SC-7: Boundary Protection
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- SC-7: Boundary Protection
Control Statement
- Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
- Implement subnetworks for publicly accessible system components that are [Assignment: physically, logically] separated from internal organizational networks; and
- Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Supplemental Guidance
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
Control Enhancements
SC-7(3): Access Points
Baseline(s):
- Moderate
- High
Limit the number of external network connections to the system.
SC-7(4): External Telecommunications Services
Baseline(s):
- Moderate
- High
- Implement a managed interface for each external telecommunication service;
- Establish a traffic flow policy for each managed interface;
- Protect the confidentiality and integrity of the information being transmitted across each interface;
- Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
- Review exceptions to the…
SC-7(5): Deny by Default – Allow by Exception
Baseline(s):
- Moderate
- High
Deny network communications traffic by default and allow network communications traffic by exception [Assignment (one or more): at managed interfaces, for [Assignment: organization-defined systems] ].
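As an added example, not part of the NIST control text, the following nftables ruleset shows how a three-zone boundary device can implement the Supplemental Guidance points (a logically separated DMZ, external web traffic restricted to a designated web server, anti-spoofing in both directions) together with SC-7(5) deny-by-default and SC-7(8) proxy routing. Interface names, address ranges, and the web server and proxy addresses are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added illustration of SC-7 / SC-7(5); all names and addresses below are assumed.
flush ruleset

define WAN = eth0                 # external managed interface (SC-7a)
define DMZ = eth1                 # logically separated subnetwork for public services (SC-7b)
define LAN = eth2                 # internal organizational network
define DMZ_NET = 192.0.2.0/24     # constructed documentation range
define WEB_SERVER = 192.0.2.10    # designated web server inside the DMZ
define PROXY = 192.168.1.5        # authenticated outbound proxy on the LAN (SC-7(8))

table inet boundary {
    chain forward {
        # SC-7(5): deny by default; every accept below is a documented exception
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # External traffic must not claim internal or DMZ source addresses
        iifname $WAN ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 192.0.2.0/24 } \
            log prefix "sc7-spoof-in " drop
        # Internal traffic must not leave with a non-internal source address
        iifname $LAN ip saddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } \
            log prefix "sc7-spoof-out " drop

        # Exception: external web traffic only to the designated DMZ web server
        iifname $WAN oifname $DMZ ip daddr $WEB_SERVER tcp dport { 80, 443 } accept

        # Exception: internal hosts reach external networks only via the proxy
        iifname $LAN oifname $WAN ip saddr $PROXY tcp dport { 80, 443 } accept

        # Everything else, including DMZ -> LAN, is logged and dropped by policy
        log prefix "sc7-deny " drop
    }
}
```

The log prefixes give the audit trail that SC-7(4) and SC-7(9) ask for; load with `nft -f` and review the counters and logs before tightening further.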
SC-7(7): Split Tunneling for Remote Devices
Baseline(s):
- Moderate
- High
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].
SC-7(8): Route Traffic to Authenticated Proxy Servers
Baseline(s):
- Moderate
- High
Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
SC-7(9): Restrict Threatening Outgoing Communications Traffic
Baseline(s):
- Detect and deny outgoing communications traffic posing a threat to external systems; and
- Audit the identity of internal users associated with denied communications.
SC-7(10): Prevent Exfiltration
Baseline(s):
- Prevent the exfiltration of information; and
- Conduct exfiltration tests [Assignment: organization-defined frequency].
SC-7(11): Restrict Incoming Communications Traffic
Baseline(s):
Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].
SC-7(12): Host-based Protection
Baseline(s):
Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].
SC-7(13): Isolation of Security Tools, Mechanisms, and Support Components
Baseline(s):
Isolate [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
SC-7(14): Protect Against Unauthorized Physical Connections
Baseline(s):
Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
SC-7(15): Networked Privileged Accesses
Baseline(s):
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-7(16): Prevent Discovery of System Components
Baseline(s):
Prevent the discovery of specific system components that represent a managed interface.
SC-7(17): Automated Enforcement of Protocol Formats
Baseline(s):
Enforce adherence to protocol formats.
SC-7(18): Fail Secure
Baseline(s):
- High
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
SC-7(19): Block Communication from Non-organizationally Configured Hosts
Baseline(s):
Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
SC-7(20): Dynamic Isolation and Segregation
Baseline(s):
Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.
SC-7(21): Isolation of System Components
Baseline(s):
- High
Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].
SC-7(22): Separate Subnets for Connecting to Different Security Domains
Baseline(s):
Implement separate network addresses to connect to systems in different security domains.
SC-7(23): Disable Sender Feedback on Protocol Validation Failure
Baseline(s):
Disable feedback to senders on protocol format validation failure.
SC-7(24): Personally Identifiable Information
Baseline(s):
- Privacy
For systems that process personally identifiable information:
- Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules];
- Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
- Document each processing exception; and
- Review and remove exceptions that are no longer…
SC-7(25): Unclassified National Security System Connections
Baseline(s):
Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
SC-7(26): Classified National Security System Connections
Baseline(s):
Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
SC-7(27): Unclassified Non-national Security System Connections
Baseline(s):
Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
SC-7(28): Connections to Public Networks
Baseline(s):
Prohibit the direct connection of [Assignment: organization-defined system] to a public network.
SC-7(29): Separate Subnets to Isolate Functions
Baseline(s):
Implement [Assignment: physically, logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions].