compliance controls are associated with this Policy definition 'Implement a fault tolerant name/address service' (ced727b3-005e-3c5b-5cd5-230b79d56ee8)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SC-20 |
FedRAMP_High_R4_SC-20 |
FedRAMP High SC-20 |
System And Communications Protection |
Secure Name / Address Resolution Service (Authoritative Source) |
Shared |
n/a |
The information system:
a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.
References: OMB Memorandum 08-23; NIST Special Publication 800-81. |
link |
2 |
| FedRAMP_High_R4 |
SC-21 |
FedRAMP_High_R4_SC-21 |
FedRAMP High SC-21 |
System And Communications Protection |
Secure Name / Address Resolution Service (Recursive Or Caching Resolver) |
Shared |
n/a |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22.
References: NIST Special Publication 800-81. |
link |
2 |
| FedRAMP_High_R4 |
SC-22 |
FedRAMP_High_R4_SC-22 |
FedRAMP High SC-22 |
System And Communications Protection |
Architecture And Provisioning For Name / Address Resolution Service |
Shared |
n/a |
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Supplemental Guidance: Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including
the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24.
Control Enhancements: None.
References: NIST Special Publication 800-81. |
link |
1 |
| FedRAMP_Moderate_R4 |
SC-20 |
FedRAMP_Moderate_R4_SC-20 |
FedRAMP Moderate SC-20 |
System And Communications Protection |
Secure Name / Address Resolution Service (Authoritative Source) |
Shared |
n/a |
The information system:
a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.
References: OMB Memorandum 08-23; NIST Special Publication 800-81. |
link |
2 |
| FedRAMP_Moderate_R4 |
SC-21 |
FedRAMP_Moderate_R4_SC-21 |
FedRAMP Moderate SC-21 |
System And Communications Protection |
Secure Name /Address Resolution Service (Recursive Or Caching Resolver) |
Shared |
n/a |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22.
References: NIST Special Publication 800-81. |
link |
2 |
| FedRAMP_Moderate_R4 |
SC-22 |
FedRAMP_Moderate_R4_SC-22 |
FedRAMP Moderate SC-22 |
System And Communications Protection |
Architecture And Provisioning For Name/Address Resolution Service |
Shared |
n/a |
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Supplemental Guidance: Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including
the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24.
Control Enhancements: None.
References: NIST Special Publication 800-81. |
link |
1 |
| hipaa |
0832.09m3Organizational.14-09.m |
hipaa-0832.09m3Organizational.14-09.m |
0832.09m3Organizational.14-09.m |
08 Network Protection |
0832.09m3Organizational.14-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization uses at least two DNS servers located on different subnets, which are geographically separated and perform different roles (internal and external) to eliminate single points of failure and enhance redundancy. |
|
3 |
| hipaa |
0871.09m3Organizational.22-09.m |
hipaa-0871.09m3Organizational.22-09.m |
0871.09m3Organizational.22-09.m |
08 Network Protection |
0871.09m3Organizational.22-09.m 09.06 Network Security Management |
Shared |
n/a |
Authoritative DNS servers are segregated into internal and external roles. |
|
4 |
| hipaa |
0926.09v1Organizational.2-09.v |
hipaa-0926.09v1Organizational.2-09.v |
0926.09v1Organizational.2-09.v |
09 Transmission Protection |
0926.09v1Organizational.2-09.v 09.08 Exchange of Information |
Shared |
n/a |
Approvals are obtained prior to using external public services, including instant messaging or file sharing. |
|
5 |
| hipaa |
0929.09v1Organizational.6-09.v |
hipaa-0929.09v1Organizational.6-09.v |
0929.09v1Organizational.6-09.v |
09 Transmission Protection |
0929.09v1Organizational.6-09.v 09.08 Exchange of Information |
Shared |
n/a |
The organization never sends unencrypted sensitive information by end-user messaging technologies (e.g., email, instant messaging, and chat). |
|
9 |
| ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
| ISO27001-2013 |
A.13.1.3 |
ISO27001-2013_A.13.1.3 |
ISO 27001:2013 A.13.1.3 |
Communications Security |
Segregation of networks |
Shared |
n/a |
Groups of information services, users, and information systems shall be segregated on networks. |
link |
17 |
| ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
| ISO27001-2013 |
A.13.2.3 |
ISO27001-2013_A.13.2.3 |
ISO 27001:2013 A.13.2.3 |
Communications Security |
Electronic messaging |
Shared |
n/a |
Information involved in electronic messaging shall be appropriately protected. |
link |
10 |
| ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
| ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
| ISO27001-2013 |
A.8.2.3 |
ISO27001-2013_A.8.2.3 |
ISO 27001:2013 A.8.2.3 |
Asset Management |
Handling of assets |
Shared |
n/a |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
link |
26 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.info.4 Time stamps |
mp.info.4 Time stamps |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-53_R4 |
SC-20 |
NIST_SP_800-53_R4_SC-20 |
NIST SP 800-53 Rev. 4 SC-20 |
System And Communications Protection |
Secure Name /Address Resolution Service (Authoritative Source) |
Shared |
n/a |
The information system:
a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
Supplemental Guidance: This control enables external clients including, for example, remote Internet clients, to obtain origin authentication and integrity verification assurances for the host/service name to network address resolution information obtained through the service. Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. Additional artifacts include, for example, DNS Security (DNSSEC) digital signatures and cryptographic keys. DNS resource records are examples of authoritative data. The means to indicate the security status of child zones includes, for example, the use of delegation signer resource records in the DNS. The DNS security controls reflect (and are referenced from) OMB Memorandum 08-23. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to assure the authenticity and integrity of response data. Related controls: AU-10, SC-8, SC-12, SC-13, SC-21, SC-22.
References: OMB Memorandum 08-23; NIST Special Publication 800-81. |
link |
2 |
| NIST_SP_800-53_R4 |
SC-21 |
NIST_SP_800-53_R4_SC-21 |
NIST SP 800-53 Rev. 4 SC-21 |
System And Communications Protection |
Secure Name /Address Resolution Service (Recursive Or Caching Resolver) |
Shared |
n/a |
The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Supplemental Guidance: Each client of name resolution services either performs this validation on its own, or has authenticated channels to trusted validation providers. Information systems that provide name and address resolution services for local clients include, for example, recursive resolving or caching domain name system (DNS) servers. DNS client resolvers either perform validation of DNSSEC signatures, or clients use authenticated channels to recursive resolvers that perform such validations. Information systems that use technologies other than the DNS to map between host/service names and network addresses provide other means to enable clients to verify the authenticity and integrity of response data. Related controls: SC-20, SC-22.
References: NIST Special Publication 800-81. |
link |
2 |
| NIST_SP_800-53_R4 |
SC-22 |
NIST_SP_800-53_R4_SC-22 |
NIST SP 800-53 Rev. 4 SC-22 |
System And Communications Protection |
Architecture And Provisioning For Name/Address Resolution Service |
Shared |
n/a |
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
Supplemental Guidance: Information systems that provide name and address resolution services include, for example, domain name system (DNS) servers. To eliminate single points of failure and to enhance redundancy, organizations employ at least two authoritative domain name system servers, one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks including
the Internet). Organizations specify clients that can access authoritative DNS servers in particular roles (e.g., by address ranges, explicit lists). Related controls: SC-2, SC-20, SC-21, SC-24.
Control Enhancements: None.
References: NIST Special Publication 800-81. |
link |
1 |
| NIST_SP_800-53_R5 |
SC-20 |
NIST_SP_800-53_R5_SC-20 |
NIST SP 800-53 Rev. 5 SC-20 |
System and Communications Protection |
Secure Name/address Resolution Service (authoritative Source) |
Shared |
n/a |
a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. |
link |
2 |
| NIST_SP_800-53_R5 |
SC-21 |
NIST_SP_800-53_R5_SC-21 |
NIST SP 800-53 Rev. 5 SC-21 |
System and Communications Protection |
Secure Name/address Resolution Service (recursive or Caching Resolver) |
Shared |
n/a |
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. |
link |
2 |
| NIST_SP_800-53_R5 |
SC-22 |
NIST_SP_800-53_R5_SC-22 |
NIST SP 800-53 Rev. 5 SC-22 |
System and Communications Protection |
Architecture and Provisioning for Name/address Resolution Service |
Shared |
n/a |
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation. |
link |
1 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |