SC 37 OUT OF BAND CHANNELS - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

SC-37 OUT-OF-BAND CHANNELS

Control: Employ the following out-of-band channels for the physical delivery or electronic transmission of [ Assignment: organization-defined information, system components, or devices ] to [ Assignment: organization-defined individuals or systems ]: [ Assignment: organization-defined out-of-band channels ].

Discussion: Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.

Related Controls: AC-2, CM-3, CM-5, CM-7, IA-2, IA-4, IA-5, MA-4, SC-12, SI-3, SI-4, SI-7.

Control Enhancements:

  • (1) OUT-OF-BAND CHANNELS / ENSURE DELIVERY AND TRANSMISSION
    Employ [ Assignment: organization-defined controls ] to ensure that only [ Assignment: organization-defined individuals or systems ] receive the following information, system components, or devices: [ Assignment: organization-defined information, system components, or devices ].

    Discussion: Techniques employed by organizations to ensure that only designated systems or individuals receive certain information, system components, or devices include sending authenticators via an approved courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt.

    Related Controls: None.

References: [SP 800-57-1], [SP 800-57-2], [SP 800-57-3].
