SC-31

Requirement
1. Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [Selection (one or more): storage; timing] channels; and
2. Estimate the maximum bandwidth of those channels.

Discussion

Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorized information flows across security domains, such as in the case of systems that contain export-controlled information and have connections to external networks (i.e., networks that are not controlled by organizations). Covert channel analysis is also useful for multilevel secure systems, multiple security level systems, and cross-domain systems.

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and communications protection policy; procedures addressing covert channel analysis; system design documentation; system configuration settings and associated documentation; covert channel analysis documentation; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with covert channel analysis responsibilities; system developers/integrators].

Test

[SELECT FROM: Organizational process for conducting covert channel analysis; mechanisms supporting and/or implementing covert channel analysis; mechanisms supporting and/or implementing the capability to estimate the bandwidth of covert channels].

ID	Assessment Objectives
SC-31a.	a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert <SC-31_ODP SELECTED PARAMETER VALUES> channels;
SC-31b.	the maximum bandwidth of those channels is estimated.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!