NIST 800-171 | SYSTEM AND COMMUNICATIONS PROTECTION
Communications protection is about controlling the flow of information and protecting it while it flows. Like everything else in NIST guidance, it requires experience and interpretation. NIST often refers to "communication control points", meaning network infrastructure such as routers, switches, firewalls, and IDSes.
Communications protection also extends beyond the network to the software normally installed on any computer (server OS and/or desktops). The requirements mention "separating the user from management"; this essentially means separating administration-level privileges from those of a normal user in all software, including server OSes, desktops, and even network OSes such as Cisco IOS. For example, Cisco refers to this concept as the "user plane".
Family Name: System and Communications Protection
3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Boundary components include:
Network-based malicious code analysis
Encrypted tunnels implemented within a system security architecture.
Restrict external web traffic to designated web servers within managed interfaces and prohibit external traffic that appears to be spoofing internal addresses.
NIST Special Publication 800-41 provides guidance on firewalls and firewall policy.
NIST Special Publication 800-125 provides guidance on security for virtualization technologies.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades.
For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible.
Establishing security policies, architecture, and controls as the foundation for design
Incorporating security requirements into the system development life cycle
Delineating physical and logical security boundaries
Ensuring that developers are trained on how to build secure software
Performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk
NIST Special Publication 800-160 provides guidance on systems security engineering.
3.13.3 Separate user functionality from information system management functionality.
The separation of user functionality from system management functionality is physical or logical.
Organizations can implement separation of system management functionality from user functionality by:
Using different computers
Different central processing units
Different instances of operating systems
Different network addresses, virtualization techniques, combinations of these or other methods
Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
This prevents information produced by the actions of prior users or roles from being available to any current users or roles that obtain access to shared system resources
This requirement also applies to encrypted representations of information.
The control of information in shared system resources is also commonly referred to as object reuse and residual information protection.
3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs.
DMZs are typically implemented with boundary control devices and techniques.
NIST Special Publication 800-41 provides guidance on firewalls and firewall policy.
NIST Special Publication 800-125 provides guidance on security for virtualization technologies.
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
This requirement applies to inbound and outbound network communications traffic, both at the system boundary and at identified points within the system.
A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
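The following is an added example, not part of the NIST text or this page's original content. It shows how 3.13.1, 3.13.5 and 3.13.6 fit together at an external boundary: a policy evaluator that denies every flow by default, permits only a short list of approved exceptions (external web traffic to a designated DMZ web server, DNS to an approved resolver, HTTPS to an approved external range), drops inbound packets that claim an internal source address, and logs every denial for monitoring. The address plan, rule set and sample flows are constructed (RFC 5737 documentation ranges), and the flow/rule shapes are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (RFC 5737 documentation ranges, not a real network).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DMZ_WEB_SERVER = "203.0.113.10/32"      # designated public web server in the DMZ
APPROVED_RESOLVER = "198.51.100.53/32"  # approved external DNS resolver
APPROVED_SAAS = "198.51.100.0/24"       # approved external HTTPS destination range


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = arriving from the external network, "out" = leaving it
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AllowRule:
    """One approved exception to the default-deny policy."""
    direction: str
    proto: str
    dst_net: str
    dports: tuple
    reason: str

    def matches(self, flow, dst):
        return (flow.direction == self.direction
                and flow.proto == self.proto
                and flow.dport in self.dports
                and dst in ipaddress.ip_network(self.dst_net))


# The exception list is the only way traffic gets through; everything else is denied.
ALLOW_RULES = [
    AllowRule("in", "tcp", DMZ_WEB_SERVER, (80, 443),
              "external web traffic to designated DMZ web server"),
    AllowRule("out", "udp", APPROVED_RESOLVER, (53,), "DNS to approved resolver"),
    AllowRule("out", "tcp", APPROVED_SAAS, (443,), "HTTPS to approved external service range"),
]


def evaluate(flow):
    """Return (decision, reason) for one flow seen at the external boundary."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Anti-spoofing: a packet arriving from outside must never claim an internal source.
    if flow.direction == "in" and any(src in net for net in INTERNAL_NETS):
        return "deny", "inbound packet spoofing an internal source address"
    for rule in ALLOW_RULES:
        if rule.matches(flow, dst):
            return "allow", rule.reason
    return "deny", "no matching exception (default deny)"


def evaluate_all(flows):
    """Evaluate flows; return the decisions and a log of denials for boundary monitoring."""
    decisions, denied_log = [], []
    for f in flows:
        decision, reason = evaluate(f)
        decisions.append(decision)
        if decision == "deny":
            denied_log.append(f"DENY {f.direction} {f.proto} {f.src}->{f.dst}:{f.dport} ({reason})")
    return decisions, denied_log


# Constructed sample flows; the expected decision is in each comment.
SAMPLE_FLOWS = [
    Flow("in", "tcp", "198.51.100.7", "203.0.113.10", 443),   # allow: web to DMZ server
    Flow("in", "tcp", "198.51.100.7", "203.0.113.10", 22),    # deny: SSH is not an exception
    Flow("in", "tcp", "10.1.2.3", "203.0.113.10", 443),       # deny: spoofed internal source
    Flow("out", "udp", "10.0.0.5", "198.51.100.53", 53),      # allow: approved resolver
    Flow("out", "tcp", "10.0.0.5", "192.0.2.9", 25),          # deny: SMTP to unapproved host
]

if __name__ == "__main__":
    decisions, log = evaluate_all(SAMPLE_FLOWS)
    for flow, decision in zip(SAMPLE_FLOWS, decisions):
        print(decision, flow)
    print("\n".join(log))
```

The order of the two checks matters: the anti-spoofing test runs before the exception list so that a spoofed packet can never be rescued by a rule that happens to match its destination and port. A real boundary device would also evaluate the same policy on the internal interface, which is the "identified points within the system" part of 3.13.6.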
3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
This requirement is implemented in remote devices through configuration settings to:
Disable split tunneling in those devices
Prevent configuration settings from being readily configurable by users.
Split tunneling might be desirable to remote users for communicating with local system resources.
However, split tunneling would allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
This requirement applies to internal and external networks and any system components that can transmit information.
Communication paths outside the physical protection of a controlled boundary are susceptible to interception and modification.
An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Terminating network connections associated with communications sessions includes:
De-allocating associated TCP/IP address or port pairs at the operating system level
De-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.
Time periods of user inactivity may be established by organizations.
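As an added illustration of 3.13.9 (not code from NIST or from this page), the table below tracks live sessions, records activity, terminates a session at its normal end, and reaps sessions that have exceeded an organization-defined idle period. Termination closes the underlying socket, which is the operating-system-level de-allocation the requirement describes. The sessions are constructed with socketpair() so the example runs offline, and the clock is injectable so the idle timeout can be exercised without waiting; the class and method names are assumptions for the example.

```python
import socket
import time


class SessionTable:
    """Tracks live sessions and closes their OS-level connections on end or idle timeout."""

    def __init__(self, idle_timeout, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # seconds of inactivity allowed (organization-defined)
        self.clock = clock                 # injectable for deterministic testing
        self._sessions = {}                # session id -> [socket, last_activity]

    def open(self, sid, sock):
        self._sessions[sid] = [sock, self.clock()]

    def activity(self, sid):
        """Record traffic on a session so its idle clock restarts."""
        self._sessions[sid][1] = self.clock()

    def end(self, sid):
        """Terminate a session: shut down and close the socket, drop the table entry."""
        sock, _ = self._sessions.pop(sid)
        try:
            sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass  # peer already gone; close() below still releases the descriptor
        sock.close()

    def reap_idle(self):
        """Terminate every session idle longer than idle_timeout; return their ids."""
        now = self.clock()
        expired = [sid for sid, (_, last) in self._sessions.items()
                   if now - last > self.idle_timeout]
        for sid in expired:
            self.end(sid)
        return expired

    def is_open(self, sid):
        return sid in self._sessions


def demo():
    """Drive the table with a fake clock; return (reaped ids, whether only the idle socket was released)."""
    fake_now = [0.0]
    table = SessionTable(idle_timeout=300, clock=lambda: fake_now[0])
    a, a_peer = socket.socketpair()   # stands in for an accepted connection (constructed)
    b, b_peer = socket.socketpair()
    table.open("sess-a", a)
    table.open("sess-b", b)
    fake_now[0] = 200.0
    table.activity("sess-b")          # sess-b stays active, sess-a goes quiet
    fake_now[0] = 301.0               # sess-a idle for 301 s, sess-b idle for 101 s
    reaped = table.reap_idle()
    # A closed Python socket reports fileno() == -1: the descriptor has been released.
    released = a.fileno() == -1 and b.fileno() != -1
    table.end("sess-b")               # normal end of session
    for s in (a_peer, b_peer):
        s.close()
    return reaped, released


if __name__ == "__main__":
    print(demo())
```

The idle check uses a strict comparison against the configured period, so a session is only reaped once it has been quiet for longer than the organization's defined inactivity window; the application-level bookkeeping (the table entry) and the OS-level resource (the socket) are released together so neither outlives the session.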
3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system.
Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures.
Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores.
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
The Federal Information Processing Standards, or simply FIPS, are a set of publications; FIPS Publication 140-2 (FIPS PUB 140-2) is the government security standard used for all cryptography. CUI and all government data need to be encrypted using algorithms that are FIPS-approved.
NIST maintains the list of all FIPS-approved software modules through its Cryptographic Module Validation Program (CMVP).
Vendors must submit their software to a lab for it to be certified as a FIPS-approved software package.
When complying with DFARS, CMMC, NIST 800-171 and FedRAMP, ISSOs and security officers must check all software that uses cryptography to ensure the algorithms are certified and approved through the FIPS validation program.
This includes any encryption, such as database encryption at rest and HTTPS for data in transit, and even the hashing modules used within the software for basic tasks such as random number generation.
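As an added example for 3.13.8 and 3.13.11 (not taken from NIST or this page), the code below builds a TLS client context with Python's standard ssl module that requires certificate verification and TLS 1.2 or newer, restricts the TLS 1.2 suites to ECDHE key agreement with AES-GCM and SHA-2, and then audits the suites the context would actually offer against a list of markers for algorithms that are not FIPS-approved. The marker list and the audit function are this example's own policy approximation, not NIST's authoritative list, and the audit only proves the algorithm selection; it cannot show that the underlying OpenSSL build is a CMVP-validated module, which remains a separate check.

```python
import ssl

# Markers for algorithms that are not FIPS-approved (constructed policy list for this example;
# the authoritative source is NIST's CMVP and SP 800-131A guidance).
NON_APPROVED_MARKERS = ("RC4", "MD5", "DES", "3DES", "CHACHA20", "NULL", "EXPORT",
                        "RC2", "IDEA", "SEED", "CAMELLIA", "ARIA")


def classify_ciphers(names):
    """Split cipher suite names into (approved, rejected) using the marker list."""
    approved, rejected = [], []
    for name in names:
        bucket = rejected if any(m in name.upper() for m in NON_APPROVED_MARKERS) else approved
        bucket.append(name)
    return approved, rejected


def build_context(cafile=None):
    """Client context: TLS 1.2+, mandatory certificate and hostname checks, AES-GCM suites only."""
    # cafile would point at the organization's managed trust store of approved anchors (3.13.10);
    # None falls back to the platform's default trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # TLS 1.2 suites: ECDHE key agreement, AES-GCM, SHA-2; anonymous, null and legacy suites excluded.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx):
    """Return (approved, rejected) for the suites this context would still offer."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return classify_ciphers(names)


def policy_violations(ctx):
    """Return a list of human-readable findings; an empty list means the context passes the policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification is not mandatory")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    _, rejected = audit_context(ctx)
    findings.extend(f"non-approved cipher suite offered: {name}" for name in rejected)
    return findings


if __name__ == "__main__":
    context = build_context()
    approved, rejected = audit_context(context)
    print("approved:", approved)
    print("rejected:", rejected)
    print("findings:", policy_violations(context))
```

Running this on a typical OpenSSL 1.1.1 or 3.x build is instructive: the TLS 1.2 list comes out clean, but the audit may still flag TLS_CHACHA20_POLY1305_SHA256, because Python's ssl module exposes no API for selecting TLS 1.3 ciphersuites. Those have to be constrained at the OpenSSL configuration level (the Ciphersuites directive) or by running with a FIPS provider, which is exactly the kind of gap the officer's check in the text is meant to catch.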
3.13.12 Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to users present at the device.
Collaborative computing devices include networked white boards, cameras, and microphones.
Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.
3.13.13 Control and monitor the use of mobile code.
Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously.
Mobile code technologies include
NIST Special Publication 800-28 provides guidance on mobile code.
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously.
NIST Special Publication 800-58 provides guidance on Voice over IP systems.
3.13.15 Protect the authenticity of communications sessions.
This requirement addresses communications protection at the session versus packet level and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.
Protecting against man-in-the-middle attacks
Insertion of false information into sessions
3.13.16 Protect the confidentiality of CUI at rest.
This requirement addresses the confidentiality of information at rest.
Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems.
Organizations can use different mechanisms to achieve confidentiality protections:
File share scanning