
SC-45(1) System Time Synchronization | Synchronization with Authoritative Time Source

IL4 Mod
IL4 High
IL5
IL6

Control Description

(a) Compare the internal system clocks [organization-defined frequency] with [organization-defined authoritative time source]; and

(b) Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [organization-defined time period].

DoD Impact Level Requirements

FedRAMP Parameter Values

SC-45 (1) (a) [At least hourly] [http://tf.nist.gov/tf-cgi/servers.cgi]

SC-45 (1) (b) [any difference]

Additional Requirements and Guidance

SC-45 (1) Requirement: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server.

SC-45 (1) Requirement: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows to the Windows Server Domain Controller emulator or to the same time source for that server.

SC-45 (1) Guidance: Synchronization of system clocks improves the accuracy of log analysis.
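As an added example (not part of the FedRAMP or DoD text), the following Python check audits a chrony configuration against the parameter values above: at least two time sources and a worst-case polling interval of no more than one hour. It assumes chrony is the NTP client, treats chrony's maxpoll as the comparison frequency, and uses placeholder host names; the geographic separation of the two servers cannot be verified from the file and is left to manual review.

```python
HOURLY_SECONDS = 3600   # FedRAMP SC-45(1)(a) parameter: compare at least hourly
DEFAULT_MAXPOLL = 10    # chrony's default maxpoll: 2**10 = 1024 s


def audit_chrony_conf(text):
    """Return (sources, findings) for the body of a chrony.conf file."""
    sources, findings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        # chrony treats lines starting with !, ;, # or % as comments.
        if not line or line[0] in "!;#%":
            continue
        fields = line.split()
        if fields[0].lower() not in ("server", "pool") or len(fields) < 2:
            continue
        name, opts = fields[1], [o.lower() for o in fields[2:]]
        maxpoll = DEFAULT_MAXPOLL
        if "maxpoll" in opts:
            value = opts[opts.index("maxpoll") + 1:][:1]
            if not value or not value[0].lstrip("-").isdigit():
                findings.append(f"{name}: maxpoll has no numeric value")
                continue
            maxpoll = int(value[0])
        interval = 2.0 ** maxpoll   # polling intervals are powers of two seconds
        sources.append((name, interval))
        if interval > HOURLY_SECONDS:
            findings.append(
                f"{name}: polls as rarely as every {interval:.0f} s, "
                "exceeding the hourly comparison requirement")
    if len(sources) < 2:
        findings.append(
            "fewer than two time sources configured; primary and secondary required")
    return sources, findings


# Constructed sample configurations; host names are placeholders (assumptions).
COMPLIANT = """\
# primary and secondary, chosen from different regions
server primary.time.example iburst maxpoll 10
server secondary.time.example iburst maxpoll 11
"""
WEAK = """\
server primary.time.example iburst maxpoll 12
"""

if __name__ == "__main__":
    for label, conf in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, audit_chrony_conf(conf)[1] or "no findings")
```

The findings list can be attached to assessment evidence alongside the configuration file itself.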

Discussion

Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of synchronization with authoritative time source?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-45(1)?

Technical Implementation:

  • How is synchronization with authoritative time source technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that synchronization with authoritative time source remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-45(1)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
