BRACKETOLOGY | FEDRAMP
SC-5: DENIAL OF SERVICE PROTECTION
FedRAMP Baseline Membership SC-5:
Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH
Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.
Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.
To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open
Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or references to sources for such information] by employing [Assignment: organization-defined security safeguards].
Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.
There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect information system components on internal organizational networks from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.
RELATED CONTROLS: SC-5
SC-5 (1) DENIAL OF SERVICE PROTECTION | RESTRICT INTERNAL USERS
The information system restricts the ability of individuals to launch [Assignment: organization-defined denial of service attacks] against other information systems.
Restricting the ability of individuals to launch denial of service attacks requires that the mechanisms used for such attacks are unavailable. Individuals of concern can include, for example, hostile insiders or external adversaries that have successfully breached the information system and are using the system as a platform to launch cyber attacks on third parties. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., network, wireless spectrum). Organizations can also limit the ability of individuals to use excessive information system resources. Protection against individuals having the ability to launch denial of service attacks may be implemented on specific information systems or on boundary devices prohibiting egress to potential target systems.
SC-5 (2) DENIAL OF SERVICE PROTECTION | EXCESS CAPACITY / BANDWIDTH / REDUNDANCY
The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding denial of service attacks.
Managing excess capacity ensures that sufficient capacity is available to counter flooding attacks. Managing excess capacity may include, for example, establishing selected usage priorities, quotas, or partitioning.
SC-5 (3) DENIAL OF SERVICE PROTECTION | DETECTION/MONITORING
- (a) Employs [Assignment: organization-defined monitoring tools] to detect indicators of denial of service attacks against the information system; and
- (b) Monitors [Assignment: organization-defined information system resources] to determine if sufficient resources exist to prevent effective denial of service attacks.
Organizations consider utilization and capacity of information system resources when managing risk from denial of service due to malicious attacks. Denial of service attacks can originate from external or internal sources. Information system resources sensitive to denial of service include, for example, physical disk storage, memory, and CPU cycles. Common safeguards to prevent denial of service attacks related to storage utilization and capacity include, for example, instituting disk quotas, configuring information systems to automatically alert administrators when specific storage capacity thresholds are reached, using file compression technologies to maximize available storage space, and imposing separate partitions for system and user data.
RELATED CONTROLS: SC-5 (3)
- NO REFERENCES