catalog: SP800-53rev3 / class: Technical / family: (SC) System and Communications Protection

  SC-05: Denial of Service Protection  

base control objective:
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

supplemental objective information:
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, boundary protection devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks. Employing increased capacity and bandwidth combined with service redundancy may reduce the susceptibility to some denial of service attacks. Related control SC-7.

enhancements to the base objective:

(1) The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.

(2) The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

(3) The information system fails securely.
Enhancement Supplemental Guidance: Fail secure is a condition achieved by the application of a set of information system mechanisms to ensure that, in the event of an operational failure of a boundary protection device at a managed interface (e.g., router, firewall, guard, application gateway residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ), no information external to the interconnected information system enters the system. An operational failure may be related to the failure of any process, service, or mechanism (hardware or software). A failure of any kind in a boundary protection device cannot lead to, or cause, information external to the boundary protection device to enter the device, nor can a failure permit unauthorized information release.

mapping to FIPS199 baseline:

  LOW: base     MOD: base     HIGH: base  

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for SC-05:

Document        Date             Status    Title
NIST SP800-44   September 2002   current   Guidelines on Securing Public Web Servers
NIST SP800-54   September 2006   DRAFT     Border Gateway Protocol Security
NIST SP800-81   August 2010      current   Secure Domain Name System (DNS) Deployment Guide
NIST SP800-94   August 2006      DRAFT     Guide to Intrusion Detection and Prevention Systems (IDPS)
NIST SP800-95   August 2006      DRAFT     Guide to Secure Web Services
