
SC-37 OUT-OF-BAND CHANNELS


Overview

Number: SC-37
Title: Out-Of-Band Channels
Impact: (none listed)
Priority: P0
Subject Area: System And Communications Protection

Instructions
The organization employs [Assignment: organization-defined out-of-band channels] for the physical delivery or electronic transmission of [Assignment: organization-defined information, information system components, or devices] to [Assignment: organization-defined individuals or information systems].
Guidance
Out-of-band channels include, for example, local (nonnetwork) accesses to information systems, network paths physically separate from network paths used for operational traffic, or nonelectronic paths such as the US Postal Service. This is in contrast with using the same channels (i.e., in-band channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability/exposure as in-band channels, and hence the confidentiality, integrity, or availability compromises of in-band channels will not compromise the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of many organizational items including, for example, identifiers/authenticators, configuration management changes for hardware, firmware, or software, cryptographic key management information, security updates, system/data backups, maintenance information, and malicious code protection updates.

Enhancements
SC-37 (1) Ensure Delivery / Transmission
Techniques and/or methods employed by organizations to ensure that only designated information systems or individuals receive particular information, system components, or devices include, for example, sending authenticators via courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt.

The organization employs [Assignment: organization-defined security safeguards] to ensure that only [Assignment: organization-defined individuals or information systems] receive the [Assignment: organization-defined information, information system components, or devices].