SPARC

System and Communications Protection

Catalog: Electronic (OSCAL) Version of NIST SP 800-53 Rev 5.2.0 Controls and SP 800-53A Rev 5.2.0 Assessment Procedures | Controls: 224

← Back to Catalog

Control ID

Title / Statement

Priority

Baseline Impact

SC-01

Policy and Procedures 9 params

a. Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}: 1. {{ insert: param, sc-01_odp.03 }} system and communications protection policy that: (a) Addresses purpose, s...

► View parameters

Param ID	Label	Constraint / Choices
sc-1_prm_1	organization-defined personnel or roles	Organization-defined
sc-01_odp.01	personnel or roles	personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;
sc-01_odp.02	personnel or roles	personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;
sc-01_odp.03		Select one-or-more: organization-level; mission/business-process-level; system-level
sc-01_odp.04	official	an official to manage the system and communications protection policy and procedures is defined;
sc-01_odp.05	frequency	the frequency at which the current system and communications protection policy is reviewed and updated is defined;
sc-01_odp.06	events	events that would require the current system and communications protection policy to be reviewed and updated are defi...
sc-01_odp.07	frequency	the frequency at which the current system and communications protection procedures are reviewed and updated is defined;
sc-01_odp.08	events	events that would require the system and communications protection procedures to be reviewed and updated are defined;

—

SC-02

Separation of System and User Functionality

Separate user functionality, including user interface services, from system management functionality.

—

SC-02(01)

Interfaces for Non-privileged Users

Prevent the presentation of system management functionality at interfaces to non-privileged users.

—

SC-02(02)

Disassociability

Store state information from applications and software separately.

—

SC-03

Security Function Isolation

Isolate security functions from nonsecurity functions.

—

SC-03(01)

Hardware Separation

Employ hardware separation mechanisms to implement security function isolation.

—

SC-03(02)

Access and Flow Control Functions

Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

—

SC-03(03)

Minimize Nonsecurity Functionality

Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.

—

SC-03(04)

Module Coupling and Cohesiveness

Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.

—

SC-03(05)

Layered Structures

Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher la...

—

SC-04

Information in Shared System Resources

Prevent unauthorized and unintended information transfer via shared system resources.

—

SC-04(01)

Security Levels

—

SC-04(02)

Multilevel or Periods Processing 1 param

Prevent unauthorized information transfer via shared resources in accordance with {{ insert: param, sc-04.02_odp }} when system processing explicitly switches between different information classifi...

► View parameters

Param ID	Label	Constraint / Choices
sc-04.02_odp	procedures	procedures to prevent unauthorized information transfer via shared resources are defined;

—

SC-05

Denial-of-service Protection 3 params

a. {{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and b. Employ the following controls to achieve the deni...

► View parameters

Param ID	Label	Constraint / Choices
sc-05_odp.01	types of denial-of-service events	types of denial-of-service events to be protected against or limited are defined;
sc-05_odp.02		Select one: protect against; limit
sc-05_odp.03	controls by type of denial-of-service event	controls to achieve the denial-of-service objective by type of denial-of-service event are defined;

—

SC-05(01)

Restrict Ability to Attack Other Systems 1 param

Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: {{ insert: param, sc-05.01_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-05.01_odp	denial-of-service attacks	denial-of-service attacks for which to restrict the ability of individuals to launch are defined;

—

SC-05(02)

Capacity, Bandwidth, and Redundancy

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.

—

SC-05(03)

Detection and Monitoring 2 params

(a) Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: {{ insert: param, sc-05.03_odp.01 }} ; and (b) Monitor the fol...

► View parameters

Param ID	Label	Constraint / Choices
sc-05.03_odp.01	monitoring tools	monitoring tools for detecting indicators of denial-of-service attacks are defined;
sc-05.03_odp.02	system resources	system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service at...

—

SC-06

Resource Availability 3 params

Protect the availability of resources by allocating {{ insert: param, sc-06_odp.01 }} by {{ insert: param, sc-06_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-06_odp.01	resources	resources to be allocated to protect the availability of resources are defined;
sc-06_odp.02		Select one-or-more: priority; quota; {{ insert: param, sc-06_odp.03 }}
sc-06_odp.03	controls	controls to protect the availability of resources are defined (if selected);

—

SC-07

Boundary Protection 1 param

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible...

► View parameters

Param ID	Label	Constraint / Choices
sc-07_odp		Select one: physically; logically

—

SC-07(01)

Physically Separated Subnetworks

—

SC-07(02)

Public Access

—

SC-07(03)

Access Points

Limit the number of external network connections to the system.

—

SC-07(04)

External Telecommunications Services 1 param

(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of...

► View parameters

Param ID	Label	Constraint / Choices
sc-07.04_odp	frequency	the frequency at which to review exceptions to traffic flow policy is defined;

—

SC-07(05)

Deny by Default — Allow by Exception 2 params

Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.05_odp.01		Select one-or-more: at managed interfaces; for {{ insert: param, sc-07.05_odp.02 }}
sc-07.05_odp.02	systems	systems for which network communications traffic is denied by default and network communications traffic is allowed b...

—

SC-07(06)

Response to Recognized Failures

—

SC-07(07)

Split Tunneling for Remote Devices 1 param

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.07_odp	safeguards	safeguards to securely provision split tunneling are defined;

—

SC-07(08)

Route Traffic to Authenticated Proxy Servers 2 params

Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.08_odp.01	internal communications traffic	internal communications traffic to be routed to external networks is defined;
sc-07.08_odp.02	external networks	external networks to which internal communications traffic is to be routed are defined;

—

SC-07(09)

Restrict Threatening Outgoing Communications Traffic

(a) Detect and deny outgoing communications traffic posing a threat to external systems; and (b) Audit the identity of internal users associated with denied communications.

—

SC-07(10)

Prevent Exfiltration 1 param

(a) Prevent the exfiltration of information; and (b) Conduct exfiltration tests {{ insert: param, sc-07.10_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.10_odp	frequency	the frequency for conducting exfiltration tests is defined;

—

SC-07(11)

Restrict Incoming Communications Traffic 2 params

Only allow incoming communications from {{ insert: param, sc-07.11_odp.01 }} to be routed to {{ insert: param, sc-07.11_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.11_odp.01	authorized sources	authorized sources of incoming communications to be routed are defined;
sc-07.11_odp.02	authorized destinations	authorized destinations to which incoming communications from authorized sources may be routed are defined;

—

SC-07(12)

Host-based Protection 2 params

Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.12_odp.01	host-based boundary protection mechanisms	host-based boundary protection mechanisms to be implemented are defined;
sc-07.12_odp.02	system components	system components where host-based boundary protection mechanisms are to be implemented are defined;

—

SC-07(13)

Isolation of Security Tools, Mechanisms, and Support Components 1 param

Isolate {{ insert: param, sc-07.13_odp }} from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.13_odp	information security tools, mechanisms, and support components	information security tools, mechanisms, and support components to be isolated from other internal system components a...

—

SC-07(14)

Protect Against Unauthorized Physical Connections 1 param

Protect against unauthorized physical connections at {{ insert: param, sc-07.14_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.14_odp	managed interfaces	managed interfaces to be protected against unauthorized physical connections are defined;

—

SC-07(15)

Networked Privileged Accesses

Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

—

SC-07(16)

Prevent Discovery of System Components

Prevent the discovery of specific system components that represent a managed interface.

—

SC-07(17)

Automated Enforcement of Protocol Formats

Enforce adherence to protocol formats.

—

SC-07(18)

Fail Secure

Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.

—

SC-07(19)

Block Communication from Non-organizationally Configured Hosts 1 param

Block inbound and outbound communications traffic between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.19_odp	communication clients	communication clients that are independently configured by end users and external service providers are defined;

—

SC-07(20)

Dynamic Isolation and Segregation 1 param

Provide the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.20_odp	system components	system components to be dynamically isolated from other system components are defined;

—

SC-07(21)

Isolation of System Components 2 params

Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.21_odp.01	system components	system components to be isolated by boundary protection mechanisms are defined;
sc-07.21_odp.02	missions and/or business functions	missions and/or business functions to be supported by system components isolated by boundary protection mechanisms ar...

—

SC-07(22)

Separate Subnets for Connecting to Different Security Domains

Implement separate network addresses to connect to systems in different security domains.

—

SC-07(23)

Disable Sender Feedback on Protocol Validation Failure

Disable feedback to senders on protocol format validation failure.

—

SC-07(24)

Personally Identifiable Information 1 param

For systems that process personally identifiable information: (a) Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }}; ...

► View parameters

Param ID	Label	Constraint / Choices
sc-07.24_odp	processing rules	processing rules for systems that process personally identifiable information are defined;

—

SC-07(25)

Unclassified National Security System Connections 2 params

Prohibit the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.25_odp.01	unclassified national security system	the unclassified national security system prohibited from directly connecting to an external network is defined;
sc-07.25_odp.02	boundary protection device	the boundary protection device required for a direct connection to an external network is defined;

—

SC-07(26)

Classified National Security System Connections 1 param

Prohibit the direct connection of a classified national security system to an external network without the use of {{ insert: param, sc-07.26_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.26_odp	boundary protection device	the boundary protection device required for a direct connection to an external network is defined;

—

SC-07(27)

Unclassified Non-national Security System Connections 2 params

Prohibit the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of {{ insert: param, sc-07.27_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.27_odp.01	unclassified, non-national security system	the unclassified, non-national security system prohibited from directly connecting to an external network is defined;
sc-07.27_odp.02	boundary protection device	the boundary protection device required for a direct connection of unclassified, non-national security system to an e...

—

SC-07(28)

Connections to Public Networks 1 param

Prohibit the direct connection of {{ insert: param, sc-07.28_odp }} to a public network.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.28_odp	system	the system that is prohibited from directly connecting to a public network is defined;

—

SC-07(29)

Separate Subnets to Isolate Functions 2 params

Implement {{ insert: param, sc-07.29_odp.01 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, sc-07.29_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-07.29_odp.01		Select one: physically; logically
sc-07.29_odp.02	critical system components and functions	critical system components and functions to be isolated are defined;

—

SC-08

Transmission Confidentiality and Integrity 1 param

Protect the {{ insert: param, sc-08_odp }} of transmitted information.

► View parameters

Param ID	Label	Constraint / Choices
sc-08_odp		Select one-or-more: confidentiality; integrity

—

SC-08(01)

Cryptographic Protection 1 param

Implement cryptographic mechanisms to {{ insert: param, sc-08.01_odp }} during transmission.

► View parameters

Param ID	Label	Constraint / Choices
sc-08.01_odp		Select one-or-more: prevent unauthorized disclosure of information; detect changes to information

—

SC-08(02)

Pre- and Post-transmission Handling 1 param

Maintain the {{ insert: param, sc-08.02_odp }} of information during preparation for transmission and during reception.

► View parameters

Param ID	Label	Constraint / Choices
sc-08.02_odp		Select one-or-more: confidentiality; integrity

—

SC-08(03)

Cryptographic Protection for Message Externals 1 param

Implement cryptographic mechanisms to protect message externals unless otherwise protected by {{ insert: param, sc-08.03_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-08.03_odp	alternative physical controls	alternative physical controls to protect message externals are defined;

—

SC-08(04)

Conceal or Randomize Communications 1 param

Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by {{ insert: param, sc-08.04_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-08.04_odp	alternative physical controls	alternative physical controls to protect against unauthorized disclosure of communication patterns are defined;

—

SC-08(05)

Protected Distribution System 2 params

Implement {{ insert: param, sc-08.05_odp.01 }} to {{ insert: param, sc-08.05_odp.02 }} during transmission.

► View parameters

Param ID	Label	Constraint / Choices
sc-08.05_odp.01	protected distribution system	the protected distribution system is defined;
sc-08.05_odp.02		Select one-or-more: prevent unauthorized disclosure of information; detect changes to information

—

SC-09

Transmission Confidentiality

—

SC-10

Network Disconnect 1 param

Terminate the network connection associated with a communications session at the end of the session or after {{ insert: param, sc-10_odp }} of inactivity.

► View parameters

Param ID	Label	Constraint / Choices
sc-10_odp	time period	a time period of inactivity after which the system terminates a network connection associated with a communication se...

—

SC-11

Trusted Path 2 params

a. Provide a {{ insert: param, sc-11_odp.01 }} isolated trusted communications path for communications between the user and the trusted components of the system; and b. Permit users to invoke t...

► View parameters

Param ID	Label	Constraint / Choices
sc-11_odp.01		Select one: physically; logically
sc-11_odp.02	security functions	security functions of the system are defined;

—

SC-11(01)

Irrefutable Communications Path 1 param

(a) Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and (b) Initiate the trusted communications path for communications between the {{...

► View parameters

Param ID	Label	Constraint / Choices
sc-11.01_odp	security functions	security functions of the system are defined;

—

└ sc-11.1.(a)

Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and

—

└ sc-11.1.(b)

Initiate the trusted communications path for communications between the {{ insert: param, sc-11.01_odp }} of the system and the user.

—

└ sc-11a

Provide a {{ insert: param, sc-11_odp.01 }} isolated trusted communications path for communications between the user and the trusted components of ...

—

└ sc-11b

Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, incl...

—

SC-12

Cryptographic Key Establishment and Management 1 param

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: {{ insert: param, sc-12_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-12_odp	requirements	requirements for key generation, distribution, storage, access, and destruction are defined;

—

SC-12(01)

Availability

Maintain availability of information in the event of the loss of cryptographic keys by users.

—

SC-12(02)

Symmetric Keys 1 param

Produce, control, and distribute symmetric cryptographic keys using {{ insert: param, sc-12.02_odp }} key management technology and processes.

► View parameters

Param ID	Label	Constraint / Choices
sc-12.02_odp		Select one: NIST FIPS-validated; NSA-approved

—

SC-12(03)

Asymmetric Keys 1 param

Produce, control, and distribute asymmetric cryptographic keys using {{ insert: param, sc-12.03_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-12.03_odp		Select one: NSA-approved key management technology and processes; prepositioned keying material; DoD-approved or DoD-issued Medium Assurance PKI certificates; DoD-approved or DoD-issued Medium Hardware Assurance PKI certificates and hardware security tokens that protect the user’s private key; certificates issued in accordance with organization-defined requirements

—

SC-12(04)

PKI Certificates

—

SC-12(05)

PKI Certificates / Hardware Tokens

—

SC-12(06)

Physical Control of Keys

Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.

—

SC-13

Cryptographic Protection 2 params

a. Determine the {{ insert: param, sc-13_odp.01 }} ; and b. Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-13_odp.01	cryptographic uses	cryptographic uses are defined;
sc-13_odp.02	types of cryptography	types of cryptography for each specified cryptographic use are defined;

—

SC-13(01)

FIPS-validated Cryptography

—

SC-13(02)

NSA-approved Cryptography

—

SC-13(03)

Individuals Without Formal Access Approvals

—

SC-13(04)

Digital Signatures

—

└ sc-13a

Determine the {{ insert: param, sc-13_odp.01 }} ; and

—

└ sc-13b

Implement the following types of cryptography required for each specified cryptographic use: {{ insert: param, sc-13_odp.02 }}.

—

SC-14

Public Access Protections

—

SC-15

Collaborative Computing Devices and Applications 1 param

a. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and b. Provide an explicit indication of use to...

► View parameters

Param ID	Label	Constraint / Choices
sc-15_odp	exceptions where remote activation is to be allowed	exceptions where remote activation is to be allowed are defined;

—

SC-15(01)

Physical or Logical Disconnect 1 param

Provide {{ insert: param, sc-15.01_odp }} disconnect of collaborative computing devices in a manner that supports ease of use.

► View parameters

Param ID	Label	Constraint / Choices
sc-15.01_odp		Select one-or-more: physical; logical

—

SC-15(02)

Blocking Inbound and Outbound Communications Traffic

—

SC-15(03)

Disabling and Removal in Secure Work Areas 2 params

Disable or remove collaborative computing devices and applications from {{ insert: param, sc-15.03_odp.01 }} in {{ insert: param, sc-15.03_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-15.03_odp.01	systems or system components	systems or system components from which collaborative computing devices are to be disabled or removed are defined;
sc-15.03_odp.02	secure work areas	secure work areas where collaborative computing devices are to be disabled or removed from systems or system componen...

—

SC-15(04)

Explicitly Indicate Current Participants 1 param

Provide an explicit indication of current participants in {{ insert: param, sc-15.04_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-15.04_odp	online meetings and teleconferences	online meetings and teleconferences for which an explicit indication of current participants is to be provided are de...

—

└ sc-15a

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: {{ insert: param, sc-15_odp }} ; and

—

└ sc-15b

Provide an explicit indication of use to users physically present at the devices.

—

SC-16

Transmission of Security and Privacy Attributes 3 params

Associate {{ insert: param, sc-16_prm_1 }} with information exchanged between systems and between system components.

► View parameters

Param ID	Label	Constraint / Choices
sc-16_prm_1	organization-defined security and privacy attributes	Organization-defined
sc-16_odp.01	security attributes	security attributes to be associated with information exchanged are defined;
sc-16_odp.02	privacy attributes	privacy attributes to be associated with information exchanged are defined;

—

SC-16(01)

Integrity Verification

Verify the integrity of transmitted security and privacy attributes.

—

SC-16(02)

Anti-spoofing Mechanisms

Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.

—

SC-16(03)

Cryptographic Binding 1 param

Implement {{ insert: param, sc-16.03_odp }} to bind security and privacy attributes to transmitted information.

► View parameters

Param ID	Label	Constraint / Choices
sc-16.03_odp	mechanisms or techniques	mechanisms or techniques to bind security and privacy attributes to transmitted information are defined;

—

SC-17

Public Key Infrastructure Certificates 1 param

a. Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and b. Include only approved trust anchors in trust...

► View parameters

Param ID	Label	Constraint / Choices
sc-17_odp	certificate policy	a certificate policy for issuing public key certificates is defined;

—

└ sc-17a

Issue public key certificates under an {{ insert: param, sc-17_odp }} or obtain public key certificates from an approved service provider; and

—

└ sc-17b

Include only approved trust anchors in trust stores or certificate stores managed by the organization.

—

SC-18

Mobile Code

a. Define acceptable and unacceptable mobile code and mobile code technologies; and b. Authorize, monitor, and control the use of mobile code within the system.

—

SC-18(01)

Identify Unacceptable Code and Take Corrective Actions 2 params

Identify {{ insert: param, sc-18.01_odp.01 }} and take {{ insert: param, sc-18.01_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-18.01_odp.01	unacceptable mobile code	unacceptable mobile code to be identified is defined;
sc-18.01_odp.02	corrective actions	corrective actions to be taken when unacceptable mobile code is identified are defined;

—

SC-18(02)

Acquisition, Development, and Use 1 param

Verify that the acquisition, development, and use of mobile code to be deployed in the system meets {{ insert: param, sc-18.02_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-18.02_odp	mobile code requirements	mobile code requirements for the acquisition, development, and use of mobile code to be deployed in the system are de...

—

SC-18(03)

Prevent Downloading and Execution 1 param

Prevent the download and execution of {{ insert: param, sc-18.03_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-18.03_odp	unacceptable mobile code	unacceptable mobile code to be prevented from downloading and executing is defined;

—

SC-18(04)

Prevent Automatic Execution 2 params

Prevent the automatic execution of mobile code in {{ insert: param, sc-18.04_odp.01 }} and enforce {{ insert: param, sc-18.04_odp.02 }} prior to executing the code.

► View parameters

Param ID	Label	Constraint / Choices
sc-18.04_odp.01	software applications	software applications in which the automatic execution of mobile code is to be prevented are defined;
sc-18.04_odp.02	actions	actions to be enforced by the system prior to executing mobile code are defined;

—

SC-18(05)

Allow Execution Only in Confined Environments

Allow execution of permitted mobile code only in confined virtual machine environments.

—

└ sc-18a

Define acceptable and unacceptable mobile code and mobile code technologies; and

—

└ sc-18b

Authorize, monitor, and control the use of mobile code within the system.

—

SC-19

Voice Over Internet Protocol

Technology-specific; addressed as any other technology or protocol.

—

└ sc-1a

Develop, document, and disseminate to {{ insert: param, sc-1_prm_1 }}:

—

└ sc-1a.1

{{ insert: param, sc-01_odp.03 }} system and communications protection policy that:

—

└ sc-1a.1.(a)

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

—

└ sc-1a.1.(b)

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

—

└ sc-1a.2

Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protect...

—

└ sc-1b

Designate an {{ insert: param, sc-01_odp.04 }} to manage the development, documentation, and dissemination of the system and communications protect...

—

└ sc-1c

Review and update the current system and communications protection:

—

└ sc-1c.1

Policy {{ insert: param, sc-01_odp.05 }} and following {{ insert: param, sc-01_odp.06 }} ; and

—

└ sc-1c.2

Procedures {{ insert: param, sc-01_odp.07 }} and following {{ insert: param, sc-01_odp.08 }}.

—

SC-20

Secure Name/Address Resolution Service (Authoritative Source)

a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address res...

—

SC-20(01)

Child Subspaces

—

SC-20(02)

Data Origin and Integrity

Provide data origin and integrity protection artifacts for internal name/address resolution queries.

—

└ sc-20a

Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system ret...

—

└ sc-20b

Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a...

—

SC-21

Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

—

SC-21(01)

Data Origin and Integrity

—

SC-22

Architecture and Provisioning for Name/Address Resolution Service

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

—

SC-23

Session Authenticity

Protect the authenticity of communications sessions.

—

SC-23(01)

Invalidate Session Identifiers at Logout

Invalidate session identifiers upon user logout or other session termination.

—

SC-23(02)

User-initiated Logouts and Message Displays

—

SC-23(03)

Unique System-generated Session Identifiers 1 param

Generate a unique session identifier for each session with {{ insert: param, sc-23.03_odp }} and recognize only session identifiers that are system-generated.

► View parameters

Param ID	Label	Constraint / Choices
sc-23.03_odp	randomness requirements	randomness requirements for generating a unique session identifier for each session are defined;

—

SC-23(04)

Unique Session Identifiers with Randomization

—

SC-23(05)

Allowed Certificate Authorities 1 param

Only allow the use of {{ insert: param, sc-23.05_odp }} for verification of the establishment of protected sessions.

► View parameters

Param ID	Label	Constraint / Choices
sc-23.05_odp	certificated authorities	certificate authorities to be allowed for verification of the establishment of protected sessions are defined;

—

SC-24

Fail in Known State 3 params

Fail to a {{ insert: param, sc-24_odp.02 }} for the following failures on the indicated components while preserving {{ insert: param, sc-24_odp.03 }} in failure: {{ insert: param, sc-24_odp.01 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-24_odp.01	types of system failures on system components	types of system failures for which the system components fail to a known state are defined;
sc-24_odp.02	known system state	known system state to which system components fail in the event of a system failure is defined;
sc-24_odp.03	system state information	system state information to be preserved in the event of a system failure is defined;

—

SC-25

Thin Nodes 1 param

Employ minimal functionality and information storage on the following system components: {{ insert: param, sc-25_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-25_odp	system components	system components to be employed with minimal functionality and information storage are defined;

—

SC-26

Decoys

Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.

—

SC-26(01)

Detection of Malicious Code

—

SC-27

Platform-independent Applications 1 param

Include within organizational systems the following platform independent applications: {{ insert: param, sc-27_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-27_odp	platform-independent applications	platform-independent applications to be included within organizational systems are defined;

—

SC-28

Protection of Information at Rest 2 params

Protect the {{ insert: param, sc-28_odp.01 }} of the following information at rest: {{ insert: param, sc-28_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-28_odp.01		Select one-or-more: confidentiality; integrity
sc-28_odp.02	information at rest	information at rest requiring protection is defined;

—

SC-28(01)

Cryptographic Protection 2 params

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on {{ insert: param, sc-28.01_odp.02 }}: {{ insert: param, sc-28.01_odp.0...

► View parameters

Param ID	Label	Constraint / Choices
sc-28.01_odp.01	information	information requiring cryptographic protection is defined;
sc-28.01_odp.02	system components or media	system components or media requiring cryptographic protection is/are defined;

—

SC-28(02)

Offline Storage 1 param

Remove the following information from online storage and store offline in a secure location: {{ insert: param, sc-28.02_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-28.02_odp	information	information to be removed from online storage and stored offline in a secure location is defined;

—

SC-28(03)

Cryptographic Keys 2 params

Provide protected storage for cryptographic keys {{ insert: param, sc-28.03_odp.01 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-28.03_odp.01		Select one: {{ insert: param, sc-28.03_odp.02 }} ; hardware-protected key store
sc-28.03_odp.02	safeguards	safeguards for protecting the storage of cryptographic keys are defined (if selected);

—

SC-29

Heterogeneity 1 param

Employ a diverse set of information technologies for the following system components in the implementation of the system: {{ insert: param, sc-29_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-29_odp	system components	system components requiring a diverse set of information technologies to be employed in the implementation of the sys...

—

SC-29(01)

Virtualization Techniques 1 param

Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed {{ insert: param, sc-29.01_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-29.01_odp	frequency	the frequency at which to change the diversity of operating systems and applications deployed using virtualization te...

—

SC-30

Concealment and Misdirection 3 params

Employ the following concealment and misdirection techniques for {{ insert: param, sc-30_odp.02 }} at {{ insert: param, sc-30_odp.03 }} to confuse and mislead adversaries: {{ insert: param, sc-30_o...

► View parameters

Param ID	Label	Constraint / Choices
sc-30_odp.01	concealment and misdirection techniques	concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting syste...
sc-30_odp.02	systems	systems for which concealment and misdirection techniques are to be employed are defined;
sc-30_odp.03	time periods	time periods to employ concealment and misdirection techniques for systems are defined;

—

SC-30(01)

Virtualization Techniques

—

SC-30(02)

Randomness 1 param

Employ {{ insert: param, sc-30.02_odp }} to introduce randomness into organizational operations and assets.

► View parameters

Param ID	Label	Constraint / Choices
sc-30.02_odp	techniques	techniques employed to introduce randomness into organizational operations and assets are defined;

—

SC-30(03)

Change Processing and Storage Locations 3 params

Change the location of {{ insert: param, sc-30.03_odp.01 }} {{ insert: param, sc-30.03_odp.02 }}].

► View parameters

Param ID	Label	Constraint / Choices
sc-30.03_odp.01	processing and/or storage	processing and/or storage locations to be changed are defined;
sc-30.03_odp.02		Select one: {{ insert: param, sc-30.03_odp.03 }} ; random time intervals
sc-30.03_odp.03	time frequency	time frequency at which to change the location of processing and/or storage is defined (if selected);

—

SC-30(04)

Misleading Information 1 param

Employ realistic, but misleading information in {{ insert: param, sc-30.04_odp }} about its security state or posture.

► View parameters

Param ID	Label	Constraint / Choices
sc-30.04_odp	system components	system components for which realistic but misleading information about their security state or posture is employed ar...

—

SC-30(05)

Concealment of System Components 2 params

Employ the following techniques to hide or conceal {{ insert: param, sc-30.05_odp.02 }}: {{ insert: param, sc-30.05_odp.01 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-30.05_odp.01	techniques	techniques to be employed to hide or conceal system components are defined;
sc-30.05_odp.02	system components	system components to be hidden or concealed using techniques (defined in SC-30(05)_ODP[01]) are defined;

—

SC-31

Covert Channel Analysis 1 param

a. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert {{ insert: param, sc-31_odp }} channels; and b. Estimate...

► View parameters

Param ID	Label	Constraint / Choices
sc-31_odp		Select one-or-more: storage; timing

—

SC-31(01)

Test Covert Channels for Exploitability

Test a subset of the identified covert channels to determine the channels that are exploitable.

—

SC-31(02)

Maximum Bandwidth 2 params

Reduce the maximum bandwidth for identified covert {{ insert: param, sc-31.02_odp.01 }} channels to {{ insert: param, sc-31.02_odp.02 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-31.02_odp.01		Select one-or-more: storage; timing
sc-31.02_odp.02	values	values for the maximum bandwidth for identified covert channels are defined;

—

SC-31(03)

Measure Bandwidth in Operational Environments 1 param

Measure the bandwidth of {{ insert: param, sc-31.03_odp }} in the operational environment of the system.

► View parameters

Param ID	Label	Constraint / Choices
sc-31.03_odp	subset of identified covert channels	subset of identified covert channels whose bandwidth is to be measured in the operational environment of the system i...

—

└ sc-31a

Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert {{ insert: pa...

—

└ sc-31b

Estimate the maximum bandwidth of those channels.

—

SC-32

System Partitioning 3 params

Partition the system into {{ insert: param, sc-32_odp.01 }} residing in separate {{ insert: param, sc-32_odp.02 }} domains or environments based on {{ insert: param, sc-32_odp.03 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-32_odp.01	system components	system components to reside in separate physical or logical domains or environments based on circumstances for the ph...
sc-32_odp.02		Select one: physical; logical
sc-32_odp.03	circumstances for the physical or logical separation of components	circumstances for the physical or logical separation of components are defined;

—

SC-32(01)

Separate Physical Domains for Privileged Functions

Partition privileged functions into separate physical domains.

—

SC-33

Transmission Preparation Integrity

—

SC-34

Non-modifiable Executable Programs 2 params

For {{ insert: param, sc-34_odp.01 }} , load and execute: a. The operating environment from hardware-enforced, read-only media; and b. The following applications from hardware-enforced, read-on...

► View parameters

Param ID	Label	Constraint / Choices
sc-34_odp.01	system components	system components for which the operating environment and applications are to be loaded and executed from hardware-en...
sc-34_odp.02	applications	applications to be loaded and executed from hardware-enforced, read-only media are defined;

—

SC-34(01)

No Writable Storage 1 param

Employ {{ insert: param, sc-34.01_odp }} with no writeable storage that is persistent across component restart or power on/off.

► View parameters

Param ID	Label	Constraint / Choices
sc-34.01_odp	system components	system components to be employed with no writeable storage are defined;

—

SC-34(02)

Integrity Protection on Read-only Media

Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.

—

SC-34(03)

Hardware-based Protection

—

└ sc-34a

The operating environment from hardware-enforced, read-only media; and

—

└ sc-34b

The following applications from hardware-enforced, read-only media: {{ insert: param, sc-34_odp.02 }}.

—

SC-35

External Malicious Code Identification

Include system components that proactively seek to identify network-based malicious code or malicious websites.

—

SC-36

Distributed Processing and Storage 6 params

Distribute the following processing and storage components across multiple {{ insert: param, sc-36_prm_1 }}: {{ insert: param, sc-36_prm_2 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-36_prm_1		Select one: physical locations; logical domains
sc-36_prm_2	organization-defined processing and storage components	Organization-defined
sc-36_odp.01	processing components	processing components to be distributed across multiple locations/domains are defined;
sc-36_odp.02		Select one: physical locations; logical domains
sc-36_odp.03	storage components	storage components to be distributed across multiple locations/domains are defined;
sc-36_odp.04		Select one: physical locations; logical domains

—

SC-36(01)

Polling Techniques 2 params

(a) Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: {{ insert: param, sc-36.01_odp.01 }} ; and (b) Take the fo...

► View parameters

Param ID	Label	Constraint / Choices
sc-36.01_odp.01	distributed processing and storage components	distributed processing and storage components for which polling techniques are to be employed to identify potential f...
sc-36.01_odp.02	actions	actions to be taken in response to identified faults, errors, or compromise are defined;

—

SC-36(02)

Synchronization 1 param

Synchronize the following duplicate systems or system components: {{ insert: param, sc-36.02_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-36.02_odp	duplicate systems or system components	duplicate systems or system components to be synchronized are defined;

—

└ sc-36.1.(a)

Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: {{ insert: param...

—

└ sc-36.1.(b)

Take the following actions in response to identified faults, errors, or compromises: {{ insert: param, sc-36.01_odp.02 }}.

—

SC-37

Out-of-band Channels 3 params

Employ the following out-of-band channels for the physical delivery or electronic transmission of {{ insert: param, sc-37_odp.02 }} to {{ insert: param, sc-37_odp.03 }}: {{ insert: param, sc-37_odp...

► View parameters

Param ID	Label	Constraint / Choices
sc-37_odp.01	out-of-band channels	out-of-band channels to be employed for the physical delivery or electronic transmission of information, system compo...
sc-37_odp.02	information, system components, or devices	information, system components, or devices to employ out-of-band-channels for physical delivery or electronic transmi...
sc-37_odp.03	individuals or systems	individuals or systems to which physical delivery or electronic transmission of information, system components, or de...

—

SC-37(01)

Ensure Delivery and Transmission 3 params

Employ {{ insert: param, sc-37.01_odp.01 }} to ensure that only {{ insert: param, sc-37.01_odp.02 }} receive the following information, system components, or devices: {{ insert: param, sc-37.01_odp...

► View parameters

Param ID	Label	Constraint / Choices
sc-37.01_odp.01	controls	controls to be employed to ensure that only designated individuals or systems receive specific information, system co...
sc-37.01_odp.02	individuals or systems	individuals or systems designated to receive specific information, system components, or devices are defined;
sc-37.01_odp.03	information, system components, or devices	information, system components, or devices that only individuals or systems are designated to receive are defined;

—

SC-38

Operations Security 1 param

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: {{ insert: param, sc-38_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-38_odp	operations security controls	operations security controls to be employed to protect key organizational information throughout the system developme...

—

SC-39

Process Isolation

Maintain a separate execution domain for each executing system process.

—

SC-39(01)

Hardware Separation

Implement hardware separation mechanisms to facilitate process isolation.

—

SC-39(02)

Separate Execution Domain Per Thread 1 param

Maintain a separate execution domain for each thread in {{ insert: param, sc-39.02_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-39.02_odp	multi-threaded processing	multi-thread processing for which a separate execution domain is to be maintained for each thread is defined;

—

SC-40

Wireless Link Protection 6 params

Protect external and internal {{ insert: param, sc-40_prm_1 }} from the following signal parameter attacks: {{ insert: param, sc-40_prm_2 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-40_prm_1	organization-defined wireless links	Organization-defined
sc-40_prm_2	organization-defined types of signal parameter attacks or references to sources for such attacks	Organization-defined
sc-40_odp.01	wireless links	external wireless links to be protected from particular types of signal parameter attacks are defined;
sc-40_odp.02	types of signal parameter attacks or references to sources for such attacks	types of signal parameter attacks or references to sources for such attacks from which to protect external wireless l...
sc-40_odp.03	wireless links	internal wireless links to be protected from particular types of signal parameter attacks are defined;
sc-40_odp.04	types of signal parameter attacks or references to sources for such attacks	types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless l...

—

SC-40(01)

Electromagnetic Interference 1 param

Implement cryptographic mechanisms that achieve {{ insert: param, sc-40.01_odp }} against the effects of intentional electromagnetic interference.

► View parameters

Param ID	Label	Constraint / Choices
sc-40.01_odp	level of protection	level of protection to be employed against the effects of intentional electromagnetic interference is defined;

—

SC-40(02)

Reduce Detection Potential 1 param

Implement cryptographic mechanisms to reduce the detection potential of wireless links to {{ insert: param, sc-40.02_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-40.02_odp	level of reduction	the level of reduction to be achieved to reduce the detection potential of wireless links is defined;

—

SC-40(03)

Imitative or Manipulative Communications Deception

Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.

—

SC-40(04)

Signal Parameter Identification 1 param

Implement cryptographic mechanisms to prevent the identification of {{ insert: param, sc-40.04_odp }} by using the transmitter signal parameters.

► View parameters

Param ID	Label	Constraint / Choices
sc-40.04_odp	wireless transmitters	wireless transmitters for which cryptographic mechanisms are to be implemented are defined;

—

SC-41

Port and I/O Device Access 3 params

{{ insert: param, sc-41_odp.02 }} disable or remove {{ insert: param, sc-41_odp.01 }} on the following systems or system components: {{ insert: param, sc-41_odp.03 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-41_odp.01	connection ports or input/output devices	connection ports or input/output devices to be disabled or removed are defined;
sc-41_odp.02		Select one: physically; logically
sc-41_odp.03	systems or system components	systems or system components with connection ports or input/output devices to be disabled or removed are defined;

—

SC-42

Sensor Capability and Data 5 params

a. Prohibit {{ insert: param, sc-42_odp.01 }} ; and b. Provide an explicit indication of sensor use to {{ insert: param, sc-42_odp.05 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-42_odp.01		Select one-or-more: the use of devices possessing {{ insert: param, sc-42_odp.02 }} in {{ insert: param, sc-42_odp.03 }} ; the remote activation of environmental sensing capabilities on organizational systems or system components with the following exceptions: {{ insert: param, sc-42_odp.04 }}
sc-42_odp.02	environmental sensing capabilities	environmental sensing capabilities in devices are defined (if selected);
sc-42_odp.03	facilities, areas, or systems	facilities, areas, or systems where the use of devices possessing environmental sensing capabilities is prohibited ar...
sc-42_odp.04	exceptions where remote activation of sensors is allowed	exceptions where remote activation of sensors is allowed are defined (if selected);
sc-42_odp.05	group of users	group of users to whom an explicit indication of sensor use is to be provided is defined;

—

SC-42(01)

Reporting to Authorized Individuals or Roles 1 param

Verify that the system is configured so that data or information collected by the {{ insert: param, sc-42.01_odp }} is only reported to authorized individuals or roles.

► View parameters

Param ID	Label	Constraint / Choices
sc-42.01_odp	sensors	sensors to be used to collect data or information are defined;

—

SC-42(02)

Authorized Use 1 param

Employ the following measures so that data or information collected by {{ insert: param, sc-42.01_odp }} is only used for authorized purposes: {{ insert: param, sc-42.02_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-42.02_odp	measures	measures to be employed so that data or information collected by sensors is only used for authorized purposes are def...

—

SC-42(03)

Prohibit Use of Devices

—

SC-42(04)

Notice of Collection 2 params

Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by {{ insert: param, sc-42.04_odp.02 }}: {{ insert: param, sc-42.04...

► View parameters

Param ID	Label	Constraint / Choices
sc-42.04_odp.01	measures	measures to facilitate an individual’s awareness that personally identifiable information is being collected are defi...
sc-42.04_odp.02	sensors	sensors that collect personally identifiable information are defined;

—

SC-42(05)

Collection Minimization 1 param

Employ {{ insert: param, sc-42.05_odp }} that are configured to minimize the collection of information about individuals that is not needed.

► View parameters

Param ID	Label	Constraint / Choices
sc-42.05_odp	sensors	the sensors that are configured to minimize the collection of unneeded information about individuals are defined;

—

└ sc-42a

Prohibit {{ insert: param, sc-42_odp.01 }} ; and

—

└ sc-42b

Provide an explicit indication of sensor use to {{ insert: param, sc-42_odp.05 }}.

—

SC-43

Usage Restrictions 1 param

a. Establish usage restrictions and implementation guidelines for the following system components: {{ insert: param, sc-43_odp }} ; and b. Authorize, monitor, and control the use of such compon...

► View parameters

Param ID	Label	Constraint / Choices
sc-43_odp	components	the components for which usage restrictions and implementation guidance are to be established are defined;

—

└ sc-43a

Establish usage restrictions and implementation guidelines for the following system components: {{ insert: param, sc-43_odp }} ; and

—

└ sc-43b

Authorize, monitor, and control the use of such components within the system.

—

SC-44

Detonation Chambers 1 param

Employ a detonation chamber capability within {{ insert: param, sc-44_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-44_odp	system, system component, or location	the system, system component, or location where a detonation chamber capability is to be employed is defined;

—

SC-45

System Time Synchronization

Synchronize system clocks within and between systems and system components.

—

SC-45(01)

Synchronization with Authoritative Time Source 3 params

(a) Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and (b) Synchronize the internal system clocks to the authoritative time ...

► View parameters

Param ID	Label	Constraint / Choices
sc-45.01_odp.01	frequency	the frequency at which to compare the internal system clocks with the authoritative time source is defined;
sc-45.01_odp.02	authoritative time source	the authoritative time source to which internal system clocks are to be compared is defined;
sc-45.01_odp.03	time period	the time period to compare the internal system clocks with the authoritative time source is defined;

—

SC-45(02)

Secondary Authoritative Time Source

(a) Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and (b) Synchronize the internal system clocks to the sec...

—

└ sc-45.1.(a)

Compare the internal system clocks {{ insert: param, sc-45.01_odp.01 }} with {{ insert: param, sc-45.01_odp.02 }} ; and

—

└ sc-45.1.(b)

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than {{ insert: param, sc-45.01_odp.03 }}.

—

└ sc-45.2.(a)

Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and

—

└ sc-45.2.(b)

Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable.

—

SC-46

Cross Domain Policy Enforcement 1 param

Implement a policy enforcement mechanism {{ insert: param, sc-46_odp }} between the physical and/or network interfaces for the connecting security domains.

► View parameters

Param ID	Label	Constraint / Choices
sc-46_odp		Select one: physically; logically

—

SC-47

Alternate Communications Paths 1 param

Establish {{ insert: param, sc-47_odp }} for system operations organizational command and control.

► View parameters

Param ID	Label	Constraint / Choices
sc-47_odp	alternate communication paths	alternate communication paths for system operations and operational command and control are defined;

—

SC-48

Sensor Relocation 3 params

Relocate {{ insert: param, sc-48_odp.01 }} to {{ insert: param, sc-48_odp.02 }} under the following conditions or circumstances: {{ insert: param, sc-48_odp.03 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-48_odp.01	sensors and monitoring capabilities	sensors and monitoring capabilities to be relocated are defined;
sc-48_odp.02	locations	locations to where sensors and monitoring capabilities are to be relocated are defined;
sc-48_odp.03	conditions or circumstances	conditions or circumstances for relocating sensors and monitoring capabilities are defined;

—

SC-48(01)

Dynamic Relocation of Sensors or Monitoring Capabilities 3 params

Dynamically relocate {{ insert: param, sc-48.01_odp.01 }} to {{ insert: param, sc-48.01_odp.02 }} under the following conditions or circumstances: {{ insert: param, sc-48.01_odp.03 }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-48.01_odp.01	sensors and monitoring capabilities	sensors and monitoring capabilities to be dynamically relocated are defined;
sc-48.01_odp.02	locations	locations to where sensors and monitoring capabilities are to be dynamically relocated are defined;
sc-48.01_odp.03	conditions or circumstances	conditions or circumstances for dynamically relocating sensors and monitoring capabilities are defined;

—

SC-49

Hardware-enforced Separation and Policy Enforcement 1 param

Implement hardware-enforced separation and policy enforcement mechanisms between {{ insert: param, sc-49_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-49_odp	security domains	security domains requiring hardware-enforced separation and policy enforcement mechanisms are defined;

—

SC-50

Software-enforced Separation and Policy Enforcement 1 param

Implement software-enforced separation and policy enforcement mechanisms between {{ insert: param, sc-50_odp }}.

► View parameters

Param ID	Label	Constraint / Choices
sc-50_odp	security domains	security domains requiring software-enforced separation and policy enforcement mechanisms are defined;

—

SC-51

Hardware-based Protection 2 params

a. Employ hardware-based, write-protect for {{ insert: param, sc-51_odp.01 }} ; and b. Implement specific procedures for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-pro...

► View parameters

Param ID	Label	Constraint / Choices
sc-51_odp.01	system firmware components	system firmware components requiring hardware-based write-protect are defined;
sc-51_odp.02	authorized individuals	authorized individuals requiring procedures for disabling and re-enabling hardware write-protect are defined;

—

└ sc-51a

Employ hardware-based, write-protect for {{ insert: param, sc-51_odp.01 }} ; and

—

└ sc-51b

Implement specific procedures for {{ insert: param, sc-51_odp.02 }} to manually disable hardware write-protect for firmware modifications and re-en...

—

└ sc-5.3.(a)

Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: {{ insert: param, sc...

—

└ sc-5.3.(b)

Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: {{ insert: param,...

—

└ sc-5a

{{ insert: param, sc-05_odp.02 }} the effects of the following types of denial-of-service events: {{ insert: param, sc-05_odp.01 }} ; and

—

└ sc-5b

Employ the following controls to achieve the denial-of-service objective: {{ insert: param, sc-05_odp.03 }}.

—

└ sc-7.10.(a)

Prevent the exfiltration of information; and

—

└ sc-7.10.(b)

Conduct exfiltration tests {{ insert: param, sc-07.10_odp }}.

—

└ sc-7.24.(a)

Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }};

—

└ sc-7.24.(b)

Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;

—

└ sc-7.24.(c)

Document each processing exception; and

—

└ sc-7.24.(d)

Review and remove exceptions that are no longer supported.

—

└ sc-7.4.(a)

Implement a managed interface for each external telecommunication service;

—

└ sc-7.4.(b)

Establish a traffic flow policy for each managed interface;

—

└ sc-7.4.(c)

Protect the confidentiality and integrity of the information being transmitted across each interface;

—

└ sc-7.4.(d)

Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

—

└ sc-7.4.(e)

Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mi...

—

└ sc-7.4.(f)

Prevent unauthorized exchange of control plane traffic with external networks;

—

└ sc-7.4.(g)

Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

—

└ sc-7.4.(h)

Filter unauthorized control plane traffic from external networks.

—

└ sc-7.9.(a)

Detect and deny outgoing communications traffic posing a threat to external systems; and

—

└ sc-7.9.(b)

Audit the identity of internal users associated with denied communications.

—

└ sc-7a

Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

—

└ sc-7b

Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational netw...

—

└ sc-7c

Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an or...

—