OVERVIEW (SC-1)

The purpose of this policy is to define information security controls around system and communications protection.

DENIAL OF SERVICE PROTECTION (SC-2)

Only FedRAMP accredited hosting partners are used. Hosting partners must have an IDS (Intrusion Detection System) in place to continuously monitor for various threats including DoS (Denial of Service).

BOUNDARY PROTECTION (SC-3)

Only FedRAMP accredited hosting partners are used. Hosting partners must have boundary protection mechanisms in place (e.g. perimeter firewalls) to block invalid, malicious or suspicious traffic. See Network diagram for details.

CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT (SC-12)

Only industry standard cryptographic methods (Reference NIST SP 800-57 guidelines) are to be used with our applications. Encryption at rest and in transit shall only use FIPS or NSA approved cryptographic methods. FIPS validated encryption modules will be used wherever possible within our code base.

Reference Development Methodology for additional information.

CRYPTOGRAPHIC PROTECTION (SC-13)

Cryptographic keys shall be stored securely using a key vault (provided by FedRAMP accredited hosting partner). (POAM-001)

COLLABORATIVE COMPUTING DEVICES (SC-15)

When collaborative computing devices are used (for example, screen share or webcams), users must be trained to protect sensitive information. Reference Information Security Training for additional information.

SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) (SC-20)

Company shall never provide any DNS services to customers or employees. DNS services are managed by hosting providers with resilient/secure infrastructure (Reference OMB Memorandum 08-23; NIST Special Publication 800-81).

SECURE NAME/ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER) (SC-21)

Company shall never provide any DNS services to customers or employees. DNS services are managed by hosting providers with resilient/secure infrastructure (Reference OMB Memorandum 08-23; NIST Special Publication 800-81).

ARCHITECTURE AND PROVISIONING FOR NAME/ADDRESS RESOLUTION SERVICE (SC-22)

Company shall never provide any DNS services to customers or employees. DNS services are managed by hosting providers with resilient/secure infrastructure (Reference OMB Memorandum 08-23; NIST Special Publication 800-81).

PROCESS ISOLATION (SC-39)

No technologies that allow one process to directly modify another process shall be used in any system. All interprocess communication shall be performed in a manner controlled through the security functions. Reference Development Methodology for additional information.

For any new or existing information systems used, we will evaluate the underlying technology to determine if vulnerabilities associated with process isolation pose a security risk.

AUDIT

Reference System and Information Integrity Policy Audit for Process Isolation control.

  • Annual Management Review (MR002) includes review of this policy.

Revision 1.0.0 - last updated January 19, 2020