System and Communications Protection
This updated standard is to help align existing IT practices around System and Communications Protection to the requirements in NIST 800-171 (SC | 3.13.x) as well as industry best practices. This document does not give full coverage of 3.13.x controls within 171 due to existing limitations and other requirements that are specific to CUI.
What is in this document:
- System firewall requirement
- Some firewall configuration requirements
- Requirement for public systems to separate networks from non-public systems
What is NOT in this document:
- Network logging requirements (AU standard)
- Complete firewall configuration requirements
Potential impact or action items for implementing this standard:
- System owners of public systems need to register the device as a public system with Office of Information Technology (OIT). (see: Public System Registration)
- Public systems will need to be moved to networks intended for public systems if not already on them.
This System and Communications Protection standard supports APM 30.11 University Data Classification and Standards, and other relevant university policies.
These Standards are the minimum baseline for all managed and unmanaged systems that access, store or process University of Idaho data (see APM 30.14 C-6) or using University of Idaho technology resources (see APM 30.12 C-1) at the Low, Moderate or High risk levels (see APM 30.11) not otherwise covered by an approved system security plan.
To ensure network connectivity is monitored, controlled and protected to adequate levels:
- All systems capable of running a host-based firewall, must have it turned on and configured consistent with the principles of least privilege.
- Both the external (north-south) and internal (east-west) edges of U of I Internal Networks must be monitored as per the Audit and Accountability standard. (3.13.1[c-d])
- Both the external (north-south) and internal (east-west) edges of U of I managed networks must have a default block rule. (3.13.1[e-f], 3.13.6[a])
- Exceptions to the default block action must go through change management approval. (3.13.6[b])
- Both the external (north-south) and internal (east-west) edges of U of I Internal Networks must be scanned using inline protection tools such as IPS. (3.13.1[g-h])
- Instances that cannot use inline protections such as the Science DMZ must use out-of-path protections as approved by OIT Security.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Public Systems must be registered with OIT Security as per Access Control standard. (3.13.5[a])
- OIT Security May scan public U of I IP space to review what is and is not a public system and may respond to those accordingly.
- Non-public university-managed technology resources must be on separate VLANs from Public Systems. (3.13.5[b])
Applies to: Moderate and High
Split tunneling must not be implemented unless specifically approved by OIT Security. (3.13.7[a])
1. NIST SP800-171r2 (February 2020)
2. NIST SP800-53r5 (September 2020)
3. NIST SP 800-94 (February 2007)
4. NIST SP 800-113 (July 2008)
“A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.” (CMMC Glossary)
2. U OF I internal Networks
Networks controlled by University of Idaho excluding networks for student or public systems such as AirVandalHome or AirVandalGuest as defined by ‘What are Azure AD "Named Locations"?’ (3.13.1[a-b])
3. Public system
A system that can be accessed in any form from the general public or internet.
4. Intrusion Prevention System (IPS)
“Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Also called an intrusion detection and prevention system.” (NIST SP800-94)
5. Virtual Private Network (VPN)
“A virtual network built on top of existing networks that can provide a secure communications mechanism for data and IP information transmitted between networks.” (NIST SP800-113)
6. Internal network edge
The boundary between two internal networks. Also referred to as east-west traffic.
7. External network edge
The boundary between an internal network and external network. Also referred to as north-south traffic.
8. Split tunneling
“The process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices (e.g., a networked printer) at the same time as accessing uncontrolled networks.” (NIST SP800-171)
OIT is responsible for the content and management of these standards.
|V1||N. Flynn, M. Parks||6/23/2023|