SC-07 Boundary Protection

Baselines

Guidance

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

References 6

• OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
• FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
• SP 800-37 Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2.
• SP 800-41 Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1.
• SP 800-77 Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1.
• SP 800-189 Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189.

Control Enhancements 29

• SC-07(01) Physically Separated Subnetworks
• SC-07(02) Public Access
• SC-07(03) Access Points L M H P
• SC-07(04) External Telecommunications Services L M H P
• SC-07(05) Deny by Default — Allow by Exception L M H P
• SC-07(06) Response to Recognized Failures
• SC-07(07) Split Tunneling for Remote Devices L M H P
• SC-07(08) Route Traffic to Authenticated Proxy Servers L M H P
• SC-07(09) Restrict Threatening Outgoing Communications Traffic L M H P
• SC-07(10) Prevent Exfiltration L M H P
• SC-07(11) Restrict Incoming Communications Traffic L M H P
• SC-07(12) Host-based Protection L M H P
• SC-07(13) Isolation of Security Tools, Mechanisms, and Support Components L M H P
• SC-07(14) Protect Against Unauthorized Physical Connections L M H P
• SC-07(15) Networked Privileged Accesses L M H P
• SC-07(16) Prevent Discovery of System Components L M H P
• SC-07(17) Automated Enforcement of Protocol Formats L M H P
• SC-07(18) Fail Secure L M H P
• SC-07(19) Block Communication from Non-organizationally Configured Hosts L M H P
• SC-07(20) Dynamic Isolation and Segregation L M H P
• SC-07(21) Isolation of System Components L M H P
• SC-07(22) Separate Subnets for Connecting to Different Security Domains L M H P
• SC-07(23) Disable Sender Feedback on Protocol Validation Failure L M H P
• SC-07(24) Personally Identifiable Information L M H P
• SC-07(25) Unclassified National Security System Connections L M H P
• SC-07(26) Classified National Security System Connections L M H P
• SC-07(27) Unclassified Non-national Security System Connections L M H P
• SC-07(28) Connections to Public Networks L M H P
• SC-07(29) Separate Subnets to Isolate Functions L M H P

Related controls 25

• AC-04 Information Flow Enforcement L M H P
• AC-17 Remote Access L M H P
• AC-18 Wireless Access L M H P
• AC-19 Access Control for Mobile Devices L M H P
• AC-20 Use of External Systems L M H P
• AU-13 Monitoring for Information Disclosure L M H P
• CA-03 Information Exchange L M H P
• CM-02 Baseline Configuration L M H P
• CM-04 Impact Analyses L M H P
• CM-07 Least Functionality L M H P
• CM-10 Software Usage Restrictions L M H P
• CP-08 Telecommunications Services L M H P
• CP-10 System Recovery and Reconstitution L M H P
• IR-04 Incident Handling L M H P
• MA-04 Nonlocal Maintenance L M H P
• PE-03 Physical Access Control L M H P
• PL-08 Security and Privacy Architectures L M H P
• PM-12 Insider Threat Program L M H P
• SA-08 Security and Privacy Engineering Principles L M H P
• SA-17 Developer Security and Privacy Architecture and Design L M H P
• SC-05 Denial-of-service Protection L M H P
• SC-26 Decoys L M H P
• SC-32 System Partitioning L M H P
• SC-35 External Malicious Code Identification L M H P
• SC-43 Usage Restrictions L M H P