1913 System and Communications Protection Policy


Department of Human Services
Online Directives Information System

Index: POL1913

Revised: 06/02/2025

Next Review: 06/02/2027

Subject: DHS Information Security Policies

Policy

This policy establishes the Enterprise System and Communications Protection Policy for managing risks from vulnerable system configurations, denial of service, and data communication and transfer by establishing an effective System and Communications Protection program. The system and communications protection program helps DHS implement security best practices with regard to system configuration, data communication and transfer.

Authority

  1. United States Department of Commerce National Institute for Standards and Technology (NIST)

  2. United States Internal Revenue Service

  3. United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)

  4. United States Department of Health & Human Services - Centers for Medicare & Medicaid Services (CMS)

  5. Georgia Technology Authority

  6. Social Security Administration

  7. Federal Bureau of Investigation (Criminal Justice Information Services)

References

Applicability

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.

Definitions

None

Responsibilities

DHS shall adopt the System and Communications Protection principles established in the NIST SP 800-53 “System and Communications Protection” control family guidelines as the official policy for this domain. The following subsections outline the System and Communications Protection standards that constitute DHS policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the policy and the standards documented.

SC-1 System and Communications Protection Procedures

  1. Develop, document, and disseminate to designated agency personnel:

    1. Organization-level system and communications protection policy that:

      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

    2. Procedures to facilitate the implementation of the system and communications protection policy and the associated controls.

  2. Designate an agency official to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

  3. Review and update the current system and communications protection control:

    1. Policy every one (1) year (or if there is a significant change); and

    2. Procedures every one (1) year (or when there is a significant change).

SC-2 Application Partitioning

Separate user functionality, including user interface services, from system management functionality.

SC-2 (1) Interfaces for Non-Privileged Users:

Prevent the presentation of system management functionality at interfaces to non-privileged users.

SC-4 Information in Shared Resources

Prevent unauthorized and unintended information transfer via shared system resources.

SC-5 Denial of Service Protection

  1. Protect against the effects of the following denial-of-service event types: at a minimum, Internet Control Message Protocol (ICMP) flood, SYN flood, slowloris, buffer overflow attack, and volume attack; and

  2. Employ appropriate controls to achieve the denial-of-service objective. The Agency business unit leadership will consult with managed network service providers as appropriate to determine specific controls and types of denial-of-service events that will be addressed.

SC-5 (1) Restrict Ability to Attack Other Systems

Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: organization-defined denial-of-service attacks.

SC-5 (2) Capacity, Bandwidth, and Redundancy

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.

SC-5 (3) Detection and Monitoring

  1. Employ organization-defined monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system; and

  2. Monitor organization-defined system resources to determine if sufficient resources exist to prevent effective denial of service attacks.

SC-7 Boundary Protection

  1. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

  2. Implement subnetworks for publicly accessible system components that are physically and logically separated from internal organizational networks; and

  3. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

SSA.1:

Provides SSA with a logical network layout as part of the system authorization process.

SC-7 (3) Access Points:

Limit the number of external network connections to the system.

SC-7 (4) External Telecommunications Services:

  1. Implement a managed interface for each external telecommunication service;

  2. Establish a traffic flow policy for each managed interface;

  3. Protect the confidentiality and integrity of the information being transmitted across each interface;

  4. Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

  5. Review exceptions to the traffic flow policy at a minimum quarterly and remove exceptions that are no longer supported by an explicit mission or business need;

  6. Prevent unauthorized exchange of control plane traffic with external networks;

  7. Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

  8. Filter unauthorized control plane traffic from external networks.

SC-7 (5) Deny by Default – Allow by Exception:

Deny network communications traffic by default and allow network communications traffic by exception on information systems where CUI is accessed, processed, stored, or transmitted.

SC-7 (7) Prevent Split Tunneling for Remote Devices:

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using:

  1. Individual users shall not have the ability to configure split tunneling

  2. Auditing must be performed semi-annually on each workstation with split tunneling enabled. Auditing must include:

    1. Only those users authorized for split tunneling have it enabled in their user profile or policy object

    2. There is a continued need for split tunneling for the user

    3. Only the correct and authorized split tunneling configurations are present on the workstation

  3. Host Checking is enabled and configured on the VPN server;

    1. Ensure the OS is supported

    2. Ensure that anti-malware is installed and up to date

    3. The most current hotfixes are applied

    4. Agency-defined additional parameters

SC-7 (8) Route Traffic to Authenticated Proxy Servers:

Route internal communications traffic to external networks through authenticated proxy servers at managed interfaces.

SC-7 (9) Restrict Threatening Outgoing Communications Traffic:

  1. Detect and deny outgoing communications traffic posing a threat to external systems; and

  2. Audit the identity of internal users associated with denied communications.

SC-7 (10) Prevent Exfiltration:

  1. Prevent the exfiltration of information; and

  2. Conduct exfiltration tests at least semi-annually.

SC-7 (11) Restrict Incoming Communications Traffic:

Only allow incoming communications from agency-defined authorized sources to be routed to agency-defined authorized destinations.

SC-7 (12) Host-Based Protection:

Implement firewalls, Host Intrusion Prevention Systems (HIPS) and Host Intrusion Detection Systems (HIDS) at access points and end user equipment as appropriate.

SC-7 (15) Networked Privileged Accesses:

Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.

SC-7 (17) Automated Enforcement of Protocol Format:

Enforce adherence to protocol formats.

SC-7 (18) Fail Secure:

Prevent systems from entering unsecure states in the event of an operations failure of a boundary protection area.

SC-7 (24) Personally Identifiable Information

For systems that process Personally Identifiable Information (CUI):

  1. Apply the following processing rules to data elements of CUI: processing rules for compliance with ACA, Privacy Act, and other applicable CUI processing laws and regulations.

  2. Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;

  3. Document each processing exception; and

  4. Review and remove exceptions that are no longer supported.

SC-7 (29) Separate Subnets to Isolate Functions

Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

IRS.1:

Agencies shall implement and manage boundary protection (typically using firewalls) at trust boundaries. Each trust boundary shall be monitored and communications across each boundary shall be controlled.

IRS.2:

Agencies must block known malicious sites (inbound or outbound), as identified to the agency from US-CERT, MS-ISAC or other sources, at each Internet Access Point (unless explicit instructions are provided to agencies not to block specific sites). Blocking is to be accomplished within two business days following release of such sites.

SC-8 Transmission Confidentiality and Integrity

Protect the confidentiality and integrity of transmitted information.

SC-8 (1) Cryptographic Protection:

Implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission.

SC-8 (2) Pre- and Post-Transmission Handling:

Maintain the confidentiality and integrity of information during preparation for transmission and during reception.

IRS.1:

Agencies shall ensure appropriate transmission protections are in place commensurate with the highest sensitivity of information to be discussed over video and voice telecommunication and teleconferences.

SC-10 Network Disconnect

Terminate the network connection associated with a communications session at the end of the session or after 30 minutes of inactivity.

SC-12 Cryptographic Key Establishment and Management

The agency must establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: NIST SP 800-57, Recommendation for Key Management, for key generation, distribution, storage, access, and destruction.

SC-13 Cryptographic Protection

  1. Determine the cryptographic uses; and

  2. Implement the following types of cryptography required for each specified cryptographic use: Latest FIPS-140 validated encryption mechanism, NIST 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, Encryption in transit (payload encryption). Use of SHA-1 for digital signatures is prohibited.

SC-15 Collaborative Computing Devices

  1. Prohibit remote activation of collaborative computing devices and applications with the following exceptions: users are notified by signage of the presence of such devices; and

  2. Provide an explicit indication of use to users physically present at the devices.

SC-15 (4) Explicitly Indicate Current Participants:

Provide an explicit indication of current participants in meetings that involve CUI.

SC-17 Public Key Infrastructure Certificates

  1. Issue public key certificates under an agency-defined certificate authority or obtain public key certificates from an approved service provider; and

  2. Include only approved trust anchors in trust stores or certificate stores managed by the organization.

SC-18 Mobile Code

  1. Define acceptable and unacceptable mobile code and mobile code technologies; and

  2. Authorize, monitor, and control the use of mobile code within the system.

SC-18 (1) Identify Unacceptable Code and Take Corrective Actions:

Identify unacceptable mobile code and take corrective actions.

SC-18 (2) Acquisition, Development and Use:

Verify that the acquisition, development, and use of mobile code to be deployed in the system meets IRS Publication 1075 requirements.

SC-20 Secure Name/Address Resolution Service (Authoritative Source)

  1. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and

  2. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

SC-20 (2) Data Origin and Integrity:

Provide data origin and integrity protection artifacts for internal name/address resolution queries.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)

Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.

SC-22 Architecture and Provisioning for Name/Address Resolution Service

Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

SC-23 Session Authenticity

Protect the authenticity of communications sessions.

SC-23 (1) Invalidate Session Identifiers at Logout:

Invalidate session identifiers upon user logout or other session termination.

SC-23 (3) Unique System-Generated Session Identifiers:

Generate a unique session identifier for each session with agency-defined randomness requirements and recognize only session identifiers that are system-generated.
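As an added illustration, not part of the policy text, the following Python sketch shows one way a system can satisfy SC-23 (1) and (3) together with the SC-10 idle timeout: each identifier carries 256 bits of CSPRNG output plus an HMAC tag, so the server recognizes only identifiers it generated, and identifiers are dropped at logout or after 30 minutes of inactivity. The key source, the 256-bit size and the tag format are assumptions, not agency-defined values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed: in production the key would come from managed key storage (see SC-12).
SERVER_KEY = secrets.token_bytes(32)
ID_BYTES = 32            # 256 bits of randomness per identifier (assumed requirement)
IDLE_TIMEOUT = 30 * 60   # SC-10: terminate after 30 minutes of inactivity

_sessions = {}           # session id -> {"user": ..., "last_seen": ...}


def _tag(raw: str) -> str:
    """HMAC over the random part; proves the id was minted by this system."""
    return hmac.new(SERVER_KEY, raw.encode(), hashlib.sha256).hexdigest()


def create_session(user: str, now: Optional[float] = None) -> str:
    raw = secrets.token_hex(ID_BYTES)          # unique, unpredictable per session
    sid = f"{raw}.{_tag(raw)}"
    _sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
    return sid


def is_system_generated(sid: str) -> bool:
    """SC-23 (3): accept only identifiers whose tag verifies under our key."""
    raw, _, tag = sid.partition(".")
    if len(raw) != 2 * ID_BYTES or not tag:
        return False
    return hmac.compare_digest(_tag(raw), tag)   # constant-time comparison


def validate_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to sid, or None if forged, unknown or idle too long."""
    now = time.time() if now is None else now
    if not is_system_generated(sid):
        return None
    s = _sessions.get(sid)
    if s is None:
        return None
    if now - s["last_seen"] > IDLE_TIMEOUT:      # SC-10 inactivity disconnect
        invalidate_session(sid)
        return None
    s["last_seen"] = now
    return s["user"]


def invalidate_session(sid: str) -> None:
    """SC-23 (1): invalidate the identifier at logout or other termination."""
    _sessions.pop(sid, None)
```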

SC-23 (5) Allowed Certificate Authorities:

Only allow the use of agency-defined certificate authorities for verification of the establishment of protected sessions.

SC-28 Protection of Information at Rest

Protect the confidentiality and integrity of the following information at rest:

  1. Controlled Unclassified Information (CUI); and

  2. IT system-related information (e.g., configurations, rule sets).

SC-28 (1) Cryptographic Protection:

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of CUI at rest on end user computing systems (i.e., desktop computers, laptop computers, mobile devices, portable and removable storage devices) in non-volatile storage.

SC-39 Process Isolation

Maintain a separate execution domain for each executing process.

SC-45 System Time Synchronization

Synchronize system clocks within and between systems and system components.

SC-45 (1) Synchronization with Authoritative Time Source:

  1. Compare the internal system clocks daily with an agency-defined authoritative time source; and

  2. Synchronize the internal system clocks to the authoritative time source when the time difference is greater than the agency-defined time period.

History

Date Change User Version

Evaluation

The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:

  1. Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.

  2. Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, and FBI.