SC-7(9): Restrict Threatening Outgoing Communications Traffic

Control Family:

System And Communications Protection

Parent Control:

SC-7: Boundary Protection

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

Threats Addressed:

Lateral Movement

Baselines:

(Not part of any baseline)

Next Version:

NIST Special Publication 800-53 Revision 5:
SC-7(9): Restrict Threatening Outgoing Communications Traffic

Control Statement

The information system:

Detects and denies outgoing communications traffic posing a threat to external information systems; and
Audits the identity of internal users associated with denied communications.

Supplemental Guidance

Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes the analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code.