Electronic Communication Plan


8/10/2019 Electronic Communication Plan
1/37

Defense Security Service

Office of the Designated Approving Authority

DSS ELECTRONIC COMMUNICATIONS PLAN TEMPLATE

September 20


TABLE OF CONTENTS

1. INTRODUCTION ... 5
2. PURPOSE ... 5
3. ROLES/PERSONNEL SECURITY ... 6
4. DETAILED SYSTEM DESCRIPTION/TECHNICAL OVERVIEW ... 6
5. IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES ... 6
5.1 USER IDENTIFICATION AND AUTHENTICATION ... 6
5.2 DEVICE IDENTIFICATION AND AUTHENTICATION ... 6
5.3 IDENTIFIER MANAGEMENT ... 6
5.4 AUTHENTICATOR MANAGEMENT ... 7
5.5 ACCESS CONTROL POLICY AND PROCEDURES ... 7
5.6 ACCOUNT MANAGEMENT ... 7
5.7 ACCESS ENFORCEMENT ... 8
5.8 INFORMATION FLOW ENFORCEMENT ... 9
5.9 SEPARATION OF DUTIES ... 10
5.10 LEAST PRIVILEGE ... 10
5.11 UNSUCCESSFUL LOGIN ATTEMPTS ... 10
5.12 SYSTEM USE NOTIFICATION ... 11
5.13 SESSION LOCK ... 11
5.15 SUPERVISION AND REVIEW - ACCESS CONTROL ... 12
5.16 REMOTE ACCESS ... 12
5.17 USE OF EXTERNAL INFORMATION SYSTEMS ... 13
6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES ... 14
6.1 SECURITY TRAINING ... 14
7. AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES ... 14
7.1 AUDITABLE EVENTS ... 15
7.2 CONTENT OF AUDIT RECORDS ... 15
7.3 AUDIT STORAGE CAPACITY ... 15
7.4 AUDIT MONITORING, ANALYSIS, AND REPORTING ... 15
7.5 TIME STAMPS ... 16
7.6 PROTECTION OF AUDIT INFORMATION ... 16
7.7 CONTINUOUS MONITORING ... 16
8. CONFIGURATION MANAGEMENT POLICY AND PROCEDURES ... 16
8.1 MONITORING CONFIGURATION CHANGES ... 16
8.2 ACCESS RESTRICTIONS FOR CHANGE ... 17
8.3 LEAST FUNCTIONALITY ... 18
9. INCIDENT RESPONSE ... 18
9.1 INCIDENT RESPONSE POLICY AND PROCEDURES ... 18
9.2 INCIDENT RESPONSE TRAINING ... 18
9.3 INCIDENT RESPONSE TESTING AND EXERCISES ... 18
9.4 INCIDENT HANDLING ... 18
9.5 INCIDENT MONITORING ... 19
9.6 INCIDENT REPORTING ... 19
9.7 INCIDENT RESPONSE ASSISTANCE ... 19
10. PHYSICAL AND ENVIRONMENTAL PROTECTION ... 19
10.1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES ... 19
10.2 PHYSICAL ACCESS AUTHORIZATIONS ... 20
10.3 PHYSICAL ACCESS CONTROL ... 20
10.4 MONITORING PHYSICAL ACCESS ... 20
11. CONTINGENCY PLANNING AND OPERATION ... 20
11.1 CONTINGENCY PLANNING POLICY AND PROCEDURES ... 20
11.2 CONTINGENCY PLAN ... 21
11.3 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION ... 21
12. SYSTEM AND COMMUNICATIONS PROTECTIONS ... 21
12.1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES ... 21
13. APPLICATION PARTITIONING (IF APPLICABLE) ... 21
13.1 INFORMATION REMNANCE ... 22
13.2 DENIAL OF SERVICE PROTECTION ... 22
13.3 BOUNDARY PROTECTION ... 22
13.4 TRANSMISSION INTEGRITY ... 23
13.5 TRANSMISSION CONFIDENTIALITY ... 23
13.6 NETWORK DISCONNECT ... 23
13.7 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT ... 24
13.8 COLLABORATIVE COMPUTING ... 24
13.9 MOBILE CODE ... 24
13.10 VOICE OVER INTERNET PROTOCOL ... 24
13.11 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE) ... 24
13.12 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE ... 25
13.13 SESSION AUTHENTICITY ... 25
13.14 MALICIOUS CODE PROTECTION ... 25
13.15 INFORMATION SYSTEM MONITORING TOOLS AND TECHNIQUES ... 26
14. MAINTENANCE ... 27
14.1 SYSTEM MAINTENANCE POLICY AND PROCEDURES ... 27
14.2 CONTROLLED MAINTENANCE ... 27
14.3 MAINTENANCE TOOLS ... 28
14.4 REMOTE MAINTENANCE ... 28
14.5 MAINTENANCE PERSONNEL ... 29
15. MEDIA PROTECTION ... 29
15.1 MEDIA PROTECTION POLICY AND PROCEDURES ... 29
15.2 MEDIA ACCESS ... 30
15.3 MEDIA SANITIZATION AND DISPOSAL ... 30
16. EXPORT CONTROL PROCEDURES ... 30
17. ADDITIONAL FOCI PROCEDURES ... 30
17.1 TELEPHONE PROCEDURES ... 30
17.2 FACSIMILE PROCEDURES ... 31
17.3 COMPUTER COMMUNICATIONS ... 31
ATTACHMENT 1 - NETWORK DIAGRAM ... 32
ATTACHMENT 2 - EXPORT RELEASE FORMS ... 33
ATTACHMENT 3 - USER ACKNOWLEDGEMENT ... 34
ATTACHMENT 4 - ECP REVISION LOG ... 35


1. INTRODUCTION

[Opening sentence unrecoverable; it refers to the Defense Security Service (DSS) and the Electronic Communications Plan (ECP)] [Describe applicable FOCI mitigation agreement]. The ECP template applies only to unclassified systems and can be modified to meet the facility's needs. Items that do not apply may be annotated as "Not Applicable."

[Unrecoverable paragraph mentioning the GSC, DSS and OPSEC.]


Instructions: In place of these instructions, please describe the Company's specific requirements from the mitigation agreement, the electronic communications of the company, and how the company intends to comply with the terms of the mitigation agreement. Identify the persons and entities whose electronic communications are subject to the ECP requirements of the Company's mitigation agreement.

3. ROLES/PERSONNEL SECURITY

Instructions: In place of these instructions, please describe specific points of contact with phone numbers and email addresses identifying the FSO, TCO, IT Personnel, and Outside Directors etc.

4. DETAILED SYSTEM DESCRIPTION/TECHNICAL OVERVIEW

Instructions: In place of these instructions, please describe all resources and servers that will be shared, identifying all associated facilities, locations and legal entities.

5. IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review and update: (i) a formal, documented, identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.

    5.1 USER IDENTIFICATION AND AUTHENTICATION

To Company: In place of this instructional statement, please describe how the Company's information system will uniquely identify and authenticate users (or processes acting on behalf of users).

    5.2 DEVICE IDENTIFICATION AND AUTHENTICATION

Instructions: In place of these instructions, please describe how the Company's information system will identify and authenticate specific devices before establishing a connection. You may describe, for example, how the Company's information system will use either shared known information (e.g., Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP) addresses) or an Organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol (EAP) or a RADIUS server with EAP-Transport Layer Security (TLS) authentication) to identify and authenticate devices on local and/or wide area networks.

    5.3 IDENTIFIER MANAGEMENT


Instructions: In place of these instructions, please describe how the Company will manage user identifiers by: (i) uniquely identifying each user (ii) verifying the identity of each user (iii) receiving authorization to issue a user identifier from an appropriate Contractor official (iv) issuing the user identifier to the intended party (v) disabling the user identifier after [state time period] of inactivity and (vi) archiving user identifiers.

    5.4 AUTHENTICATOR MANAGEMENT

Instructions: In place of these instructions, please describe how the Company will manage information system authenticators by: (i) defining initial authenticator content (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators (iii) changing default authenticators upon information system installation and (iv) changing/refreshing authenticators periodically. You may describe, for example, the following:


    5.6 ACCOUNT MANAGEMENT

Instructions: In place of these instructions, please describe how the Company will manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. We will review information system accounts [state frequency, at least annually]. You may describe, for example, the following:


    5.7 ACCESS ENFORCEMENT

Instructions: In place of these instructions, please describe how the Company's information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy. You may describe, for example, the following:


networks, individuals, devices) within information systems and between interconnected systems.


information system will enforce a limit of [state the appropriate number] consecutive invalid access attempts by a user during a [state the appropriate time period] time period. You may describe, for example, the following:


appropriate time period] of inactivity, and the session lock will remain in effect until the user reestablishes access using appropriate identification and authentication procedures.

You may describe, for example, how the Company's users will be able to directly initiate session lock mechanisms. It is recommended that the Company not consider a session lock as a substitute for logging out of the information system. Moreover, Company policy in this respect should, where possible, be consistent with federal policy; for example, in accordance with OMB Memorandum 06-16, the time period of inactivity resulting in session lock is no greater than thirty minutes for remote access and portable devices.

5.14 SESSION TERMINATION

Instructions: In place of these instructions, please describe how the Company's information system will automatically terminate a remote session after [state appropriate time period] of inactivity. The Company should consider a remote session to have been initiated whenever an organizational information system is accessed by a user (or an information system) communicating through an external network not under the control of the Company, such as the Internet.

5.15 SUPERVISION AND REVIEW - ACCESS CONTROL

Instructions: In place of these instructions, please describe how the Company will supervise and review the activities of users with respect to the enforcement and usage of information system access controls. You may describe, for example, the following:


- Whether any of the Company's external information systems will be information systems or components of information systems for which the Company has no direct control over the application of required security controls or the assessment of security control effectiveness.

- Whether any of the Company's external information systems will include, without limitation, personally owned information systems (e.g., computers, cellular telephones, or personal digital assistants), privately owned computing and communications devices resident in commercial or public facilities (e.g., hotels, convention centers, or airports), information systems owned or controlled by nonfederal governmental contractors, and federal information systems that are not owned by, operated by, or under the direct control of the Company.

- Whether any of the Company's authorized individuals will include Contractor personnel, contractors, or any other individuals with authorized access to the Contractor's information system and information that is not intended for public access.


- Whether the Company will establish terms and conditions for the use of external information systems in accordance with organizational security policies and procedures. The Company should establish terms and conditions that will address, as a minimum, the types of applications that can be accessed on the organizational information system from the external information system.

You may also explain how the Company will use the following control element to manage use of external information systems:

- A prohibition on authorized individuals using an external information system to access the information system or to process, store, or transmit Company-controlled information except in situations where the Company: (i) can verify the employment of required security controls on the external system as specified in the Company's information security policy and system security plan or (ii) has approved information system connection or processing agreements with the Company entity hosting the external information system.

6. SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Contractor entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. You may describe, for example, how the Company's security awareness and training policy and procedures will be consistent with applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance.

    6.1 SECURITY TRAINING

Instructions: In place of these instructions, please describe how the Company will identify personnel that have significant information system security roles and responsibilities during the system development life cycle, document those roles and responsibilities, and provide appropriate information system security training: (i) before authorizing access to the system or performing assigned duties (ii) when required by system changes and (iii) [state appropriate frequency] thereafter. You may describe, for example, the following:


    documented procedures to facilitate the implementation of the configuration management policy

    and associated configuration management controls.

    8.1 MONITORING CONFIGURATION CHANGES

Instructions: In place of these instructions, please describe how the Company [Contractor Name] monitors changes to the information system, conducting security impact analyses to determine the effects of the changes. You may describe, for example, the following:


    9.4 INCIDENT HANDLING

Instructions: In place of these instructions, please describe how the Company will implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery. You may describe, for example, the following:


    formal% documented procedures to facilitate the implementation of the physical and

    en$ironmental protection policy and associated physical and en$ironmental protection controls.

10.2 PHYSICAL ACCESS AUTHORIZATIONS

Instructions: In place of these instructions, please describe how the Company will develop and keep current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible) and issues appropriate authorization credentials. You may describe, for example, the following:


11. CONTINGENCY PLANNING AND OPERATION

    11.1 CONTINGENCY PLANNING POLICY AND PROCEDURES

Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Company entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. You may describe, for example, how the Company's contingency planning policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.

    11.2 CONTINGENCY PLAN

Instructions: In place of these instructions, please describe how the Company will develop and implement a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure. You may describe, for example, how designated officials within the Company will review and approve the contingency plan and distribute copies of the plan to key contingency personnel.

    11.3 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

Instructions: In place of these instructions, please describe how the Company will employ mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to a known secure state after a disruption or failure.

12. SYSTEM AND COMMUNICATIONS PROTECTIONS

    12.1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES

Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Company entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls. You may describe, for example, how the Company's system and communications protection policy and procedures will be consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.

13. APPLICATION PARTITIONING (IF APPLICABLE)

Instructions: In place of these instructions, please describe how the Company's information system will separate user functionality (including user interface services) from information system management functionality. You may describe, for example, how the Company's information system will physically or logically separate user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Note: Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

    13.1 INFORMATION REMNANCE

Instructions: In place of these instructions, please describe how the Company's information system will prevent unauthorized and unintended information transfer via shared system resources. You may describe, for example, how the Company will control information system remnance, sometimes referred to as object reuse, or data remnance, in order to prevent information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.

    13.2 DENIAL OF SERVICE PROTECTION

Instructions: In place of these instructions, please describe how the Company's information system will protect against or limit the effects of the following types of denial of service attacks: [please list types of denial of service attacks or reference a source for the current list]. You may also describe, for example, the following:


encrypted tunnels) arranged in an effective architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ).


name/address resolution information obtained through the service. Note: a domain name system (DNS) server is an example of an information system that provides name/address resolution service; digital signatures and cryptographic keys are examples of additional artifacts; and DNS resource records are examples of authoritative data.

13.12 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE

Instructions: In place of these instructions, please describe how the Company's information systems will collectively provide name/address resolution service for the Company that is fault tolerant and implements role separation. You may describe, for example, the following:


    14.2 CONTROLLED MAINTENANCE

Instructions: In place of these instructions, please describe how the Company will schedule, perform, document, and review records of routine preventative and regular maintenance (including repairs) on the components of the information system in accordance with manufacturer or vendor specifications and/or Company requirements. You may describe, for example, the following:


Instructions: In place of these instructions, please describe how the Company will authorize, monitor, and control any remotely executed maintenance and diagnostic activities, if employed. You may describe, for example, the following:


15. MEDIA PROTECTION

    15.1 MEDIA PROTECTION POLICY AND PROCEDURES

Instructions: In place of these instructions, please describe how the Company will develop, disseminate, and periodically review/update: (i) a formal, documented, media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among Company entities, and compliance and (ii) formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls. You may describe, for example, how the Company's media protection policy and procedures will be consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.

    15.2 MEDIA ACCESS

Instructions: In place of these instructions, please describe how the Company will (i) restrict access to information system media to authorized individuals and (ii) employ automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.

15.3 MEDIA SANITIZATION AND DISPOSAL

Instructions: In place of these instructions, please describe how the Company will sanitize information system media, both digital and non-digital, prior to disposal or release for reuse. You may describe, for example, the following:


ATTACHMENT 1 - NETWORK DIAGRAM


ATTACHMENT 2 - EXPORT RELEASE FORMS


ATTACHMENT 4 - ECP REVISION LOG

Date | Revision | Paragraph | Description of Change | Person (Company if Applicable) | Update Requires Approval by DSS in accordance with ECP Section [illegible] (Yes/No)