NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-5(1) — Restrict Ability to Attack Other Systems
Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: {{ insert: param, sc-05.01_odp }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Restricting the ability of individuals to launch denial-of-service attacks requires the mechanisms commonly used for such attacks to be unavailable. Individuals of concern include hostile insiders or external adversaries who have breached or compromised the system and are using it to launch a denial-of-service attack. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol packets). Organizations can also limit the ability of individuals to use excessive system resources. Protection against individuals having the ability to launch denial-of-service attacks may be implemented on specific systems or boundary devices that prohibit egress to potential target systems.
Practitioner Notes
This enhancement prevents your own systems from being used as launch platforms for denial-of-service attacks against other organizations. If an attacker compromises your network, they should not be able to use your bandwidth to attack others.
Example 1: Configure egress filtering on your firewall to block outbound traffic with spoofed source IP addresses (BCP38/BCP84). This prevents your network from being used in amplification attacks.
Example 2: Use your endpoint protection platform (like Microsoft Defender for Endpoint) to detect and block botnet command-and-control communications. If a compromised workstation tries to participate in a DDoS botnet, the agent blocks the outbound traffic and alerts your SOC.