Establishes requirements for monitoring, controlling, and protecting communications at system boundaries — covering 16 controls per NIST SP 800-171 Rev 2.
OCSI shall monitor, control, and protect organizational communications at external and key internal boundaries of organizational systems. Cryptographic mechanisms shall be employed to protect the confidentiality and integrity of CUI in transit and at rest.
| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.13.1 | Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems | External boundary protected via: HTTPS/TLS encryption for all traffic, GoDaddy SSL certificate, Content Security Policy (CSP) restricting resource loading, X-Frame-Options preventing framing. Internal boundary: authenticated Command Center isolates CUI from public pages. | Implemented |
| 3.13.2 | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security | Separation of concerns: public marketing site isolated from CUI-containing Command Center. No server-side code reduces attack surface. CSP prevents code injection. Principle of least privilege in application design. Static HTML reduces vulnerability footprint. | Implemented |
| 3.13.3 | Separate user functionality from system management functionality | Public-facing site (marketing content) completely separated from Command Center (CUI management). Command Center requires authentication. No admin functionality exposed on public pages. Deploy mechanism separated from application. | Implemented |
| 3.13.4 | Prevent unauthorized and unintended information transfer via shared system resources | Browser origin isolation ensures localStorage is domain-scoped. No cross-origin data sharing. CSP prevents data exfiltration via unauthorized outbound connections. SessionStorage scoped to individual browser tabs. | Implemented |
| 3.13.5 | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks | Public website content served as static HTML — no connection to internal databases or networks. CUI stored client-side in browser localStorage, not on shared server filesystem. GoDaddy infrastructure provides network-level isolation. | Implemented |
| 3.13.6 | Deny network communications traffic by default and allow network communications traffic by exception | CSP implements default-deny policy: default-src 'self' blocks all non-approved sources. Only explicitly allowlisted CDN domains permitted (Google Fonts, FontAwesome). .htaccess restricts directory browsing and file access. | Implemented |
| 3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks | Web application architecture prevents split-tunneling concerns — browser-based access does not establish persistent network connections. No VPN or direct network access required. | Implemented |
| 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission | All communications encrypted via HTTPS/TLS (SSL certificate managed by GoDaddy). HSTS header enforces HTTPS. FTP deployment uses secure channel. No unencrypted data transmission paths exist. | Implemented |
| 3.13.9 | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity | Sessions terminated after 30 minutes of inactivity (mousemove/keydown activity reset). Absolute 8-hour session maximum. SessionStorage clears on browser close. Visual warning displayed 5 minutes before timeout. | Implemented |
| 3.13.10 | Establish and manage cryptographic keys for cryptography employed in organizational systems | SHA-256 credential hashing uses Web Crypto API built-in key management. SSL/TLS certificate managed by GoDaddy with automatic renewal. No custom cryptographic keys requiring manual management. | Implemented |
| 3.13.11 | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI | PARTIAL. SHA-256 via Web Crypto API is FIPS 140-2 compatible for hashing. TLS 1.2+ for transport. However, SHA-256 is used for password hashing (not recommended — bcrypt/Argon2 preferred), and plaintext password in source code negates cryptographic protection. | Partial |
| 3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | Web application does not access collaborative computing devices (cameras, microphones). Permissions-Policy header explicitly denies: camera=(), microphone=(), geolocation=(). No remote activation capability exists. | Implemented |
| 3.13.13 | Control and monitor the use of mobile code | PARTIAL. CSP restricts JavaScript execution to first-party scripts. FontAwesome and Google Fonts are style-only. However, CSP includes 'unsafe-inline' for styles (required for current architecture), which weakens protection. No nonce-based inline script controls. | Partial |
| 3.13.14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies | OCSI system does not implement VoIP. No real-time communications features in the web application. Business VoIP, if used, governed by separate organizational policy. | Implemented |
| 3.13.15 | Protect the authenticity of communications sessions | HTTPS/TLS provides session authenticity via certificate validation. SessionStorage-based authentication tokens tied to browser session. SHA-256 hash verification protects credential authenticity. | Implemented |
| 3.13.16 | Protect the confidentiality of CUI at rest | NOT IMPLEMENTED — CRITICAL GAP. CUI in browser localStorage is stored as plaintext JSON. There is NO application-level encryption at rest. Same-origin policy provides isolation but is NOT encryption. Any person with physical access to the device can read all CUI data in browser DevTools. Device-level encryption is not enforced by the application. | Not Implemented |
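
The 3.13.9 session-termination rules above (30-minute inactivity limit, 8-hour absolute maximum, warning 5 minutes before cutoff, activity reset on mousemove/keydown) as an added example, not OCSI's own code: the timing policy is written as pure functions so it can be tested without a browser, and the `ocsi.session` storage key, the `ui` callbacks and the 15-second check interval are assumptions.

```javascript
// Added example (not OCSI code): the 3.13.9 session-termination policy from the
// control table, as pure functions so the timing rules can be unit-tested.
// The constants restate the table; storage key and UI callbacks are assumptions.
const INACTIVITY_LIMIT_MS = 30 * 60 * 1000;   // 30 minutes without activity
const ABSOLUTE_LIMIT_MS = 8 * 60 * 60 * 1000; // 8-hour hard maximum per session
const WARNING_BEFORE_MS = 5 * 60 * 1000;      // visual warning 5 minutes before cutoff

// Evaluate a session at time nowMs. Returns the state ("active", "warning" or
// "expired"), which limit is governing, and the milliseconds left.
function sessionState(session, nowMs) {
  const idleLeft = INACTIVITY_LIMIT_MS - (nowMs - session.lastActivityMs);
  const absLeft = ABSOLUTE_LIMIT_MS - (nowMs - session.startMs);
  // The nearer limit wins: activity resets the idle clock but never the absolute one.
  const reason = absLeft <= idleLeft ? "absolute" : "inactivity";
  const remainingMs = Math.max(0, Math.min(idleLeft, absLeft));
  if (remainingMs === 0) return { state: "expired", reason, remainingMs };
  if (remainingMs <= WARNING_BEFORE_MS) return { state: "warning", reason, remainingMs };
  return { state: "active", reason, remainingMs };
}

// User activity (mousemove/keydown) only moves lastActivityMs forward.
function touchSession(session, nowMs) {
  return { startMs: session.startMs, lastActivityMs: nowMs };
}

// Apply the policy: wipe the session record on expiry so an expired tab cannot keep
// showing CUI, warn inside the 5-minute window. Returns the state for callers/tests.
function enforce(session, nowMs, storage, ui) {
  const s = sessionState(session, nowMs);
  if (s.state === "expired") {
    storage.removeItem("ocsi.session");           // assumed sessionStorage key
    ui.lockScreen(`Session ended (${s.reason} limit)`);
  } else if (s.state === "warning") {
    ui.warn(`Session ends in ${Math.ceil(s.remainingMs / 60000)} min`);
  }
  return s.state;
}

// Browser wiring; skipped when the file is loaded outside a browser (e.g. under Node).
if (typeof window !== "undefined") {
  let session = { startMs: Date.now(), lastActivityMs: Date.now() };
  const ui = { warn: (m) => console.warn(m), lockScreen: (m) => { alert(m); location.reload(); } };
  for (const ev of ["mousemove", "keydown"]) {
    window.addEventListener(ev, () => { session = touchSession(session, Date.now()); });
  }
  setInterval(() => enforce(session, Date.now(), window.sessionStorage, ui), 15000);
}
```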
| Header | Value | Control(s) |
|---|---|---|
| Content-Security-Policy | default-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com; font-src fonts.gstatic.com cdnjs.cloudflare.com; script-src 'self'; img-src 'self' data:; connect-src 'self' | 3.13.1, 3.13.6, 3.13.13 |
| X-Frame-Options | DENY | 3.13.1 |
| X-Content-Type-Options | nosniff | 3.13.2 |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | 3.13.8 |
| Referrer-Policy | strict-origin-when-cross-origin | 3.13.4 |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | 3.13.12 |
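
An audit of the header values in the table above against the 3.13 controls they are mapped to, as an added example rather than OCSI's own tooling: the header values are copied from the table, while the finding texts, the one-year HSTS threshold and the decision to report `'unsafe-inline'` in `style-src` (the weakness the 3.13.13 row records) are assumptions.

```javascript
// Added example (not OCSI code): audit the response headers from the table against
// the 3.13.x expectations they are mapped to. Finding texts/thresholds are assumptions.
const OCSI_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdnjs.cloudflare.com; " +
    "font-src fonts.gstatic.com cdnjs.cloudflare.com; script-src 'self'; img-src 'self' data:; connect-src 'self'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Returns an array of finding strings; an empty array means every check passed.
function auditHeaders(headers) {
  const findings = [];
  const csp = parseCsp(headers["Content-Security-Policy"] || "");
  // 3.13.6: default-deny means default-src is exactly 'self' (or 'none').
  const def = csp["default-src"] || [];
  if (!(def.length === 1 && (def[0] === "'self'" || def[0] === "'none'"))) findings.push("3.13.6: default-src is not a default-deny value");
  // 3.13.13: inline/eval code must not be allowed; inline styles are reported as the table's known weakness.
  for (const d of ["script-src", "style-src"]) {
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if ((csp[d] || []).includes(weak)) findings.push(`3.13.13: ${d} allows ${weak}`);
    }
  }
  // 3.13.8: HSTS present with at least a one-year max-age.
  const m = /max-age=(\d+)/.exec(headers["Strict-Transport-Security"] || "");
  if (!m || Number(m[1]) < 31536000) findings.push("3.13.8: HSTS missing or max-age below one year");
  // 3.13.1: framing by any origin denied.
  if (headers["X-Frame-Options"] !== "DENY") findings.push("3.13.1: X-Frame-Options is not DENY");
  // 3.13.12: each collaborative-device feature must be denied with an empty allowlist.
  const pp = headers["Permissions-Policy"] || "";
  for (const feat of ["camera", "microphone", "geolocation"]) {
    if (!new RegExp(`(^|,)\\s*${feat}=\\(\\)`).test(pp)) findings.push(`3.13.12: ${feat} not denied`);
  }
  return findings;
}
```

Run against the table's values the only finding is the `style-src 'unsafe-inline'` entry, which matches the "Partial" status recorded for 3.13.13.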