and enforce [Assignment: organization-defined actions] prior to executing the code.
    • Discussion: Actions enforced before executing mobile code include prompting users prior to opening email attachments or clicking on web links. Preventing the automatic execution of mobile code includes disabling auto-execute features on system components that employ any removable media technology.
    • Related controls and activities: None.
  • (05) Mobile code: Allow execution only in confined environments
    • Allow execution of permitted mobile code only in confined virtual machine environments.
    • Discussion: Permitting the execution of mobile code only in confined virtual machine environments helps prevent the introduction of malicious code into other systems and system components.
    • Related controls and activities: SC-44, SI-07.

References

None.

 

SC-19 Voice over Internet Protocol

Control

  1. The organization establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously
  2. The organization authorizes, monitors, and controls the use of VoIP within the information system

Discussion

None.

GC discussion

This control is used in any physical security zone that contains a National Security System (NSS) at the Secret or Top Secret level.

Related controls and activities

 

Enhancements

  • (400) Voice over Internet Protocol: Protocol conversion
    • Unclassified VoIP is not permitted within classified facilities unless the VoIP is converted to plain old telephone systems (POTS) before exiting the facility boundary.
    • Discussion: None.
    • GC discussion: VoIP in classified facilities should comply with the US Committee on National Security Systems Instruction (CNSSI) No. 5000. Some authorizers may require CNSSI-5000 compliance.
    • Related controls and activities: None.
  • (401) Voice over Internet Protocol: No public network access
    • Unclassified VoIP over a Local Area Network (LAN) with access to a public data network is not permitted within classified facilities.
    • Discussion: None.
    • GC discussion: VoIP in classified facilities should comply with CNSSI-5000. Some authorizers may require CNSSI-5000 compliance.
    • Related controls and activities: None.

References

To access this resource, please search for the title or issue number of the publication in the CNSS library:
CNSSI 5000 Voice Over Internet Protocol (VoIP) Telephony

 

SC-20 Secure name/address resolution service (authoritative source)

Control

  1. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries.
  2. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

Discussion

Providing authoritative source information enables external clients, including remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Systems that provide name and address resolution services include DNS servers.

Additional artifacts include DNS Security Extensions (DNSSEC), digital signatures, and cryptographic keys. Authoritative data includes DNS resource records. The means for indicating the security status of child zones include the use of delegation signer resource records in the DNS. Systems that use technologies other than the DNS to map between host and service names and network addresses provide other means to assure the authenticity and integrity of response data.
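The parent-to-child chain of trust described above rests on the delegation signer (DS) record: the parent zone publishes a digest of the child's key-signing DNSKEY, and a validator accepts the child's keys only if that digest matches. The following is an added example, not part of the control catalogue, showing the validator-side check with the DS digest computed per RFC 4034 section 5.1.4 and the key tag per RFC 4034 Appendix B; the zone name and key bytes are constructed sample data.

```python
"""Validator-side DS check for a DNSSEC delegation (added example).
All names and keys below are constructed sample values, not real zone data."""
import hashlib
import hmac
import struct

DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)
SEP_FLAG = 0x0001  # Secure Entry Point bit: set on key-signing keys


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """Build the DS record a parent zone would publish for the child's KSK."""
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": DIGEST_SHA256,
        "digest": ds_digest(owner, rdata),
    }


def validate_delegation(child_name: str, child_dnskeys: list, parent_ds_records: list) -> bool:
    """True if some DS record from the parent matches a KSK in the child's DNSKEY RRset.

    This is the step that lets a validator extend trust from a signed parent
    zone to the child zone; a mismatch means the child's keys cannot be trusted
    via this delegation (the zone is treated as bogus, not as unsigned).
    """
    for rdata in child_dnskeys:
        (flags,) = struct.unpack("!H", rdata[:2])
        if not flags & SEP_FLAG:
            continue  # DS records reference key-signing keys only
        cand = make_ds(child_name, rdata)
        for ds in parent_ds_records:
            same_ident = (ds["key_tag"], ds["algorithm"], ds["digest_type"]) == (
                cand["key_tag"], cand["algorithm"], cand["digest_type"])
            if same_ident and hmac.compare_digest(ds["digest"], cand["digest"]):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample zone: one KSK (flags 257) and one ZSK (flags 256).
    child = "example.test."
    ksk = dnskey_rdata(257, 13, b"\x01\x02\x03\x04")
    zsk = dnskey_rdata(256, 13, b"\x05\x06\x07\x08")
    parent_ds = [make_ds(child, ksk)]  # what the parent zone publishes
    print("key tag:", key_tag(ksk))
    print("delegation valid:", validate_delegation(child, [zsk, ksk], parent_ds))
```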

Related controls and activities

AU-10, SC-08, SC-12, SC-13, SC-21, SC-22.

Enhancements

  • (01) Secure name/address resolution service (authoritative source): Child subspaces
    • Withdrawn: Incorporated into SC-20.
  • (02) Secure name/address resolution service (authoritative source): Data origin and integrity
    • Provide data origin and integrity protection artifacts for internal name/address resolution queries.
    • Discussion: None.
    • Related controls and activities: None.

References

 

SC-21 Secure name/address resolution service (recursive or caching resolver)

Control

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

Discussion

Each client of name resolution services either performs this validation on its own or has authenticated channels to trusted validation providers. Systems that provide name and address resolution services for local clients include recursive resolving or caching DNS servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Systems that use technologies other than the DNS to map between host and service names and network addresses provide some other means to enable clients to verify the authenticity and integrity of response data.

Related controls and activities

SC-20, SC-22.

Enhancements

  • (01) Secure name/address resolution service (recursive or caching resolver): Data origin/integrity
    • Withdrawn: Incorporated into SC-21.

References

Protective domain name system (ITSAP.40.019)

 

SC-22 Architecture and provisioning for name/address resolution service

Control

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

Discussion

Systems that provide name and address resolution services include DNS servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least 2 authoritative DNS servers — one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in 2 geographically separated network subnetworks (i.e., not located in the same physical facility).

For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).

Related controls and activities

SC-02, SC-20, SC-21, SC-24.

Enhancements

None.

References

Protective domain name system (ITSAP.40.019)

 

SC-23 Session authenticity

Control

Protect the authenticity of communications sessions.

Discussion

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against adversary-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.

Related controls and activities

AU-10, SC-08, SC-10, SC-11.

Enhancements

  • (01) Session authenticity: Invalidate session identifiers at logout
    • Invalidate session identifiers upon user logout or other session termination.
    • Discussion: Invalidating session identifiers at logout curtails the ability of adversaries to capture and continue to employ previously valid session IDs.
    • Related controls and activities: None.
  • (02) Session authenticity: User-initiated logouts/message displays
    • Withdrawn: Incorporated into AC-12(01).
  • (03) Session authenticity: Unique system-generated session identifiers
    • Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.
    • Discussion: Generating unique session identifiers curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers.
    • Related controls and activities: AC-10, SC-12, SC-13.
  • (04) Session authenticity: Unique session identifiers with randomization
    • Withdrawn: Incorporated into SC-23(03).
  • (05) Session authenticity: Allowed certificate authorities
    • Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
    • Discussion: Reliance on certificate authorities for the establishment of secure sessions includes the use of TLS certificates. These certificates, after verification by their respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.
    • Related controls and activities: SC-12, SC-13.
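A server-side session store that implements SC-23(01) and SC-23(03) together, as an added example that is not part of the control catalogue: identifiers come from the OS CSPRNG, only identifiers the store itself issued are recognised (a client-supplied value that was never issued is rejected), and logout or expiry removes the identifier. The store indexes sessions by an HMAC of the identifier under a server key, so a copy of the table alone does not yield usable session IDs; the server key and user names are constructed sample values.

```python
"""Session identifier lifecycle for SC-23(01)/(03) (added example).
The server key and user names are constructed sample values."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_ID_BYTES = 32  # 256 bits of randomness per identifier


class SessionStore:
    def __init__(self, server_key: bytes, idle_timeout_s: int = 900):
        self._key = server_key
        self._idle = idle_timeout_s
        self._sessions = {}  # HMAC(server_key, session_id) -> record

    def _index(self, session_id: str) -> str:
        # Keyed hash so the table never holds the raw identifier.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def create(self, user: str, now: Optional[float] = None) -> str:
        """Issue a fresh, unpredictable identifier for `user` and record it."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[self._index(session_id)] = {
            "user": user, "created": now, "last_seen": now}
        return session_id

    def resolve(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user if `session_id` is a live, system-generated
        identifier, otherwise None.  A client-chosen value (session fixation)
        or a previously invalidated value is never present in the table."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._index(session_id))
        if rec is None:
            return None
        if now - rec["last_seen"] > self._idle:
            self.invalidate(session_id)  # idle expiry is treated like a logout
            return None
        rec["last_seen"] = now
        return rec["user"]

    def invalidate(self, session_id: str) -> bool:
        """SC-23(01): drop the identifier at logout or other session termination."""
        return self._sessions.pop(self._index(session_id), None) is not None

    def rotate(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Replace a live identifier with a new one (e.g. after authentication or
        a privilege change) so an identifier captured earlier stops working."""
        user = self.resolve(session_id, now)
        if user is None:
            return None
        self.invalidate(session_id)
        return self.create(user, now)

    def live_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore(b"constructed-server-key")
    sid = store.create("alice")
    print("issued:", sid)
    print("resolves to:", store.resolve(sid))
    print("forged id accepted?", store.resolve("attacker-chosen-id") is not None)
    store.invalidate(sid)
    print("after logout:", store.resolve(sid))
```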

References

 

SC-24 Fail in known state

Control

Fail to a [Assignment: organization-defined known system state] for the following failures on the indicated components while preserving [Assignment: organization-defined system state information] in failure: [Assignment: list of organization-defined types of system failures on organization-defined system components].

Discussion

Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes.

Related controls and activities

CP-02, CP-04, CP-10, CP-12, SA-08, SC-07, SC-22, SI-13.

Enhancements

None.

References

None.

 

SC-25 Thin nodes

Control

Employ minimal functionality and information storage on the following system components: [Assignment: organization-defined system components].

Discussion

The deployment of system components with minimal functionality reduces the need to secure every endpoint and may reduce the exposure of information, systems, and services to attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies.

Related controls and activities

SC-30, SC-44, SI-400.

Enhancements

None.

References

None.

 

SC-26 Decoys

Control

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

Discussion

Decoys (i.e., honeypots, honeynets, or deception nets) are established to attract adversaries and deflect attacks away from the operational systems that support organizational mission and business functions. Use of decoys requires some supporting isolation measures to ensure that any deflected malicious code does not infect organizational systems. Depending on the specific usage of the decoy, consultation with the departmental legal team before deployment may be needed.

Related controls and activities

RA-05, SC-07, SC-30, SC-35, SC-44, SI-03, SI-04.

Enhancements

  • (01) Decoys: Detection of malicious code
    • Withdrawn: Incorporated into SC-35.

References

None.

 

SC-27 Platform-independent applications

Control

Include within organizational systems the following platform-independent applications: [Assignment: organization-defined platform-independent applications].

Discussion

Platforms are combinations of hardware, firmware, and software components used to execute software applications. Platforms include operating systems, the underlying computer architectures, or both. Platform-independent applications are applications with the capability to execute on multiple platforms. Such applications promote portability and reconstitution on different platforms. Application portability and the ability to reconstitute on different platforms increase the availability of mission-essential functions within organizations in situations where systems with specific operating systems are under attack.

Related controls and activities

SC-29.

Enhancements

None.

References

None.

 

SC-28 Protection of information at rest

Control

Protect the [Selection (1 or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest].

Discussion

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information.

Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning.

Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

Related controls and activities

AC-03, AC-04, AC-06, AC-19, CA-07, CM-03, CM-05, CM-06, CP-09, MP-04, MP-05, PE-03, SA-400, SC-08, SC-12, SC-13, SC-34, SI-03, SI-07, SI-16.

Enhancements

  • (01) Protection of information at rest: Cryptographic protection
    • Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [Assignment: organization-defined system components or media]: [Assignment: organization-defined information].
    • Discussion: The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.
    • Related controls and activities: AC-19, SC-12, SC-13.
  • (02) Protection of information at rest: Offline storage
    • Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].
    • Discussion: Removing organizational information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to offline storage in lieu of protecting such information in online storage.
    • Related controls and activities: None.
  • (03) Protection of information at rest: Cryptographic keys
    • Provide protected storage for cryptographic keys [Selection (1): [Assignment: organization-defined safeguards]; hardware-protected key store].
    • Discussion: A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.
    • Related controls and activities: SC-12, SC-13.

References

Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)

 

SC-29 Heterogeneity

Control

Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components].

Discussion

Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.

Related controls and activities

AU-09, PL-08, SC-27, SC-30, SI-400, SR-03.

Enhancements

  • (01) Heterogeneity: Virtualization techniques
    • Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [Assignment: organization-defined frequency].
    • Discussion: While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments.
    • Related controls and activities: None.

References

None.

 

SC-30 Concealment and misdirection

Control

Employ the following concealment and misdirection techniques for [Assignment: organization-defined systems] at [Assignment: organization-defined time periods] to confuse and mislead adversaries: [Assignment: organization-defined concealment and misdirection techniques].

Discussion

Concealment and misdirection techniques can significantly reduce the targeting capabilities of adversaries (i.e., the window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms.

The increased use of concealment and misdirection techniques and methods — including randomness, uncertainty, and virtualization — may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core mission and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system.

Related controls and activities

AC-06, SC-25, SC-26, SC-29, SC-44, SI-14.

Enhancements

  • (01) Concealment and misdirection: Virtualization techniques
    • Withdrawn: Incorporated into SC-29(01).
  • (02) Concealment and misdirection: Randomness
    • Employ [Assignment: organization-defined techniques] to introduce randomness into organizational operations and assets.
    • Discussion: Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions.
      Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel.
    • Related controls and activities: None.
  • (03) Concealment and misdirection: Change processing and storage locations
    • Change the location of [Assignment: organization-defined processing and/or storage] [Selection (1): [Assignment: organization-defined time frequency]; at random time intervals].
    • Discussion: Adversaries target critical mission and business functions and the systems that support those mission and business functions while also trying to minimize the exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational systems targeted by adversaries make such systems more susceptible to attacks with less adversary cost and effort to be successful.
      Changing processing and storage locations (also referred to as moving target defence) addresses the advanced persistent threat using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the system components (i.e., processing, storage) that support critical mission and business functions.
      Changing the locations of processing activities and/or storage sites introduces a degree of uncertainty into the targeting activities of adversaries. The targeting uncertainty increases the work factor of adversaries and makes compromises or breaches of the organizational systems more difficult and time-consuming. It also increases the chances that adversaries may inadvertently disclose certain aspects of their tradecraft while attempting to locate critical organizational resources.
    • Related controls and activities: None.
  • (04) Concealment and misdirection: Misleading information
    • Employ realistic, but misleading information in [Assignment: organization-defined system components] about its security state or posture.
    • Discussion: Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries. Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations.
    • Related controls and activities: None.
  • (05) Concealment and misdirection: Concealment of system components
    • Employ the following techniques to hide or conceal [Assignment: organization-defined system components]: [Assignment: organization-defined techniques].
    • Discussion: By hiding, disguising, or concealing critical system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means to hide, disguise, or conceal system components include the configuration of routers or the use of encryption or virtualization techniques.
    • Related controls and activities: None.

References

None.

 

SC-31 Covert channel analysis

Control

  1. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (1 or more): storage; timing] channels
  2. Estimate the maximum bandwidth of those channels

Discussion

Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, such as in the case of systems that contain export-controlled information and have connections to external networks (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for multilevel secure systems, multiple security level systems, and cross-domain systems.

Related controls and activities

AC-03, AC-04, SA-08, SI-11.

Enhancements

  • (01) Covert channel analysis: Test covert channels for exploitability
    • Test a subset of the identified covert channels to determine the channels that are exploitable.
    • Discussion: None.
    • Related controls and activities: None.
  • (02) Covert channel analysis: Maximum bandwidth
    • Reduce the maximum bandwidth for identified covert [Selection (1 or more): storage; timing] channels to [Assignment: organization-defined values].
    • Discussion: The complete elimination of covert channels, especially covert timing channels, is usually not possible without significant performance impacts.
    • Related controls and activities: None.
  • (03) Covert channel analysis: Measure bandwidth in operational environments
    • Measure the bandwidth of [Assignment: organization-defined subset of identified covert channels] in the operational environment of the system.
    • Discussion: Measuring covert channel bandwidth in specified operational environments helps organizations determine how much information can be covertly leaked before such leakage adversely affects mission or business functions. Covert channel bandwidth may be significantly different when measured in settings that are independent of the specific environments of operation, including laboratories or system development environments.
    • Related controls and activities: None.

References

None.

 

SC-32 System partitioning

Control

Partition the system into [Assignment: organization-defined system components] residing in separate [Selection (1): physical; logical] domains or environments based on [Assignment: organization-defined circumstances for physical or logical separation of components].

Discussion

System partitioning is part of a defence-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include physically distinct components in separate racks in the same room, critical components in separate rooms, and geographical separation of critical components. Security categorization can guide the selection of candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned system components.

Related controls and activities

AC-04, AC-06, SA-08, SC-02, SC-03, SC-07, SC-36, SI-400.

Enhancements

  • (01) System partitioning: Separate physical domains for privileged functions
    • Partition privileged functions into separate physical domains.
    • Discussion: Privileged functions that operate in a single physical domain may represent a single point of failure if that domain becomes compromised or experiences a denial of service.
    • Related controls and activities: None.

References

 

SC-33 Transmission preparation integrity

Withdrawn: Incorporated into SC-08.

 

SC-34 Non-modifiable executable programs

Control

For [Assignment: organization-defined system components], load and execute:

  1. the operating environment from hardware-enforced, read-only media
  2. the following applications from hardware-enforced, read-only media: [Assignment: organization-defined applications]

Discussion

The operating environment for a system contains the code that hosts applications, including operating systems, executives, or virtual machine monitors (i.e., hypervisors). It can also include certain applications that run directly on hardware platforms. Hardware-enforced, read-only media and write-once recordable media include Compact Disc-Recordable (CD-R), Digital Versatile Disc-Recordable (DVD-R), and Blu-ray Disc Recordable (BD-R) disk drives, as well as one-time programmable read-only memory (PROM). The use of non-modifiable storage ensures the integrity of software from the point of creation of the read-only image. The use of reprogrammable read-only memory can be accepted as read-only media provided that integrity can be adequately protected from the point of initial writing to the insertion of the memory into the system, and there are reliable hardware protections against reprogramming the memory while installed in organizational systems.

Related controls and activities

AC-03, SI-07, SI-14.

Enhancements

  • (01) Non-modifiable executable programs: No writeable storage
    • Employ [Assignment: organization-defined system components] with no writeable storage that is persistent across component restart or power on/off.
    • Discussion: Disallowing writeable storage eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated system components. The restriction applies to fixed and removable storage, with the latter being addressed either directly or as specific restrictions imposed through access controls for mobile devices.
    • Related controls and activities: AC-19, MP-07.
  • (02) Non-modifiable executable programs: Integrity protection and read-only media
    • Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.
    • Discussion: Security safeguards prevent the substitution of media into information systems or the reprogramming of programmable read-only media prior to installation into the systems. Security safeguards include, for example, a combination of prevention, detection, and response.
    • Related controls and activities: AC-05, CM-03, CM-05, CM-09, MP-02, MP-04, MP-05, SA-12, SC-28, SI-03.
  • (03) Non-modifiable executable programs: Hardware-based protection
    • Withdrawn: Moved to SC-51.

References

None.

 

SC-35 External malicious code identification

Control

Include system components that proactively seek to identify network-based malicious code or malicious websites.

Discussion

External malicious code identification differs from decoys in SC-26 in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.

Related controls and activities

SC-07, SC-26, SC-44, SI-03, SI-04.

Enhancements

None.

References

None.

 

SC-36 Distributed processing and storage

Control

Distribute the following processing and storage components across multiple [Selection (1): physical locations; logical domains]: [Assignment: organization-defined processing and storage components].

Discussion

Distributing processing and storage across multiple physical locations or logical domains provides a degree of redundancy or overlap for organizations. The redundancy and overlap increase the work factor of adversaries to adversely impact organizational operations, assets, and individuals. The use of distributed processing and storage does not assume a single primary processing or storage location. Therefore, it allows for parallel processing and storage.

Related controls and activities

CP-06, CP-07, PL-08, SC-32.

Enhancements

  • (01) Distributed processing and storage: Polling techniques
      1. Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [Assignment: organization-defined distributed processing and storage components]
      2. Take the following actions in response to identified faults, errors, or compromises: [Assignment: organization-defined actions]
    • Discussion: Distributed processing and/or storage may be used to reduce opportunities for adversaries to compromise the confidentiality, integrity, or availability of organizational information and systems. However, the distribution of processing and storage components does not prevent adversaries from compromising one or more of the components. Polling compares the processing results and/or storage content from the distributed components and subsequently votes on the outcomes. Polling identifies potential faults, compromises, or errors in the distributed processing and storage components.
    • Related controls and activities: SI-04.
  • (02) Distributed processing and storage: Synchronization
    • Synchronize the following duplicate systems or system components: [Assignment: organization-defined duplicate systems or system components].
    • Discussion: SC-36 and CP-09(06) require the duplication of systems or system components in distributed locations. The synchronization of duplicated and redundant services and data helps to ensure that information contained in the distributed locations can be used in the mission or business functions of organizations, as needed.
    • Related controls and activities: CP-09.
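
The compare-and-vote step described in enhancement (01), as an added example that is not part of the original control text: three constructed storage replicas are polled by digest, a strict majority selects the reference copy, and any dissenting component is reported for the organization-defined response action in (01)(b). The node names, the record contents and the response actions are assumptions made for the example.

```python
"""Majority polling across distributed replicas (SC-36(01)).

Added example, not code from the original page. Replica contents are
constructed inline; in practice they come from the distributed processing
or storage components being polled.
"""
import hashlib
from collections import Counter


def fingerprint(content: bytes) -> str:
    """Compare replicas by SHA-256 digest so large objects need not be shipped."""
    return hashlib.sha256(content).hexdigest()


def poll(replicas: dict[str, bytes]) -> dict:
    """Vote on replica results; return the winning digest and the outliers.

    Raises RuntimeError when no strict majority exists: with a split vote the
    poll cannot tell which components are faulty or compromised, so no
    component may be trusted as the reference copy.
    """
    if not replicas:
        raise ValueError("nothing to poll")
    votes = Counter(fingerprint(v) for v in replicas.values())
    winner, count = votes.most_common(1)[0]
    if count * 2 <= len(replicas):
        raise RuntimeError("no majority: %d of %d agree" % (count, len(replicas)))
    outliers = sorted(name for name, v in replicas.items() if fingerprint(v) != winner)
    return {"digest": winner, "agreeing": count, "outliers": outliers}


def respond(result: dict) -> list[str]:
    """SC-36(01)(b): organization-defined actions for the identified components.
    The actions here (quarantine, restore from the majority copy) are assumptions."""
    return ["quarantine %s; restore from majority copy" % n for n in result["outliers"]]


def demo() -> dict:
    # Constructed: three storage nodes hold the same record; node-c's copy was altered.
    record = b'{"account": 4471, "limit": 5000}'
    replicas = {
        "node-a": record,
        "node-b": record,
        "node-c": b'{"account": 4471, "limit": 50000}',
    }
    return poll(replicas)
```

Polling by digest keeps the comparison cheap and works the same way for processing results (serialize each component's output and vote on the bytes). The strict-majority rule matters: with two replicas, or a three-way split, the vote is inconclusive and the code refuses to pick a winner rather than silently trusting one copy.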

References

None.

 

SC-37 Out-of-band channels

Control

Employ the following out-of-band channels for the physical delivery or electronic transmission of [Assignment: organization-defined information, system components, or devices] to [Assignment: organization-defined individuals or systems]: [Assignment: organization-defined out-of-band channels].

Discussion

Out-of-band channels include local, non-network access to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as Canada Post. The use of out-of-band channels contrasts with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels.

Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file.

Related controls and activities

AC-02, CM-03, CM-05, CM-07, IA-02, IA-04, IA-05, MA-04, SC-12, SI-03, SI-04, SI-07.

Enhancements

  • (01) Out-of-band channels: Ensure delivery and transmission
    • Employ [Assignment: organization-defined controls] to ensure that only [Assignment: organization-defined individuals or systems] receive the following information, system components, or devices: [Assignment: organization-defined information, system components, or devices].
    • Discussion: Techniques employed by organizations to ensure that only designated systems or individuals receive certain information, system components, or devices include sending authenticators via an approved courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt.
    • Related controls and activities: None.

References

RCMP GCPSG-007 Transport, Transmittal and Storage of Protected and Classified Material (restricted to GC)

 

SC-38 Operations security

Control

Employ the following operations security controls to protect key organizational information throughout the system development lifecycle: [Assignment: organization-defined operations security controls].

Discussion

Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities.

The OPSEC process involves 5 steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals.

Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.

Related controls and activities

CA-02, CA-07, PL-01, PM-09, PM-12, RA-02, RA-03, RA-05, SC-07, SR-03, SR-07.

Enhancements

None.

References

None.

 

SC-39 Process isolation

Control

Maintain a separate execution domain for each executing system process.

Discussion

Systems can maintain separate execution domains for each executing process by assigning each process a separate address space. Each system process has a distinct address space so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process.

Maintaining separate execution domains for executing processes can be achieved, for example, by implementing separate address spaces. Process isolation technologies, including sandboxing or virtualization, logically separate software and firmware from other software, firmware, and data. Process isolation helps limit the access of potentially untrusted software to other system resources. The capability to maintain separate execution domains is available in commercial operating systems that employ multi-state processor technologies.

Related controls and activities

AC-03, AC-04, AC-06, AC-25, SA-08, SC-02, SC-03, SI-16.

Enhancements

  • (01) Process isolation: Hardware separation
    • Implement hardware separation mechanisms to facilitate process isolation.
    • Discussion: Hardware-based separation of system processes is generally less susceptible to compromise than software-based separation, thus providing greater assurance that the separation will be enforced. Hardware separation mechanisms include hardware memory management.
    • Related controls and activities: None.
  • (02) Process isolation: Separate execution domain per thread
    • Maintain a separate execution domain for each thread in [Assignment: organization-defined multi-threaded processing].
    • Discussion: None.
    • Related controls and activities: None.
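
The discussion above and enhancement (02) rest on one observable fact: a write made in one process's address space is invisible to another process, while a write made by a thread is visible to every thread of the same process. The following added example (not code from the original page) shows both on a POSIX system using `os.fork` and `threading`; the byte string standing in for another process's code and the pipe used as the controlled inter-process channel are constructions for the example.

```python
"""Separate address spaces (SC-39) versus the shared address space of threads (SC-39(02)).

Added example, not code from the original page. POSIX only (os.fork).
CODE is a constructed byte string standing in for memory that another
process must not be able to alter.
"""
import os
import threading

CODE = bytearray(b"original-code")   # constructed: the protected bytes


def child_process_write_is_isolated() -> tuple[bytes, bytes]:
    """Fork a child that overwrites CODE.

    The child receives its own copy of the address space (copy-on-write), so
    the parent's bytes are untouched. The only way the child's data reaches
    the parent is the pipe, a channel mediated by the operating system, which
    is the "controlled communication" the control text refers to.
    """
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child
        os.close(rd)
        CODE[:] = b"tampered-code"                # alters only the child's mapping
        os.write(wr, bytes(CODE))                 # controlled inter-process channel
        os.close(wr)
        os._exit(0)
    os.close(wr)                                  # parent
    child_view = os.read(rd, 64)
    os.close(rd)
    os.waitpid(pid, 0)
    return bytes(CODE), child_view


def thread_write_is_shared() -> bytes:
    """A thread shares the process address space: its write lands in the same
    memory every other thread reads. Nothing separates threads unless the
    runtime provides per-thread execution domains, which is what SC-39(02)
    asks for in multi-threaded processing."""
    shared = bytearray(b"original-code")

    def tamper() -> None:
        shared[:] = b"tampered-code"

    worker = threading.Thread(target=tamper)
    worker.start()
    worker.join()
    return bytes(shared)
```

Run both functions: the parent still reads `original-code` after the child's write, while the thread's write replaces the buffer in place. The hardware memory management referred to in enhancement (01) is what makes the first result hold; the second result is why untrusted code running as a thread inside a trusted process cannot be considered isolated from it.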

References

None.

 

SC-40 Wireless link protection

Control

Protect external and internal [Assignment: organization-defined wireless links] from the following signal parameter attacks: [Assignment: organization-defined types of signal parameter attacks or references to sources for such attacks].

Discussion

Wireless link protection applies to internal and external wireless communication links that may be visible to individuals who are not authorized system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or spoof system users. Protection of wireless links reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement wireless link protections to the extent necessary to meet organizational security requirements.

Related controls and activities

AC-18, SC-05.

Enhancements

  • (01) Wireless link protection: Electromagnetic interference
    • Implement cryptographic mechanisms that achieve [Assignment: organization-defined level of protection] against the effects of intentional electromagnetic interference.
    • Discussion: The implementation of cryptographic mechanisms that mitigate electromagnetic interference protects systems against intentional jamming that might deny or impair communications by ensuring that wireless spread-spectrum waveforms used to provide anti-jam protection are not predictable by unauthorized individuals. The implementation of cryptographic mechanisms may also coincidentally mitigate the effects of unintentional jamming due to interference from legitimate transmitters that share the same spectrum. Mission requirements, projected threats, concepts of operations, and laws, Orders in Council, directives, regulations, policies, and standards determine the levels of wireless link availability, cryptography needed, and performance.
    • Related controls and activities: PE-21, SC-12, SC-13.
  • (02) Wireless link protection: Reduce detection potential
    • Implement cryptographic mechanisms to reduce the detection potential of wireless links to [Assignment: organization-defined level of reduction].
    • Discussion: The implementation of cryptographic mechanisms to reduce detection potential is used for covert communications and to protect wireless transmitters from geolocation. It also ensures that the spread-spectrum waveforms used to achieve a low probability of detection are not predictable by unauthorized individuals. Mission requirements, projected threats, concepts of operations, and applicable laws, Orders in Council, directives, regulations, policies, and standards determine the levels to which wireless links are undetectable.
    • Related controls and activities: SC-12, SC-13.
  • (03) Wireless link protection: Imitative or manipulative communications deception
    • Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
    • Discussion: The implementation of cryptographic mechanisms to identify and reject imitative or manipulative communications ensures that the signal parameters of wireless transmissions are not predictable by unauthorized individuals. Such unpredictability reduces the probability of imitative or manipulative communications deception based on signal parameters alone.
    • Related controls and activities: SC-12, SC-13, SI-04.
  • (04) Wireless link protection: Signal parameter identification
    • Implement cryptographic mechanisms to prevent the identification of [Assignment: organization-defined wireless transmitters] by using the transmitter signal parameters.
    • Discussion: The implementation of cryptographic mechanisms to prevent the identification of wireless transmitters protects against the unique identification of wireless transmitters for the purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal parameters are not predictable by unauthorized individuals. It also provides anonymity when required. Radio fingerprinting techniques identify the unique signal parameters of transmitters to fingerprint such transmitters for purposes of tracking and mission or user identification.
    • Related controls and activities: SC-12, SC-13.
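
Enhancements (01) to (03) all turn on the same idea: a signal parameter (here, the hopping channel for each time slot) is derived from a secret key, so a party without the key cannot predict it, and a receiver that holds the key can reject transmissions that do not follow the schedule. The following added example, which is not code from the original page and not the waveform of any real radio, makes that concrete with an HMAC-derived hop schedule; the key, network identifier and 79-channel plan are assumptions.

```python
"""Keyed frequency-hop schedule as a cryptographic signal-parameter protection (SC-40).

Added example, not code from the original page and not any real radio's
algorithm. Key, network id and channel plan are assumptions for illustration.
"""
import hashlib
import hmac

CHANNELS = 79                       # assumed channel plan


def hop_channel(key: bytes, net_id: bytes, slot: int) -> int:
    """Channel for a time slot: HMAC-SHA256 over (net_id, slot), reduced mod CHANNELS.

    Reducing 64 bits modulo 79 leaves a bias of about 79 / 2**64, which is
    negligible. Without the key the sequence is unpredictable; with it, both
    ends of the link agree on every slot.
    """
    tag = hmac.new(key, net_id + slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % CHANNELS


def schedule(key: bytes, net_id: bytes, first_slot: int, count: int) -> list[int]:
    """Hop channels for `count` consecutive slots starting at `first_slot`."""
    return [hop_channel(key, net_id, s) for s in range(first_slot, first_slot + count)]


def accept_frame(key: bytes, net_id: bytes, slot: int, observed_channel: int) -> bool:
    """SC-40(03): reject a transmission whose channel does not match the keyed
    schedule for that slot. This is the signal-parameter filter against
    imitative deception; payload authentication is a separate control."""
    return observed_channel == hop_channel(key, net_id, slot)


def agreement(sched_a: list[int], sched_b: list[int]) -> float:
    """Fraction of slots on which two schedules land on the same channel."""
    return sum(a == b for a, b in zip(sched_a, sched_b)) / len(sched_a)


def demo() -> tuple[float, float]:
    # Constructed keys: the legitimate link key and an adversary's guess.
    key = b"constructed-link-key-01"
    net_id = b"NET1"
    legit_tx = schedule(key, net_id, 1000, 200)
    legit_rx = schedule(key, net_id, 1000, 200)
    imposter = schedule(b"adversary-guess", net_id, 1000, 200)
    return agreement(legit_tx, legit_rx), agreement(legit_tx, imposter)
```

The two ends of the link agree on 100% of slots; a transmitter without the key lands on the right channel about one slot in 79, and every other frame it sends is rejected by `accept_frame`. Two caveats a practitioner should keep in mind: the schedule only works if both ends agree on the slot number, which makes time synchronization (SC-45) part of the protection, and a correct channel proves only knowledge of the key, not the integrity of the frame, so the payload still needs its own authentication under SC-08 and SC-13.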

References

None.

 

SC-41 Port and input/output device access

Control

[Selection (1): Physically; Logically] disable or remove [Assignment: organization-defined connection ports or input/output devices] on the following systems or system components: [Assignment: organization-defined systems or system components].

Discussion

Disabling or removing connection ports and input/output (I/O) devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action compared to logical approaches. Examples of connection ports include Universal Serial Bus (USB), Thunderbolt, and FireWire (IEEE 1394). Examples of I/O devices include optical disc drives, USB thumb drives, monitors, keyboards, and mice.

Related controls and activities

AC-20, MP-07.

Enhancements

None.

References

None.

 

SC-42 Sensor capability and data

Control

  1. Prohibit [Selection (1 or more): the use of devices possessing [Assignment: organization-defined environmental sensing capabilities] in [Assignment: organization-defined facilities, areas, or systems]; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: [Assignment: organization-defined exceptions where remote activation of sensors is allowed]]
  2. Provide an explicit indication of sensor use to [Assignment: organization-defined group of users]

Discussion

Sensor capability and data applies to types of systems or system components characterized as mobile devices, such as cellular telephones, smart phones, and tablets. Mobile devices often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include microphones, cameras, Global Positioning System (GPS) mechanisms, and accelerometers.

While the sensors on mobile devices provide an important function, such devices can potentially provide a means for adversaries to learn valuable information about individuals and organizations if activated covertly. For example, remotely activating the GPS function on a mobile device could provide an adversary with the ability to track the movements of an individual. Organizations may prohibit individuals from bringing cellular telephones or digital cameras into certain designated facilities or controlled areas within facilities where classified information is stored or sensitive conversations take place.

Related controls and activities

SC-15.

Enhancements

  • (01) Sensor capability and data: Reporting to authorized individuals or roles
    • Verify that the system is configured so that data or information collected by the [Assignment: organization-defined sensors] is only reported to authorized individuals or roles.
    • Discussion: In situations where sensors are activated by authorized individuals, it is still possible that the data or information collected by the sensors will be sent to unauthorized entities. Organizations should make sure appropriate controls are in place to ensure sensor data is protected.
    • Related controls and activities: None.
  • (02) Sensor capability and data: Authorized use
    • Employ the following measures so that data or information collected by [Assignment: organization-defined sensors] is used only for authorized purposes: [Assignment: organization-defined measures].
    • Discussion: Organizations should ensure lawful authority for any use or disclosure of sensor data. Information collected by sensors for a specific authorized purpose could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track the movements of individuals. Measures to mitigate such activities include additional training to help ensure that authorized individuals do not abuse their authority and, where sensor data is maintained by external parties, contractual restrictions on the use of such data.
    • Related controls and activities: PT-02.
  • (03) Sensor capability and data: Prohibit use of devices
    • Withdrawn: Incorporated into SC-42.
  • (04) Sensor capability and data: Notice of collection
    • Employ the following measures to facilitate an individual’s awareness that personal information is being collected by [Assignment: organization-defined sensors]: [Assignment: organization-defined measures].
    • Discussion: Obtain legal advice before collecting sensor data on employer-issued devices. When individuals are aware that organizational sensors are collecting data, they can engage more effectively in managing their privacy. Measures can include conventional written notices or sensor configurations that make individuals directly or indirectly aware through other devices that the sensor is collecting information. The clarity of the notice is an important consideration.
    • GC discussion: There are both privacy and Charter implications with the use of sensor technology, and further assessment by organizational counsel may be required. It is important to notify users of employer-issued technologies about the potential infringement of their personal information and that users acknowledge these risks before using the device.
    • Related controls and activities: PT-01, PT-04, PT-05.
  • (05) Sensor capability and data: Collection minimization
    • Employ [Assignment: organization-defined sensors] that are configured to minimize the collection of information about individuals that is not needed.
    • Discussion: Although policies that constrain authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy and Charter risk and mitigates the risk of policy control failures.
    • GC discussion: In addition, for the use of technologies that can be considered privacy-invasive, the Office of the Privacy Commissioner (OPC) asks that Charter implications be considered, in line with the R. v. Oakes Supreme Court decision. Bearing in mind the concept of unreasonable search and seizure, organizations should assess collection of information that may infringe on Charter rights against the principles set out in the aforementioned Oakes decision.
    • Related controls and activities: SA-08, SI-12.
  • (400) Sensor capability and data: Disablement in security/high-security zones
    • Ensure that the organization disables all sensors on all devices when they are not approved to process information at the highest classification level in the security or high-security zone they are in.
    • Discussion: None.
    • GC discussion: Organizations must ensure that device sensors are disabled. For example, cameras and microphones on Protected B-approved workstations must be physically disabled if they are not used. If they are used, they must be situated in such ways as to prevent compromise of Protected C or classified information discussed or presented in the security or high-security zones.
    • Related controls and activities: None.

References

 

SC-43 Usage restrictions

Control

  1. Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]
  2. Authorize, monitor, and control the use of such components within the system

Discussion

Usage restrictions apply to all system components including, but not limited to, mobile code, mobile devices, wireless access, and wired and wireless peripheral components (e.g., copiers, printers, scanners, optical devices, and other similar technologies). The usage restrictions and implementation guidelines are based on the potential for system components to cause damage to the system and help to ensure that only authorized system use occurs.

Related controls and activities

AC-18, AC-19, CM-06, SC-07, SC-18.

Enhancements

None.

References

TBS Directive on Service and Digital, Appendix F: Standard on Enterprise Information Technology Usage Restrictions

 

SC-44 Detonation chambers

Control

Employ a detonation chamber capability within [Assignment: organization-defined system, system component, or location].

Discussion

Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute URL requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code.

While detonation chambers are related to the concept of deception nets, they are not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely.

Related controls and activities

SC-07, SC-18, SC-25, SC-26, SC-30, SC-35, SC-39, SI-03, SI-07.

Enhancements

None.

References

Top 10 IT security actions to protect Internet-connected networks and information (ITSM.10.089)

 

SC-45 System time synchronization

Control

Synchronize system clocks within and between systems and system components.

Discussion

Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result if clocks are not properly synchronized within and between systems and system components.

Time is commonly expressed in UTC or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities — such as access control and identification and authentication — depending on the nature of the mechanisms used to support the capabilities.

Related controls and activities

AC-03, AU-08, IA-02, IA-08.

Enhancements

  • (01) System time synchronization: Synchronization with authoritative time source
      1. Compare the internal system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]
      2. Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period]
    • Discussion: Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.
    • Related controls and activities: None.
  • (02) System time synchronization: Secondary authoritative time source
      1. Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source
      2. Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable
    • Discussion: It may be necessary to employ geolocation information to determine that the secondary authoritative time source is in a different geographic region.
    • Related controls and activities: None.
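
The comparison in enhancement (01), carried through with RFC 5905 timestamps, as an added example that is not part of the original control text: a constructed server reply is parsed, the sanity checks the RFC requires before a reply may influence the local clock are applied (server mode, stratum, leap indicator, and the origin timestamp echoing the client's own transmit timestamp), the clock offset and round-trip delay are computed, and the offset is compared against the organization-defined threshold from (01)(b). The packet contents, the timestamps and the 128 ms threshold are constructed for the example.

```python
"""NTP clock offset and delay from a server reply (RFC 5905, section 8).

Added example: a client-side calculation, not code from the original page.
The reply packet and all timestamps are constructed so the example runs
offline; the 128 ms step threshold is an assumed organization-defined value.
"""
import struct

NTP_PACKET = struct.Struct("!BBBbIIIQQQQ")  # 48-byte NTP header, RFC 5905 figure 8
FRAC = 1 << 32                              # one second in 2**-32 units


def ntp_ts(seconds: int, millis: int = 0) -> int:
    """Pack an NTP 64-bit timestamp: seconds since 1900 plus a 32-bit fraction."""
    return (seconds << 32) | (millis * FRAC // 1000)


def build_server_reply(origin: int, receive: int, transmit: int,
                       stratum: int = 2, li: int = 0) -> bytes:
    """Constructed server reply (mode 4, version 4); only feeds the parser below."""
    li_vn_mode = (li << 6) | (4 << 3) | 4
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20,
                           0, 0, 0x47505300,          # root delay, root dispersion, ref id "GPS"
                           receive, origin, receive, transmit)


def parse_server_reply(packet: bytes, sent_t1: int) -> dict:
    """Parse a reply and apply the RFC 5905 sanity checks; ValueError means discard."""
    if len(packet) < NTP_PACKET.size:
        raise ValueError("short packet")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, ref_id,
     _ref_ts, origin, t2, t3) = NTP_PACKET.unpack_from(packet)
    li, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if version < 3:
        raise ValueError("unsupported NTP version %d" % version)
    if stratum == 0:
        raise ValueError("kiss-o'-death, code %r" % ref_id.to_bytes(4, "big"))
    if stratum > 15:
        raise ValueError("server unsynchronized (stratum %d)" % stratum)
    if li == 3:
        raise ValueError("server clock unsynchronized (LI=3)")
    # The origin field must echo the transmit timestamp of *our* request. A
    # reply that fails this test is bogus or spoofed and must not steer the clock.
    if origin != sent_t1:
        raise ValueError("origin timestamp mismatch: possible spoofed reply")
    return {"stratum": stratum, "t2": t2, "t3": t3}


def offset_and_delay(t1: int, t2: int, t3: int, t4: int) -> tuple[float, float]:
    """RFC 5905 clock offset theta and round-trip delay delta, in seconds.
    Arithmetic is done on the 64-bit integers to avoid float rounding."""
    theta = ((t2 - t1) + (t3 - t4)) / 2 / FRAC
    delta = ((t4 - t1) - (t3 - t2)) / FRAC
    return theta, delta


def sync_decision(theta: float, threshold: float) -> str:
    """SC-45(01)(b): synchronize only when |offset| exceeds the defined period."""
    return "step" if abs(theta) > threshold else "leave"


def demo() -> tuple[float, float, str]:
    # Constructed scenario: server clock 250 ms ahead of ours, 10 ms one-way
    # path delay in each direction, 2 ms spent inside the server.
    base = 3_900_000_100
    t1 = ntp_ts(base, 0)      # client transmit  (client clock)
    t2 = ntp_ts(base, 260)    # server receive   (server clock)
    t3 = ntp_ts(base, 262)    # server transmit  (server clock)
    t4 = ntp_ts(base, 22)     # client receive   (client clock)
    reply = parse_server_reply(build_server_reply(t1, t2, t3), t1)
    theta, delta = offset_and_delay(t1, reply["t2"], reply["t3"], t4)
    return theta, delta, sync_decision(theta, 0.128)
```

For the constructed scenario the offset comes out at 0.250 s and the delay at 0.020 s, so the 128 ms threshold is exceeded and the clock would be stepped. The origin-timestamp check is the security-relevant line: an off-path attacker who cannot see the request cannot forge a reply that passes it. It does not stop an on-path attacker, which is why authoritative sources for sensitive systems should also be authenticated (symmetric-key NTP or Network Time Security) and why (02) asks for a second source in a different region.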

References

IETF RFC 5905 Network Time Protocol Version 4: Protocol and Algorithms Specification

 

SC-46 Cross-domain policy enforcement

Control

Implement a policy enforcement mechanism [Selection (1): physically; logically] between the physical and/or network interfaces for the connecting security domains.

Discussion

For logical policy enforcement mechanisms, organizations should avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement may be needed to preclude the presence of logical covert channels penetrating the security domain.

GC discussion

Only Cyber Centre-approved cross-domain solutions (CDS) should be used for Protected C and classified information. Contact cyber@cyber.gc.ca for more information.

Related controls and activities

AC-04, SC-07.

Enhancements

  • (400) Cross-domain policy enforcement: Manual data transfer
    • Limit the use of manual data transfer.
    • Discussion: A transfer CDS allows information to be transferred securely and automatically between different security domains. The use of manual data transfer should be limited to specific requirements. Circumventing the proper transfer procedures and choosing to transfer information using removable media is generally inappropriate user behaviour.
      If transferring information using removable media becomes an operational necessity, procedures must conform to the Cyber Centre’s ITSB-112. An authorized user may do a manual data transfer using removable media such as a USB memory stick. If available, an offline CDS can be used to scan and sanitize the media. Such a transfer can be used when there is a requirement to transfer a software patch or anti-virus update from a removable media device to an isolated security domain, for example.
    • Related controls and activities: None.

References

 

SC-47 Alternate communications paths

Control

Establish [Assignment: organization-defined alternate communications paths] for system operations and organizational command and control.

Discussion

An incident, whether adversarial or non-adversarial, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. Moreover, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communications paths for command-and-control purposes, including designating alternative decision-makers if primary decision-makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident.

Related controls and activities

CP-02, CP-08.

Enhancements

None.

References

TBS Directive on Security Management, Appendix D: Mandatory Procedures for Business Continuity Management Control

 

SC-48 Sensor relocation

Control

Relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].

Discussion

Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. Organizations often only have a limited set of monitoring and detection capabilities, and they may be focused on the critical or likely infiltration or exfiltration paths.

By using communications paths that an organization typically does not monitor, an adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, an organization can impede the adversary’s ability to achieve its goals. Sensors or monitoring capabilities might be relocated based on threat information that the organization has acquired or relocated randomly to confuse the adversary and make its lateral transition through the system or organization more challenging.

Related controls and activities

AU-02, SC-07, SI-04.

Enhancements

  • (01) Sensor relocation: Dynamic relocation of sensors or monitoring capabilities
    • Dynamically relocate [Assignment: organization-defined sensors and monitoring capabilities] to [Assignment: organization-defined locations] under the following conditions or circumstances: [Assignment: organization-defined conditions or circumstances].
    • Discussion: None.
    • Related controls and activities: None.

References

NIST SP 800-160 Vol. 2 Rev. 1 Developing Cyber Resilient Systems: A Systems Security Engineering Approach

 

SC-49 Hardware-enforced separation and policy enforcement

Control

Implement hardware-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].

Discussion

System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement.

Related controls and activities

AC-04, SA-08, SC-50.

Enhancements

None.

References

System lifecycle cyber security and privacy risk management activities (ITSP.10.037)

 

SC-50 Software-enforced separation and policy enforcement

Control

Implement software-enforced separation and policy enforcement mechanisms between [Assignment: organization-defined security domains].

Discussion

System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.

Related controls and activities

AC-03, AC-04, SA-08, SC-02, SC-03, SC-49.

Enhancements

None.

References

System lifecycle cyber security and privacy risk management activities (ITSP.10.037)

 

SC-51 Hardware-based protection

Control

  1. Employ hardware-based write-protect for [Assignment: organization-defined system firmware components]
  2. Implement specific procedures for [Assignment: organization-defined authorized individuals] to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode

Discussion

None.

Related controls and activities

None.

Enhancements

None.

References

None.

 

SC-400 Entity source authentication

Control

The information system allows a message recipient to verify the claimed source identifier in a message.

Discussion

Source authentication prevents an unauthorized entity from sending a message impersonating another entity. This control applies to non-session-based communications and can be implemented in protocols at any layer, from VoIP packets to electronic mail. A message is any communication between 2 entities.

Related controls and activities

IA-01, IA-02, IA-03, IA-04, IA-05, SC-08, SC-13.

Enhancements

  • (01) Entity source authentication: Claimed identifier authentication
    • Authentication of the claimed identifier in the message is cryptographically based.
    • Discussion: None.
    • Related controls and activities: None.
  • (02) Entity source authentication: Digital signature
    • The organization employs CMVP-certified cryptography for digital signature generation and verification.
    • Discussion: None.
    • Related controls and activities: SC-13.
  • (03) Entity source authentication: Authentication implementation
    • The organization employs Cyber Centre-approved cryptography and protocols to implement the authentication.
    • Discussion: None.
    • Related controls and activities: SC-13.
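The following Go program is an added example, not text from the catalogue or from any Cyber Centre publication. It shows the mechanism SC-400 and enhancements (01) and (02) describe: a non-session message carries a claimed source identifier, a digital signature covers that identifier together with the body, and the recipient looks up the verification key by the claimed identifier in a directory whose identifier-to-key bindings were established out of band (the IA-04/IA-05 linkage above). The identifiers, keys and message bodies are constructed for the example; the standard-library Ed25519 primitive stands in for the CMVP-certified implementation that enhancement (02) calls for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Message is a single non-session communication: the claimed source identifier
// travels with the body, and Sig binds the two together.
type Message struct {
	Source string // claimed source identifier
	Body   []byte
	Sig    []byte // Ed25519 signature over signingInput(Source, Body)
}

// Directory holds the public keys the organization has bound to identifiers
// through its identity management process. It is the recipient's trust anchor;
// keys are never taken from the message itself.
type Directory map[string]ed25519.PublicKey

// signingInput length-prefixes each field so that the identifier is covered by
// the signature and field boundaries cannot be shifted ("ab"+"c" vs "a"+"bc").
func signingInput(source string, body []byte) []byte {
	var n [4]byte
	out := make([]byte, 0, 8+len(source)+len(body))
	binary.BigEndian.PutUint32(n[:], uint32(len(source)))
	out = append(out, n[:]...)
	out = append(out, source...)
	binary.BigEndian.PutUint32(n[:], uint32(len(body)))
	out = append(out, n[:]...)
	return append(out, body...)
}

// Sign produces a message whose claimed source is authenticated by priv.
func Sign(source string, body []byte, priv ed25519.PrivateKey) Message {
	return Message{Source: source, Body: body, Sig: ed25519.Sign(priv, signingInput(source, body))}
}

// Verify authenticates the claimed source identifier: the public key is looked
// up by the claimed identifier, and the signature must verify under that key.
func (d Directory) Verify(m Message) error {
	pub, ok := d[m.Source]
	if !ok {
		return errors.New("claimed source identifier is not bound to any key")
	}
	if !ed25519.Verify(pub, signingInput(m.Source, m.Body), m.Sig) {
		return errors.New("signature does not verify under the claimed source's key")
	}
	return nil
}

// DemoResult records the verification outcome for four constructed messages.
type DemoResult struct {
	Genuine      error // alice's own message: must verify
	Impersonated error // mallory signs with her own key but claims alice's identifier
	Tampered     error // alice's signature replayed over a modified body
	Relabelled   error // alice's genuine message re-addressed as coming from bob
}

// Demo runs the scenarios with freshly generated keys and constructed messages.
func Demo() DemoResult {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Hypothetical identifiers; the identifier-to-key binding is established out of band.
	const alice, bob = "alice@dept.example.gc.ca", "bob@dept.example.gc.ca"
	dir := Directory{alice: alicePub, bob: bobPub}

	body := []byte("apply patch bundle 2024-03 at 02:00") // constructed sample body
	genuine := Sign(alice, body, alicePriv)
	impersonated := Sign(alice, body, malloryPriv)
	tampered := Message{Source: alice, Body: []byte("apply patch bundle 2024-04 at 02:00"), Sig: genuine.Sig}
	relabelled := Message{Source: bob, Body: genuine.Body, Sig: genuine.Sig}

	return DemoResult{
		Genuine:      dir.Verify(genuine),
		Impersonated: dir.Verify(impersonated),
		Tampered:     dir.Verify(tampered),
		Relabelled:   dir.Verify(relabelled),
	}
}

func main() {
	r := Demo()
	fmt.Println("genuine:     ", r.Genuine)
	fmt.Println("impersonated:", r.Impersonated)
	fmt.Println("tampered:    ", r.Tampered)
	fmt.Println("relabelled:  ", r.Relabelled)
}
```

The relabelled case is the one most often missed: a signature that covers only the body lets a genuine message be re-addressed as coming from another entity, so the claimed identifier must be inside the signed input and the recipient must select the key by that claimed identifier rather than trust any key or certificate carried in the message.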

References

 

SC-401 Unclassified telecommunications in secure facilities

Control

  1. Unclassified telecommunications systems in secure facilities must not pass or transmit sensitive audio discussions when they are idle and not in use. Additionally, these telecommunications systems must be configured to prevent external control or activation. The concepts of on-hook audio protection outlined in CNSSI 5002 and 5006 must be incorporated into secure facilities’ telecommunications systems
  2. Unclassified telephone systems and services must be configured to prevent technical exploitation or penetration. In addition, these systems must incorporate physical and software access controls to prevent disclosure or manipulation of system programming and stored data
  3. The organization must ensure that the following specific requirements are applied to unclassified telecommunications systems
    1. provide on-hook audio protection by the use of CNSSI 5006 equipment, CNSSI 5006-approved disconnect devices, or equivalent CNSSI 5002 system configuration
    2. provide isolation by using a computerized telephone system (CTS) with software and hardware configuration control and control of audit reports (such as station message detail reporting, call detail reporting, etc.). System programming will not include the ability to place, or keep, a handset off-hook. Configuration of the system must ensure that all on-hook and off-hook vulnerabilities are identified and mitigated
    3. ensure that equipment used for the administration of telephone systems is installed inside an area where access is limited to authorized personnel. When local administration terminals (for a CTS) are not or cannot be contained within the controlled area or safeguarded against unauthorized manipulation, then the use of CNSSI 5006-approved telephone equipment must be required, regardless of the CTS configuration
    4. ensure that remote maintenance is not used outside the secure facility
    5. ensure that speakerphones and audio-conferencing systems are not used on unclassified telecommunications systems in secure facilities. CSE may approve exceptions to this requirement when these systems have sufficient audio isolation from other classified discussion areas in the secure facility, and when there are established procedures to prevent inadvertent transmission of classified information
    6. ensure that features used for voicemail or unified messaging services are configured to prevent unauthorized access to remote diagnostic ports or internal dial tone
    7. ensure that telephone answering devices (TAD) and facsimile machines do not contain features that introduce security vulnerabilities, for example, remote room monitoring, remote programming, or other similar features that may permit off-premises access to room audio. Prior CSE approval is required before installation or use
  4. All unclassified telecommunications systems and associated infrastructure must be electrically and physically isolated from any classified information/telecommunications systems in accordance with CNSS requirements or any other separation standards applied to the classified information system on site
  5. The security requirements and installation guidelines contained in the CNSSI 5000 shall be followed for VoIP systems installed in any physical security zone processing classified information

Discussion

None.

GC discussion

A secure facility is any physical security zone that processes classified information. A secure facility may be a SCIF at the Top Secret level, or any secure facility at a lower level (e.g. Secret, Confidential).

Related controls and activities

None.

Enhancements

None.

References

To access these resources, please search for the title or issue number of the publication in the CNSS library:

  • CNSSI 5000 Voice Over Internet Protocol (VoIP) Telephony
  • CNSSI 5002 Telephony isolation used for unified communications implementations within physically protected spaces
  • CNSSI 5006 National Instruction for Approved Telephone Equipment