Joint task force transformation initiative



Date: 08.01.2019

P1 | LOW SC-12 | MOD SC-12 | HIGH SC-12 (1)

SC-13 CRYPTOGRAPHIC PROTECTION


Control: The information system implements [Assignment: organization-defined cryptographic uses and type of cryptography required for each use] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Supplemental Guidance: Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7.

Control Enhancements: None.

  1. cryptographic protection | fips-validated cryptography

[Withdrawn: Incorporated into SC-13].

  2. cryptographic protection | nsa-approved cryptography

[Withdrawn: Incorporated into SC-13].

  3. cryptographic protection | individuals without formal access approvals

[Withdrawn: Incorporated into SC-13].

  4. cryptographic protection | digital signatures

[Withdrawn: Incorporated into SC-13].

References: FIPS Publication 140; Web: http://csrc.nist.gov/cryptval, http://www.cnss.gov.

Priority and Baseline Allocation:

P1 | LOW SC-13 | MOD SC-13 | HIGH SC-13



SC-14 PUBLIC ACCESS PROTECTIONS


[Withdrawn: Capability provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7, SI-10].

SC-15 COLLABORATIVE COMPUTING DEVICES


Control: The information system:

  1. Prohibits remote activation of collaborative computing devices with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed]; and

  2. Provides an explicit indication of use to users physically present at the devices.

Supplemental Guidance: Collaborative computing devices include, for example, networked white boards, cameras, and microphones. Explicit indication of use includes, for example, signals to users when collaborative computing devices are activated. Related control: AC-21.

Control Enhancements:

  1. collaborative computing devices | physical disconnect

The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.

Supplemental Guidance: Failing to physically disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure that participants actually carry out the disconnect activity without having to go through complex and tedious procedures.

  2. collaborative computing devices | blocking inbound / outbound communications traffic

[Withdrawn: Incorporated into SC-7].

  3. collaborative computing devices | disabling / removal in secure work areas

The organization disables or removes collaborative computing devices from [Assignment: organization-defined information systems or information system components] in [Assignment: organization-defined secure work areas].

Supplemental Guidance: Failing to disable or remove collaborative computing devices from information systems or information system components can result in subsequent compromises of organizational information including, for example, eavesdropping on conversations.

  4. collaborative computing devices | explicitly indicate current participants

The information system provides an explicit indication of current participants in [Assignment: organization-defined online meetings and teleconferences].

Supplemental Guidance: This control enhancement helps to prevent unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants.

References: None.

Priority and Baseline Allocation:
