// Level 3 · Controls

System and Communications Protection

NIST SP 800-53 Rev 5 System and Communications Protection controls.

SC-01 · Medium

Policy and Procedures

Develop, document, and disseminate to [parameter]:

SC-02 · Medium

Separation of System and User Functionality

Separate user functionality, including user interface services, from system management functionality.

SC-03 · Medium

Security Function Isolation

Isolate security functions from nonsecurity functions.

SC-04 · Medium

Information in Shared System Resources

Prevent unauthorized and unintended information transfer via shared system resources.

SC-05 · Medium

Denial-of-service Protection

[parameter] the effects of the following types of denial-of-service events: [parameter]; and

SC-06 · Medium

Resource Availability

Protect the availability of resources by allocating [parameter] by [parameter].

SC-07 · Medium

Boundary Protection

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

SC-08 · Medium

Transmission Confidentiality and Integrity

Protect the [parameter] of transmitted information.

SC-09 · Medium

Transmission Confidentiality

SC-10 · Medium

Network Disconnect

Terminate the network connection associated with a communications session at the end of the session or after [parameter] of inactivity.

SC-11 · Medium

Trusted Path

Provide a [parameter] isolated trusted communications path for communications between the user and the trusted components of the system; and

SC-12 · Medium

Cryptographic Key Establishment and Management

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [parameter].

SC-13 · Medium

Cryptographic Protection

Determine the [parameter]; and

SC-14 · Medium

Public Access Protections

SC-15 · Medium

Collaborative Computing Devices and Applications

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [parameter]; and

SC-16 · Medium

Transmission of Security and Privacy Attributes

Associate [parameter] with information exchanged between systems and between system components.

SC-17 · Medium

Public Key Infrastructure Certificates

Issue public key certificates under an [parameter] or obtain public key certificates from an approved service provider; and

SC-18 · Medium

Mobile Code

Define acceptable and unacceptable mobile code and mobile code technologies; and

SC-19 · Medium

Voice Over Internet Protocol

Technology-specific; addressed as any other technology or protocol.

SC-20 · Medium

Secure Name/Address Resolution Service (Authoritative Source)

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

SC-21 · Medium

Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-22 · Medium

Architecture and Provisioning for Name/Address Resolution Service

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

SC-23 · Medium

Session Authenticity

Protect the authenticity of communications sessions.

SC-24 · Medium

Fail in Known State

Fail to a [parameter] for the following failures on the indicated components while preserving [parameter] in failure: [parameter].

SC-25 · Medium

Thin Nodes

Employ minimal functionality and information storage on the following system components: [parameter].

SC-26 · Medium

Decoys

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

SC-27 · Medium

Platform-independent Applications

Include within organizational systems the following platform-independent applications: [parameter].

SC-28 · Medium

Protection of Information at Rest

Protect the [parameter] of the following information at rest: [parameter].

SC-29 · Medium

Heterogeneity

Employ a diverse set of information technologies for the following system components in the implementation of the system: [parameter].

SC-30 · Medium

Concealment and Misdirection

Employ the following concealment and misdirection techniques for [parameter] at [parameter] to confuse and mislead adversaries: [parameter].

SC-31 · Medium

Covert Channel Analysis

Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [parameter] channels; and

SC-32 · Medium

System Partitioning

Partition the system into [parameter] residing in separate [parameter] domains or environments based on [parameter].

SC-33 · Medium

Transmission Preparation Integrity

SC-34 · Medium

Non-modifiable Executable Programs

For [parameter], load and execute:

SC-35 · Medium

External Malicious Code Identification

Include system components that proactively seek to identify network-based malicious code or malicious websites.

SC-36 · Medium

Distributed Processing and Storage

Distribute the following processing and storage components across multiple [parameter]: [parameter].

SC-37 · Medium

Out-of-band Channels

Employ the following out-of-band channels for the physical delivery or electronic transmission of [parameter] to [parameter]: [parameter].

SC-38 · Medium

Operations Security

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [parameter].

SC-39 · Medium

Process Isolation

Maintain a separate execution domain for each executing system process.

SC-40 · Medium

Wireless Link Protection

Protect external and internal [parameter] from the following signal parameter attacks: [parameter].

SC-41 · Medium

Port and I/O Device Access

[parameter] disable or remove [parameter] on the following systems or system components: [parameter].

SC-42 · Medium

Sensor Capability and Data

Prohibit [parameter]; and

SC-43 · Medium

Usage Restrictions

Establish usage restrictions and implementation guidelines for the following system components: [parameter]; and

SC-44 · Medium

Detonation Chambers

Employ a detonation chamber capability within [parameter].

SC-45 · Medium

System Time Synchronization

Synchronize system clocks within and between systems and system components.

SC-46 · Medium

Cross Domain Policy Enforcement

Implement a policy enforcement mechanism [parameter] between the physical and/or network interfaces for the connecting security domains.

SC-47 · Medium

Alternate Communications Paths

Establish [parameter] for system operations organizational command and control.

SC-48 · Medium

Sensor Relocation

Relocate [parameter] to [parameter] under the following conditions or circumstances: [parameter].

SC-49 · Medium

Hardware-enforced Separation and Policy Enforcement

Implement hardware-enforced separation and policy enforcement mechanisms between [parameter].

SC-50 · Medium

Software-enforced Separation and Policy Enforcement

Implement software-enforced separation and policy enforcement mechanisms between [parameter].

SC-51 · Medium

Hardware-based Protection

Employ hardware-based, write-protect for [parameter]; and