System and communications protection


Overview

This updated standard helps align existing IT practices for System and Communications Protection with the requirements in NIST 800-171 (SC | 3.13.x) and with industry best practices. It does not fully cover the 3.13.x controls in 800-171 because of existing limitations and other requirements that are specific to CUI.

What is in this document:

  • System firewall requirement
  • Some firewall configuration requirements
  • Requirement for public systems to separate networks from non-public systems

What is NOT in this document:

  • Network logging requirements (AU standard)
  • Complete firewall configuration requirements 

Policy Reference

  • APM 30.11 University Data Classification and Standards
  • APM 30.12 Acceptable Use of Technology Resources
  • APM 30.14 Cyber Incident Reporting and Response

Purpose
This Access Control standard supports APM 30.11 University Data Classification and Standards and other relevant university policies.

Scope
These standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or use University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) and are not otherwise covered by an approved systems security plan.

Standards

U of I Office of Information Technology (OIT) is responsible for the content and management of these standards.

To request an exception to this standard contact: oit-security@uidaho.edu 

1. Network boundary requirements

To ensure network connectivity is monitored, controlled and protected to adequate levels:

  1. All systems capable of running a host-based firewall must have it turned on and configured consistent with the principles of least privilege.
  2. Both the external (north-south) and internal (east-west) edges of U of I Internal Networks must be monitored as per the Audit and Accountability standard.
  3. Both the external (north-south) and internal (east-west) edges of U of I managed networks must have a default block rule.

    1. Exceptions to the default block action must go through change management approval.

  4. Both the external (north-south) and internal (east-west) edges of U of I Internal Networks must be scanned using inline protection tools such as IPS.

    1. Instances that cannot use inline protections such as the Science DMZ must use out-of-path protections as approved by OIT Security.

2. Public systems

Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

  1. Public Systems must be registered with OIT Security as per Access Control standard.
    1. OIT Security may scan public U of I IP space to review what is and is not a public system and may respond to those accordingly.
  2. Non-public university-managed technology resources must be on separate VLANs from Public Systems.
    Applies to: Moderate and High

3. Split tunneling

Split tunneling must not be implemented unless specifically approved by OIT Security.

Other references

  1. NIST SP800-171r2 (February 2020)
  2. NIST SP800-53r5 (September 2020)
  3. NIST SP 800-94 (February 2007)
  4. NIST SP 800-113 (July 2008)
  5. CMMC glossary
  6. Audit and Accountability standard
  7. Access Control standard
  8. What are Azure AD "Named Locations"?

Definitions

  1. Firewall

    “A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.” (CMMC Glossary)

  2. U of I internal networks

    Networks controlled by University of Idaho excluding networks for student or public systems such as AirVandalHome or AirVandalGuest as defined by ‘What are Azure AD "Named Locations"?’ (3.13.1[a-b])

  3. Public system

    A system that can be accessed in any form from the general public or internet.

  4. Intrusion Prevention System (IPS)

    “Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Also called an intrusion detection and prevention system.” (NIST SP800-94)

  5. Virtual Private Network (VPN)

    “A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.” (NIST SP800-113)

  6. Internal network edge

    The boundary between two internal networks. Also referred to as east-west traffic.

  7. External network edge

    The boundary between an internal network and external network. Also referred to as north-south traffic.

  8. Split tunneling

    “The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks.” (NIST SP800-171)

Revision History

3/1/2024 — Minor updates

  • Minor formatting/wording/reference changes.

6/23/2023 — Original standard

  • Full re-write to align with NIST 800-171r2
