ARTIFACTS
SC: SYSTEM & COMMUNICATIONS PROTECTION
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for System & Communications Protection (SC); and documents that are widely used in the assessment of controls and control enhancements in the System & Communications Protection (SC) family. Policy and Procedure documents from control families are in CAPS and identified with their two letter code.
CORE ARTIFACTS
Security Authorization Package Documents:
ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)

WIDELY USED ARTIFACTS FOR SYSTEM AND COMMUNICATIONS PROTECTION (SC)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
System & Communications Protection policy
Information system design documentation
Information system configuration settings and associated documentation
Information system audit records
Policy & Procedures
Here you'll find a catalog of System & Communications Protection (SC) related policies and procedures for protecting the systems and communications of your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
POLICIES & PROCEDURES | APPLICABLE CONTROL(S) |
ACCESS CONTROL POLICY & PROCEDURES (AC) | SC-15 SC-15 (1) SC-15 (3) SC-15 (4) SC-16 SC-16 (1) SC-22 SC-37 SC-37 (1) SC-40 SC-40 (1) SC-40 (2) SC-40 (3) SC-40 (4) SC-41 SC-42 SC-42 (1) SC-42 (2) SC-42 (3) |
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) | SC-29 (1) SC-30 (3) SC-30 (4) SC-30 (5) |
CONTINGENCY PLANNING POLICY & PROCEDURES (CP) | SC-36 |
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA) | SC-37 SC-37 (1) |
Implementation policy & procedures | SC-43 |
Information flow control policy | SC-7 (4) |
Mobile code implementation policy & procedures | SC-18 SC-18 (1) SC-18 (2) SC-18 (3) SC-18 (4) |
Mobile code usage restrictions, mobile code implementation policy & procedures | SC-18 SC-18 (1) SC-18 (2) SC-18 (3) |
Procedures addressing application partitioning | SC-2 SC-2 (1) |
Procedures addressing architecture and provisioning for name/address resolution service | SC-22 |
Procedures addressing boundary protection | SC-7 SC-7 (3) SC-7 (4) SC-7 (5) SC-7 (7) SC-7 (8) SC-7 (9) SC-7 (10) SC-7 (11) SC-7 (12) SC-7 (13) SC-7 (14) SC-7 (15) SC-7 (16) SC-7 (17) SC-7 (18) SC-7 (19) SC-7 (20) SC-7 (21) SC-7 (22) SC-7 (23) |
Procedures addressing collaborative computing | SC-15 SC-15 (1) SC-15 (3) SC-15 (4) |
Procedures addressing concealment and misdirection techniques for the information system | SC-30 SC-30 (2) SC-30 (3) SC-30 (4) SC-30 (5) |
Procedures addressing covert channel analysis | SC-31 SC-31 (1) SC-31 (2) SC-31 (3) |
Procedures addressing cryptographic key establishment and management | SC-12 SC-12 (2) SC-12 (3) |
Procedures addressing cryptographic key establishment, management, and recovery | SC-12 (1) |
Procedures addressing cryptographic protection | SC-13 |
Procedures addressing denial of service protection | SC-5 SC-5 (1) SC-5 (2) SC-5 (3) |
Procedures addressing detonation chambers | SC-44 |
Procedures addressing firmware modifications | SC-34 (3) |
Procedures addressing honeyclients | SC-35 |
Procedures addressing information protection in shared system resources | SC-4 SC-4 (2) |
Procedures addressing information system design documentation | SC-40 (3) SC-40 (4) |
Procedures addressing information system failure to known state | SC-24 |
Procedures addressing information system partitioning | SC-32 |
Procedures addressing mobile code | SC-18 SC-18 (1) SC-18 (2) SC-18 (3) SC-18 (4) SC-18 (5) |
Procedures addressing network disconnect | SC-10 |
Procedures addressing non-modifiable executable programs | SC-34 SC-34 (1) SC-34 (2) |
Procedures addressing operations security | SC-38 |
Procedures addressing platform-independent applications | SC-27 |
Procedures addressing port and input/output device access | SC-41 |
Procedures addressing prioritization of information system resources | SC-6 |
Procedures addressing protection of information at rest | SC-28 SC-28 (1) SC-28 (2) |
Procedures addressing public key infrastructure certificates | SC-17 |
Procedures addressing secure name/address resolution service (authoritative source) | SC-20 SC-20 (2) |
Procedures addressing secure name/address resolution service (recursive or caching resolver) | SC-21 |
Procedures addressing security function isolation | SC-3 SC-3 (1) SC-3 (2) SC-3 (3) SC-3 (4) SC-3 (5) |
Procedures addressing sensor capability and data collection | SC-42 SC-42 (1) SC-42 (3) |
Procedures addressing session authenticity | SC-23 SC-23 (1) SC-23 (3) SC-23 (5) |
Procedures addressing transmission confidentiality and integrity | SC-8 SC-8 (1) SC-8 (2) SC-8 (3) SC-8 (4) |
Procedures addressing transmission of security attributes | SC-16 SC-16 (1) |
Procedures addressing trusted communications paths | SC-11 SC-11 (1) |
Procedures addressing usage restrictions | SC-43 |
Procedures addressing use of honeypots | SC-26 |
Procedures addressing use of out-of-band channels | SC-37 SC-37 (1) |
Procedures addressing use of thin nodes | SC-25 |
Procedures addressing VoIP | SC-19 |
Procedures addressing wireless link protection | SC-40 SC-40 (1) SC-40 (2) |
Public key certificate policy or policies | SC-17 |
Evidence, Records & Artifacts
Here you'll find a catalog of System & Communications Protection (SC) related evidence, records, and artifacts for demonstrating protection of the systems and communications of your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
ARTIFACT | APPLICABLE CONTROL(S) |
Acquisition contracts for information system components or services | SC-29 |
Acquisition contracts for information system, system component, or information system service | SC-18 (2) |
Acquisition contracts for information systems or services | SC-31 (2) |
Acquisition documentation | SC-18 (2) SC-29 SC-31 (2) |
Assessment results from independent testing organizations | SC-11 SC-11 (1) SC-22 |
Audit logs | SC-7 (15) |
Authorization records | SC-18 SC-43 |
Boundary protection hardware and software | SC-7 SC-7 (3) SC-7 (4) SC-7 (12) |
Change control records | SC-29 (1) SC-30 (3) |
Communications and network traffic monitoring logs | SC-7 (3) |
Configuration management records | SC-29 (1) SC-30 (3) |
Covert channel analysis documentation | SC-31 SC-31 (1) SC-31 (2) SC-31 (3) |
Cryptographic mechanisms | SC-12 |
Cryptographic mechanisms and associated configuration documentation | SC-28 SC-28 (1) SC-28 (2) |
Cryptographic module validation certificates | SC-13 |
Electronic transmission records | SC-37 |
Enterprise architecture documentation | SC-7 (21) |
Enterprise security architecture documentation | SC-7 |
Facilities, areas, or systems where use of devices possessing environmental sensing capabilities is prohibited | SC-42 (3) |
Facility communications and wiring diagram | SC-7 (14) |
Hardware separation mechanisms | SC-3 (1) |
Independent verification and validation documentation | SC-39 SC-39 (1) SC-39 (2) |
Information system architecture and configuration documentation | SC-7 (3) SC-7 (4) |
Information system communications hardware and software | SC-40 (1) SC-40 (2) SC-40 (3) SC-40 (4) |
Information system components deployed to identify malicious websites and/or web-based malicious code | SC-35 |
Information system documentation for hardware separation mechanisms | SC-39 (1) |
Information system documentation for multi-threaded processing | SC-39 (2) |
Information system documentation from vendors, manufacturers or developers | SC-39 (1) SC-39 (2) |
Information system facility diagrams | SC-32 SC-36 |
Information system hardware and software | SC-7 (7) SC-7 (8) SC-7 (9) SC-7 (13) SC-7 (14) SC-7 (15) SC-7 (16) SC-7 (19) SC-7 (20) SC-7 (21) SC-7 (22) SC-7 (23) |
Information system monitoring records | SC-18 SC-18 (1) SC-19 SC-43 |
Information system monitoring tools and techniques documentation | SC-5 (3) |
Information system network diagrams | SC-32 |
Information system polling techniques and associated documentation or records | SC-36 (1) |
Information system security architecture | SC-7 (4) |
Information systems or information system components in secured work areas where collaborative computing devices are to be disabled or removed | SC-15 (3) |
Information systems or information system components list of connection ports or input/output devices to be physically disabled or removed on information systems or information system components | SC-41 |
Media used to load and execute information system applications | SC-34 |
Media used to load and execute information system operating environment | SC-34 |
Mobile code requirements | SC-18 (2) |
Mobile code usage allowances | SC-18 (5) |
Mobile code usage restrictions | SC-18 (4) SC-18 (5) |
Off-line storage locations for information at rest | SC-28 (2) |
Physical delivery records | SC-37 |
Plans of action and milestones | SC-38 |
Processing site agreements | SC-36 |
Public key issuing process | SC-17 |
Records of traffic flow policy exceptions | SC-7 (4) |
Risk assessments | SC-38 |
Security categorization results | SC-40 (1) SC-40 (2) |
Security control assessments | SC-38 |
Sensor capability and data collection | SC-42 (2) |
State information to be preserved in system failure | SC-24 |
Storage site agreements | SC-36 |
System development life cycle documentation | SC-18 (2) SC-38 |
Testing and evaluation documentation | SC-39 |
Threat and vulnerability assessments | SC-38 |
Traffic flow policy | SC-7 (4) |
Types of information, information system components, or devices requiring use of out-of-band channels for physical delivery or electronic transmission to authorized individuals or information systems | SC-37 |
Usage restrictions | SC-43 |
VoIP implementation guidance | SC-19 |
VoIP usage restrictions | SC-19 |
Wireless network diagrams | SC-40 SC-40 (1) SC-40 (2) SC-40 (3) SC-40 (4) SC-42 (3) |
System & Communications Protection (SC) Related Lists
These are the System & Communications Protection (SC) related lists you may need to support your security program. For the lists applicable to your systems and information supply chain you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained; and how to get them when you have an incident, an incident investigation, or an audit.
LIST | APPLICABLE CONTROL(S) |
List of acceptable mobile code and mobile code technologies | SC-18 |
List of actions required before execution of mobile code | SC-18 (4) |
List of applications to be loaded from hardware-enforced, read-only media | SC-34 |
List of approved PKI Class 3 and Class 4 certificates | SC-12 (3) |
List of certificate authorities allowed for verification of the establishment of protected sessions | SC-23 (5) |
List of communication clients independently configured by end users and external service providers | SC-7 (19) |
List of concealment and misdirection techniques to be employed for organizational information systems | SC-30 |
List of confined virtual machine environments for which execution of organizationally-acceptable mobile code is allowed | SC-18 (5) |
List of corrective actions to be taken when unacceptable mobile code is identified | SC-18 (1) |
List of covert channels | SC-31 (1) |
List of critical security functions | SC-3 (2) |
List of denial of service attacks launched by individuals against information systems | SC-5 (1) |
List of denial of services attacks requiring employment of security safeguards to protect against or limit effects of such attacks | SC-5 |
List of devices possessing environmental sensing capabilities | SC-42 (3) |
List of distributed processing and storage components subject to polling | SC-36 (1) |
List of failures requiring information system to fail in a known state | SC-24 |
List of FIPS validated cryptographic modules | SC-13 |
List of FIPS validated cryptographic products | SC-12 (2) |
List of information at rest requiring confidentiality and integrity protections | SC-28 |
List of information system components to be dynamically isolated/segregated from other components of the system | SC-7 (20) |
List of information system components to be employed without writeable storage capability | SC-34 (1) |
List of information system components to be hidden or concealed | SC-30 (5) |
List of information system execution domains for each thread in multi-threaded processing | SC-39 (2) |
List of information system physical domains (or environments) | SC-32 |
List of information system physical locations (or environments) with distributed processing and storage | SC-36 |
List of information, information system components, or devices to be delivered to designated individuals or information systems | SC-37 (1) |
List of key internal boundaries of the information system | SC-7 |
List of measures to be employed to ensure data or information collected by sensors is only used for authorized purposes | SC-42 (2) |
List of NSA-approved cryptographic products | SC-12 (2) SC-12 (3) |
List of operating system components to be loaded from hardware-enforced, read-only media | SC-34 |
List of operating systems and applications deployed using virtualization techniques | SC-29 (1) |
List of operations security safeguards | SC-38 |
List of out-of-band channels | SC-37 |
List of platform-independent applications | SC-27 |
List of processing/storage locations to be changed at organizational time intervals | SC-30 (3) |
List of secure work areas | SC-15 (3) |
List of security functions to be isolated from nonsecurity functions | SC-3 |
List of security safeguards for delivering designated information, information system components, or devices to designated individuals or information systems | SC-37 (1) |
List of security safeguards protecting against or limiting the effects of denial of service attacks | SC-5 |
List of security safeguards to be employed to ensure designated individuals or information systems receive organization-defined information, information system components, or devices | SC-37 (1) |
List of security tools and support components to be isolated from other internal information system components | SC-7 (13) |
List of signal parameter attacks or references to sources for attacks | SC-40 |
List of software applications for which automatic execution of mobile code must be prohibited | SC-18 (4) |
List of techniques employed to hide or conceal information system components | SC-30 (5) |
List of techniques to be employed to introduce randomness into organizational operations and assets | SC-30 (2) |
List of technologies deployed in the information system | SC-29 |
List of types of meetings and teleconferences requiring explicit indication of current participants | SC-15 (4) |
List of unacceptable mobile code | SC-18 (1) |
List of unacceptable mobile code and mobile technologies | SC-18 |
List of internal and external wireless links | SC-40 |