Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.18 System and communications protection"
Shawndouglas (minor edit): moved page Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.16 System and communications protection to Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.18 System and communications protection: Updates bumped...
Shawndouglas: Updated for 2023.
Revision as of 16:03, 21 March 2023
Appendix 1.18 System and communications protection
SC-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update system and communications protection policies and procedures. It asks organizations not only to address the purpose, scope, roles, responsibilities, and enforcement of system and communications protection activities, but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, pages 69–70
- LIMSpec 7.1, 7.2
SC-5 Denial of service protection
This control recommends the system be capable of protecting against and limiting the damage from a denial of service (DoS) attack by using specific safeguards. The organization will typically identify what types of DoS attacks are most likely to be a risk and state its plans for safeguarding against them.
Additional resources:
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
SC-7 Boundary protection
This control recommends the system monitor and control communications at external logical boundaries and at critical internal logical boundaries. Additionally, subnetworks for publicly accessible system components should be implemented that are logically or physically separated from internal networks. The system should connect to external networks and information systems only through managed interfaces (boundary protection devices).
Additional resources:
- NIST Special Publications 800-41, Rev. 1
- NIST Special Publications 800-77, Rev. 1
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
SC-8 Transmission confidentiality and integrity
This control recommends the system have tools or methods of protecting the confidentiality and integrity of transmitted information. "Logical protection can be achieved by employing encryption techniques," NIST adds (see the next control enhancement).
Additional resources:
- LIMSpec 35.1
SC-8 (1) Transmission confidentiality and integrity: Cryptographic protection
This control enhancement recommends that encryption methods be used to fulfill the requirements of SC-8. This includes the use of TLS and IPsec for information in motion, and cryptographic hash functions for maintaining integrity.
Additional resources:
- LIMSpec 35.1
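An added example, not from the guide or from LIMSpec, showing the two mechanisms SC-8 (1) names: a TLS client policy for information in motion, and a cryptographic hash (here a keyed HMAC-SHA-256, so that an attacker who alters the record cannot simply recompute the hash) for integrity. It uses only the Python standard library; the key and the sample laboratory record are constructed values.

```python
import hashlib
import hmac
import secrets
import ssl

# Constructed sample values. In practice the integrity key comes from the key
# management process described under SC-12, not from a literal in the code.
INTEGRITY_KEY = secrets.token_bytes(32)
SAMPLE_RECORD = b'{"sample_id": "LAB-0001", "analyte": "Pb", "result": "12.4 ug/L"}'


def client_tls_context() -> ssl.SSLContext:
    """TLS settings a LIMS client should insist on when sending records:
    server certificate verified against the trust store, host name checked,
    and anything older than TLS 1.2 refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def tls_policy_ok(ctx: ssl.SSLContext) -> bool:
    """Start-up self-check: does a context meet the policy above?"""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED)


def integrity_tag(key: bytes, record: bytes) -> str:
    """HMAC-SHA-256 over the record, sent alongside it so the receiver can
    detect modification in transit. Returns a 64-character hex digest."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_integrity(key: bytes, record: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time (hmac.compare_digest),
    so the comparison does not leak how many tag bytes matched."""
    expected = integrity_tag(key, record)
    return hmac.compare_digest(expected, tag)
```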
SC-12 Cryptographic key establishment and management
This control recommends the organization establish and manage cryptographic keys for the cryptography modules implemented within the system using organization-defined key generation, distribution, storage, access, and destruction requirements.
Additional resources:
- NIST Special Publications 800-56A, Rev. 3
- NIST Special Publications 800-56B, Rev. 2
- NIST Special Publications 800-56C, Rev. 2
- NIST Special Publications 800-57, Part 1, Rev. 5
- NIST Special Publications 800-57, Part 2, Rev. 1
- NIST Special Publications 800-57, Part 3, Rev. 1
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
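An added example, not from the guide or from the NIST publications listed above: a minimal key registry that enforces the SC-12 lifecycle the control names (generation, storage, access, destruction) using SP 800-57-style key states. Callers never hold key material directly; they ask the registry for a key by purpose. The state names, the 90-day cryptoperiod and all identifiers are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed cryptoperiod (90 days); after it an active key must be rotated.
CRYPTOPERIOD_SECONDS = 90 * 24 * 3600

# SP 800-57-style key states and the transitions this registry permits.
ALLOWED = {
    "pre-activation": {"active", "destroyed"},
    "active": {"deactivated", "compromised"},
    "deactivated": {"destroyed"},
    "compromised": {"destroyed"},
    "destroyed": set(),
}


@dataclass
class ManagedKey:
    key_id: str
    purpose: str                  # e.g. "data-at-rest" or "transport"
    material: "bytes | None"      # None once destroyed
    state: str = "pre-activation"
    activated_at: "float | None" = None
    audit: list = field(default_factory=list)


class KeyRegistry:
    def __init__(self, now=time.time):
        self._keys = {}
        self._now = now           # injectable clock so tests can age keys

    def generate(self, key_id, purpose, bits=256):
        # Generation and storage: CSPRNG material kept inside the registry;
        # use() is the single access-control point for it.
        key = ManagedKey(key_id, purpose, secrets.token_bytes(bits // 8))
        key.audit.append(("generated", self._now()))
        self._keys[key_id] = key
        return key_id

    def transition(self, key_id, new_state, actor):
        key = self._keys[key_id]
        if new_state not in ALLOWED[key.state]:
            raise ValueError(f"{key.state} -> {new_state} is not permitted")
        key.state = new_state
        if new_state == "active":
            key.activated_at = self._now()
        if new_state == "destroyed":
            key.material = None   # destruction: drop material, keep audit record
        key.audit.append((new_state, actor, self._now()))

    def use(self, key_id, purpose):
        # Access: only an active key, within its cryptoperiod, for its purpose.
        key = self._keys[key_id]
        if key.state != "active":
            raise PermissionError(f"key {key_id} is {key.state}, not active")
        if key.purpose != purpose:
            raise PermissionError("key purpose mismatch")
        if self._now() - key.activated_at > CRYPTOPERIOD_SECONDS:
            raise PermissionError("cryptoperiod exceeded; rotate the key")
        return key.material
```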
SC-13 Cryptographic protection
This control recommends the system implement the types and uses of cryptography required for organizational security in such a way that they comply with applicable laws, regulations, and standards.
Additional resources:
- LIMSpec 21.12 and 35.2
SC-15 Collaborative computing devices and applications
This control recommends the system prohibit remote activation of collaborative computing devices and applications such as attached cameras, microphones, and networked whiteboards, as well as remote meeting applications, unless explicitly allowed by the organization. Additionally, the system should provide an explicit notification that the device or application is in use to users physically present at the device.
Additional resources:
- LIMSpec 35.6
SC-20 Secure name-address resolution service (authoritative source)
This control recommends the system, when returning a response to external name-address resolution queries, provide additional contextual information about the origin and integrity of the data received. Additionally, the system should indicate what security statuses exist for child zones and enable chain-of-trust verification among parent and child domains, particularly when operating as part of a distributed, hierarchical namespace. (Note that this control is networking-related and difficult to put into simplified terms.)
Additional resources:
- NIST Special Publications 800-81-2
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
SC-21 Secure name-address resolution service (recursive or caching resolver)
This control recommends the system request and perform authentication and data integrity verification of the name-address resolution responses it receives. (Note that this control is networking-related and difficult to put into simplified terms.)
Additional resources:
- NIST Special Publications 800-81-2
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
SC-22 Architecture and provisioning for name-address resolution service
This control recommends the system be fault-tolerant and implement internal-external role separation if it collectively provides a name-address resolution service to the organization. (Note that this control is networking-related and difficult to put into simplified terms.)
Additional resources:
- NIST Special Publications 800-81-2
- No LIMSpec comp (largely outside the domain of laboratory software and more the domain of networking and IT systems)
SC-28 Protection of information at rest
This control recommends the system protect the confidentiality and/or integrity of designated information at rest contained in the system. ("Information at rest refers to the state of information when it is located on storage devices as specific components of information systems.")
Additional resources:
- NIST Special Publications 800-56A, Rev. 3
- NIST Special Publications 800-56B, Rev. 2
- NIST Special Publications 800-56C, Rev. 2
- NIST Special Publications 800-57, Part 1, Rev. 5
- NIST Special Publications 800-57, Part 2, Rev. 1
- NIST Special Publications 800-57, Part 3, Rev. 1
- NIST Special Publications 800-111
- LIMSpec 21.12
SC-28 (1) Protection of information at rest: Cryptographic protection
This control enhancement recommends the system be capable of implementing cryptographic mechanisms to protect against the misuse and modification of specified organizational information housed in specified system components (or across the entire system).
Additional resources:
SC-39 Process isolation
This control recommends the system maintain a separate execution domain for each executing process (i.e., assign each process a separate address space) "so that communication between processes is performed in a manner controlled through the security functions, and one process cannot modify the executing code of another process."
Additional resources: