Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/SC/Moderate

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


SYSTEM AND COMMUNICATIONS PROTECTION

SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-1 System and Communications Protection Policy and Procedures | Priority: P1 | LOW: SC-1 | MOD: SC-1 | HIGH: SC-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-1


ASSESSMENT PROCEDURE
SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
SC-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents system and communications protection policy;
(ii) the organization system and communications protection policy addresses:
(iii) the organization disseminates formal documented system and communications protection policy to elements within the organization having associated system and communications protection roles and responsibilities;
(iv) the organization develops and formally documents system and communications protection procedures;
(v) the organization system and communications protection procedures facilitate implementation of the system and communications protection policy and associated system and communications protection controls; and
(vi) the organization disseminates formal documented system and communications protection procedures to elements within the organization having associated system and communications protection roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].
SC-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of system and communications protection policy reviews/updates;
(ii) the organization reviews/updates system and communications protection policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of system and communications protection procedure reviews/updates; and
(iv) the organization reviews/updates system and communications protection procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with system and communications protection responsibilities].


SC-2 APPLICATION PARTITIONING


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-2 Application Partitioning | Priority: P1 | LOW: Not Selected | MOD: SC-2 | HIGH: SC-2


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-2


ASSESSMENT PROCEDURE
SC-2 APPLICATION PARTITIONING
SC-2.1 ASSESSMENT OBJECTIVE:
Determine if the information system separates user functionality (including user interface services) from information system management functionality.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Separation of user functionality from information system management functionality].


SC-4 INFORMATION IN SHARED RESOURCES


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-4 Information in Shared Resources | Priority: P1 | LOW: Not Selected | MOD: SC-4 | HIGH: SC-4


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-4


ASSESSMENT PROCEDURE
SC-4 INFORMATION IN SHARED RESOURCES
SC-4.1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents unauthorized and unintended information transfer via shared system resources.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing information remanence; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system for unauthorized and unintended transfer of information via shared system resources].


SC-5 DENIAL OF SERVICE PROTECTION


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-5 Denial of Service Protection | Priority: P1 | LOW: SC-5 | MOD: SC-5 | HIGH: SC-5


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-5


ASSESSMENT PROCEDURE
SC-5 DENIAL OF SERVICE PROTECTION
SC-5.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the types of denial of service attacks (or provides references to sources of current denial of service attacks) that can be addressed by the information system; and
(ii) the information system protects against or limits the effects of the organization-defined or referenced types of denial of service attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing denial of service protection; information system design documentation; security plan; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Information system for protection against or limitation of the effects of denial of service attacks].


SC-7 BOUNDARY PROTECTION


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-7 Boundary Protection | Priority: P1 | LOW: SC-7 | MOD: SC-7 (1) (2) (3) (4) (5) (7) | HIGH: SC-7 (1) (2) (3) (4) (5) (6) (7) (8)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7


ASSESSMENT PROCEDURE
SC-7 BOUNDARY PROTECTION
SC-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the external boundary of the information system;
(ii) the organization defines key internal boundaries of the information system;
(iii) the information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system; and
(iv) the information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of key internal boundaries of the information system; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; enterprise security architecture documentation; other relevant documents or records].
Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities].
Test: [SELECT FROM: Automated mechanisms implementing boundary protection capability within the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7/1


SC-7(1) BOUNDARY PROTECTION
SC-7(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization physically allocates publicly accessible information system components to separate subnetworks with separate, physical network interfaces.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7/2


SC-7(2) BOUNDARY PROTECTION
SC-7(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the mediation necessary for public access to the organization's internal networks; and
(ii) the information system prevents public access into the organization's internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; list of mediation vehicles for allowing public access to the organization's internal networks; information system design documentation; boundary protection hardware and software; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access controls for public access to the organization's internal networks].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7/3


SC-7(3) BOUNDARY PROTECTION
SC-7(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; communications and network traffic monitoring logs; other relevant documents or records].



SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7/4


SC-7(4) BOUNDARY PROTECTION
SC-7(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency for reviewing exceptions to traffic flow policy;
(ii) the organization implements a managed interface for each external telecommunication service;
(iii) the organization establishes a traffic flow policy for each managed interface;
(iv) the organization employs security controls as needed to protect the confidentiality and integrity of the information being transmitted;
(v) the organization documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
(vi) the organization reviews exceptions to the traffic flow policy in accordance with the organization-defined frequency; and
(vii) the organization removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; traffic flow policy; information system security architecture; information system design documentation; boundary protection hardware and software; information system architecture and configuration documentation; information system configuration settings and associated documentation; records of traffic flow policy exceptions; other relevant documents or records].
Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities].
Test: [SELECT FROM: Managed interfaces implementing organizational traffic flow policy].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7/5


SC-7(5) BOUNDARY PROTECTION
SC-7(5).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system, at managed interfaces, denies network traffic by default; and
(ii) the information system, at managed interfaces, allows network traffic by exception.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Selected organizational personnel with boundary protection responsibilities].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-7/7


SC-7(7) BOUNDARY PROTECTION
SC-7(7).1 ASSESSMENT OBJECTIVE:
Determine if the information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; information system design documentation; information system hardware and software; information system architecture; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting non-remote connections with the information system].


SC-8 TRANSMISSION INTEGRITY


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-8 Transmission Integrity | Priority: P1 | LOW: Not Selected | MOD: SC-8 (1) | HIGH: SC-8 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-8


ASSESSMENT PROCEDURE
SC-8 TRANSMISSION INTEGRITY
SC-8.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the integrity of transmitted information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Transmission integrity capability within the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-8/1


SC-8(1) TRANSMISSION INTEGRITY
SC-8(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing transmission integrity capability within the information system].


SC-9 TRANSMISSION CONFIDENTIALITY


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-9 Transmission Confidentiality | Priority: P1 | LOW: Not Selected | MOD: SC-9 (1) | HIGH: SC-9 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-9


ASSESSMENT PROCEDURE
SC-9 TRANSMISSION CONFIDENTIALITY
SC-9.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the confidentiality of transmitted information.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; contracts for telecommunications services; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Transmission confidentiality capability within the information system].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-9/1


SC-9(1) TRANSMISSION CONFIDENTIALITY
SC-9(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization optionally defines alternative physical measures to prevent unauthorized disclosure of information during transmission; and
(ii) the organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by organization-defined alternative physical measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; information system communications hardware and software or Protected Distribution System protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing transmission confidentiality capability within the information system].


SC-10 NETWORK DISCONNECT


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-10 Network Disconnect | Priority: P2 | LOW: Not Selected | MOD: SC-10 | HIGH: SC-10


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-10


ASSESSMENT PROCEDURE
SC-10 NETWORK DISCONNECT
SC-10.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the time period of inactivity before the information system terminates a network connection associated with a communications session; and
(ii) the information system terminates a network connection associated with a communication session at the end of the session or after the organization-defined time period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; information system design documentation; organization-defined time period of inactivity before network disconnect; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Network disconnect capability within the information system].


SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-12 Cryptographic Key Establishment and Management | Priority: P1 | LOW: SC-12 | MOD: SC-12 | HIGH: SC-12 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-12


ASSESSMENT PROCEDURE
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12.1 ASSESSMENT OBJECTIVE:
Determine if the organization establishes and manages cryptographic keys for required cryptography employed within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management and establishment; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
Test: [SELECT FROM: Automated mechanisms implementing cryptographic key management and establishment within the information system].


SC-13 USE OF CRYPTOGRAPHY


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-13 Use of Cryptography | Priority: P1 | LOW: SC-13 | MOD: SC-13 | HIGH: SC-13


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-13


ASSESSMENT PROCEDURE
SC-13 USE OF CRYPTOGRAPHY
SC-13.1 ASSESSMENT OBJECTIVE:
Determine if the information system implements cryptographic protections using cryptographic modules that comply with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].



SC-14 PUBLIC ACCESS PROTECTIONS


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-14 Public Access Protections | Priority: P1 | LOW: SC-14 | MOD: SC-14 | HIGH: SC-14


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-14


ASSESSMENT PROCEDURE
SC-14 PUBLIC ACCESS PROTECTIONS
SC-14.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the integrity and availability of publicly available information and applications.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing public access protections; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms protecting the integrity and availability of publicly available information and applications within the information system].


SC-15 COLLABORATIVE COMPUTING DEVICES


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-15 Collaborative Computing Devices | Priority: P1 | LOW: SC-15 | MOD: SC-15 | HIGH: SC-15


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-15


ASSESSMENT PROCEDURE
SC-15 COLLABORATIVE COMPUTING DEVICES
SC-15.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines exceptions to the prohibiting of collaborative computing devices where remote activation is to be allowed;
(ii) the organization prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed; and
(iii) the organization provides an explicit indication of use to users physically present at the devices.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access controls for collaborative computing environments; alert notification for local users].


SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-17 Public Key Infrastructure Certificates | Priority: P1 | LOW: Not Selected | MOD: SC-17 | HIGH: SC-17


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-17


ASSESSMENT PROCEDURE
SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
SC-17.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines a certificate policy for issuing public key certificates; and
(ii) the organization issues public key certificates under the organization-defined certificate policy or obtains public key certificates under a certificate policy from an approved service provider.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing public key infrastructure certificates; public key certificate policy or policies; public key issuing process; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with public key infrastructure certificate issuing responsibilities].



SC-18 MOBILE CODE


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-18 Mobile Code | Priority: P1 | LOW: Not Selected | MOD: SC-18 | HIGH: SC-18


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-18


ASSESSMENT PROCEDURE
SC-18 MOBILE CODE
SC-18.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines acceptable and unacceptable mobile code and mobile code technologies;
(ii) the organization establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
(iii) the organization authorizes, monitors, and controls the use of mobile code within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; list of acceptable mobile code and mobile code technologies; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with mobile code authorization, monitoring, and control responsibilities].
Test: [SELECT FROM: Mobile code authorization and monitoring capability for the organization].


SC-19 VOICE OVER INTERNET PROTOCOL


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-19 Voice Over Internet Protocol | Priority: P1 | LOW: Not Selected | MOD: SC-19 | HIGH: SC-19


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-19


ASSESSMENT PROCEDURE
SC-19 VOICE OVER INTERNET PROTOCOL
SC-19.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
(ii) the organization authorizes, monitors, and controls the use of VoIP within the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing VoIP; VoIP usage restrictions; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with VoIP authorization and monitoring responsibilities].
Test: [SELECT FROM: VoIP authorization and monitoring capability for the organization].


SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-20 Secure Name / Address Resolution Service (Authoritative Source) | Priority: P1 | LOW: SC-20 (1) | MOD: SC-20 (1) | HIGH: SC-20 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-20


ASSESSMENT PROCEDURE
SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-20.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing secure name/address resolution service (authoritative source)].


SECURITY CONTROL ENHANCEMENT

Template:Doc:NIST SP 800-53r3 Appendix F/SC-20/1


SC-20(1) SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
SC-20(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces; and
(ii) the information system, when operating as part of a distributed, hierarchical namespace, enables verification of a chain of trust among parent and child domains (if the child supports secure resolution services).
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing secure name/address resolution service (authoritative source); information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing child subspace security status indicators and chain of trust verification for resolution services].


SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-22 Architecture and Provisioning for Name/Address Resolution Service | Priority: P1 | LOW: Not Selected | MOD: SC-22 | HIGH: SC-22


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-22


ASSESSMENT PROCEDURE
SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
SC-22.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the information systems that collectively provide name/address resolution service for an organization are fault tolerant; and
(ii) the information systems that collectively provide name/address resolution service for an organization implement internal/external role separation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing architecture and provisioning for name/address resolution service; access control policy and procedures; information system design documentation; assessment results from independent testing organizations; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms supporting name/address resolution service for fault tolerance and role separation].


SC-23 SESSION AUTHENTICITY


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-23 Session Authenticity | Priority: P1 | LOW: Not Selected | MOD: SC-23 | HIGH: SC-23


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-23


ASSESSMENT PROCEDURE
SC-23 SESSION AUTHENTICITY
SC-23.1 ASSESSMENT OBJECTIVE:
Determine if the information system provides mechanisms to protect the authenticity of communications sessions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing session authenticity].


SC-28 PROTECTION OF INFORMATION AT REST


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-28 Protection of Information at Rest | Priority: P1 | LOW: Not Selected | MOD: SC-28 | HIGH: SC-28


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-28


ASSESSMENT PROCEDURE
SC-28 PROTECTION OF INFORMATION AT REST
SC-28.1 ASSESSMENT OBJECTIVE:
Determine if the information system protects the confidentiality and integrity of information at rest.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; information system design documentation; information system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; list of information at rest requiring confidentiality and integrity protections; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing confidentiality and integrity protections for information at rest].


SC-32 INFORMATION SYSTEM PARTITIONING


FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION CLASS: TECHNICAL


Security Control Baseline:
SC-32 Information System Partitioning | Priority: P0 | LOW: Not Selected | MOD: SC-32 | HIGH: SC-32


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/SC-32


ASSESSMENT PROCEDURE
SC-32 INFORMATION SYSTEM PARTITIONING
SC-32.1 ASSESSMENT OBJECTIVE:
Determine if the organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; information system design documentation; information system configuration settings and associated documentation; information system architecture; list of information system physical domains (or environments); information system facility diagrams; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel installing, configuring, and/or maintaining the information system].


