Last updated Feb 18, 2026, 2:55 AM UTC

NIST SP 800-53: SC System and Communications Protection

162 controls in the System and Communications Protection family

SC-1 Policy And Procedures [LOW, MODERATE, HIGH]
SC-2 Separation Of System And User Functionality [MODERATE, HIGH]
SC-2(1) Interfaces For Non-Privileged Users
SC-2(2) Disassociability
SC-3 Security Function Isolation [HIGH]
SC-3(1) Hardware Separation
SC-3(2) Access And Flow Control Functions
SC-3(3) Minimize Nonsecurity Functionality
SC-3(4) Module Coupling And Cohesiveness
SC-3(5) Layered Structures
SC-4 Information In Shared System Resources [MODERATE, HIGH]
SC-4(1) Security Levels
SC-4(2) Multilevel Or Periods Processing
SC-5 Denial-Of-Service Protection [LOW, MODERATE, HIGH]
SC-5(1) Restrict Ability To Attack Other Systems
SC-5(2) Capacity, Bandwidth, And Redundancy
SC-5(3) Detection And Monitoring
SC-6 Resource Availability
SC-7 Boundary Protection [LOW, MODERATE, HIGH]
SC-7(1) Physically Separated Subnetworks
SC-7(2) Public Access
SC-7(3) Access Points [MODERATE, HIGH]
SC-7(4) External Telecommunications Services [MODERATE, HIGH]
SC-7(5) Deny By Default -- Allow By Exception [MODERATE, HIGH]
SC-7(6) Response To Recognized Failures
SC-7(7) Split Tunneling For Remote Devices [MODERATE, HIGH]
SC-7(8) Route Traffic To Authenticated Proxy Servers [MODERATE, HIGH]
SC-7(9) Restrict Threatening Outgoing Communications Traffic
SC-7(10) Prevent Exfiltration
SC-7(11) Restrict Incoming Communications Traffic
SC-7(12) Host-Based Protection
SC-7(13) Isolation Of Security Tools, Mechanisms, And Support Components
SC-7(14) Protect Against Unauthorized Physical Connections
SC-7(15) Networked Privileged Accesses
SC-7(16) Prevent Discovery Of System Components
SC-7(17) Automated Enforcement Of Protocol Formats
SC-7(18) Fail Secure [HIGH]
SC-7(19) Block Communication From Non-Organizationally Configured Hosts
SC-7(20) Dynamic Isolation And Segregation
SC-7(21) Isolation Of System Components [HIGH]
SC-7(22) Separate Subnets For Connecting To Different Security Domains
SC-7(23) Disable Sender Feedback On Protocol Validation Failure
SC-7(24) Personally Identifiable Information [PRIVACY]
SC-7(25) Unclassified National Security System Connections
SC-7(26) Classified National Security System Connections
SC-7(27) Unclassified Non-National Security System Connections
SC-7(28) Connections To Public Networks
SC-7(29) Separate Subnets To Isolate Functions
SC-8 Transmission Confidentiality And Integrity [MODERATE, HIGH]
SC-8(1) Cryptographic Protection [MODERATE, HIGH]
SC-8(2) Pre- And Post-Transmission Handling
SC-8(3) Cryptographic Protection For Message Externals
SC-8(4) Conceal Or Randomize Communications
SC-8(5) Protected Distribution System
SC-9 Transmission Confidentiality
SC-10 Network Disconnect [MODERATE, HIGH]
SC-11 Trusted Path
SC-11(1) Irrefutable Communications Path
SC-12 Cryptographic Key Establishment And Management [LOW, MODERATE, HIGH]
SC-12(1) Availability [HIGH]
SC-12(2) Symmetric Keys
SC-12(3) Asymmetric Keys
SC-12(4) PKI Certificates
SC-12(5) PKI Certificates / Hardware Tokens
SC-12(6) Physical Control Of Keys
SC-13 Cryptographic Protection [LOW, MODERATE, HIGH]
SC-13(1) FIPS-Validated Cryptography
SC-13(2) NSA-Approved Cryptography
SC-13(3) Individuals Without Formal Access Approvals
SC-13(4) Digital Signatures
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices And Applications [LOW, MODERATE, HIGH]
SC-15(1) Physical Or Logical Disconnect
SC-15(2) Blocking Inbound And Outbound Communications Traffic
SC-15(3) Disabling And Removal In Secure Work Areas
SC-15(4) Explicitly Indicate Current Participants
SC-16 Transmission Of Security And Privacy Attributes
SC-16(1) Integrity Verification
SC-16(2) Anti-Spoofing Mechanisms
SC-16(3) Cryptographic Binding
SC-17 Public Key Infrastructure Certificates [MODERATE, HIGH]
SC-18 Mobile Code [MODERATE, HIGH]
SC-18(1) Identify Unacceptable Code And Take Corrective Actions
SC-18(2) Acquisition, Development, And Use
SC-18(3) Prevent Downloading And Execution
SC-18(4) Prevent Automatic Execution
SC-18(5) Allow Execution Only In Confined Environments
SC-19 Voice Over Internet Protocol
SC-20 Secure Name/Address Resolution Service (Authoritative Source) [LOW, MODERATE, HIGH]
SC-20(1) Child Subspaces
SC-20(2) Data Origin And Integrity
SC-21 Secure Name/Address Resolution Service (Recursive Or Caching Resolver) [LOW, MODERATE, HIGH]
SC-21(1) Data Origin And Integrity
SC-22 Architecture And Provisioning For Name/Address Resolution Service [LOW, MODERATE, HIGH]
SC-23 Session Authenticity [MODERATE, HIGH]
SC-23(1) Invalidate Session Identifiers At Logout
SC-23(2) User-Initiated Logouts And Message Displays
SC-23(3) Unique System-Generated Session Identifiers
SC-23(4) Unique Session Identifiers With Randomization
SC-23(5) Allowed Certificate Authorities
SC-24 Fail In Known State [HIGH]
SC-25 Thin Nodes
SC-26 Decoys
SC-26(1) Detection Of Malicious Code
SC-27 Platform-Independent Applications
SC-28 Protection Of Information At Rest [MODERATE, HIGH]
SC-28(1) Cryptographic Protection [MODERATE, HIGH]
SC-28(2) Offline Storage
SC-28(3) Cryptographic Keys
SC-29 Heterogeneity
SC-29(1) Virtualization Techniques
SC-30 Concealment And Misdirection
SC-30(1) Virtualization Techniques
SC-30(2) Randomness
SC-30(3) Change Processing And Storage Locations
SC-30(4) Misleading Information
SC-30(5) Concealment Of System Components
SC-31 Covert Channel Analysis
SC-31(1) Test Covert Channels For Exploitability
SC-31(2) Maximum Bandwidth
SC-31(3) Measure Bandwidth In Operational Environments
SC-32 System Partitioning
SC-32(1) Separate Physical Domains For Privileged Functions
SC-33 Transmission Preparation Integrity
SC-34 Non-Modifiable Executable Programs
SC-34(1) No Writable Storage
SC-34(2) Integrity Protection On Read-Only Media
SC-34(3) Hardware-Based Protection
SC-35 External Malicious Code Identification
SC-36 Distributed Processing And Storage
SC-36(1) Polling Techniques
SC-36(2) Synchronization
SC-37 Out-Of-Band Channels
SC-37(1) Ensure Delivery And Transmission
SC-38 Operations Security
SC-39 Process Isolation [LOW, MODERATE, HIGH]
SC-39(1) Hardware Separation
SC-39(2) Separate Execution Domain Per Thread
SC-40 Wireless Link Protection
SC-40(1) Electromagnetic Interference
SC-40(2) Reduce Detection Potential
SC-40(3) Imitative Or Manipulative Communications Deception
SC-40(4) Signal Parameter Identification
SC-41 Port And I/O Device Access
SC-42 Sensor Capability And Data
SC-42(1) Reporting To Authorized Individuals Or Roles
SC-42(2) Authorized Use
SC-42(3) Prohibit Use Of Devices
SC-42(4) Notice Of Collection
SC-42(5) Collection Minimization
SC-43 Usage Restrictions
SC-44 Detonation Chambers
SC-45 System Time Synchronization
SC-45(1) Synchronization With Authoritative Time Source
SC-45(2) Secondary Authoritative Time Source
SC-46 Cross Domain Policy Enforcement
SC-47 Alternate Communications Paths
SC-48 Sensor Relocation
SC-48(1) Dynamic Relocation Of Sensors Or Monitoring Capabilities
SC-49 Hardware-Enforced Separation And Policy Enforcement
SC-50 Software-Enforced Separation And Policy Enforcement
SC-51 Hardware-Based Protection