
System and Communications Protection (SC)

7.   TECHNICAL CONTROLS

7.4   System and Communications Protection (SC)

System and Communications Protection includes instructions on partitioning to preclude inadvertent data contamination and on the isolation of security functions from other areas and services. Boundary protection requirements are addressed which include protections against denial of service. In addition, transmission confidentiality and integrity controls (e.g., cryptographic services and Public Key Infrastructure (PKI) technology rules) are identified.

Policy: Office of Personnel Management (OPM) shall provide system and communications protection for OPM information systems and information. This protection will assure users that OPM information is protected by controls to prevent unauthorized users from interfering with authorized communications and from accessing information that resides on, or is transmitted from, OPM systems. OPM’s policy shall:

• Monitor, control, and protect communications (information transmitted or received by information systems);

• Employ its information systems to transmit information in a secure manner commensurate with the risk and magnitude of harm that could result from unauthorized transmission or receipt of information or from interference with OPM’s communications. Manners of securing the transmission of information include the use of trusted path, cryptographic key, data encryption, session encryption, and public key infrastructure (PKI), among other methods;

• Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within its information systems;

• Employ methods to protect its information systems from denial of service (DOS) attacks;

• Authorize, monitor, and control the use of mobile code and communications protocols (e.g., Voice over Internet Protocol) on its information systems; and

• Provide mechanisms to protect the authenticity of communications sessions conducted on its information systems.

7.4.1 System and Communications Protection Policy and Procedures (SC-1)

The policy under this control is implemented with the OPM System and Communications Protection Procedure. System and Communications Protection procedures shall be developed and disseminated. System specific procedures may be developed by program offices and operational groups where necessary. The procedures shall be reviewed at least annually and updated as determined necessary.

7.4.2 Application Partitioning (SC-2)

Information system management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical and is accomplished by using different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

System Owners (SO) shall ensure information systems are configured to separate user functionality from information system management functionality. (Moderate and High)

7.4.3 Security Function Isolation (SC-3)

The information system isolates security functions from non-security functions by means of an isolation boundary (implemented via partitions and domains) that controls access to, and protects the integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.

SOs shall ensure information systems isolate security functions from non-security functions by using different partitions, domains, or other methods. This controls access to and protects the integrity of the hardware, software, and firmware that perform security functions. (High)

7.4.4 Information in Shared Resources (SC-4)

Information produced by the actions of a prior user/role should not be available to any current user/role that obtains access to a shared system resource after that resource has been released back to the information system.

SOs shall ensure that information systems are configured to prevent unauthorized and unintended information transfer via shared system resources. (Moderate and High)

7.4.5 Denial of Service Protection (SC-5)

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may reduce the susceptibility to some denial of service attacks.

SOs shall ensure information systems are designed and configured to protect against or limit the effects of all types of denial of service attacks, as described in National Institute of Standards and Technology (NIST) SP 800-61 Rev. 1 and the US-CERT (United States Computer Emergency Readiness Team) Guidelines.

Examples of DoS attacks include but are not limited to:

• Using all available network bandwidth by generating unusually large volumes of traffic;

• Sending malformed TCP/IP packets to a server so that its operating system will crash;

• Sending illegal requests to an application to crash it;

• Making many processor-intensive requests so that the server’s processing resources are fully consumed (e.g., requests that require the server to encrypt each reply);

• Establishing many simultaneous login sessions to a server so that other users cannot start login sessions;

• Broadcasting on the same frequencies used by a wireless network to make the network unusable; and

• Consuming all available disk space by creating many large files.

7.4.6 Boundary Protection (SC-7)

Boundary protection of information resources is accomplished by the installation and operation of controlled interfaces (e.g., proxies, gateways, routers, firewalls, and load balancers). Controlled interfaces provide an added level of assurance that unauthorized personnel will be unable to access or affect systems that are not authorized for the individual or process. By tracking and controlling data, deciding whether to pass, drop, reject, or encrypt the data, controlled interfaces have proven to be an additional means of effectively securing a network.

SOs shall ensure information systems:

• Monitor and control communications at the external boundary of the information system and at key internal boundaries within the system; and

• Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.

SOs shall ensure the following controls are implemented (Moderate and High):

• Physically allocate publicly accessible information system components (e.g., public web servers) to separate networks with separate physical network interfaces;

• Prevent public access to the organization’s internal networks except as appropriately mediated by managed interfaces employing boundary protection devices;

• Limit the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic;

• Implement a managed interface (boundary protection devices in effective security architecture) for each external telecommunications service;

• Establish a traffic flow policy for each managed interface, and document exceptions to the policy with supporting mission/business need and its duration;

• Review exceptions to the traffic flow policy at least annually (or when changes to the system traffic flow occur) and remove the exceptions that are no longer supported by an explicit mission/business need;

• Employ security controls as needed to protect the confidentiality and integrity of the information being transmitted;

• Deny network traffic by default and allow network traffic by exception (i.e., deny all, permit by exception) at managed interfaces;

• Prevent remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks (split-tunneling);

• Prevent the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms (High); and

• Route all outbound internal communications traffic to the Internet through authenticated proxy servers within the managed interfaces of boundary protection devices (High).

External networks are networks outside the control of the organization. Proxy servers support logging individual Transmission Control Protocol (TCP) sessions and blocking specific Uniform Resource Locators (URLs), domain names, and Internet Protocol (IP) addresses. Proxy servers are also configurable with organization defined lists of authorized and unauthorized websites.
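The "deny all, permit by exception" traffic flow policy above, with each exception documented by its mission/business need and duration and reviewed at least annually, as an added example that is not part of the original policy or of any firewall product. Names, addresses (RFC 5737 documentation ranges), dates and the review logic are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed model (hypothetical names) of one managed interface's traffic
# flow policy: deny all, permit by exception, where every exception records
# its mission/business need and the duration it was approved for.
REVIEW_INTERVAL = timedelta(days=365)   # exceptions are reviewed at least annually


@dataclass(frozen=True)
class FlowException:
    src: str        # permitted source range (CIDR)
    dst: str        # permitted destination range (CIDR)
    port: int       # permitted destination port
    need: str       # documented mission/business need (empty = undocumented)
    granted: date   # date the exception was approved
    expires: date   # end of its documented duration


@dataclass
class TrafficFlowPolicy:
    interface: str
    exceptions: list[FlowException] = field(default_factory=list)

    def decision(self, src: str, dst: str, port: int, today: date) -> str:
        """Deny by default; permit only a documented, currently valid exception."""
        s, d = ip_address(src), ip_address(dst)
        for e in self.exceptions:
            if (e.need.strip() and e.granted <= today <= e.expires
                    and s in ip_network(e.src) and d in ip_network(e.dst)
                    and port == e.port):
                return "permit"
        return "deny"

    def review(self, today: date) -> list[tuple[FlowException, str]]:
        """Annual review: flag exceptions that must be removed or re-justified."""
        findings = []
        for e in self.exceptions:
            if today > e.expires:
                findings.append((e, "expired: remove unless the need is re-justified"))
            elif not e.need.strip():
                findings.append((e, "no documented mission/business need"))
            elif today - e.granted >= REVIEW_INTERVAL:
                findings.append((e, "approved over a year ago: review due"))
        return findings


# Constructed sample policy (RFC 5737 documentation addresses) and review date.
TODAY = date(2024, 6, 1)
POLICY = TrafficFlowPolicy("internet-edge", [
    FlowException("198.51.100.0/24", "203.0.113.10/32", 443,
                  "partner file upload", date(2024, 1, 15), date(2024, 12, 31)),
    FlowException("198.51.100.0/24", "203.0.113.20/32", 22,
                  "one-time data migration", date(2023, 3, 1), date(2023, 3, 31)),
    FlowException("0.0.0.0/0", "203.0.113.30/32", 8080,
                  "", date(2023, 5, 1), date(2025, 5, 1)),
])

if __name__ == "__main__":
    print(POLICY.decision("198.51.100.7", "203.0.113.10", 443, TODAY))  # permit
    for exc, why in POLICY.review(TODAY):
        print(f"{exc.src} -> {exc.dst}:{exc.port}: {why}")
```

Anything not matched by a documented, unexpired exception is denied, so the expired migration exception and the undocumented port 8080 exception no longer pass traffic even before the review removes them.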

7.4.7 Transmission Integrity (SC-8)

Integrity, in terms of data and network security, is the assurance that information can only be accessed or modified by those authorized to do so; content of information cannot be changed.

SOs shall ensure information systems protect the integrity of transmitted information. Integrity mechanisms (e.g., hashing and checksums) in accordance with the current version of FIPS 180 shall be used to ensure recognition of changes to the information during transmission, unless otherwise protected by alternative physical measures (e.g., physical access controls, conduit, etc.). (Moderate and High)

7.4.8 Transmission Confidentiality (SC-9)

Confidentiality is ensuring that information is accessible only to those authorized to have access and to prevent the disclosure of information to unauthorized individuals or systems.

SOs shall ensure information systems protect the confidentiality of transmitted information.

Cryptographic mechanisms shall be used to prevent unauthorized disclosure of information during transmission unless protected by alternative physical measures (e.g., physical access controls, conduit, etc.). (Moderate and High)

Cryptographic mechanisms shall be used to prevent unauthorized disclosure of Personally Identifiable Information (PII) during transmission.

7.4.9 Network Disconnect (SC-10)

Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address/port pairs at the operating-system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.

SOs shall ensure information systems are configured to terminate the network connection associated with a communications session at the end of the session or after 15 minutes of inactivity. (Moderate and High)

7.4.10 Cryptographic Key Establishment and Management (SC-12)

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. In addition to being required for the effective operation of a cryptographic mechanism, effective cryptographic key management provides protections to maintain the availability of the information in the event of the loss of cryptographic keys by users.

SOs shall ensure cryptographic keys are established and managed for required cryptography employed within the information system.

SOs shall ensure information systems maintain availability of information in the event of the loss of cryptographic keys by users. (High)

7.4.11 Use of Cryptography (SC-13)

Encryption is the process of changing plain text into cipher text for the purpose of security or privacy. There are two basic types of cryptography, secret key and public key systems. In secret key systems, the same key is used for both encryption and decryption, in which all parties participating in the communication share a single key. There are two keys in public key systems, which are the public key and a private key.

SOs shall ensure information systems implement required FIPS 140-2 compliant cryptographic protections using cryptographic modules that comply with applicable laws, Executive orders, directives, policies, regulations, standards, and guidance.

7.4.12 Public Access Protections (SC-14)

Publicly available applications and information must be protected to ensure users can access reliable information at any given time. An organization's mission and/or reputation may be adversely impacted if public facing content is not adequately protected from unauthorized modification or denial of service.

SOs shall ensure information systems protect the integrity and availability of publicly available information and applications.

7.4.13 Collaborative Computing Devices (SC-15)

Collaborative computing devices include but are not limited to video teleconferencing, networked white boards, cameras, and microphones.

SOs shall ensure the information system:

• Prohibits remote activation of collaborative computing devices with the following exceptions: authorized administrator access, such as maintenance or troubleshooting. Remote activation is the ability to enable (or activate) a device from a device or system that is not connected directly to that device; and

• Provides an explicit indication of use to users physically present at the devices when in use. Explicit indication of use may include signals to users when the collaborative device is activated, such as, activity lights and event notifications.

7.4.14 Public Key Infrastructure Certificates (SC-17)

The primary function of a Public Key Infrastructure (PKI) is to allow the distribution and use of public keys and certificates with security and integrity. PKI is a foundation on which other applications and network security components are built. The generation, distribution, and management of public keys and associated certificates normally occur through the use of Certification Authorities (CAs), Registration Authorities (RAs), and directory services, which can be used to establish a hierarchy or chain of trust. In the Internet environment, entities unknown to each other do not have sufficient trust established between them to perform business, contractual, legal, or other types of transactions. The implementation of PKI using a CA provides the mechanisms for this trust.

Federal agencies attain certificates from an approved, shared service provider, as required by Office of Management and Budget (OMB) policy. For federal agencies operating a legacy public key infrastructure cross-certified with the Federal Bridge Certification Authority at medium assurance or higher, this Certification Authority will suffice. This control focuses on certificates with a visibility external to the information system and does not include certificates related to internal system operations, such as application-specific time services.

SOs shall ensure public key certificates are issued under an appropriate certificate policy or public key certificates are obtained under an appropriate certificate policy from an approved service provider as required by OMB Memorandum 05-24. (Moderate and High)

7.4.15 Mobile Code (SC-18)

Mobile code is software transferred between systems (e.g., transferred across a network or via a USB flash drive) and executed on a local system without installation or execution by the recipient. Decisions regarding the employment of mobile code within organizational information systems should be based on the potential risk for the code to cause damage to the system if used maliciously. Mobile code technologies include but are not limited to scripts, applets, ActiveX controls, Microsoft Office macros, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations.

The Chief Information Security Officer (CISO) shall coordinate with SOs to:

a) Define acceptable and unacceptable mobile code and mobile code technologies.

b) Establish usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies based on the potential to cause damage to the information system, whether intentional or unintentional.

SOs shall ensure the use of mobile code within information systems is authorized, monitored, and controlled. (Moderate and High)

7.4.16 Voice over Internet Protocol (SC-19)

Voice over Internet Protocol (VoIP) is any of a family of methodologies, communication protocols, and transmission technologies for delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet.

The CISO shall coordinate with SOs to establish usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously.

SOs shall ensure the use of VoIP within the information system is authorized prior to use and is monitored and controlled throughout the system life cycle. (Moderate and High)

7.4.17 Secure Name/Address Resolution Service (Authoritative Source) (SC-20)

This control enables remote clients to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. A domain name system (DNS) server is an example of an information system that provides name/address resolution service. Digital signatures and cryptographic keys are examples of additional artifacts. DNS resource records are examples of authoritative data.

Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. The DNS security controls are consistent with, and referenced from, OMB Memorandum 08-23.

The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) are a set of extensions to DNS that add security while maintaining backwards compatibility; they provide origin authentication of DNS data, data integrity, and authenticated denial of existence. An authoritative name server is a name server that gives answers in response to questions asked about names in one or more zones.

SOs shall ensure information systems provide additional data origin and integrity artifacts along with the authoritative data they return in response to name/address resolution queries.

SOs shall ensure information systems, when operating as part of a distributed, hierarchical namespace, provide the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains. For example, indicate the security status of child subspaces through the use of delegation signer (DS) resource records in the DNS.
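The DS-based parent/child link described above, as an added example that is not part of the original policy or of any DNS implementation: it builds a DS record from a child zone's DNSKEY as RFC 4034 specifies and shows the match a validating resolver checks at the delegation. Names, key bytes and function names are constructed.

```python
import hashlib
import hmac
import struct

# A parent zone marks a signed child by publishing a DS record whose digest is
# computed, per RFC 4034 section 5, over the child's owner name in canonical
# wire format followed by the child's DNSKEY RDATA. The parent signs that DS
# with its own key, which is what links the two zones into one chain of trust.


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS RDATA fields for a child DNSKEY; digest type 2 is SHA-256 (RFC 4509)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    digest = hashers[digest_type](wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """The check a validating resolver makes at a delegation: the DNSKEY the
    child serves must hash to the DS the parent signed, or the chain breaks."""
    cand = make_ds(owner, rdata, ds["digest_type"])
    return (cand["key_tag"] == ds["key_tag"] and cand["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(cand["digest"], ds["digest"]))


# Constructed delegation: flags 257 marks a key-signing key; algorithm 13 is
# ECDSA P-256/SHA-256. The key bytes are placeholders, not an encoded key.
CHILD = "example.gov."
CHILD_KSK = dnskey_rdata(257, 13, bytes(range(32)))
PARENT_DS = make_ds(CHILD, CHILD_KSK)      # what the parent publishes and signs
OTHER_KSK = dnskey_rdata(257, 13, bytes(range(1, 33)))   # a key the parent never registered

if __name__ == "__main__":
    print("child key tag:", PARENT_DS["key_tag"])
    print("registered key validates:", ds_matches_dnskey(PARENT_DS, CHILD, CHILD_KSK))
    print("other key validates:", ds_matches_dnskey(PARENT_DS, CHILD, OTHER_KSK))
```

A child whose DNSKEY does not match any DS the parent published cannot be validated through the parent, which is exactly the signal a resolver uses to tell a signed delegation from an unsigned or broken one.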

7.4.18 Secure Name/Address Resolution Service (Recursive or Caching Resolver) (SC-21)

A recursive resolving or caching domain name system (DNS) server is an example of an information system that provides name/address resolution service for local clients. Authoritative DNS servers are examples of authoritative sources. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data.

SOs shall ensure information systems perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems. (High)

7.4.19 Architecture and Provisioning for Name/Address Resolution Service (SC-22)

A domain name system (DNS) server is an example of an information system that provides name/address resolution service. To eliminate single points of failure and to enhance redundancy, there are typically at least two authoritative domain name system (DNS) servers, one configured as primary and the other as secondary. Additionally, the two servers are commonly located in two different network subnets and geographically separated (i.e., not located in the same physical facility). With regard to role separation, DNS servers with an internal role only process name/address resolution requests from within the organization (i.e., internal clients). DNS servers with an external role only process name/address resolution information requests from clients external to the organization (i.e., on the external networks including the Internet). The set of clients that can access an authoritative DNS server in a particular role is specified by the organization (e.g., by address ranges, explicit lists).

SOs responsible for information systems that collectively provide name/address resolution service for an organization shall ensure these systems are fault tolerant and implement internal and external role separation. (Moderate and High)

7.4.20 Session Authenticity (SC-23)

This control focuses on communications protection at the session level, versus the packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. For example, this control addresses man-in-the-middle attacks including session hijacking or insertion of false information into a session. This control is only implemented where deemed necessary by the organization (e.g., sessions in service-oriented architectures providing web-based services).

SOs shall ensure information systems provide mechanisms to protect the authenticity of communications sessions. (Moderate and High)
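The session authenticity mechanism described here, and the transmission integrity mechanism of 7.4.7 (a FIPS 180 hash used to recognize changes in transit), as one added example that is not part of the original policy or of any product: every message in a session carries a sequence number and an HMAC-SHA-256 tag, so the receiver can reject altered, inserted, and replayed messages. The key, session id and messages are constructed; how the two ends agree on the key is assumed to happen over a protected channel and is not shown.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example protocol (hypothetical names). The tag over (session id,
# sequence number, body) detects modification in transit and rejects frames
# from a party without the key; the sequence number rejects replayed or
# reordered frames. A bare hash of the body would not do: whoever alters the
# body can recompute it, so the hash is keyed (HMAC, FIPS 198) with SHA-256.


class AuthenticatedSession:
    def __init__(self, session_id: bytes, key: bytes):
        self.session_id = session_id
        self.key = key
        self.send_seq = 0
        self.recv_seq = 0

    def _tag(self, seq: int, body: bytes) -> bytes:
        # Bind the tag to this session and to this position in it.
        msg = self.session_id + seq.to_bytes(8, "big") + body
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def send(self, body: bytes) -> dict:
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        return {"seq": seq, "body": body.hex(), "tag": self._tag(seq, body).hex()}

    def receive(self, frame: dict) -> Optional[bytes]:
        """Return the body if the frame is authentic and next in sequence, else None."""
        try:
            seq, body = int(frame["seq"]), bytes.fromhex(frame["body"])
            tag = bytes.fromhex(frame["tag"])
            expected = self._tag(seq, body)
        except (KeyError, TypeError, ValueError, OverflowError):
            return None             # malformed frame
        if not hmac.compare_digest(tag, expected):
            return None             # altered in transit, or sent without the key
        if seq != self.recv_seq:
            return None             # replayed, reordered, or an earlier frame was lost
        self.recv_seq += 1
        return body


def demo() -> dict:
    """Run one session through the cases above; returns what the server accepted."""
    key, sid = secrets.token_bytes(32), secrets.token_bytes(16)   # constructed
    client, server = AuthenticatedSession(sid, key), AuthenticatedSession(sid, key)
    out = {}
    first = client.send(b"GET /records/42")
    out["genuine"] = server.receive(first)                                   # accepted
    out["tampered"] = server.receive(dict(first, body=b"GET /records/43".hex()))
    out["replayed"] = server.receive(first)                                  # seq 0 used
    outsider = AuthenticatedSession(sid, secrets.token_bytes(32))  # knows sid, not key
    outsider.send_seq = server.recv_seq
    out["inserted"] = server.receive(outsider.send(b"DELETE /records/42"))
    out["second"] = server.receive(client.send(b"GET /records/43"))          # accepted
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {'accepted' if result is not None else 'rejected'}")
```

A production protocol would tear the session down on the first rejected frame rather than keep waiting for the expected sequence number; the example only reports the decision.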

7.4.21 Fail in Known State (SC-24)

Failure in a known state can address safety or security. Failure in a known secure state helps prevent loss of confidentiality, integrity, or availability in the event of a failure of the information system or a component of the system. Failure in a known safe state helps prevent systems from failing to a state that may cause injury to individuals or destruction to property.

Preserving information system state information facilitates system restart and return to the operational mode of the organization with less disruption of mission/business processes.

SOs shall ensure information systems fail to an identified state as documented in the System
