NIST SP 800-53A
.pdf
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
|
|||
|
|
|
|
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
|
|
|
|
|
SC-8 |
|
TRANSMISSION INTEGRITY |
|
|
|
|
|
|
|
|
|
SC-8.1 |
|
ASSESSMENT OBJECTIVE: |
|
|
|
|
|
Determine if the information system protects the integrity of transmitted information. |
|
|
|
|
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS: |
|
|
|
|
|
Examine: [SELECT FROM: System and communications protection policy; procedures addressing |
|
|
|
|
|
transmission integrity; information system design documentation; information system |
|
|
|
|
|
configuration settings and associated documentation; other relevant documents or records]. |
|
|
|
|
|
Test: [SELECT FROM: Transmission integrity capability within the information system]. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SC-8(1) |
|
TRANSMISSION INTEGRITY |
|
|
|
|
|
|
|
|
|
SC-8(1).1 |
|
ASSESSMENT OBJECTIVE: |
|
|
|
|
|
Determine if the organization employs cryptographic mechanisms to recognize changes to |
|
|
|
|
|
information during transmission unless otherwise protected by alternative physical |
|
|
|
|
|
measures. |
|
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing transmission integrity capability within the information system].
SC-8(2) TRANSMISSION INTEGRITY
SC-8(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system in preparation for transmission maintains the integrity of information during:
-aggregation;
-packaging; and
-transformation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission integrity; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Transmission integrity capability within the information system].
APPENDIX F-SC |
PAGE F-271 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
SC-9 |
TRANSMISSION CONFIDENTIALITY |
|
|
|
|
SC-9.1 |
ASSESSMENT OBJECTIVE: |
|
|
Determine if the information system protects the confidentiality of transmitted |
|
|
information. |
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; contracts for telecommunications services; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Transmission confidentiality capability within the information system].
SC-9(1) TRANSMISSION CONFIDENTIALITY
SC-9(1).1 ASSESSMENT OBJECTIVE:
Determine if:
(i)the organization optionally defines alternative physical measures to prevent unauthorized disclosure of information during transmission ; and
(ii)the organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected by organization-defined alternative physical measures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; information system communications hardware and software or Protected Distribution System protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Cryptographic mechanisms implementing transmission confidentiality capability within the information system].
SC-9(2) TRANSMISSION CONFIDENTIALITY
SC-9(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system in preparation for transmission maintains the confidentiality of information during:
-aggregation;
-packaging; and
-transformation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality; information system design documentation; information system communications hardware and software or Protected Distribution System protection mechanisms; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Transmission confidentiality capability within the information system].
APPENDIX F-SC |
PAGE F-272 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
||
|
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
|
SC-10 |
NETWORK DISCONNECT |
|
|
|
|
|
|
SC-10.1 |
ASSESSMENT OBJECTIVE: |
|
|
|
Determine if: |
|
|
|
(i) |
the organization defines the time period of inactivity before the information system |
|
|
|
terminates a network connection associated with a communications session; and |
|
|
(ii) |
the information system terminates a network connection associated with a |
|
|
|
communication session at the end of the session or after the organization-defined |
|
|
|
time period of inactivity. |
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; information system design documentation; organization-defined time period of inactivity before network disconnect; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Network disconnect capability within the information system].
APPENDIX F-SC |
PAGE F-273 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
||
|
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
|
SC-11 |
TRUSTED PATH |
|
|
|
|
|
|
SC-11.1 |
ASSESSMENT OBJECTIVE: |
|
|
|
Determine if: |
|
|
|
(i) |
the organization defines the security functions within the information system to be |
|
|
|
included in a trusted communications path; |
|
|
(ii) |
the organization-defined security functions include information system |
|
|
|
authentication and reauthentication; and |
|
|
(iii) |
the information system establishes a trusted communications path between the user |
|
|
|
and the organization-defined security functions within the information system. |
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing trusted communications paths; security plan; information system design documentation; information system configuration settings and associated documentation; assessment results from independent, testing organizations; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing trusted communications paths within the information system].
APPENDIX F-SC |
PAGE F-274 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
SC-12 |
CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT |
|
|
|
|
SC-12.1 |
ASSESSMENT OBJECTIVE: |
|
|
Determine if the organization establishes and manages cryptographic keys for required |
|
|
cryptography employed within the information system. |
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management and establishment; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
Test: [SELECT FROM: Automated mechanisms implementing cryptographic key management and establishment within the information system].
SC-12(1) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12(1).1 ASSESSMENT OBJECTIVE:
Determine if the organization maintains availability of information in the event of the loss of cryptographic keys by users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
SC-12(2) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12(2).1 ASSESSMENT OBJECTIVE:
Determine if:
(i)the organization defines whether it will use NIST-approved or NSA-approved key management technology and processes; and
(ii)the organization produces, controls, and distributes symmetric cryptographic keys using the organization-defined key management technology and processes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
APPENDIX F-SC |
PAGE F-275 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
SC-12(3) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for cryptographic key establishment or management].
SC-12(4) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12(4).1 ASSESSMENT OBJECTIVE:
Determine if the organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 certificates or prepositioned keying material.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; information system cryptographic keys; other relevant documents or records].
SC-12(5) CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
SC-12(5).1 ASSESSMENT OBJECTIVE:
Determine if the organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key management, establishment, and recovery; information system design documentation; information system configuration settings and associated documentation; information system cryptographic keys; other relevant documents or records].
APPENDIX F-SC |
PAGE F-276 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
|
|||
|
|
|
|
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
|
|
|
|
|
SC-13 |
|
USE OF CRYPTOGRAPHY |
|
|
|
|
|
|
|
|
|
SC-13.1 |
|
ASSESSMENT OBJECTIVE: |
|
|
|
|
|
Determine if the information system implements cryptographic protections using |
|
|
|
|
|
cryptographic modules that comply with applicable laws, Executive Orders, directives, |
|
|
|
|
|
policies, regulations, standards, and guidance. |
|
|
|
|
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS: |
|
|
|
|
|
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of |
|
|
|
|
|
cryptography; information system design documentation; information system configuration |
|
|
|
|
|
settings and associated documentation; cryptographic module validation certificates; other |
|
|
|
|
|
relevant documents or records]. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SC-13(1) |
|
USE OF CRYPTOGRAPHY |
|
|
|
|
|
|
|
|
|
SC-13(1).1 |
|
ASSESSMENT OBJECTIVE: |
|
|
|
|
|
Determine if the organization employs, at a minimum, FIPS-validated cryptography to |
|
|
|
|
|
protect unclassified information. |
|
|
|
|
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS: |
|
|
|
|
|
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of |
|
|
|
|
|
cryptography; FIPS cryptography standards; information system design documentation; |
|
|
|
|
|
information system configuration settings and associated documentation; cryptographic |
|
|
|
|
|
module validation certificates; other relevant documents or records]. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SC-13(2) |
|
USE OF CRYPTOGRAPHY |
|
|
|
|
|
|
|
|
|
SC-13(2).1 |
|
ASSESSMENT OBJECTIVE: |
|
|
|
|
|
Determine if the organization employs NSA-approved cryptography to protect classified |
|
|
|
|
|
information. |
|
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; NSA cryptography standards; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].
APPENDIX F-SC |
PAGE F-277 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
SC-13(3) USE OF CRYPTOGRAPHY
SC-13(3).1 ASSESSMENT OBJECTIVE:
Determine if the organization employs, at a minimum, FIPS-validated cryptography to protect information when such information must be separated from individuals who have the necessary clearances yet lack the necessary access approvals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; FIPS cryptography standards; information system design documentation; information system configuration settings and associated documentation; FIPS cryptographic module validation certificates; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for implementing cryptography within the information system].
SC-13(4) USE OF CRYPTOGRAPHY
SC-13(4).1 ASSESSMENT OBJECTIVE:
Determine if:
(i)the organization defines whether it will use NIST-approved or NSA-approved cryptography to implement digital signatures; and
(ii)the organization employs the organization-defined cryptography to implement digital signatures
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing use of cryptography; information system design documentation; information system configuration settings and associated documentation; cryptographic module validation certificates; other relevant documents or records].
APPENDIX F-SC |
PAGE F-278 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
SC-14 |
PUBLIC ACCESS PROTECTIONS |
|
|
|
|
SC-14.1 |
ASSESSMENT OBJECTIVE: |
|
|
Determine if the information system protects the integrity and availability of publicly |
|
|
available information and applications. |
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing public access protections; access control policy and procedures; boundary protection procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms protecting the integrity and availability of publicly available information and applications within the information system].
APPENDIX F-SC |
PAGE F-279 |
Special Publication 800-53A |
Guide for Assessing the Security Controls in |
|
Federal Information Systems and Organizations |
________________________________________________________________________________________________
FAMILY: SYSTEM AND COMMUNICATIONS PROTECTION |
CLASS: TECHNICAL |
||
|
|
|
|
|
|
ASSESSMENT PROCEDURE |
|
|
|
|
|
SC-15 |
COLLABORATIVE COMPUTING DEVICES |
|
|
|
|
|
|
SC-15.1 |
ASSESSMENT OBJECTIVE: |
|
|
|
Determine if: |
|
|
|
(i) |
the organization defines exceptions to the prohibiting of collaborative computing |
|
|
|
devices where remote activation is to be allowed; |
|
|
(ii) |
the organization prohibits remote activation of collaborative computing devices, |
|
|
|
excluding the organization-defined exceptions where remote activation is to be |
|
|
|
allowed; and |
|
|
(iii) |
the organization provides an explicit indication of use to users physically present at |
|
|
|
the devices. |
|
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Automated mechanisms implementing access controls for collaborative computing environments; alert notification for local users].
SC-15(1) COLLABORATIVE COMPUTING DEVICES
SC-15(1).1 ASSESSMENT OBJECTIVE:
Determine if the information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Physical disconnect of collaborative computing devices].
SC-15(2) COLLABORATIVE COMPUTING DEVICES
SC-15(2).1 ASSESSMENT OBJECTIVE:
Determine if the information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].
Test: [SELECT FROM: Mechanisms blocking inbound and outbound traffic between instant message clients that are independently configured].
APPENDIX F-SC |
PAGE F-280 |