System Security Plan (SSP) Categorization: Moderate-Low-Low


SC-5 – Denial of Service Protection (Standalone and CRN Overlay)



Page 26/29, 16.05.2018

10.22.5 SC-5 – Denial of Service Protection (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.

The IS protects against or limits the effects of denial of service attacks.



Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems.

The IS restricts the ability of individuals to launch denial of service attacks against other IS.



Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7 SC-7 – Boundary Protection (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



This requirement also applies to ports, protocols, and services. Information systems, in conjunction with the environment in which they are installed, shall:

• Provide for remote access only for an authorized, specific purpose (for example, to provide email access for a guest agency’s employee via a VPN). The remote connection must be restricted to approved purposes. Authorized remote access shall not enable the user to communicate as an extension of the IS or to communicate with local resources such as a printer or file server unless explicitly authorized by the AO.

• Route specific internal communications traffic through authenticated proxy servers within the managed interfaces of boundary protection devices (e.g., as defined in DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), and DISA STIGs) to external networks (i.e., networks outside the control of the organization). The list of traffic to be routed through managed interfaces may be augmented with service/agency or site-specific requirements and approved by the AO or designee.

• Use private/non-publicly routable IP addresses for isolated LANs.

• Employ host-based boundary protection mechanisms on mobile devices (e.g., notebook/laptop computers and other types of mobile devices) where boundary protection mechanisms are available. This typically applies when your internal network has classification or access levels that differ.

The information system:


Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system

Click here to enter text.



Implements subnetworks for publicly accessible system components that are physically and logically separated from internal organizational networks

Click here to enter text.

Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.1 SC-7(3) – Boundary Protection: Access Points (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization:

Limits the number of external network connections to the information system and prevents public access into the organization’s internal networks except as allowed by managed interfaces employing boundary protection devices. This control generally applies when the system is connected to an unclassified system.

Physically allocates publicly accessible information system components to separate sub-networks with separate physical network interfaces. Publicly accessible information system components include, for example, public web servers.

Limits the number of access points to information systems under their purview to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.



Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization:

(a) Implements a managed interface for each external telecommunication service;

(b) Establishes a traffic flow policy for each managed interface;

(c) Protects the confidentiality and integrity of information being transmitted across each interface;

(d) Documents exceptions to the traffic flow policy with a supporting mission/business need and the duration of that need in the SSP;

(e) Reviews exceptions to the traffic flow policy at least annually; and

(f) Eliminates traffic flow policy exceptions that are no longer required by an explicit mission/business need and updates the SSP accordingly.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization at managed interfaces denies network traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). This requirement applies to ports, protocols, and services.
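As an added example that is not part of this SSP template, the deny-all/permit-by-exception rule of SC-7(5) combined with the documented, time-bounded exceptions of SC-7(4)(d) through (f): a small Python evaluator for one managed interface whose exception table, addresses, justifications and dates are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowException:
    """One documented exception to the default-deny policy (SC-7(4)(d))."""
    rule_id: str
    src: str             # CIDR allowed to originate the flow
    dst: str             # CIDR the flow may reach
    proto: str           # "tcp" or "udp"
    dport: int           # destination port
    justification: str   # mission/business need recorded in the SSP
    expires: date        # end of the documented duration of that need


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


# Constructed exception table for a hypothetical managed interface;
# addresses are documentation ranges, dates and justifications are made up.
POLICY = [
    FlowException("EX-01", "10.20.0.0/24", "203.0.113.10/32", "tcp", 443,
                  "Patch server pulls updates from the vendor mirror",
                  date(2026, 6, 30)),
    FlowException("EX-02", "10.20.0.5/32", "198.51.100.0/24", "udp", 53,
                  "DNS forwarding to partner resolver", date(2024, 1, 31)),
]


def active_exceptions(policy, today):
    """Exceptions whose documented need has not lapsed."""
    return [e for e in policy if e.expires >= today]


def evaluate(flow, policy, today):
    """Return (decision, rule_id). Anything not explicitly permitted is denied."""
    for e in active_exceptions(policy, today):
        if (e.proto == flow.proto and e.dport == flow.dport
                and ip_address(flow.src_ip) in ip_network(e.src)
                and ip_address(flow.dst_ip) in ip_network(e.dst)):
            return "permit", e.rule_id
    return "deny", None  # deny-all default (SC-7(5))


def review_report(policy, today):
    """Annual review (SC-7(4)(e)/(f)): exceptions to eliminate, keyed by rule id."""
    return {e.rule_id: e.justification for e in policy if e.expires < today}
```

An expired exception stops matching on the day after its documented need ends, so a lapsed entry fails closed until the SSP is updated or the need is re-justified.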

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The IS, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks. The use of VPNs for remote connections, when adequately provisioned with appropriate security controls, may provide the organization with sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.
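An added example, not from the template: a compliance check for the split-tunnel condition SC-7(7) describes, run over constructed Linux `ip route` snapshots of a hypothetical remote laptop. The tunnel interface name tun0, the concentrator address 203.0.113.5 and the route lines are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed `ip route` snapshots for a hypothetical remote laptop.
# Full tunnel: default route rides the VPN; only the on-link LAN subnet and a
# host route to the concentrator stay on the physical interface.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
"""

# Split tunnel: only 10.0.0.0/8 goes through the VPN, everything else leaves
# directly via the local gateway.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text):
    """Yield (destination network, interface, on-link?) per route line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        yield ip_network(dst, strict=False), dev, "link" in parts


def split_tunnel_findings(text, vpn_dev, concentrator_ip):
    """Routes that let traffic leave the device without traversing the VPN.

    Permitted outside the tunnel: the physical interface's own on-link
    subnet (needed to reach the local gateway) and a host route to the
    VPN concentrator. Any other route on a non-VPN interface, including
    a default route, is a split-tunnel path and is reported.
    """
    findings = []
    for net, dev, on_link in parse_routes(text):
        if dev == vpn_dev or on_link:
            continue
        is_host_route = net.prefixlen == net.max_prefixlen
        if is_host_route and net.network_address == ip_address(concentrator_ip):
            continue
        findings.append(f"{net} via {dev}")
    return findings
```

An empty findings list means every non-local destination is forced through the tunnel; the check complements, rather than replaces, the VPN client's own split-tunnel lockout.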

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The IS routes specific internal communications traffic through authenticated proxy servers within the managed interfaces of boundary protection devices (e.g., as defined in DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), and DISA STIGs) to external networks (i.e., networks outside the control of the organization). The list of traffic to be routed through managed interfaces may be augmented with Service or site-specific requirements and approved by the DAO or designee.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (Standalone and CRN Overlay) – NEW BASELINE


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The IS (a) detects and denies outgoing communications traffic posing a threat to external IS; and (b) audits the identity of internal users associated with denied communications. This is sometimes termed extrusion detection and includes traffic indicative of denial of service attacks and traffic containing malicious code.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (Standalone and CRN Overlay)


This control is required for IS that process, store or transmit SCI.

After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization prevents the unauthorized exfiltration of information across managed interfaces.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The IS only allows incoming traffic from authorized sources routed to an authorized destination.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization implements host-based boundary protection mechanisms (e.g., a host-based firewall) for servers, workstations, and mobile devices. Host-based boundary protection mechanisms shall be employed on mobile devices (e.g., notebook/laptop computers and other types of mobile devices) where boundary protection mechanisms are available. This typically applies when the internal network has classification or access levels that differ.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (Standalone and CRN Overlay)


After a relevance determination, this control can be tailored out for standalone IS and CRNs.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization isolates, at a minimum, vulnerability scanning tools, audit log servers, patch servers, and CND tools from other internal information system components via physically separate subnets with managed interfaces to other system or network components.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (Standalone Overlay)


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The organization protects against unauthorized physical connections at any managed interface that crosses security domains or connects to an external network, such as, but not limited to, cross domain solutions, a network boundary with a WAN, a partner network, or the Internet.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

10.22.7.12 SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Quarterly

Program Frequency:

Choose an item.

Implementation Status:

☐ Implemented  ☐ Planned

Organizational Tailoring:

☐ Compensatory Control (Provide justification below)  ☐ Tailored In (Provide justification below)

☐ Tailored Out (Provide justification below)  ☐ Modified (Provide justification below)


Control Origination (check all that apply):

☐ Common  ☐ System Specific  ☐ Hybrid (Common and System Specific)



The IS enforces adherence to protocol formats. Information system components that enforce protocol formats include, for example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by devices operating at the network or transport layers.

Click here to enter text.



CONTINUOUS MONITORING STRATEGY

Click here to enter text.
