compliance controls are associated with this Policy definition 'Implement system boundary protection' (01ae60e2-38bb-0a32-7b20-d3a091423409)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CA-3(3) |
FedRAMP_High_R4_CA-3(3) |
FedRAMP High CA-3 (3) |
Security Assessment And Authorization |
Unclassified Non-National Security System Connections |
Shared |
n/a |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device].
Supplemental Guidance: Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
link |
1 |
| FedRAMP_High_R4 |
SC-7 |
FedRAMP_High_R4_SC-7 |
FedRAMP High SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
| FedRAMP_High_R4 |
SC-7(12) |
FedRAMP_High_R4_SC-7(12) |
FedRAMP High SC-7 (12) |
System And Communications Protection |
Host-Based Protection |
Shared |
n/a |
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance: Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices. |
link |
1 |
| FedRAMP_High_R4 |
SC-7(18) |
FedRAMP_High_R4_SC-7(18) |
FedRAMP High SC-7 (18) |
System And Communications Protection |
Fail Secure |
Shared |
n/a |
The information system fails securely in the event of an operational failure of a boundary protection device.
Supplemental Guidance: Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. Related controls: CP-2, SC-24. |
link |
2 |
| FedRAMP_High_R4 |
SC-7(4) |
FedRAMP_High_R4_SC-7(4) |
FedRAMP High SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| FedRAMP_High_R4 |
SI-4(4) |
FedRAMP_High_R4_SI-4(4) |
FedRAMP High SI-4 (4) |
System And Information Integrity |
Inbound And Outbound Communications Traffic |
Shared |
n/a |
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. |
link |
4 |
| FedRAMP_Moderate_R4 |
CA-3(3) |
FedRAMP_Moderate_R4_CA-3(3) |
FedRAMP Moderate CA-3 (3) |
Security Assessment And Authorization |
Unclassified Non-National Security System Connections |
Shared |
n/a |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device].
Supplemental Guidance: Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
link |
1 |
| FedRAMP_Moderate_R4 |
SC-7 |
FedRAMP_Moderate_R4_SC-7 |
FedRAMP Moderate SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
| FedRAMP_Moderate_R4 |
SC-7(12) |
FedRAMP_Moderate_R4_SC-7(12) |
FedRAMP Moderate SC-7 (12) |
System And Communications Protection |
Host-Based Protection |
Shared |
n/a |
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance: Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices. |
link |
1 |
| FedRAMP_Moderate_R4 |
SC-7(18) |
FedRAMP_Moderate_R4_SC-7(18) |
FedRAMP Moderate SC-7 (18) |
System And Communications Protection |
Fail Secure |
Shared |
n/a |
The information system fails securely in the event of an operational failure of a boundary protection device.
Supplemental Guidance: Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. Related controls: CP-2, SC-24. |
link |
2 |
| FedRAMP_Moderate_R4 |
SC-7(4) |
FedRAMP_Moderate_R4_SC-7(4) |
FedRAMP Moderate SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| FedRAMP_Moderate_R4 |
SI-4(4) |
FedRAMP_Moderate_R4_SI-4(4) |
FedRAMP Moderate SI-4 (4) |
System And Information Integrity |
Inbound And Outbound Communications Traffic |
Shared |
n/a |
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. |
link |
4 |
| hipaa |
0401.01x1System.124579-01.x |
hipaa-0401.01x1System.124579-01.x |
0401.01x1System.124579-01.x |
04 Mobile Device Security |
0401.01x1System.124579-01.x 01.07 Mobile Computing and Teleworking |
Shared |
n/a |
Mobile computing devices are protected at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, host-based firewalls, or equivalent functionality, secure configurations, and physical protections. |
|
7 |
| hipaa |
0663.10h1System.7-10.h |
hipaa-0663.10h1System.7-10.h |
0663.10h1System.7-10.h |
06 Configuration Management |
0663.10h1System.7-10.h 10.04 Security of System Files |
Shared |
n/a |
The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline. |
|
16 |
| hipaa |
0805.01m1Organizational.12-01.m |
hipaa-0805.01m1Organizational.12-01.m |
0805.01m1Organizational.12-01.m |
08 Network Protection |
0805.01m1Organizational.12-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization's security gateways (e.g., firewalls) (i) enforce security policies; (ii) are configured to filter traffic between domains; (iii) block unauthorized access; (iv) are used to maintain segregation between internal wired, internal wireless, and external network segments (e.g., the Internet), including DMZs; and, (vi) enforce access control policies for each of the domains. |
|
12 |
| hipaa |
0806.01m2Organizational.12356-01.m |
hipaa-0806.01m2Organizational.12356-01.m |
0806.01m2Organizational.12356-01.m |
08 Network Protection |
0806.01m2Organizational.12356-01.m 01.04 Network Access Control |
Shared |
n/a |
The organization’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly accessible system components that are logically separated from the internal network, based on organizational requirements; traffic is controlled based on functionality required and classification of the data/systems based on a risk assessment and their respective security requirements. |
|
13 |
| hipaa |
0808.10b2System.3-10.b |
hipaa-0808.10b2System.3-10.b |
0808.10b2System.3-10.b |
08 Network Protection |
0808.10b2System.3-10.b 10.02 Correct Processing in Applications |
Shared |
n/a |
For any public-facing web applications, application-level firewalls have been implemented to control traffic. For any public-facing applications that are not web-based, the organization has implemented a network-based firewall specific to the application type. If the traffic to the public-facing application is encrypted, the device either sits behind the encryption or is capable of decrypting the traffic prior to analysis. |
|
2 |
| hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
17 |
| hipaa |
08101.09m2Organizational.14-09.m |
hipaa-08101.09m2Organizational.14-09.m |
08101.09m2Organizational.14-09.m |
08 Network Protection |
08101.09m2Organizational.14-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization uses secured and encrypted communication channels when migrating physical servers, applications, or data to virtualized servers. |
|
8 |
| hipaa |
08102.09nCSPOrganizational.1-09.n |
hipaa-08102.09nCSPOrganizational.1-09.n |
08102.09nCSPOrganizational.1-09.n |
08 Network Protection |
08102.09nCSPOrganizational.1-09.n 09.06 Network Security Management |
Shared |
n/a |
Business-critical or customer (tenant) impacting (physical and virtual) application and interface designs (API), configurations, network infrastructure, and systems components, are designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance and service management policies and procedures. |
|
2 |
| hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
23 |
| hipaa |
0815.01o2Organizational.123-01.o |
hipaa-0815.01o2Organizational.123-01.o |
0815.01o2Organizational.123-01.o |
08 Network Protection |
0815.01o2Organizational.123-01.o 01.04 Network Access Control |
Shared |
n/a |
Requirements for network routing control are based on the access control policy, including positive source and destination checking mechanisms, such as firewall validation of source/destination addresses, and the hiding of internal directory services and IP addresses. The organization designed and implemented network perimeters so that all outgoing network traffic to the Internet passes through at least one application layer filtering proxy server. The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. |
|
4 |
| hipaa |
0817.01w2System.123-01.w |
hipaa-0817.01w2System.123-01.w |
0817.01w2System.123-01.w |
08 Network Protection |
0817.01w2System.123-01.w 01.06 Application and Information Access Control |
Shared |
n/a |
Unless the risk is identified and accepted by the data owner, sensitive systems are isolated (physically or logically) from non-sensitive applications/systems. |
|
13 |
| hipaa |
0822.09m2Organizational.4-09.m |
hipaa-0822.09m2Organizational.4-09.m |
0822.09m2Organizational.4-09.m |
08 Network Protection |
0822.09m2Organizational.4-09.m 09.06 Network Security Management |
Shared |
n/a |
Firewalls restrict inbound and outbound traffic to the minimum necessary. |
|
7 |
| hipaa |
0825.09m3Organizational.23-09.m |
hipaa-0825.09m3Organizational.23-09.m |
0825.09m3Organizational.23-09.m |
08 Network Protection |
0825.09m3Organizational.23-09.m 09.06 Network Security Management |
Shared |
n/a |
Technical tools such as an IDS/IPS are implemented and operating on the network perimeter and other key points to identify vulnerabilities, monitor traffic, detect attack attempts and successful compromises, and mitigate threats; and these tools are updated on a regular basis. |
|
7 |
| hipaa |
0826.09m3Organizational.45-09.m |
hipaa-0826.09m3Organizational.45-09.m |
0826.09m3Organizational.45-09.m |
08 Network Protection |
0826.09m3Organizational.45-09.m 09.06 Network Security Management |
Shared |
n/a |
Firewall and router configuration standards are defined and implemented, and are reviewed every six months. |
|
3 |
| hipaa |
0829.09m3Organizational.911-09.m |
hipaa-0829.09m3Organizational.911-09.m |
0829.09m3Organizational.911-09.m |
08 Network Protection |
0829.09m3Organizational.911-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization utilizes firewalls from at least two different vendors that employ stateful packet inspection (also known as dynamic packet filtering). |
|
2 |
| hipaa |
0830.09m3Organizational.1012-09.m |
hipaa-0830.09m3Organizational.1012-09.m |
0830.09m3Organizational.1012-09.m |
08 Network Protection |
0830.09m3Organizational.1012-09.m 09.06 Network Security Management |
Shared |
n/a |
A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. |
|
8 |
| ISO27001-2013 |
A.12.4.1 |
ISO27001-2013_A.12.4.1 |
ISO 27001:2013 A.12.4.1 |
Operations Security |
Event Logging |
Shared |
n/a |
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. |
link |
53 |
| ISO27001-2013 |
A.12.4.3 |
ISO27001-2013_A.12.4.3 |
ISO 27001:2013 A.12.4.3 |
Operations Security |
Administrator and operator logs |
Shared |
n/a |
System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. |
link |
29 |
| ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
| ISO27001-2013 |
A.13.1.2 |
ISO27001-2013_A.13.1.2 |
ISO 27001:2013 A.13.1.2 |
Communications Security |
Security of network services |
Shared |
n/a |
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
link |
16 |
| ISO27001-2013 |
A.13.1.3 |
ISO27001-2013_A.13.1.3 |
ISO 27001:2013 A.13.1.3 |
Communications Security |
Segregation of networks |
Shared |
n/a |
Groups of information services, users, and information systems shall be segregated on networks. |
link |
17 |
| ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
| ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
| ISO27001-2013 |
C.8.3 |
ISO27001-2013_C.8.3 |
ISO 27001:2013 C.8.3 |
Operation |
Information security risk treatment |
Shared |
n/a |
The organization shall implement the information security risk treatment plan.
The organization shall retain documented information of the results of the information security
risk treatment. |
link |
4 |
|
mp.com.1 Secure perimeter |
mp.com.1 Secure perimeter |
404 not found |
|
|
|
n/a |
n/a |
|
49 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.info.4 Time stamps |
mp.info.4 Time stamps |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-53_R4 |
CA-3(3) |
NIST_SP_800-53_R4_CA-3(3) |
NIST SP 800-53 Rev. 4 CA-3 (3) |
Security Assessment And Authorization |
Unclassified Non-National Security System Connections |
Shared |
n/a |
The organization prohibits the direct connection of an [Assignment: organization-defined unclassified, non-national security system] to an external network without the use of [Assignment; organization-defined boundary protection device].
Supplemental Guidance: Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified non-national security systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting Controlled Unclassified Information (CUI). |
link |
1 |
| NIST_SP_800-53_R4 |
SC-7 |
NIST_SP_800-53_R4_SC-7 |
NIST SP 800-53 Rev. 4 SC-7 |
System And Communications Protection |
Boundary Protection |
Shared |
n/a |
The information system:
a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance: Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
References: FIPS Publication 199; NIST Special Publications 800-41, 800-77. |
link |
52 |
| NIST_SP_800-53_R4 |
SC-7(12) |
NIST_SP_800-53_R4_SC-7(12) |
NIST SP 800-53 Rev. 4 SC-7 (12) |
System And Communications Protection |
Host-Based Protection |
Shared |
n/a |
The organization implements [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined information system components].
Supplemental Guidance: Host-based boundary protection mechanisms include, for example, host-based firewalls. Information system components employing host-based boundary protection mechanisms include, for example, servers, workstations, and mobile devices. |
link |
1 |
| NIST_SP_800-53_R4 |
SC-7(18) |
NIST_SP_800-53_R4_SC-7(18) |
NIST SP 800-53 Rev. 4 SC-7 (18) |
System And Communications Protection |
Fail Secure |
Shared |
n/a |
The information system fails securely in the event of an operational failure of a boundary protection device.
Supplemental Guidance: Fail secure is a condition achieved by employing information system mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces (e.g., routers, firewalls, guards, and application gateways residing on protected subnetworks commonly referred to as demilitarized zones), information systems do not enter into unsecure states where intended security properties no longer hold. Failures of boundary protection devices cannot lead to, or cause information external to the devices to enter the devices, nor can failures permit unauthorized information releases. Related controls: CP-2, SC-24. |
link |
2 |
| NIST_SP_800-53_R4 |
SC-7(4) |
NIST_SP_800-53_R4_SC-7(4) |
NIST SP 800-53 Rev. 4 SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| NIST_SP_800-53_R4 |
SI-4(4) |
NIST_SP_800-53_R4_SI-4(4) |
NIST SP 800-53 Rev. 4 SI-4 (4) |
System And Information Integrity |
Inbound And Outbound Communications Traffic |
Shared |
n/a |
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. |
link |
4 |
| NIST_SP_800-53_R5 |
SC-7 |
NIST_SP_800-53_R5_SC-7 |
NIST SP 800-53 Rev. 5 SC-7 |
System and Communications Protection |
Boundary Protection |
Shared |
n/a |
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically;logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. |
link |
52 |
| NIST_SP_800-53_R5 |
SC-7(12) |
NIST_SP_800-53_R5_SC-7(12) |
NIST SP 800-53 Rev. 5 SC-7 (12) |
System and Communications Protection |
Host-based Protection |
Shared |
n/a |
Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components]. |
link |
1 |
| NIST_SP_800-53_R5 |
SC-7(18) |
NIST_SP_800-53_R5_SC-7(18) |
NIST SP 800-53 Rev. 5 SC-7 (18) |
System and Communications Protection |
Fail Secure |
Shared |
n/a |
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device. |
link |
2 |
| NIST_SP_800-53_R5 |
SC-7(4) |
NIST_SP_800-53_R5_SC-7(4) |
NIST SP 800-53 Rev. 5 SC-7 (4) |
System and Communications Protection |
External Telecommunications Services |
Shared |
n/a |
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks. |
link |
3 |
| NIST_SP_800-53_R5 |
SI-4(4) |
NIST_SP_800-53_R5_SI-4(4) |
NIST SP 800-53 Rev. 5 SI-4 (4) |
System and Information Integrity |
Inbound and Outbound Communications Traffic |
Shared |
n/a |
(a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
(b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. |
link |
4 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.8 Recording of the activity |
op.exp.8 Recording of the activity |
404 not found |
|
|
|
n/a |
n/a |
|
67 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.pl.1 Risk analysis |
op.pl.1 Risk analysis |
404 not found |
|
|
|
n/a |
n/a |
|
70 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
| PCI_DSS_v4.0 |
1.4.1 |
PCI_DSS_v4.0_1.4.1 |
PCI DSS v4.0 1.4.1 |
Requirement 01: Install and Maintain Network Security Controls |
Network connections between trusted and untrusted networks are controlled |
Shared |
n/a |
NSCs are implemented between trusted and untrusted networks. |
link |
5 |
| PCI_DSS_v4.0 |
1.4.2 |
PCI_DSS_v4.0_1.4.2 |
PCI DSS v4.0 1.4.2 |
Requirement 01: Install and Maintain Network Security Controls |
Network connections between trusted and untrusted networks are controlled |
Shared |
n/a |
Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied. |
link |
7 |
| SOC_2 |
CC6.6 |
SOC_2_CC6.6 |
SOC 2 Type 2 CC6.6 |
Logical and Physical Access Controls |
Security measures against threats outside system boundaries |
Shared |
The customer is responsible for implementing this recommendation. |
• Restricts Access — The types of activities that can occur through a communication
channel (for example, FTP site, router port) are restricted.
• Protects Identification and Authentication Credentials — Identification and authentication credentials are protected during transmission outside its system boundaries.
• Requires Additional Authentication or Credentials — Additional authentication information or credentials are required when accessing the system from outside its
boundaries.
• Implements Boundary Protection Systems — Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and
are monitored to detect such attempts |
|
40 |
| SWIFT_CSCF_v2022 |
1.1 |
SWIFT_CSCF_v2022_1.1 |
SWIFT CSCF v2022 1.1 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
Shared |
n/a |
A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. |
link |
19 |
| SWIFT_CSCF_v2022 |
1.3 |
SWIFT_CSCF_v2022_1.3 |
SWIFT CSCF v2022 1.3 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems. |
Shared |
n/a |
Secure the virtualisation platform, virtualised machines, and the supporting virtual infrastructure (such as firewalls) to the same level as physical systems. |
link |
2 |
| SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
24 |
| SWIFT_CSCF_v2022 |
2.1 |
SWIFT_CSCF_v2022_2.1 |
SWIFT CSCF v2022 2.1 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure the confidentiality, integrity, and authenticity of application data flows between local SWIFT-related components. |
Shared |
n/a |
Confidentiality, integrity, and authentication mechanisms are implemented to protect SWIFT-related component-to-component or system-to-system data flows. |
link |
36 |
| SWIFT_CSCF_v2022 |
2.9 |
SWIFT_CSCF_v2022_2.9 |
SWIFT CSCF v2022 2.9 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure outbound transaction activity within the expected bounds of normal business. |
Shared |
n/a |
Implement transaction detection, prevention, and validation controls to ensure outbound transaction activity within the expected bounds of normal business. |
link |
7 |
| SWIFT_CSCF_v2022 |
6.5A |
SWIFT_CSCF_v2022_6.5A |
SWIFT CSCF v2022 6.5A |
6. Detect Anomalous Activity to Systems or Transaction Records |
Detect and contain anomalous network activity into and within the local or remote SWIFT environment. |
Shared |
n/a |
Intrusion detection is implemented to detect unauthorised network access and anomalous activity. |
link |
17 |
| SWIFT_CSCF_v2022 |
9.4 |
SWIFT_CSCF_v2022_9.4 |
SWIFT CSCF v2022 9.4 |
9. Ensure Availability through Resilience |
Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth |
Shared |
n/a |
Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth |
link |
5 |