8/10/2019 Electronic Communication Plan
1/37
Defense Security Service
Office of the Designated Approving Authority
DSS ELECTRONIC COMMUNICATIONS PLAN TEMPLATE
September 20
TABLE OF CONTENTS
1. INTRODUCTION ..... 5
2. PURPOSE ..... 5
3. ROLES/PERSONNEL SECURITY ..... 6
4. DETAILED SYSTEM DESCRIPTION/TECHNICAL OVERVIEW ..... 6
5. IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES ..... 6
5.1 USER IDENTIFICATION AND AUTHENTICATION ..... 6
5.2 DEVICE IDENTIFICATION AND AUTHENTICATION ..... 6
5.3 IDENTIFIER MANAGEMENT ..... 6
5.4 AUTHENTICATOR MANAGEMENT ..... 7
5.5 ACCESS CONTROL POLICY AND PROCEDURES ..... 7
5.6 ACCOUNT MANAGEMENT ..... 7
5.7 ACCESS ENFORCEMENT ..... 8
5.8 INFORMATION FLOW ENFORCEMENT ..... 9
5.9 SEPARATION OF DUTIES ..... 10
5.10 LEAST PRIVILEGE ..... 10
5.11 UNSUCCESSFUL LOGIN ATTEMPTS ..... 10
5.12 SYSTEM USE NOTIFICATION ..... 11
5.13 SESSION LOCK ..... 11
5.15 SUPERVISION AND REVIEW - ACCESS CONTROL ..... 12
5.16 REMOTE ACCESS ..... 12
5.17 USE OF EXTERNAL INFORMATION SYSTEMS ..... 13
6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES ..... 14
6.1 SECURITY TRAINING ..... 14
7. AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES ..... 14
7.1 AUDITABLE EVENTS ..... 15
7.2 CONTENT OF AUDIT RECORDS ..... 15
7.3 AUDIT STORAGE CAPACITY ..... 15
7.4 AUDIT MONITORING, ANALYSIS, AND REPORTING ..... 15
7.5 TIME STAMPS ..... 16
7.6 PROTECTION OF AUDIT INFORMATION ..... 16
7.7 CONTINUOUS MONITORING ..... 16
8. CONFIGURATION MANAGEMENT POLICY AND PROCEDURES ..... 16
8.1 MONITORING CONFIGURATION CHANGES ..... 16
8.2 ACCESS RESTRICTIONS FOR CHANGE ..... 17
8.3 LEAST FUNCTIONALITY ..... 18
9. INCIDENT RESPONSE ..... 18
9.1 INCIDENT RESPONSE POLICY AND PROCEDURES ..... 18
9.2 INCIDENT RESPONSE TRAINING ..... 18
9.3 INCIDENT RESPONSE TESTING AND EXERCISES ..... 18
9.4 INCIDENT HANDLING ..... 18
9.5 INCIDENT MONITORING ..... 19
9.6 INCIDENT REPORTING ..... 19
9.7 INCIDENT RESPONSE ASSISTANCE ..... 19
10. PHYSICAL AND ENVIRONMENTAL PROTECTION ..... 19
10.1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES ..... 19
10.2 PHYSICAL ACCESS AUTHORIZATIONS ..... 20
10.3 PHYSICAL ACCESS CONTROL ..... 20
10.4 MONITORING PHYSICAL ACCESS ..... 20
11. CONTINGENCY PLANNING AND OPERATION ..... 20
11.1 CONTINGENCY PLANNING POLICY AND PROCEDURES ..... 20
11.2 CONTINGENCY PLAN ..... 21
11.3 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION ..... 21
12. SYSTEM AND COMMUNICATIONS PROTECTIONS ..... 21
12.1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES ..... 21
13. APPLICATION PARTITIONING (IF APPLICABLE) ..... 21
13.1 INFORMATION REMNANCE ..... 22
13.2 DENIAL OF SERVICE PROTECTION ..... 22
13.3 BOUNDARY PROTECTION ..... 22
13.4 TRANSMISSION INTEGRITY ..... 23
13.5 TRANSMISSION CONFIDENTIALITY ..... 23
13.6 NETWORK DISCONNECT ..... 23
13.7 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT ..... 24
13.8 COLLABORATIVE COMPUTING ..... 24
13.9 MOBILE CODE ..... 24
13.10 VOICE OVER INTERNET PROTOCOL ..... 24
13.11 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) ..... 24
13.12 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE ..... 25
13.13 SESSION AUTHENTICITY ..... 25
13.14 MALICIOUS CODE PROTECTION ..... 25
13.15 INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES ..... 26
14. MAINTENANCE ..... 27
14.1 SYSTEM MAINTENANCE POLICY AND PROCEDURES ..... 27
14.2 CONTROLLED MAINTENANCE ..... 27
14.3 MAINTENANCE TOOLS ..... 28
14.4 REMOTE MAINTENANCE ..... 28
14.5 MAINTENANCE PERSONNEL ..... 29
15. MEDIA PROTECTION ..... 29
15.1 MEDIA PROTECTION POLICY AND PROCEDURES ..... 29
15.2 MEDIA ACCESS ..... 30
15.3 MEDIA SANITIZATION AND DISPOSAL ..... 30
16. EXPORT CONTROL PROCEDURES ..... 30
17. ADDITIONAL FOCI PROCEDURES ..... 30
17.1 TELEPHONE PROCEDURES ..... 30
17.2 FACSIMILE PROCEDURES ..... 31
17.3 COMPUTER COMMUNICATIONS ..... 31
ATTACHMENT 1 - NETWORK DIAGRAM ..... 32
ATTACHMENT 2 - EXPORT RELEASE FORMS ..... 33
ATTACHMENT 3 - USER ACKNOWLEDGEMENT ..... 34
ATTACHMENT 4 - ECP REVISION LOG ..... 35
1. INTRODUCTION
[Describe applicable FOCI mitigation agreement]. The ECP template applies only to unclassified systems and can be modified to meet the facility's needs. Items that do not apply may be annotated as Not Applicable.
Instructions: In place of these instructions, please describe the Company's specific requirements from the mitigation agreement, the electronic communications of the company, and how the company intends to comply with the terms of the mitigation agreement. Identify the persons and entities whose electronic communications are subject to the ECP requirements of the Company's mitigation agreement.
3. ROLES/PERSONNEL SECURITY
Instructions: In place of these instructions, please describe specific points of contact with phone numbers and email addresses identifying the FSO, TCO, IT Personnel, and Outside Directors, etc.
4. DETAILED SYSTEM DESCRIPTION/TECHNICAL OVERVIEW
Instructions: In place of these instructions, please describe all resources and servers that will be shared, identifying all associated facilities, locations and legal entities.
5. IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES
Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review and update: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
5.1 USER IDENTIFICATION AND AUTHENTICATION
To Company: In place of this instructional statement, please describe how the Company's information system will uniquely identify and authenticate users (or processes acting on behalf of users).
5.2 DEVICE IDENTIFICATION AND AUTHENTICATION
Instructions: In place of these instructions, please describe how the Company's information system will identify and authenticate specific devices before establishing a connection. You may describe, for example, how the Company's information system will use either shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) or an Organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a Radius server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks.
5.3 IDENTIFIER MANAGEMENT
Instructions: In place of these instructions, please describe how the Company will manage user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate Contractor official; (iv) issuing the user identifier to the intended party; (v) disabling the user identifier after [state time period] of inactivity; and (vi) archiving user identifiers.
5.4 AUTHENTICATOR MANAGEMENT
Instructions: In place of these instructions, please describe how the Company will manage information system authenticators by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; (iii) changing default authenticators upon information system installation; and (iv) changing/refreshing authenticators periodically. You may describe, for example, the following:
5.6 ACCOUNT MANAGEMENT
Instructions: In place of these instructions, please describe how the Company will manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. We will review information system accounts [state frequency, at least annually]. You may describe, for example, the following:
5.7 ACCESS ENFORCEMENT
Instructions: In place of these instructions, please describe how the Company's information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy. You may describe, for example, the following:
networks, individuals, devices) within information systems and between interconnected systems.
information system will enforce a limit of [state the appropriate number] consecutive invalid access attempts by a user during a [state the appropriate time period] time period. You may describe, for example, the following:
appropriate time period] of inactivity, and the session lock will remain in effect until the user reestablishes access using appropriate identification and authentication procedures.
You may describe, for example, how the Company's users will be able to directly initiate session lock mechanisms. It is recommended that Company not consider a session lock as a substitute for logging out of the information system. Moreover, Company policy in this respect should, where possible, be consistent with federal policy; for example, in accordance with OMB Memorandum 06-16, the time period of inactivity resulting in session lock is no greater than thirty minutes for remote access and portable devices.
5.14 SESSION TERMINATION
Instructions: In place of these instructions, please describe how the Company's information system will automatically terminate a remote session after [state appropriate time period] of inactivity. Company should consider a remote session to have been initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external network not under the control of the Company, such as the Internet.
5.15 SUPERVISION AND REVIEW - ACCESS CONTROL
Instructions: In place of these instructions, please describe how the Company will supervise and review the activities of users with respect to the enforcement and usage of information system access controls. You may describe, for example, the following:
Whether any of the Company's external information systems will be information systems or components of information systems for which the Company has no direct control over the application of required security controls or the assessment of security control effectiveness.
Whether any of the Company's external information systems will include, without limitation, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants), privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports), information systems owned or controlled by nonfederal governmental contractors, and federal information systems that are not owned by, operated by, or under the direct control of the Company.
Whether any of the Company's authorized individuals will include Contractor personnel, contractors, or any other individuals with authorized access to the Contractor's information system and information that is not intended for public access.
Whether the Company will establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The Company should establish terms and conditions that will address as a minimum the types of applications that can be accessed on the organizational information system from the external information system.
You may also explain how the Company will use the following control element to manage use of external information systems:
prohibition on authorized individuals using an external information system to access the information system or to process, store, or transmit Company-controlled information except in situations where the Company: (i) can verify the employment of required security controls on the external system as specified in the Company's information security policy and system security plan or (ii) has approved information system connection or processing agreements with the Company entity hosting the external information system.
6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES
Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Contractor entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. You may describe, for example, how the Company's security awareness and training policy and procedures will be consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.
6.1 SECURITY TRAINING
Instructions: In place of these instructions, please describe how the Company will identify personnel that have significant information system security roles and responsibilities during the system development life cycle, document those roles and responsibilities, and provide appropriate information system security training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [state appropriate frequency] thereafter. You may describe, for example, the following:
documented procedures to facilitate the implementation of the configuration management policy
and associated configuration management controls.
8.1 MONITORING CONFIGURATION CHANGES
Instructions: In place of these instructions, please describe how the Company [Contractor Name] monitors changes to the information system, conducting security impact analyses to determine the effects of the changes. You may describe, for example, the following:
9.4 INCIDENT HANDLING
Instructions: In place of these instructions, please describe how the Company will implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. You may describe, for example, the following:
formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
10.2 PHYSICAL ACCESS AUTHORIZATIONS
Instructions: In place of these instructions, please describe how the Company will develop and keep current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and issues appropriate authorization credentials. You may describe, for example, the following:
11. CONTINGENCY PLANNING AND OPERATION
11.1 CONTINGENCY PLANNING POLICY AND PROCEDURES
Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Company entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. You may describe, for example, how the Company's contingency planning policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.
11.2 CONTINGENCY PLAN
Instructions: In place of these instructions, please describe how the Company will develop and implement a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. You may describe, for example, how designated officials within the Company will review and approve the contingency plan and distribute copies of the plan to key contingency personnel.
11.3 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION
Instructions: In place of these instructions, please describe how the Company will employ mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure.
12. SYSTEM AND COMMUNICATIONS PROTECTIONS
12.1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Company entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. You may describe, for example, how the Company's system and communications protection policy and procedures will be consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.
13. APPLICATION PARTITIONING (IF APPLICABLE)
Instructions: In place of these instructions, please describe how the Company's information system will separate user functionality (including user interface services) from information system management functionality. You may describe, for example, how the Company's information system will physically or logically separate user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Note: Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.
13.1 INFORMATION REMNANCE
Instructions: In place of these instructions, please describe how the Company's information system will prevent unauthorized and unintended information transfer via shared system resources. You may describe, for example, how the Company will control information system remnance, sometimes referred to as object reuse, or data remnance, in order to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.
13.2 DENIAL OF SERVICE PROTECTION
Instructions: In place of these instructions, please describe how the Company's information system will protect against or limit the effects of the following types of denial of service attacks: [please list types of denial of service attacks or reference to source for current list]. You may also describe, for example, the following:
encrypted tunnels) arranged in an effective architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ).
name/address resolution information obtained through the service. Note: a domain name system (DNS) server is an example of an information system that provides name/address resolution service; digital signatures and cryptographic keys are examples of additional artifacts; and DNS resource records are examples of authoritative data.
13.12 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
Instructions: In place of these instructions, please describe how the Company's information systems will collectively provide name/address resolution service for the Company that are fault tolerant and implement role separation. You may describe, for example, the following:
14.2 CONTROLLED MAINTENANCE
Instructions: In place of these instructions, please describe how the Company will schedule, perform, document, and review records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or Company requirements. You may describe, for example, the following:
Instructions: In place of these instructions, please describe how the Company will authorize, monitor, and control any remotely executed maintenance and diagnostic activities, if employed. You may describe, for example, the following:
15. MEDIA PROTECTION
15.1 MEDIA PROTECTION POLICY AND PROCEDURES
Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Company entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls. You may describe, for example, how the Company's media protection policy and procedures will be consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.
15.2 MEDIA ACCESS
Instructions: In place of these instructions, please describe how the Company will (i) restrict access to information system media to authorized individuals and (ii) employ automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
15.3 MEDIA SANITIZATION AND DISPOSAL
Instructions: In place of these instructions, please describe how the Company will sanitize information system media, both digital and non-digital, prior to disposal or release for reuse. You may describe, for example, the following:
ATTACHMENT 1 - NETWORK DIAGRAM
ATTACHMENT 2 - EXPORT RELEASE FORMS
ATTACHMENT 4 - ECP REVISION LOG
Date | Revision | Paragraph | Description of Change | Person (Company if Applicable) | Update Requires Approval by DSS in accordance with ECP Section [section number illegible in source] (Yes/No)