System and Communications Protection
The System and Communications Protection family in NIST 800-171 Rev 2 addresses the safeguards necessary to protect the security and confidentiality of Controlled Unclassified Information (CUI) as it is processed, transmitted, or stored within an organization's information systems. This family emphasizes the need to secure both system boundaries and communication channels to prevent unauthorized access, tampering, or data leakage.
Key System and Communications Protection Requirements in NIST 800-171 Rev 2:
The System and Communications Protection family contains 16 security requirements (two basic requirements, 3.13.1 and 3.13.2, and 14 derived requirements, 3.13.3 through 3.13.16) that focus on ensuring the confidentiality and integrity of data in transit and at rest, protecting system boundaries, and preventing unauthorized access to systems and communications.
1. Monitor, Control, and Protect Communications at System Boundaries (3.13.1)
Basic Requirement: Organizations must monitor, control, and protect communications (information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of the information system.
Key Focus:
- Use firewalls, gateways, and intrusion detection/prevention systems (IDS/IPS) to monitor and control traffic entering and leaving the network.
- Treat key internal boundaries (for example, between a public-facing DMZ and the internal enclave where CUI is stored) the same way; boundary protection is not only the Internet perimeter.
- Ensure that only authorized communications and traffic are allowed to cross system boundaries, and that what crosses them is logged.
Example: Implementing firewalls to block unauthorized incoming traffic and using IDS/IPS to detect and respond to potential security threats.
2. Employ Architectural Designs and Engineering Principles That Promote Security (3.13.2)
Basic Requirement: Organizations must employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Key Focus:
- Build security into the design of systems that handle CUI rather than adding it afterward: layered defenses, least privilege, least functionality, and clearly defined trust boundaries.
- Apply secure development practices (secure coding standards, code review, security testing) to software the organization builds or customizes.
Example: Documenting the CUI data flow and network zones before deployment, placing each component in the least-trusted zone that still lets it do its job, and requiring secure code review for in-house applications that process CUI.
3. Separate User Functionality from System Management Functionality (3.13.3)
Derived Requirement: Organizations must separate user functionality (including user-interface services) from system management functionality.
Key Focus:
- Regular users should not have access to administrative controls or tools, which could be exploited to alter system configurations or access sensitive data.
- Administrative interfaces should be reachable only from dedicated administrative accounts, hosts, or networks, not from the same interface or session that end users use.
Example: Using separate accounts for administrative tasks, exposing management consoles only on a management network, and ensuring that day-to-day user accounts do not have elevated privileges or access to system administration functions.
4. Prevent Unauthorized and Unintended Information Transfer via Shared System Resources (3.13.4)
Derived Requirement: Organizations must prevent unauthorized and unintended information transfer via shared system resources.
Key Focus:
- Shared resources such as memory, disk blocks, caches, and processor registers must not leak residual CUI from one user or process to the next one that is allocated the same resource.
- In virtualized or multi-tenant environments, storage and memory released by one tenant or virtual machine must be sanitized before another can use it.
Example: Configuring the operating system and hypervisor to zero memory and storage before reallocation, and clearing temporary files and caches that held CUI when a session ends.
5. Implement Subnetworks for Publicly Accessible System Components (3.13.5)
Derived Requirement: Organizations must implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Key Focus:
- Isolate publicly accessible systems (e.g., public websites, external servers) in a demilitarized zone (DMZ) so that a compromise of a public-facing host does not give direct access to internal networks where CUI is stored.
Example: Placing a company's web server in a DMZ and allowing it to reach only the specific internal services it needs, so that external users cannot directly access the internal network.
6. Deny Network Communications Traffic by Default and Allow by Exception (3.13.6)
Derived Requirement: Organizations must deny network communications traffic by default and allow network communications traffic by exception (deny all, permit by exception).
Key Focus:
- Implement a default-deny policy, where all traffic is blocked unless explicitly permitted by firewall or system rules, for outbound traffic as well as inbound.
- This reduces the attack surface and ensures only necessary and authorized traffic is allowed.
Example: Configuring firewalls to block all traffic except the specific sources, destinations, and ports needed for authorized services, and reviewing the exception list periodically so that stale rules are removed.
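The default-deny boundary policy and DMZ separation discussed above can be expressed as a small zone-based allowlist evaluator. The following is an added example written for this page, not code from NIST or from any firewall product; the zone addresses, the rules, and the sample flows are constructed for illustration:

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map for the example (hypothetical addressing, not from the page).
# The most specific matching prefix wins, so "internet" (0.0.0.0/0) is the fallback.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),     # public web tier
    "cui_lan": ipaddress.ip_network("10.20.0.0/16"),   # internal enclave holding CUI
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),      # administrator jump hosts
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_ports: frozenset = frozenset()   # empty set means any destination port


# The allow-by-exception policy. Anything not listed here is denied.
POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({443})),       # public HTTPS only
    Rule("dmz", "cui_lan", "tcp", frozenset({5432})),       # web tier -> database
    Rule("cui_lan", "internet", "tcp", frozenset({443})),   # outbound HTTPS from the enclave
    Rule("mgmt", "dmz", "tcp", frozenset({22})),            # admin SSH into the DMZ
    Rule("mgmt", "cui_lan", "tcp", frozenset({22})),        # admin SSH into the enclave
]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against ZONES."""
    addr = ipaddress.ip_address(ip)
    best = max((net.prefixlen, name) for name, net in ZONES.items() if addr in net)
    return best[1]


def evaluate(flow: dict) -> str:
    """Return 'ALLOW' if some rule matches the flow, otherwise 'DENY' (default deny)."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    for rule in POLICY:
        if (rule.src_zone == src and rule.dst_zone == dst and rule.proto == flow["proto"]
                and (not rule.dst_ports or flow.get("dport") in rule.dst_ports)):
            return "ALLOW"
    return "DENY"


def apply_policy(flows: list) -> list:
    """Evaluate each flow and produce one log line per decision. Denials are logged too,
    because denied traffic at a boundary is what 3.13.1 asks you to monitor."""
    lines = []
    for f in flows:
        verdict = evaluate(f)
        lines.append(f"{verdict} {zone_of(f['src'])}->{zone_of(f['dst'])} "
                     f"{f['src']} -> {f['dst']}:{f.get('dport', '-')}/{f['proto']}")
    return lines


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},  # public -> web
    {"src": "198.51.100.7", "dst": "10.20.1.5", "proto": "tcp", "dport": 445},     # public -> CUI SMB
    {"src": "203.0.113.10", "dst": "10.20.1.5", "proto": "tcp", "dport": 5432},    # web -> db
    {"src": "203.0.113.10", "dst": "10.20.1.5", "proto": "tcp", "dport": 22},      # web -> db SSH
    {"src": "10.99.0.4", "dst": "10.20.1.5", "proto": "tcp", "dport": 22},         # admin -> db SSH
    {"src": "10.20.1.5", "dst": "198.51.100.9", "proto": "tcp", "dport": 443},     # enclave egress HTTPS
]

if __name__ == "__main__":
    print("\n".join(apply_policy(SAMPLE_FLOWS)))
```

Everything not in POLICY is denied, including the web tier's attempt to SSH into the database and anything from the Internet aimed directly at the CUI enclave. A real firewall adds state tracking and return-path handling; the point here is that the allow list is the entire policy, the fallback is always DENY, and denials are logged so the boundary is monitored as well as controlled.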
7. Prevent Split Tunneling on Remote Devices (3.13.7)
Derived Requirement: Organizations must prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (split tunneling).
Key Focus:
- A remote device connected to the organization's network over VPN must not also route traffic directly to the Internet or another network, because that second path bypasses the organization's boundary protections and can bridge an untrusted network into the CUI environment.
- Enforce full-tunnel VPN configurations and prevent users from changing them.
Example: Configuring the VPN client to route all traffic through the tunnel and using endpoint management to keep users from altering the VPN profile or the device's routing table.
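A practical check for split tunneling is to inspect the endpoint's routing table after the VPN comes up. The following added example (not from the page, NIST, or any VPN vendor) parses Linux `ip route show` output and reports whether the VPN interface owns the default route. The route tables and the interface name `tun0` are constructed for the example; the `0.0.0.0/1` plus `128.0.0.0/1` pattern is the pair of routes OpenVPN pushes when `redirect-gateway` is set, which overrides the default route without deleting it:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
LOW_HALF = ipaddress.ip_network("0.0.0.0/1")
HIGH_HALF = ipaddress.ip_network("128.0.0.0/1")


@dataclass
class TunnelReport:
    vpn_up: bool
    full_tunnel: bool
    default_dev: Optional[str]   # interface carrying the 0.0.0.0/0 route, if any


def parse_routes(text: str) -> list:
    """Parse `ip route show` lines into (destination network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def assess(route_text: str, vpn_dev: str) -> TunnelReport:
    routes = parse_routes(route_text)
    vpn_nets = {net for net, dev in routes if dev == vpn_dev}
    # Full tunnel: the VPN owns the default route outright, or it owns the two /1 routes
    # that are more specific than 0.0.0.0/0 and therefore win for every destination.
    full = ANY in vpn_nets or {LOW_HALF, HIGH_HALF} <= vpn_nets
    default_dev = next((dev for net, dev in routes if net == ANY), None)
    return TunnelReport(vpn_up=bool(vpn_nets), full_tunnel=full, default_dev=default_dev)


def is_split_tunnel(route_text: str, vpn_dev: str) -> bool:
    """True when the VPN is up but some traffic still leaves through another interface."""
    report = assess(route_text, vpn_dev)
    return report.vpn_up and not report.full_tunnel


# Constructed routing tables (hypothetical addresses).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

VPN_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""

if __name__ == "__main__":
    for label, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL), ("down", VPN_DOWN)):
        print(label, assess(table, "tun0"), "split_tunnel=", is_split_tunnel(table, "tun0"))
```

The one host route left on `wlan0` in the full-tunnel table (to the VPN gateway itself) is expected and does not count as split tunneling. Run a check like this from an endpoint compliance agent rather than trusting the user: a local administrator can delete the tunnel routes, so the check belongs alongside a client configuration the user cannot edit. Windows and macOS present routing tables in a different format and need their own parser.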
8. Implement Cryptographic Protection for CUI in Transmission (3.13.8)
Derived Requirement: Organizations must implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission, unless the transmission is otherwise protected by alternative physical safeguards.
Key Focus:
- Ensure that CUI is encrypted during transmission (e.g., using TLS for web traffic, IPsec for VPNs, or S/MIME for email) over any network the organization does not physically control.
- Disable legacy protocol versions and cipher suites (SSL, TLS 1.0/1.1, export and non-AEAD suites) so that the encryption actually provides the protection claimed.
- The physical-safeguard exception covers cases such as a protected distribution system inside a controlled facility; it does not apply to the Internet or to shared carrier networks.
Example: Requiring TLS 1.2 or later with strong cipher suites for all internal and external web applications that handle CUI, and encrypting sensitive emails using S/MIME.
9. Terminate Network Connections at the End of Sessions or After Inactivity (3.13.9)
Derived Requirement: Organizations must terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
Key Focus:
- Implement session timeout mechanisms to automatically log off or disconnect users after a specific period of inactivity, and tear down the underlying connection (not just the user interface) when a session ends.
- Apply this to remote access, administrative consoles, and application sessions that expose CUI.
Example: Automatically terminating remote desktop and VPN sessions after 15 minutes of inactivity.
10. Establish and Manage Cryptographic Keys (3.13.10)
Derived Requirement: Organizations must establish and manage cryptographic keys for the cryptography employed in organizational systems.
Key Focus:
- Implement secure key management practices covering the full key lifecycle: generation, distribution, storage, rotation, revocation, and destruction.
- Store keys in hardware security modules (HSMs) or key vaults so that they are never exposed in plaintext to administrators or applications that do not need them.
Example: Storing cryptographic keys in an HSM and ensuring they are rotated and backed up securely, with older keys retired on a defined schedule.
11. Employ FIPS-Validated Cryptography (3.13.11)
Derived Requirement: Organizations must employ FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI.
Key Focus:
- Using an approved algorithm (e.g., AES) is not enough on its own: the cryptographic module that implements it must be validated under the Cryptographic Module Validation Program (FIPS 140-2 or FIPS 140-3).
- Check that operating systems, libraries, VPN appliances, and cloud services handling CUI run their validated modules in FIPS mode, since many products ship a validated module that is not enabled by default.
Example: Enabling FIPS mode on servers and workstations that store or transmit CUI and confirming that the TLS library in use carries a current CMVP certificate.
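The transmission requirement and the FIPS-validation requirement meet in the TLS configuration: an "encrypted" connection that still negotiates TLS 1.0 or a CBC suite without forward secrecy is not giving CUI the protection claimed. The following added example (written for this page; not NIST's, and not a substitute for a CMVP certificate) audits a Python `ssl.SSLContext` the way a reviewer would, flagging a low protocol floor, non-AEAD suites, suites without forward secrecy, and ChaCha20-Poly1305, which is a sound AEAD but not a FIPS-approved algorithm. `weak_context` and `hardened_context` show the before and after; the cipher names used in the checks are standard OpenSSL suite names:

```python
import ssl

MIN_OK = ssl.TLSVersion.TLSv1_2


def classify_cipher(name: str) -> list:
    """Return findings for one OpenSSL cipher-suite name (empty list means acceptable)."""
    findings = []
    # AEAD suites carry GCM, CCM or CHACHA20 in their name (TLS 1.2 uses '-', TLS 1.3 uses '_').
    if not any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        findings.append(f"{name}: not AEAD (CBC or stream cipher with a separate MAC)")
    # TLS 1.3 suites (TLS_...) are always ephemeral; in TLS 1.2 only (EC)DHE gives forward secrecy.
    if not (name.startswith("TLS_") or name.startswith(("ECDHE-", "DHE-"))):
        findings.append(f"{name}: no forward secrecy (static RSA key exchange)")
    if "CHACHA20" in name:
        findings.append(f"{name}: ChaCha20-Poly1305 is not a FIPS-approved algorithm")
    return findings


def audit(min_version: ssl.TLSVersion, cipher_names) -> list:
    """Audit a protocol floor plus the list of suites that would be offered."""
    findings = []
    if min_version < MIN_OK:
        findings.append(f"minimum protocol version {min_version.name} is below TLS 1.2")
    for name in cipher_names:
        findings.extend(classify_cipher(name))
    return findings


def audit_context(ctx: ssl.SSLContext) -> list:
    """Audit a live SSLContext: its floor version and every suite it would negotiate."""
    return audit(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def weak_context() -> ssl.SSLContext:
    """What an unmaintained configuration often looks like: old floor, legacy suites enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """TLS 1.2 floor, AEAD-only, forward-secret suites; PROTOCOL_TLS_CLIENT keeps
    certificate and hostname verification on, which 3.13.15 also wants."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    print("weak:", *audit_context(weak_context()), sep="\n  ")
    print("hardened:", *audit_context(hardened_context()), sep="\n  ")
```

Running `audit_context(hardened_context())` on a stock OpenSSL build still reports the TLS 1.3 ChaCha20 suite, because Python's `ssl` module has no setter for TLS 1.3 suites; on an OpenSSL running its FIPS provider that suite is absent at the library level. That is the point of 3.13.11: the validated module, not the application's cipher string, is what determines which algorithms are available.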
12. Prohibit Remote Activation of Collaborative Computing Devices (3.13.12)
Derived Requirement: Organizations must prohibit remote activation of collaborative computing devices and provide an indication to users present at the device when it is in use.
Key Focus:
- Ensure that collaborative tools, such as webcams, microphones, and conference room systems, cannot be activated remotely without the knowledge of the people present.
- Users at the device must be able to tell when it is active (for example, a camera light or an on-screen indicator).
Example: Disabling remote activation of video conferencing systems unless explicitly authorized by the system administrator, and verifying that cameras and microphones show an in-use indicator.
13. Control and Monitor the Use of Mobile Code (3.13.13)
Derived Requirement: Organizations must control and monitor the use of mobile code.
Key Focus:
- Mobile code is code transmitted to and executed on a system without explicit installation, such as JavaScript, browser plug-ins, Java applets, ActiveX controls, office document macros, and downloaded scripts.
- Define which mobile code technologies are acceptable, block the rest, and monitor what runs on endpoints and servers that handle CUI.
Example: Blocking macros in documents received from the Internet, restricting browser plug-ins by policy, and using application control to allow only approved scripts to execute.
14. Control and Monitor the Use of Voice over Internet Protocol (VoIP) (3.13.14)
Derived Requirement: Organizations must control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
Key Focus:
- VoIP traffic crosses the same network as CUI and is itself subject to interception and toll fraud, so its use must be authorized, segmented, and encrypted.
- Monitor VoIP usage (call records, registration events) and restrict it to approved devices and users.
Example: Placing IP phones on a dedicated VLAN, requiring TLS for signaling and SRTP for media, and reviewing call detail records for unauthorized use.
15. Protect the Authenticity of Communications Sessions (3.13.15)
Derived Requirement: Organizations must protect the authenticity of communications sessions.
Key Focus:
- Both ends of a session must be able to trust that they are still talking to the party they authenticated at the start, so that an attacker cannot hijack, replay, or insert messages into the session.
- Validate certificates (and use mutual authentication where practical), bind session identifiers to the authenticated user, make them unguessable, and protect them with integrity checks.
Example: Requiring certificate validation on every TLS connection, using mutual TLS between internal services, and issuing session tokens that are signed and checked on each request.
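Session termination after inactivity (3.13.9), key management (3.13.10), and session authenticity (3.13.15) come together in how a server issues and checks session tokens. The following added example (constructed for this page, not from NIST or any framework) signs tokens with versioned HMAC keys, rejects tampered tokens, expires them after an idle period or an absolute lifetime, and lets keys rotate without logging everyone out. The 15-minute, 8-hour, and 24-hour limits and the `k1`, `k2` key identifiers are assumed values, and `now` is passed in explicitly so behaviour is deterministic:

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Assumed policy values for the example (not from the page).
IDLE_LIMIT = 15 * 60          # 3.13.9: terminate after 15 minutes without activity
ABSOLUTE_LIMIT = 8 * 3600     # and unconditionally after 8 hours
KEY_RETIRE_AFTER = 24 * 3600  # 3.13.10: a key verifies tokens for at most a day after creation


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Versioned HMAC keys. Only the newest key signs; older keys verify until retired."""

    def __init__(self):
        self.keys = {}        # kid -> (key bytes, created_at)
        self.active = None    # call rotate() once before issuing tokens

    def rotate(self, now: float) -> str:
        kid = f"k{len(self.keys) + 1}"
        self.keys[kid] = (secrets.token_bytes(32), now)
        self.active = kid
        return kid

    def verifying_key(self, kid, now: float) -> Optional[bytes]:
        entry = self.keys.get(kid)
        if entry is None or now - entry[1] > KEY_RETIRE_AFTER:
            return None       # unknown or retired: the token is dead even if its MAC is valid
        return entry[0]


def _sign(key: bytes, payload_b64: str) -> bytes:
    return hmac.new(key, payload_b64.encode(), hashlib.sha256).digest()


def _encode(ring: KeyRing, payload: dict) -> str:
    p64 = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{p64}.{_b64(_sign(ring.keys[ring.active][0], p64))}"


def issue(ring: KeyRing, subject: str, now: float) -> str:
    payload = {"sid": secrets.token_hex(16), "sub": subject, "kid": ring.active,
               "iat": now, "last": now}
    return _encode(ring, payload)


def verify(ring: KeyRing, token: str, now: float) -> Tuple[Optional[dict], str]:
    """Return (payload, 'ok') or (None, reason). Authenticity is checked before timing."""
    try:
        p64, s64 = token.split(".")
        payload = json.loads(_unb64(p64))
        sig = _unb64(s64)
    except ValueError:        # bad split, bad base64 and bad JSON all raise ValueError subclasses
        return None, "malformed"
    if not isinstance(payload, dict):
        return None, "malformed"
    key = ring.verifying_key(payload.get("kid"), now)
    if key is None:
        return None, "unknown_or_retired_key"
    if not hmac.compare_digest(sig, _sign(key, p64)):
        return None, "bad_signature"
    if now - payload["last"] > IDLE_LIMIT:
        return None, "idle_timeout"
    if now - payload["iat"] > ABSOLUTE_LIMIT:
        return None, "absolute_timeout"
    return payload, "ok"


def touch(ring: KeyRing, token: str, now: float) -> Optional[str]:
    """On activity, re-issue the token with a fresh 'last' under the currently active key,
    so a key rotation migrates live sessions without ending them."""
    payload, status = verify(ring, token, now)
    if status != "ok":
        return None
    return _encode(ring, {**payload, "last": now, "kid": ring.active})
```

Tampering with the payload fails the MAC before any timing check is made, and a token signed with a retired key is rejected even though its MAC is valid, so retiring a key really does end every session that still depends on it. Pair this with a server-side session record so that an individual session (not just a key generation) can be terminated at logout, which is the first half of 3.13.9.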
16. Protect the Confidentiality of CUI at Rest (3.13.16)
Derived Requirement: Organizations must protect the confidentiality of CUI at rest.
Key Focus:
- Encrypt CUI stored on servers, workstations, laptops, removable media, backups, and cloud storage, using FIPS-validated cryptography, so that loss or theft of the storage does not disclose the data.
- Encryption at rest complements, but does not replace, access controls and physical protection of the storage.
Example: Enabling full-disk encryption on laptops, encrypting databases and file shares that hold CUI, and keeping the encryption keys in a separate key management system rather than on the same storage.
Importance of System and Communications Protection in Cybersecurity:
Prevents Data Leaks: Implementing cryptographic protections and controlling communications flow ensures that sensitive CUI is not exposed to unauthorized individuals, reducing the risk of data breaches.
Protects System Boundaries: By monitoring and controlling communications at system boundaries, organizations can protect against external threats, such as hackers or malware, that attempt to exploit network vulnerabilities.
Ensures Secure Data Transmission: Encrypting data in transit and at rest helps ensure that CUI is protected from interception, tampering, or unauthorized access as it moves across networks or is stored on systems.
Prevents Unauthorized Access: By controlling remote access, wireless access, and internal communications, organizations can prevent unauthorized users or devices from accessing systems that handle CUI.
Supports Compliance: System and communications protection controls help organizations comply with NIST 800-171 requirements and other regulations that mandate the protection of sensitive information from unauthorized access or disclosure.
Best Practices for System and Communications Protection:
Encrypt Data in Transit and at Rest: Always use encryption to protect CUI when it is transmitted over networks or stored on devices (3.13.8 and 3.13.16). Ensure that the cryptographic modules are FIPS-validated (FIPS 140-2 or FIPS 140-3) as 3.13.11 requires; using a FIPS-approved algorithm in an unvalidated module is not sufficient.
Use Firewalls and IDS/IPS: Deploy firewalls and intrusion detection/prevention systems to monitor and control traffic at system boundaries, ensuring that only authorized traffic is allowed.
Segment Networks: Implement network segmentation to isolate sensitive systems from publicly accessible or less secure systems, reducing the attack surface.
Secure Remote Access: Use VPNs, MFA, and strong encryption for remote access, configured as a full tunnel so that remote devices cannot split-tunnel around the organization's boundary protections (3.13.7), ensuring that only authorized users can access systems handling CUI.
Implement DNS Filtering: Use DNS filtering to block access to known malicious domains and prevent users from accidentally visiting sites that could compromise system security. DNS filtering is not itself one of the 3.13 requirements, but it supports boundary protection (3.13.1) and control of mobile code (3.13.13).
Control Wireless Access: Use strong encryption protocols (e.g., WPA2 or WPA3) for wireless networks and ensure that wireless access is limited to authorized users. Wireless access is addressed in the Access Control family (3.1.16 and 3.1.17), but a wireless network is a boundary that 3.13.1 expects to be monitored and controlled.
Manage Cryptographic Keys Securely: Implement key management solutions to protect cryptographic keys from unauthorized access, ensuring that they are stored securely and rotated regularly.
Summary:
The System and Communications Protection family in NIST 800-171 Rev 2 is critical for ensuring the security of communications and protecting Controlled Unclassified Information (CUI) as it moves through an organization’s systems and networks. By implementing controls such as encryption, firewalls, network segmentation, and secure remote access, organizations can safeguard the confidentiality and integrity of CUI, prevent unauthorized access, and comply with regulatory requirements. Proper system and communications protection is essential for maintaining a strong and resilient cybersecurity posture.