SC-37 Out-of-band Channels
Employ the following out-of-band channels for the physical delivery or electronic transmission of sc-37_odp.02 to sc-37_odp.03: sc-37_odp.01.
| Parameter ID | Definition |
|---|---|
| sc-37_odp.01 | out-of-band channels |
| sc-37_odp.02 | information, system components, or devices |
| sc-37_odp.03 | individuals or systems |
Baselines
- L
- M
- H
- P
Guidance
Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates. For example, cryptographic keys for encrypted files are delivered using a different channel than the file.
References 3
- SP 800-57-1 Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5.
- SP 800-57-2 Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1.
- SP 800-57-3 Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1.
Control Enhancements 1
Related controls 12
- AC-02 Account Management L M H P
- CM-03 Configuration Change Control L M H P
- CM-05 Access Restrictions for Change L M H P
- CM-07 Least Functionality L M H P
- IA-02 Identification and Authentication (Organizational Users) L M H P
- IA-04 Identifier Management L M H P
- IA-05 Authenticator Management L M H P
- MA-04 Nonlocal Maintenance L M H P
- SC-12 Cryptographic Key Establishment and Management L M H P
- SI-03 Malicious Code Protection L M H P
- SI-04 System Monitoring L M H P
- SI-07 Software, Firmware, and Information Integrity L M H P