The following compliance controls are associated with the Policy definition 'Route traffic through managed network access points' (bab9ef1d-a16d-421a-822d-3fa94e808156):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Policy# |
|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | AC-17(3) | FedRAMP_High_R4_AC-17(3) | FedRAMP High AC-17 (3) | Access Control | Managed Access Control Points | Shared | n/a | The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. Supplemental Guidance: Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. | 1 |
| FedRAMP_High_R4 | SI-4(4) | FedRAMP_High_R4_SI-4(4) | FedRAMP High SI-4 (4) | System And Information Integrity | Inbound And Outbound Communications Traffic | Shared | n/a | The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. | 4 |
| FedRAMP_Moderate_R4 | AC-17(3) | FedRAMP_Moderate_R4_AC-17(3) | FedRAMP Moderate AC-17 (3) | Access Control | Managed Access Control Points | Shared | n/a | The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. Supplemental Guidance: Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. | 1 |
| FedRAMP_Moderate_R4 | SI-4(4) | FedRAMP_Moderate_R4_SI-4(4) | FedRAMP Moderate SI-4 (4) | System And Information Integrity | Inbound And Outbound Communications Traffic | Shared | n/a | The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. | 4 |
| hipaa | 0809.01n2Organizational.1234-01.n | hipaa-0809.01n2Organizational.1234-01.n | 0809.01n2Organizational.1234-01.n | 08 Network Protection | 0809.01n2Organizational.1234-01.n 01.04 Network Access Control | Shared | n/a | Network traffic is controlled in accordance with the organization's access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. | 17 |
| hipaa | 0811.01n2Organizational.6-01.n | hipaa-0811.01n2Organizational.6-01.n | 0811.01n2Organizational.6-01.n | 08 Network Protection | 0811.01n2Organizational.6-01.n 01.04 Network Access Control | Shared | n/a | Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. | 23 |
| hipaa | 0815.01o2Organizational.123-01.o | hipaa-0815.01o2Organizational.123-01.o | 0815.01o2Organizational.123-01.o | 08 Network Protection | 0815.01o2Organizational.123-01.o 01.04 Network Access Control | Shared | n/a | Requirements for network routing control are based on the access control policy, including positive source and destination checking mechanisms, such as firewall validation of source/destination addresses, and the hiding of internal directory services and IP addresses. The organization designed and implemented network perimeters so that all outgoing network traffic to the Internet passes through at least one application layer filtering proxy server. The proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a blacklist, and applying whitelists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the Internet through an authenticated proxy server on the enterprise perimeter. | 4 |
| hipaa | 0822.09m2Organizational.4-09.m | hipaa-0822.09m2Organizational.4-09.m | 0822.09m2Organizational.4-09.m | 08 Network Protection | 0822.09m2Organizational.4-09.m 09.06 Network Security Management | Shared | n/a | Firewalls restrict inbound and outbound traffic to the minimum necessary. | 7 |
| hipaa | 0825.09m3Organizational.23-09.m | hipaa-0825.09m3Organizational.23-09.m | 0825.09m3Organizational.23-09.m | 08 Network Protection | 0825.09m3Organizational.23-09.m 09.06 Network Security Management | Shared | n/a | Technical tools such as an IDS/IPS are implemented and operating on the network perimeter and other key points to identify vulnerabilities, monitor traffic, detect attack attempts and successful compromises, and mitigate threats; and these tools are updated on a regular basis. | 7 |
| hipaa | 0830.09m3Organizational.1012-09.m | hipaa-0830.09m3Organizational.1012-09.m | 0830.09m3Organizational.1012-09.m | 08 Network Protection | 0830.09m3Organizational.1012-09.m 09.06 Network Security Management | Shared | n/a | A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. | 8 |
| hipaa | 0866.09m3Organizational.1516-09.m | hipaa-0866.09m3Organizational.1516-09.m | 0866.09m3Organizational.1516-09.m | 08 Network Protection | 0866.09m3Organizational.1516-09.m 09.06 Network Security Management | Shared | n/a | The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure. | 11 |
| hipaa | 0868.09m3Organizational.18-09.m | hipaa-0868.09m3Organizational.18-09.m | 0868.09m3Organizational.18-09.m | 08 Network Protection | 0868.09m3Organizational.18-09.m 09.06 Network Security Management | Shared | n/a | The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment. | 5 |
| hipaa | 0902.09s2Organizational.13-09.s | hipaa-0902.09s2Organizational.13-09.s | 0902.09s2Organizational.13-09.s | 09 Transmission Protection | 0902.09s2Organizational.13-09.s 09.08 Exchange of Information | Shared | n/a | Remote (external) access to the organization's information assets and access to external information assets (for which the organization has no control) is based on clearly defined terms and conditions. | 14 |
| hipaa | 0912.09s1Organizational.4-09.s | hipaa-0912.09s1Organizational.4-09.s | 0912.09s1Organizational.4-09.s | 09 Transmission Protection | 0912.09s1Organizational.4-09.s 09.08 Exchange of Information | Shared | n/a | Cryptography is used to protect the confidentiality and integrity of remote access sessions to the internal network and to external systems. | 9 |
| hipaa | 1118.01j2Organizational.124-01.j | hipaa-1118.01j2Organizational.124-01.j | 1118.01j2Organizational.124-01.j | 11 Access Control | 1118.01j2Organizational.124-01.j 01.04 Network Access Control | Shared | n/a | The organization has implemented encryption (e.g., VPN solutions or private lines) and logs remote access to the organization's network by employees, contractors, or third parties. | 9 |
| hipaa | 1213.09ab2System.128-09.ab | hipaa-1213.09ab2System.128-09.ab | 1213.09ab2System.128-09.ab | 12 Audit Logging & Monitoring | 1213.09ab2System.128-09.ab 09.10 Monitoring | Shared | n/a | Automated systems deployed throughout the organization's environment are used to monitor key events and anomalous activity, and analyze system logs, the results of which are reviewed regularly. | 2 |
| hipaa | 1218.09ab3System.47-09.ab | hipaa-1218.09ab3System.47-09.ab | 1218.09ab3System.47-09.ab | 12 Audit Logging & Monitoring | 1218.09ab3System.47-09.ab 09.10 Monitoring | Shared | n/a | Automated systems support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms. | 7 |
| hipaa | 1220.09ab3System.56-09.ab | hipaa-1220.09ab3System.56-09.ab | 1220.09ab3System.56-09.ab | 12 Audit Logging & Monitoring | 1220.09ab3System.56-09.ab 09.10 Monitoring | Shared | n/a | Monitoring includes inbound and outbound communications and file integrity monitoring. | 4 |
| hipaa | 1411.09f1System.1-09.f | hipaa-1411.09f1System.1-09.f | 1411.09f1System.1-09.f | 14 Third Party Assurance | 1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery | Shared | n/a | The results of monitoring activities of third-party services are compared against the Service Level Agreements or contracts at least annually. | 9 |
| ISO27001-2013 | A.12.4.1 | ISO27001-2013_A.12.4.1 | ISO 27001:2013 A.12.4.1 | Operations Security | Event Logging | Shared | n/a | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | 53 |
| ISO27001-2013 | A.12.4.3 | ISO27001-2013_A.12.4.3 | ISO 27001:2013 A.12.4.3 | Operations Security | Administrator and operator logs | Shared | n/a | System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. | 29 |
| ISO27001-2013 | A.13.1.2 | ISO27001-2013_A.13.1.2 | ISO 27001:2013 A.13.1.2 | Communications Security | Security of network services | Shared | n/a | Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. | 16 |
| ISO27001-2013 | A.9.1.2 | ISO27001-2013_A.9.1.2 | ISO 27001:2013 A.9.1.2 | Access Control | Access to networks and network services | Shared | n/a | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | 29 |
| ISO27001-2013 | A.9.4.2 | ISO27001-2013_A.9.4.2 | ISO 27001:2013 A.9.4.2 | Access Control | Secure log-on procedures | Shared | n/a | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | 17 |
| | mp.com.1 Secure perimeter | mp.com.1 Secure perimeter | | | | | n/a | n/a | 49 |
| | mp.com.2 Protection of confidentiality | mp.com.2 Protection of confidentiality | | | | | n/a | n/a | 55 |
| | mp.com.3 Protection of integrity and authenticity | mp.com.3 Protection of integrity and authenticity | | | | | n/a | n/a | 62 |
| | mp.com.4 Separation of information flows on the network | mp.com.4 Separation of information flows on the network | | | | | n/a | n/a | 51 |
| NIST_SP_800-171_R2 | 3.1.14 | NIST_SP_800-171_R2_3.1.14 | NIST SP 800-171 R2 3.1.14 | Access Control | Route remote access via managed access control points. | Shared | The customer is responsible for implementing this requirement. | Routing remote access through managed access control points enhances explicit, organizational control over such connections, reducing the susceptibility to unauthorized access to organizational systems resulting in the unauthorized disclosure of CUI. | 30 |
| NIST_SP_800-53_R4 | AC-17(3) | NIST_SP_800-53_R4_AC-17(3) | NIST SP 800-53 Rev. 4 AC-17 (3) | Access Control | Managed Access Control Points | Shared | n/a | The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points. Supplemental Guidance: Limiting the number of access control points for remote accesses reduces the attack surface for organizations. Organizations consider the Trusted Internet Connections (TIC) initiative requirements for external network connections. Related control: SC-7. | 1 |
| NIST_SP_800-53_R4 | SI-4(4) | NIST_SP_800-53_R4_SI-4(4) | NIST SP 800-53 Rev. 4 SI-4 (4) | System And Information Integrity | Inbound And Outbound Communications Traffic | Shared | n/a | The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions. Supplemental Guidance: Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components. | 4 |
| NIST_SP_800-53_R5 | AC-17(3) | NIST_SP_800-53_R5_AC-17(3) | NIST SP 800-53 Rev. 5 AC-17 (3) | Access Control | Managed Access Control Points | Shared | n/a | Route remote accesses through authorized and managed network access control points. | 1 |
| NIST_SP_800-53_R5 | SI-4(4) | NIST_SP_800-53_R5_SI-4(4) | NIST SP 800-53 Rev. 5 SI-4 (4) | System and Information Integrity | Inbound and Outbound Communications Traffic | Shared | n/a | (a) Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; (b) Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions]. | 4 |
| | op.acc.2 Access requirements | op.acc.2 Access requirements | | | | | n/a | n/a | 64 |
| | op.acc.5 Authentication mechanism (external users) | op.acc.5 Authentication mechanism (external users) | | | | | n/a | n/a | 72 |
| | op.acc.6 Authentication mechanism (organization users) | op.acc.6 Authentication mechanism (organization users) | | | | | n/a | n/a | 78 |
| | op.exp.2 Security configuration | op.exp.2 Security configuration | | | | | n/a | n/a | 112 |
| | op.exp.3 Security configuration management | op.exp.3 Security configuration management | | | | | n/a | n/a | 123 |
| | op.exp.8 Recording of the activity | op.exp.8 Recording of the activity | | | | | n/a | n/a | 67 |
| | op.ext.4 Interconnection of systems | op.ext.4 Interconnection of systems | | | | | n/a | n/a | 68 |
| | org.4 Authorization process | org.4 Authorization process | | | | | n/a | n/a | 126 |
| SWIFT_CSCF_v2022 | 2.9 | SWIFT_CSCF_v2022_2.9 | SWIFT CSCF v2022 2.9 | 2. Reduce Attack Surface and Vulnerabilities | Ensure outbound transaction activity within the expected bounds of normal business. | Shared | n/a | Implement transaction detection, prevention, and validation controls to ensure outbound transaction activity within the expected bounds of normal business. | 7 |
| SWIFT_CSCF_v2022 | 6.5A | SWIFT_CSCF_v2022_6.5A | SWIFT CSCF v2022 6.5A | 6. Detect Anomalous Activity to Systems or Transaction Records | Detect and contain anomalous network activity into and within the local or remote SWIFT environment. | Shared | n/a | Intrusion detection is implemented to detect unauthorised network access and anomalous activity. | 17 |
| SWIFT_CSCF_v2022 | 9.4 | SWIFT_CSCF_v2022_9.4 | SWIFT CSCF v2022 9.4 | 9. Ensure Availability through Resilience | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth. | Shared | n/a | Providers' availability and quality of service is ensured through usage of the recommended SWIFT connectivity packs and the appropriate line bandwidth. | 5 |