This is the thirteenth (oooh scary) of a fourteen piece blog series intended to describe how Ascolta Greenfield environments achieve National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-federal Systems, compliance. This entry covers the controls contained in the System and Communications Protection Policy and Procedures family.
What is it?
System and communications protection requirements provide an array of safeguards for the system. Some of the requirements in this family address the confidentiality of information at rest and in transit.
The protection of information can be provided by these requirements through physical or logical means. For example, a company can provide physical protection by segregating certain functions to separate servers, each having its own set of IP addresses. Companies can better safeguard their information by separating user functionality and system management functionality. Providing this type of protection prevents the presentation of system management-related functionality on an interface for non-privileged users. System and communications protection also establishes boundaries that restrict access to publicly accessible information within a system. Using boundary protections, a company can monitor and control communications at external boundaries as well as key internal boundaries within the system.
How does Greenfield solve it?
Greenfield provides System and Communications Protection by monitoring and controlling communications at the system external boundary and at key internal boundaries; by connecting to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture; and by employing best practice information security tactics, techniques and procedures.
Greenfield separates user functionality (including user interface services) from information system management functionality by role-based authentication and access and prevents unauthorized and unintended information transfer via shared system resources through the Greenfield Data Handling and Storage Policy.
Greenfield terminates network connections associated with a communications session at the end of the session or after 15 minutes of inactivity, prohibits remote activation of collaborative computing devices, and provides an explicit indication of use to users physically present at the devices.
Greenfield protects the authenticity of communications sessions through the use of multi-factor authentication and encryption.
The Greenfield client is responsible for configuring web browsers, mobile devices, etc., to enable communications through encryption. In addition, they are responsible for implementing the Transmission Integrity, Transmission Confidentiality, Use of Cryptography, and Session Authenticity controls for the applications that they establish within their storage and virtual machine environments.