System and Communications Protection Plan

Approach basics → §4.x

Tooling and one-line summaries that anchor the rest of the plan.

Boundary protection tooling (one-liner) * Primary boundary defense (e.g., 'Palo Alto NGFW + AWS Network Firewall + AWS WAF', 'Cisco Firepower + ACI segmentation', 'Azure Firewall Premium + App Gateway WAF').

Encryption in transit (one-liner) * TLS terminator(s) + version policy (e.g., 'TLS 1.3 enforced at AWS ALB; TLS 1.2 minimum on internal mTLS via Istio').

Encryption at rest (one-liner) * Mechanisms protecting data at rest (e.g., 'AWS KMS-managed CMKs for EBS / S3 / RDS; LUKS for on-prem; SQL TDE for legacy DB').

Key management system (one-liner) * Cryptographic key custody (e.g., 'AWS KMS (FIPS 140-2 L3 HSM-backed) for app data; HashiCorp Vault for secrets; internal CA for mTLS certificates').

FIPS 140-3 validation evidence location Where FIPS 140-3 / 140-2 validation certificates are tracked (e.g., 'Cryptographic-inventory register in GRC tool; vendor CMVP certs filed at /repo/compliance/crypto/').

DNS protection summary (one-liner) Brief phrase summarizing DNS integrity / DNSSEC / DoH posture. Detail goes in the Name Resolution sub-section.

Boundary Protection (SC-7) → §4.x

Network boundary architecture, ingress / egress controls, and managed interfaces.

Boundary topology summary Where the authorization boundary sits relative to the internet, partner networks, and other systems. DMZ structure, public subnets, private subnets, transit gateway, etc. Reference an architecture diagram if maintained.

Managed interfaces (SC-7(3))

Public-facing web (WAF + ALB) Public-facing API gateway Site-to-site VPN Client VPN / ZTNA Partner-network direct connect Reverse proxy / bastion Mail gateway DNS forwarder Outbound proxy / SWG

Default-deny enforcement — Select — Default deny on ingress and egress (SC-7(5) full) Default deny ingress, monitored egress (SC-7(5) ingress only) Allowlist-only outbound (high-assurance) Stateful inspection without strict default deny

Egress filtering approach (SC-7(4) / SC-7(5)) How outbound traffic is restricted: allowlisted destinations, DNS-based egress filtering (e.g., AWS Route 53 Resolver DNS Firewall), proxy-enforced URL category filtering, SNI inspection.

Split-tunneling restriction (SC-7(7)) — Select — Split-tunneling prohibited (all traffic tunneled) Split-tunneling allowed only for specific allowlisted destinations Split-tunneling allowed (with documented risk acceptance) Not applicable (no remote access tunnels in this system)

External telecom routing (SC-7(8)) How traffic to external organizations or networks is routed through proxies / gateways for inspection. Reference any TIC / TIC 3.0 alignment for federal systems.

Boundary-rule change review Cadence at which boundary-policy / firewall-rule sets are reviewed for stale or overly permissive rules (e.g., 'Quarterly NIPR review; immediate review on any expedited add').

Transmission Protection (SC-8) → §4.x

TLS / mTLS / IPsec coverage, version policy, and inspection.

Minimum TLS version (external) — Select — TLS 1.3 TLS 1.2 TLS 1.2 with HSTS preload

Internal traffic TLS posture — Select — mTLS enforced on all internal east-west traffic (zero trust) TLS enforced on all internal traffic (one-way auth) TLS enforced for service-to-service; cleartext only on isolated control plane Mixed (documented exceptions)

Cipher / curve policy Approved ciphers and elliptic curves (e.g., 'TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256; ECDH curves P-256 / P-384'). Reference NIST SP 800-52 r2.

TLS certificate source

Public CA (Let's Encrypt / DigiCert / etc.) AWS Certificate Manager (ACM) Internal CA (enterprise PKI) GovTLS / federal CA Self-signed (development only)

TLS inspection / break-and-inspect Whether and how outbound TLS is inspected for malware / DLP. Boundary location of break-and-inspect; PKI trust establishment on endpoints; bypass list for sensitive destinations (banking, healthcare).

Legacy cleartext traffic register Any cleartext flows that remain (e.g., legacy SCADA, isolated test net). Compensating controls and POA&M reference.

Cryptographic Key Establishment & Management (SC-12) → §4.x

Key lifecycle: generation, distribution, storage, rotation, destruction.

Key generation method — Select — FIPS 140-3 / 140-2 validated HSM FIPS 140-3 / 140-2 validated software module Cloud KMS (FIPS-validated) Mixed (HSM for high-assurance keys; software module otherwise)

Key storage protection How key material is protected at rest. HSM-backed, sealed by KMS, escrow process. Reference NIST SP 800-57 Part 1 §6 for storage requirements.

Rotation policy by key class Rotation frequency by key class. Example: 'Customer master keys: annual; data encryption keys: per-object; signing keys: 2 years (overlapping); session keys: per-session; TLS certificates: 90 days (Let's Encrypt) / 1 year (internal CA).'

Key compromise recovery procedure Steps when a key is suspected compromised. Revocation of dependent certs, rotation of dependent secrets, notification to stakeholders. Reference IR plan for incident handling.

Key destruction method How keys are destroyed at end of life. Cryptographic erasure for cloud KMS, zeroize commands for HSM, NIST SP 800-88 r1 sanitization for media holding key material.

Cryptographic key inventory location Where the cryptographic-key inventory is maintained (CMDB, GRC tool, dedicated KMS dashboard). Reference SC-13 cryptographic inventory.

FIPS 140-3 Cryptographic Protection (SC-13) → §4.x

Cryptographic module validation and inventory.

Cryptographic module inventory summary List of cryptographic modules in use with FIPS 140-3 / 140-2 certificate numbers. Example: 'OpenSSL FIPS 3.0 (CMVP #4282) for app TLS; AWS KMS HSM (CMVP #4523) for key custody; macOS CoreCrypto (CMVP #4244) for endpoint encryption.'

Validation status posture — Select — All modules FIPS 140-3 validated All modules FIPS 140-2 validated (transitioning to 140-3) Mixed validated + non-validated (with documented exceptions) Not currently FIPS-aligned (non-federal system)

Use contexts requiring FIPS validation

Authentication (passwords, tokens, SSH) Encryption in transit (TLS, IPsec, SSH) Encryption at rest (filesystem, database, object storage) Code signing Digital signature on transactions Key wrapping / key transport PRNG / random-number generation MAC / HMAC for integrity

Re-accreditation tracking How FIPS certificate expiration is tracked and re-validated modules are adopted before expiry. Lead time, owner role.

Data at Rest (SC-28) → §4.x

Encryption coverage by storage class and what's not yet protected.

Coverage by storage class

Block storage (EBS / managed disks) Object storage (S3 / Blob / GCS) Relational databases (RDS / Cloud SQL / on-prem) NoSQL databases (DynamoDB / Cosmos / Firestore) Filesystems (EFS / FSx / NFS / on-prem) Backups + snapshots Endpoint disks (laptops / mobile) Removable media Cache / queue persistence (ElastiCache / SQS / Kafka) Logs at rest

Key origin for at-rest encryption — Select — Cloud-managed (CMKs in cloud KMS) Customer-managed in cloud KMS (BYOK) Customer-held HSM (HYOK / external KMS) On-prem HSM-backed Mixed (per data classification)

Envelope-encryption strategy How DEKs and KEKs are layered. Per-object DEKs, per-tenant DEKs, per-database DEKs. KEK rotation independent of DEK rotation. Reference NIST SP 800-57 Part 1 §5 envelope encryption.

Classified / sensitive data handling If CUI / PII / classified data is in scope: special handling (separate keys, FIPS 140-3 L3, hardware-backed). Reference SI-12 for retention.

Unprotected-data register (if any) Any locations where encryption at rest is not yet applied. Compensating controls (physical security, network isolation) and POA&M reference.

Name Resolution Security (SC-20, SC-21, SC-22) → §4.x

DNSSEC, DNS forwarding, and DNS architecture.

Authoritative DNS provider Who hosts the authoritative zones for system domains (e.g., 'AWS Route 53', 'Cloudflare DNS', 'enterprise BIND clusters').

DNSSEC signing status (SC-20) — Select — DNSSEC signed on all authoritative zones DNSSEC signed on external zones only DNSSEC signed on critical zones only (with rationale) Not signed (with compensating controls and POA&M)

Recursive / caching DNS provider (SC-21) Resolver(s) used by hosts (e.g., 'AWS Route 53 Resolver with DNS Firewall', 'Cisco Umbrella', 'Quad9 with DoT').

DNSSEC validation enforcement (SC-21) — Select — Validating resolvers (DNSSEC validation enforced on lookup) Validating resolvers with permissive logging Non-validating (relies on upstream)

Internal / external DNS separation (SC-22) How internal and external DNS views are separated. Split-horizon DNS, internal-only zones, exfiltration-resistance via DNS firewall.

DoH / DoT policy Whether DNS-over-HTTPS or DNS-over-TLS is enforced or restricted. Some orgs block external DoH to retain DNS-firewall visibility.

Session Authenticity & Network Disconnect (SC-10, SC-15, SC-23) → §4.x

Session integrity, idle disconnect, and collaborative-computing controls.

Session integrity mechanism (SC-23) How session authenticity is preserved (signed JWTs, session-bound tokens, mTLS-enforced bindings, Token Binding). Anti-replay, session-fixation prevention.

Idle disconnect threshold (SC-10) Time after which an idle session is terminated. SC-10 ODV (e.g., '15 minutes for privileged sessions; 30 minutes for standard').

Maximum total session lifetime Hard cap on session duration regardless of activity (e.g., '8 hours for users; 1 hour for service-to-service tokens').

Collaborative-computing controls (SC-15) Camera / microphone / screen-share controls. Whether SC-15 ODV requires explicit indication when active. Common with VTC, Teams / Zoom integrations.

Session revocation mechanism How sessions can be invalidated globally (compromise scenario): token-version increment, denylist cache, force-logout, OAuth refresh-token revocation.

Mobile Code (SC-18) → §4.x

Restrictions on JavaScript / WASM / mobile applets / browser extensions.

Mobile-code technologies in scope

Browser JavaScript (server-rendered + client-side) Browser WebAssembly (WASM) Browser extensions (Chrome / Edge / Firefox) Java applets (legacy) Adobe Flash (legacy — should be eliminated) Microsoft ActiveX (legacy) Office macros (VBA) PostScript / PDF JavaScript Mobile applications (iOS / Android)

Authorized mobile-code list What mobile code is authorized to run in the system, by source / origin / trust level. Allowlist sources.

Content Security Policy (CSP) posture If browser-facing: CSP policy summary. Strict-source vs nonce/hash, frame-ancestors, blocking inline scripts. Reference OWASP guidance.

Office macro policy — Select — Office macros disabled by GPO (allowlist signed only) Office macros disabled (no exceptions) Macros allowed with warning prompt (legacy) Not applicable (no Office in environment)

Architectural Protections (SC-2, SC-3, SC-4, SC-39) → §4.x

Process isolation, separation of system and user functionality.

User vs admin function separation (SC-2) How user and admin functionality are separated (different ports, different hosts, different identity domains, different management VLAN).

Security-function isolation (SC-3) How security-relevant functions are isolated from non-security functions. Privilege rings, hypervisor / container boundaries, separate management plane.

Shared-resource handling (SC-4) How information in shared system resources (memory, scratch disk, cache) is prevented from leaking between users / processes. Object reuse, memory-zeroing, cache partitioning.

Process-isolation mechanism (SC-39) — Select — Hypervisor virtualization (VMs) OS-level virtualization (containers) Process-level (separate OS users / namespaces) Microkernel / capability-based OS Unikernel / language-runtime sandbox Mixed (per workload)

Denial-of-Service Protection (SC-5) → §4.x

DoS / DDoS resilience for availability.

DoS threats in scope

Volumetric (bandwidth saturation) Protocol (SYN flood, fragmented packets) Application-layer (HTTP flood, slowloris) Authentication-layer (credential stuffing → lockout) Resource-exhaustion (CPU, memory, connection pool) Algorithmic (hash collision, ReDoS) Cryptographic-key DoS (asymmetric key wear)

DoS mitigation mechanisms

DDoS-protection service (AWS Shield / Cloudflare / Azure DDoS Protection) WAF rate-limiting API gateway throttling Connection-rate caps at boundary Auto-scaling for elasticity Circuit breakers in app code Request-size + timeout limits Caching / CDN absorption Tar-pitting / temporary blackhole

DoS runbook reference Pointer to the DoS-response runbook in the IR plan / wiki. Activation criteria, escalation path.

Protection Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Endpoints / services with TLS requirement Approximate count of services that must serve TLS (informs TLS coverage rate in metrics).

Active certificate count Approximate count of active TLS / signing certificates managed by the system.

Data-at-rest volume (approximate) Total volume of data at rest under encryption (e.g., '50 TB across S3 + RDS + EFS').

Managed-interface count at boundary Approximate count of managed interfaces at the authorization boundary (informs SC-7(3) summary).

Communications-Protection Metrics & KPIs → §6.x

Metrics tracked to demonstrate SC control effectiveness.

Tracked metrics

Add item

Suggested: + TLS coverage rate (% of services serving TLS minimum version) + Certificate-expiration lead time (mean days from alert to renewal) + Expired-certificate incidents per quarter (target: 0) + FIPS-validated module coverage (% of crypto operations on validated modules) + Boundary alarm volume (per day; trend) + Boundary alarm signal-to-noise ratio + DNSSEC-signed zone coverage rate + DNSSEC validation-failure rate + Key-rotation SLA compliance (% rotated within policy) + Encryption-at-rest coverage rate (% of storage volume encrypted) + Open POA&M items linked to SC controls

Boundary Coverage Verification → §6.x

How the org continuously verifies SC boundary tooling is correctly deployed.

Boundary-inventory reconciliation cadence How often the documented boundary diagram is reconciled with actual deployed firewalls / SGs / WAFs.

Boundary-rule review cadence How often firewall rule sets are reviewed for stale, overly permissive, or deprecated rules.

Certificate-inventory reconciliation cadence How often certificate inventory is reconciled (CT logs, ACM, internal CA exports). Detects shadow / orphan certs.

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the SC control implementations are summarized (e.g., 'SSP §13.13').

POA&M ID prefix for SC findings Convention for SC-related POA&M items (e.g., 'POAM-SC-' for general; 'POAM-SC7-' for boundary findings).

CM change-workflow integration How boundary / TLS / cryptographic configuration changes route through CM-3 change control. Emergency-bypass for incident response.

SI-4 monitoring handoff How SC-7 boundary alarms (denied connections, fail-secure events, anomalous flows) feed the SI-4 monitoring pipeline.

AU event handoff How cryptographic-key-management events, certificate-issuance events, and boundary-incident events flow into the audit pipeline.

IA-5 authenticator dependency Where IA-5 authenticator material relies on SC-12 key establishment (PIV cert issuance, FIDO-key attestation, mTLS service identity).

CP recovery dependency Where CP recovery procedures depend on SC key material (KMS keys must be available for backup decryption; HSM partition restoration during DR).

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying SC continuous-monitoring metrics to the broader ConMon plan.