Red Hat Virtualization Host - System and Communications Protection

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control Name Status
SC-1 System And Communications Protection Policy And Procedures    not applicable
SC-2 Application Partitioning
SC-2 (1) Interfaces For Non-Privileged Users
SC-3 Security Function Isolation
SC-3 (1) Hardware Separation
SC-3 (2) Access / Flow Control Functions
SC-3 (3) Minimize Nonsecurity Functionality
SC-3 (4) Module Coupling And Cohesiveness
SC-3 (5) Layered Structures
SC-4 Information In Shared Resources
SC-4 (1) Security Levels
SC-4 (2) Periods Processing
SC-5 Denial Of Service Protection    not applicable
SC-5 (1) Restrict Internal Users
SC-5 (2) Excess Capacity / Bandwidth / Redundancy
SC-5 (3) Detection / Monitoring
SC-6 Resource Availability
SC-7 Boundary Protection    not applicable
SC-7 (1) Physically Separated Subnetworks
SC-7 (2) Public Access
SC-7 (3) Access Points
SC-7 (4) External Telecommunications Services
SC-7 (5) Deny By Default / Allow By Exception
SC-7 (6) Response To Recognized Failures
SC-7 (7) Prevent Split Tunneling For Remote Devices
SC-7 (8) Route Traffic To Authenticated Proxy Servers
SC-7 (9) Restrict Threatening Outgoing Communications Traffic
SC-7 (10) Prevent Unauthorized Exfiltration
SC-7 (11) Restrict Incoming Communications Traffic
SC-7 (12) Host-Based Protection
SC-7 (13) Isolation Of Security Tools / Mechanisms / Support Components
SC-7 (14) Protects Against Unauthorized Physical Connections
SC-7 (15) Route Privileged Network Accesses
SC-7 (16) Prevent Discovery Of Components / Devices
SC-7 (17) Automated Enforcement Of Protocol Formats
SC-7 (18) Fail Secure
SC-7 (19) Blocks Communication From Non-Organizationally Configured Hosts
SC-7 (20) Dynamic Isolation / Segregation
SC-7 (21) Isolation Of Information System Components
SC-7 (22) Separate Subnets For Connecting To Different Security Domains
SC-7 (23) Disable Sender Feedback On Protocol Validation Failure
SC-8 Transmission Confidentiality And Integrity
SC-8 (1) Cryptographic Or Alternate Physical Protection
SC-8 (2) Pre / Post Transmission Handling
SC-8 (3) Cryptographic Protection For Message Externals
SC-8 (4) Conceal / Randomize Communications
SC-9 Transmission Confidentiality
SC-10 Network Disconnect
SC-11 Trusted Path
SC-11 (1) Logical Isolation
SC-12 Cryptographic Key Establishment And Management    complete
SC-12 (1) Availability
SC-12 (2) Symmetric Keys
SC-12 (3) Asymmetric Keys
SC-12 (4) PKI Certificates
SC-12 (5) PKI Certificates / Hardware Tokens
SC-13 Cryptographic Protection    complete
SC-13 (1) FIPS-Validated Cryptography
SC-13 (2) NSA-Approved Cryptography
SC-13 (3) Individuals Without Formal Access Approvals
SC-13 (4) Digital Signatures
SC-14 Public Access Protections
SC-15 Collaborative Computing Devices    not applicable
SC-15 (1) Physical Disconnect
SC-15 (2) Blocking Inbound / Outbound Communications Traffic
SC-15 (3) Disabling / Removal In Secure Work Areas
SC-15 (4) Explicitly Indicate Current Participants
SC-16 Transmission Of Security Attributes
SC-16 (1) Integrity Validation
SC-17 Public Key Infrastructure Certificates
SC-18 Mobile Code
SC-18 (1) Identify Unacceptable Code / Take Corrective Actions
SC-18 (2) Acquisition / Development / Use
SC-18 (3) Prevent Downloading / Execution
SC-18 (4) Prevent Automatic Execution
SC-18 (5) Allow Execution Only In Confined Environments
SC-19 Voice Over Internet Protocol
SC-20 Secure Name / Address Resolution Service (Authoritative Source)    not applicable
SC-20 (1) Child Subspaces
SC-20 (2) Data Origin / Integrity
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)    complete
SC-21 (1) Data Origin / Integrity
SC-22 Architecture And Provisioning For Name / Address Resolution Service    not applicable
SC-23 Session Authenticity
SC-23 (1) Invalidate Session Identifiers At Logout
SC-23 (2) User-Initiated Logouts / Message Displays
SC-23 (3) Unique Session Identifiers With Randomization
SC-23 (4) Unique Session Identifiers With Randomization
SC-23 (5) Allowed Certificate Authorities
SC-24 Fail In Known State
SC-25 Thin Nodes
SC-26 Honeypots
SC-26 (1) Detection Of Malicious Code
SC-27 Platform-Independent Applications
SC-28 Protection Of Information At Rest
SC-28 (1) Cryptographic Protection
SC-28 (2) Off-Line Storage
SC-29 Heterogeneity
SC-29 (1) Virtualization Techniques
SC-30 Concealment And Misdirection
SC-30 (1) Virtualization Techniques
SC-30 (2) Randomness
SC-30 (3) Change Processing / Storage Locations
SC-30 (4) Misleading Information
SC-30 (5) Concealment Of System Components
SC-31 Covert Channel Analysis
SC-31 (1) Test Covert Channels For Exploitability
SC-31 (2) Maximum Bandwidth
SC-31 (3) Measure Bandwidth In Operational Environments
SC-32 Information System Partitioning
SC-33 Transmission Preparation Integrity
SC-34 Non-Modifiable Executable Programs
SC-34 (1) No Writable Storage
SC-34 (2) Integrity Protection / Read-Only Media
SC-34 (3) Hardware-Based Protection
SC-35 Honeyclients
SC-36 Distributed Processing And Storage
SC-36 (1) Polling Techniques
SC-37 Out-Of-Band Channels
SC-37 (1) Ensure Delivery / Transmission
SC-38 Operations Security
SC-39 Process Isolation    complete
SC-39 (1) Hardware Separation
SC-39 (2) Thread Isolation
SC-40 Wireless Link Protection
SC-40 (1) Electromagnetic Interference
SC-40 (2) Reduce Detection Potential
SC-40 (3) Imitative Or Manipulative Communications Deception
SC-40 (4) Signal Parameter Identification
SC-41 Port And I/O Device Access
SC-42 Sensor Capability And Data
SC-42 (1) Reporting To Authorized Individuals Or Roles
SC-42 (2) Authorized Use
SC-42 (3) Prohibit Use Of Devices
SC-43 Usage Restrictions
SC-44 Detonation Chambers
SC-1: System And Communications Protection Policy And Procedures

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
   1. System and communications protection policy [Assignment: organization-defined frequency]; and
   2. System and communications protection procedures [Assignment: organization-defined frequency].

SC-1 Control Response Information
Implementation Status: not applicable

SC-1: What is the solution and how is it implemented?
SC-1(a):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SC-1(b):

‘This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).’

SC-2: Application Partitioning

“The information system separates user functionality (including user interface services) from information system management functionality.”

SC-2 Control Response Information
Implementation Status:
SC-2: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.
SC-2 (1): Interfaces For Non-Privileged Users

“The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.”

SC-2 (1) Control Response Information
Implementation Status:
SC-2 (1): What is the solution and how is it implemented?