Control: The organisation:
Covert Channel Analysis Supplemental Guidance:
Developers are in the best position to identify potential areas within systems that might lead to covert channels. Covert channel analysis is a meaningful activity when there is the potential for unauthorised information flows across security domains, for example, in the case of information systems containing export-controlled information and having connections to external networks (i.e., networks not controlled by organisations). Covert channel analysis is also meaningful for multilevel secure (MLS) information systems, multiple security level (MSL) systems, and cross-domain systems.
Covert Channel Analysis Control Enhancements:
SC-31 (1) Covert Channel Analysis - Test Covert Channels for Exploitability
The organisation tests a subset of the identified covert channels to determine which channels are exploitable.
SC-31 (2) Covert Channel Analysis - Maximum Bandwidth
The organisation reduces the maximum bandwidth for identified covert [Selection (one or more); storage; timing] channels to [Assignment: organisation-defined values].
Supplemental Guidance: Information system developers are in the best position to reduce the maximum bandwidth for identified covert storage and timing channels.
SC-31 (3) Covert Channel Analysis - Measure Bandwidth in Operational Environments
The organisation measures the bandwidth of [Assignment: organisation-defined subset of identified covert channels] in the operational environment of the information system.
Supplemental Guidance: This control enhancement addresses covert channel bandwidth in operational environments versus developmental environments. Measuring covert channel bandwidth in operational environments helps organisations to determine how much information can be covertly leaked before such leakage adversely affects organisational missions/business functions. Covert channel bandwidth may be significantly different when measured in those settings that are independent of the particular environments of operation (e.g., laboratories or development environments).