- Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
- Implement subnetworks for publicly accessible system components that are [Assignment: physically, logically] separated from internal organizational networks; and
- Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
Limit the number of external network connections to the system.
Implement a managed interface for each external telecommunication service; Establish a traffic flow policy for each managed interface; Protect the confidentiality and integrity of the information being transmitted across each interface; Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; Review exceptions to the…
Deny network communications traffic by default and allow network communications traffic by exception [Assignment (one or more): at managed interfaces, for [Assignment: organization-defined systems] ].
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [Assignment: organization-defined safeguards].
Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
Detect and deny outgoing communications traffic posing a threat to external systems; and Audit the identity of internal users associated with denied communications.
Prevent the exfiltration of information; and Conduct exfiltration tests [Assignment: organization-defined frequency].
Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].
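The discussion paragraph's anti-spoofing rules, the default-deny-with-exceptions policy, the audit of the internal user behind a denied flow, and the authorized-source-to-authorized-destination restriction can all be expressed as one traffic flow policy evaluator. The code below is an added illustration, not part of SP 800-53 or any vendor product; the interface names, address ranges, DMZ hosts and sample flows are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: internal ranges plus a DMZ subnet holding the public web
# server and the authenticated proxy. Real deployments substitute their own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")

@dataclass(frozen=True)
class Flow:
    iface: str      # managed interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    dport: int
    user: str = "-" # internal user associated with the flow, when known

# Traffic flow policy: explicit allow list; anything not listed is denied (default deny).
ALLOW = [
    # external clients may reach only the designated DMZ web server on 443
    ("ext", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("192.168.100.10/32"), 443),
    # internal hosts reach external networks only via the DMZ proxy
    ("int", ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.100.20/32"), 3128),
]

def is_internal(addr):
    """True if the address belongs to an internal or DMZ range."""
    return any(addr in net for net in INTERNAL_NETS + [DMZ_NET])

def evaluate(flow, audit):
    """Return 'allow' or 'deny'; denied flows are appended to the audit list."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if flow.iface == "ext" and is_internal(src):
        reason = "external traffic spoofing an internal address"
    elif flow.iface == "int" and not is_internal(src):
        reason = "internal traffic spoofing an external address"
    elif any(flow.iface == i and src in s and dst in d and flow.dport == p
             for i, s, d, p in ALLOW):
        return "allow"
    else:
        reason = "no matching allow rule (default deny)"
    audit.append(f"deny iface={flow.iface} src={flow.src} dst={flow.dst} "
                 f"dport={flow.dport} user={flow.user} reason={reason}")
    return "deny"

if __name__ == "__main__":
    log = []
    for f in (Flow("ext", "203.0.113.5", "192.168.100.10", 443),
              Flow("ext", "10.1.2.3", "192.168.100.10", 443),
              Flow("int", "10.1.2.3", "198.51.100.7", 25, "bob")):
        print(f, evaluate(f, log))
    print("\n".join(log))
```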
Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].
Isolate [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
Protect against unauthorized physical connections at [Assignment: organization-defined managed interfaces].
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
Prevent the discovery of specific system components that represent a managed interface.
Enforce adherence to protocol formats.
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
Block inbound and outbound communications traffic between [Assignment: organization-defined communication clients] that are independently configured by end users and external service providers.
Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components.
Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions].
Implement separate network addresses to connect to systems in different security domains.
Disable feedback to senders on protocol format validation failure.
For systems that process personally identifiable information: Apply the following processing rules to data elements of personally identifiable information: [Assignment: organization-defined processing rules]; Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; Document each processing exception; and Review and remove exceptions that are no longer…
Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
Prohibit the direct connection of [Assignment: organization-defined unclassified non-national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].
Prohibit the direct connection of [Assignment: organization-defined system] to a public network.
Implement [Assignment: physically, logically] separate subnetworks to isolate the following critical system components and functions: [Assignment: organization-defined critical system components and functions].