SC-37: Out-of-band Channels

RMF Control SC-37: Out-of-band Channels requires organizations to establish and maintain out-of-band channels for the physical delivery or electronic transmission of information, system components, or devices to designated individuals or information systems. Out-of-band channels are communication paths that are separate from the normal operational channels of an information system. This separation helps to protect organizations from security incidents that may affect the normal operational channels.

Supplemental Guidance

The Risk Management Framework (RMF) is a cybersecurity framework that provides a process for managing cybersecurity risk to systems and organizations. RMF Control SC-37: Out-of-band Channels is one of the controls in the SC family, which addresses system and communications protection.

Out-of-band channels are important for a number of reasons. First, they provide a backup communication path in case the normal operational channels are unavailable or compromised. Second, they can be used to transmit sensitive information without having to expose it to the normal operational channels. Third, they can be used to implement security controls, such as multi-factor authentication and two-factor authentication.

Benefits of Implementing RMF Control SC-37

There are a number of benefits to implementing RMF Control SC-37, including:

• Improved security posture: Out-of-band channels can help organizations to improve their security posture by providing a backup communication path in case the normal operational channels are unavailable or compromised and by providing a way to transmit sensitive information without having to expose it to the normal operational channels.
• Reduced risk of security incidents: Out-of-band channels can help to reduce the risk of security incidents by making it more difficult for attackers to compromise the organization’s information systems.
• Improved compliance: Many regulations require organizations to have out-of-band channels in place.

How to Implement RMF Control SC-37

To implement RMF Control SC-37, organizations should:

1. Identify the information, system components, or devices that need to be protected using out-of-band channels.
2. Identify the individuals or information systems that need to receive the information, system components, or devices.
3. Establish and maintain out-of-band channels for the physical delivery or electronic transmission of the information, system components, or devices to the designated individuals or information systems.
4. Monitor the out-of-band channels to ensure that they are available and secure.

Examples of Out-of-Band Channels

Some examples of out-of-band channels include:

• Courier services: Courier services can be used to physically deliver information, system components, or devices to designated individuals or information systems.
• Encrypted email: Encrypted email can be used to electronically transmit sensitive information to designated individuals or information systems.
• Secure file transfer protocols (SFTPs): SFTPs can be used to electronically transfer files to designated individuals or information systems.
• Satellite communications: Satellite communications can be used to provide a backup communication path in case the normal operational channels are unavailable or compromised.

Conclusion

RMF Control SC-37: Out-of-band Channels is an important control that can help organizations to improve their security posture, reduce the risk of security incidents, and improve compliance. By implementing RMF Control SC-37, organizations can establish and maintain out-of-band channels for the physical delivery or electronic transmission of information, system components, or devices to designated individuals or information systems.

Additional Tips for Implementing RMF Control SC-37

• Use multiple out-of-band channels: Organizations should use multiple out-of-band channels to reduce the risk of a single point of failure.
• Test the out-of-band channels regularly: Organizations should test the out-of-band channels regularly to ensure that they are available and secure.
• Document the out-of-band channels: Organizations should document the out-of-band channels so that employees know how to use them in the event of a security incident.