The RMF Control Family SC, System and Communications Protection, addresses the need for organizations to protect their systems and communications from unauthorized access, use, disclosure, disruption, modification, or destruction.
Why is the SC Control Family Important?
The SC Control Family is important because it helps organizations to:
- Protect their systems and communications from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Maintain the confidentiality, integrity, and availability of their systems and communications.
- Comply with applicable laws and regulations.
Key Controls in the SC Security Control Family
The following are some of the key controls in the SC Security Control Family:
- SC-1: Policy and Procedures: This control requires organizations to develop and implement a system and communications protection policy and procedures.
- SC-2: Application Partitioning: This control requires organizations to partition applications to prevent unauthorized access to data and resources.
- SC-3: Security Function Isolation: This control requires organizations to isolate security functions to prevent unauthorized access to those functions.
- SC-4: Information in Shared Resources: This control requires organizations to protect information in shared resources from unauthorized access, use, disclosure, disruption, modification, or destruction.
- SC-5: Denial of Service Protection: This control requires organizations to protect their systems and communications from denial of service attacks.
- SC-6: Resource Availability: This control requires organizations to ensure that their systems and communications have adequate resources to meet mission requirements.
- SC-7: Boundary Protection: This control requires organizations to protect the boundaries of their systems and communications from unauthorized access.
- SC-8: Transmission Confidentiality and Integrity: This control requires organizations to protect the confidentiality and integrity of data transmitted over networks.
- SC-9: Transmission Confidentiality: This control requires organizations to protect the confidentiality of data transmitted over networks.
- SC-10: Network Disconnect: This control requires organizations to have the ability to disconnect their systems and networks from the Internet and other external networks.
- SC-11: Trusted Path: This control requires organizations to provide a trusted path for users to access systems and networks.
- SC-12: Cryptographic Key Establishment and Management: This control requires organizations to establish and manage cryptographic keys in a secure manner.
- SC-13: Cryptographic Protection: This control requires organizations to use cryptography to protect sensitive data.
- SC-14: Public Access Protections: This control requires organizations to protect public access systems and networks from unauthorized access.
- SC-15: Collaborative Computing Devices: This control requires organizations to protect collaborative computing devices from unauthorized access and use.
- SC-16: Transmission of Security Attributes: This control requires organizations to transmit security attributes with data to ensure that the data is protected appropriately.
- SC-17: Public Key Infrastructure Certificates: This control requires organizations to use public key infrastructure (PKI) certificates to authenticate users and systems.
- SC-18: Mobile Code: This control requires organizations to protect systems and networks from mobile code.
By implementing the SC Control Family, organizations can help to protect their systems and communications from a wide range of threats.
Tips for Implementing the SC Control Family
Here are some tips for implementing the SC Control Family:
- Start by developing a system and communications protection policy and procedures. This policy should define the roles and responsibilities for system and communications protection, and the process for protecting systems and communications.
- Conduct a risk assessment to identify and assess the risks to your systems and communications. Once you have identified the risks, you can select and implement appropriate security controls to mitigate those risks.
- Monitor your systems and communications for unauthorized activity. This will help you to detect security incidents early and to take steps to respond to those incidents.
- Test your security controls on a regular basis to ensure that they are effective.
- Update your security controls as needed to address new threats and vulnerabilities