[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS protects the confidentiality and integrity of transmitted information. This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). When more than one computer network exists, a color coding scheme shall be developed to assist in the proper handling of classified information. Color coding of cables may be met by any of the following:
• Purchasing/making cables with the proper color.
• Placing colored tape every five feet along the cable length.
• Wrapping tape around the length of the cable run.
When networks are present other than those listed above, a different color must be selected for the network cables to assist in minimizing the risk to classified IS.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes to, information during transmission, unless the transmission is otherwise protected by alternative physical safeguards, such as keeping it within physical areas rated IAW the sensitivity of the information or within a Protected Distribution System (PDS) when it traverses areas not approved for that sensitivity. This applies to sensitive unclassified information, such as PII, as well as to classified information.
CONTINUOUS MONITORING STRATEGY
10.22.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS implements cryptographic mechanisms to protect message externals unless otherwise protected by alternative physical or logical safeguards. Message externals include, for example, message headers/routing information.
CONTINUOUS MONITORING STRATEGY
10.22.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified Overlay) – NEW
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS implements cryptographic mechanisms to conceal or randomize communications patterns unless otherwise protected by alternative physical or logical safeguards. Communication patterns include, for example, frequency, periods, amount, and predictability. Changes to communications patterns can reveal information having intelligence value especially when combined with other available information related to missions/business functions supported by organizational information systems.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS terminates the network connection associated with a communications session at the end of the session or after no more than one (1) hour of inactivity.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The organization establishes and manages cryptographic keys for required cryptography employed within the IS in accordance with NSA-approved key management technology and processes.
CONTINUOUS MONITORING STRATEGY
10.22.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) – NEW
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS implements NSA-approved cryptography for protecting classified information from access by personnel who lack the necessary security clearance, in accordance with applicable Federal laws, Executive Orders, directives, policies, regulations, and standards. To protect classified information, organizations shall employ NSA-approved cryptography. Cryptography shall also be used to protect information that must be separated from individuals who have the necessary clearances but lack the necessary access approvals.
CONTINUOUS MONITORING STRATEGY
10.22.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN (Incorporated into SC-13)
10.22.12 SC-14 – Public Access Protections – WITHDRAWN (Incorporated into multiple controls)
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
Collaborative computing devices include, but are not limited to, VTC, VoIP telephones, VVoIP, networked white boards, video cameras, and microphones. All collaborative computing devices must be approved by the AO. In addition, all collaborative computing equipment, collateral, or unclassified information systems or networks must be approved by the AO prior to introduction into the facility.
Additional requirements include:
• Camera lenses shall be covered with an opaque covering when the camera is not in use. No systems, documents, or media of higher classification may be displayed or in view of the camera.
• Microphones must have a mute or hold capability (e.g., on/off switch) and should have a push-to-talk button (implemented in hardware or software).
• While conducting a collaborative computing session, users shall take all reasonable measures to ensure that no unintended information is made audible or visible via the collaborative computing device. Users shall advise all personnel in the immediate area that the collaborative computing device will be operating and shall sanitize all sensitive material/systems that may be in view of the collaborative computing device.
• Users shall not leave the collaborative computing device unattended while a session is in progress. Once the collaborative session is completed, the user shall take explicit action to disconnect/terminate the collaborative computing device.
• Desktop-level collaborative computing devices may use external loudspeakers/amplified sound only if they are installed within a closed room with walls that meet the requirements of DoDM 5205.07-V3; otherwise a headset must be used.
• Microphones must be used in such a way as to ensure no unintended conversations are picked up and transmitted outside the facility. This may be accomplished by using microphones in enclosed offices, or by ensuring no other higher classified discussions occur in the area when the microphone is in use.
The information system:
• Prohibits remote activation of collaborative computing devices, with no exceptions
• Provides an explicit indication of use to users physically present at the devices
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The organization disables or removes collaborative computing devices from organizationally-identified IS or IS components in specified secure work areas.
CONTINUOUS MONITORING STRATEGY
10.22.14 SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The organization issues public key certificates under the organizationally-defined certificate policy or obtains public key certificates from an approved service provider. This requirement addresses certificates with visibility external to the information system and certificates related to internal system operations.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
Mobile code is software obtained from remote systems outside the system authorization boundary, transferred across a network, and then downloaded and executed on a local system (e.g., a computer with a web browser) without explicit installation or execution by the recipient. ‘Transferred across a network’ includes transfers via media, aka sneakernet.
See the DAA PM security control SC-18 for additional definition of mobile code.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS identifies unacceptable mobile code and takes corrective action. Corrective actions when unauthorized mobile code is detected include, for example, blocking, quarantine, or alerting the SA. Disallowed transfers include, for example, sending word processing files with embedded macros.
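As an added example (not part of the template), a content-based check for one of the disallowed transfers named above, word processing files with embedded macros: it inspects the OOXML container for VBA parts instead of trusting the file extension, and returns the corrective action to take. The sample documents are constructed in memory; the part names and content type are the OOXML/VBA conventions, and legacy binary (.doc/OLE) files would need a separate check.

```python
import io
import zipfile

# OOXML part names and content type that carry VBA macros (Office Open XML / MS-OVBA).
MACRO_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_macro_indicators(data: bytes) -> list:
    """Reasons the file counts as unacceptable mobile code; an empty list means no macro found."""
    if not data.startswith(b"PK\x03\x04"):
        # Legacy binary Office (OLE2) files need a separate check; do not wave them through.
        return ["not an OOXML container: cannot verify, treat as unacceptable"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            reasons += [f"macro part present: {n}" for n in names
                        if n.lower().endswith(MACRO_PART_SUFFIXES)]
            if "[Content_Types].xml" in names:
                types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in types_xml:
                    reasons.append("content type declares a vbaProject part")
    except zipfile.BadZipFile:
        reasons.append("corrupt container: cannot verify, treat as unacceptable")
    return reasons


def corrective_action(data: bytes) -> str:
    """Decision for the transfer: block and quarantine the file and alert the SA, or allow it."""
    return "BLOCK_QUARANTINE_ALERT" if find_macro_indicators(data) else "ALLOW"


def make_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = ['<Override PartName="/word/document.xml" ContentType="application/'
                     'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
            overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + "".join(overrides) + "</Types>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("plain", make_sample_docx(False)), ("macro", make_sample_docx(True))):
        print(label, corrective_action(doc), find_macro_indicators(doc))
```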
CONTINUOUS MONITORING STRATEGY
10.22.15.2 SC-18(2) – Mobile Code: Acquisition/Development/Use
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The organization ensures that the acquisition, development and use of mobile code to be deployed in the information system meets mobile code requirements, usage restrictions, and implementation guidance for acceptable mobile code and mobile code technologies as follows:
• Category 1 mobile code shall be signed by a trusted Certificate Authority. Use of unsigned Category 1 mobile code is prohibited. Use of Category 1 mobile code technologies that cannot block or disable unsigned mobile code (e.g., Windows Scripting Host) is prohibited.
• Category 2 mobile code which executes in a constrained environment without access to system resources (e.g., Windows registry, file system, system parameters, and network connections to other than the originating host) may be used. Category 2 mobile code which does not execute in a constrained environment may be used when obtained from a trusted source over an assured channel (e.g., JWICS, SIPRNet, SSL connection, S/MIME) or when signed with an approved code signing certificate.
• Category 3 mobile code may be used.
CONTINUOUS MONITORING STRATEGY
10.22.15.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
Organizations shall ensure VoIP technologies are implemented with DAO and approval. The organization shall further ensure:
VoIP telephone instruments shall have a “Consent to Monitor” label (e.g., DD Form 2056) or banner and an appropriate classification label or banner. VoIP telephone instruments must be used in such a way as to ensure no unintended conversations are picked up and transmitted outside the facility. This may include use in an enclosed office, or ensuring no other higher classified discussions occur in the area when the VoIP telephone is in use.
The organization:
• Establishes usage restrictions and implementation guidance for VoIP technologies based on the potential to cause damage to the IS if used maliciously
• Authorizes, monitors, and controls the use of VoIP within the IS.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
A Domain Name System (DNS) server is an example of an information system that provides name/address resolution service.
The information system:
• Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries
• Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace
CONTINUOUS MONITORING STRATEGY
10.22.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces – WITHDRAWN (Incorporated into SC-20)
10.22.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
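As an added illustration (not part of the template), the following Python shows what a client does at the protocol level to "request and perform" this verification: it sets the EDNS0 DO bit so the resolver returns DNSSEC data, and it accepts an answer only when the resolver's AD flag reports that validation succeeded. The sample responses are constructed inline; the AD flag is only trustworthy when the path to the validating resolver is itself protected (a local validator, or an authenticated channel to it).

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035): AD = resolver validated the answer, CD = checking
# disabled. The EDNS0 DO bit (RFC 3225) asks the resolver to include DNSSEC records.
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000  # top bit of the flags half of the OPT RR "TTL" field


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_dnssec_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Recursion-desired query with one question and an EDNS0 OPT RR carrying DO=1."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, "TTL" = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def query_requests_dnssec(query: bytes) -> bool:
    """True if the query ends with an OPT RR (no RDATA) whose DO bit is set."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0 or len(query) < 23:
        return False
    rtype, _udp_size, ttl, _rdlen = struct.unpack("!HHIH", query[-10:])
    return query[-11] == 0 and rtype == 41 and bool(ttl & EDNS_DO)


def parse_response_flags(response: bytes, expected_txid: int) -> dict:
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed response")
    return {"qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F}


def response_authenticated(response: bytes, expected_txid: int) -> bool:
    """Accept only a NOERROR answer that the resolver marked AD with checking enabled."""
    f = parse_response_flags(response, expected_txid)
    return f["qr"] and f["rcode"] == 0 and f["ad"] and not f["cd"]


def _sample_response(txid: int, flags: int) -> bytes:
    # Constructed sample (not a capture): header plus echoed question; answer records omitted
    # because only the header flags matter for this check.
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + _encode_name("example.test") + struct.pack("!HH", 1, 1)


VALIDATED = _sample_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)    # flags 0x81A0
UNVALIDATED = _sample_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)              # flags 0x8180

if __name__ == "__main__":
    print("query sets DO:", query_requests_dnssec(build_dnssec_query("example.test")))
    print("validated:", response_authenticated(VALIDATED, 0x1234),
          "unvalidated:", response_authenticated(UNVALIDATED, 0x1234))
```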
CONTINUOUS MONITORING STRATEGY
10.22.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The information systems that collectively provide name/address resolution service for an organization shall be fault-tolerant and implement internal/external role separation.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS protects the authenticity of communications sessions. This control addresses communications protection at the session level rather than the packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence, at both ends of a communications session, in the ongoing identities of the other parties and in the validity of the information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
Information at rest refers to the state of information when it is located on a non-volatile device (e.g., hard drive, tapes) within an information system. Laptop hard drives must be encrypted using either BitLocker or another DAO-approved encryption technology and must be labeled with “authorized/not authorized for travel” and “compliant with DAR policy.”
Information systems shall protect the confidentiality and integrity of information at rest.
CONTINUOUS MONITORING STRATEGY
10.22.21.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+ Classified)
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
The IS implements DoD/NSA approved cryptographic mechanisms to prevent unauthorized disclosure and modification of data at rest, to include mobile devices, CDs and other removable media (e.g., USB hard drives).
CONTINUOUS MONITORING STRATEGY
10.22.22 SC-38 – Operations Security – NEW BASELINE
[ ] Compensatory Control  [ ] Tailored In  [ ] Tailored Out  [ ] Modified  (provide justification below)
Control Origination (check all that apply): [ ] Common  [ ] System Specific  [ ] Hybrid (Common and System Specific)
This control often applies to types of information systems or system components characterized as mobile devices, for example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers.
The information system:
• Prohibits the remote activation of environmental sensing capabilities unless determined to be essential for mission execution
• Provides an explicit indication of sensor use
CONTINUOUS MONITORING STRATEGY
10.22.24.1 SC-42(3) – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW