myctrl.tools
Compare

SC-37Out-Of-Band Channels

>Control Description

Employ the following out-of-band channels for the physical delivery or electronic transmission of organization-defined information, system components, or devices to organization-defined individuals or systems: organization-defined out-of-band channels.

>Control Enhancements(1)

SC-37(1)

>Cross-Framework Mappings

SCF

NET-11
Compare

>Supplemental Guidance

Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic.

Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.

For example, cryptographic keys for encrypted files are delivered using a different channel than the file.

>Related Controls

AC-2
CM-3
CM-5
CM-7
IA-2
IA-4
IA-5
MA-4
SC-12
SI-3
SI-4
SI-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of out-of-band channels?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-37?
  • What is your cryptographic key management policy?

Technical Implementation:

  • How is out-of-band channels technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that out-of-band channels remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?
  • What encryption mechanisms and algorithms are used to protect data?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-37?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
  • Can you demonstrate that FIPS 140-2 validated cryptography is used?

Ask AI

Configure your API key to use AI features.