SC-7(22): Separate Subnets for Connecting to Different Security Domains

Control Family:

System and Communications Protection

Parent Control:

SC-7: Boundary Protection

CSF v1.1 References:

PR.AC-5
PR.DS-5
PR.PT-4
DE.CM-1

Threats Addressed:

Lateral Movement

Baselines:

(Not part of any baseline)

Previous Version:

NIST Special Publication 800-53 Revision 4:
SC-7(22): Separate Subnets For Connecting To Different Security Domains

Control Statement

Implement separate network addresses to connect to systems in different security domains.

Supplemental Guidance

The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains that contain information with different security categories or classification levels.