03.13.01: Boundary Protection

Control Familly: System and Communications Protection

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-41 [64]

  • SP 800-125B [65]

  • SP 800-160-1 [11]

  • SP 800-189 [67]

  • SP 800-207 [66]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.13.01

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • SC-07

a. Monitor and control communications at external managed interfaces to the system and key internal managed interfaces within the system.

b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

c. Connect to external systems only through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.

Discussion:

Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.

Assessment Methods and Objectives

Examine [SELECT FROM: system and communications protection policy and procedures; procedures for boundary protection; list of key internal boundaries within the system; boundary protection hardware and software; system configuration settings; security architecture; system audit records; system design documentation; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with boundary protection responsibilities; personnel with information security responsibilities; system developers; system administrators]

Test [SELECT FROM: mechanisms for implementing boundary protection capabilities]

NIST SP 800-171A r3 Determining Statements Determine if:

A.03.13.01.a[01]: communications at external managed interfaces to the system are monitored.

A.03.13.01.a[02]: communications at external managed interfaces to the system are controlled.

A.03.13.01.a[03]: communications at key internal managed interfaces within the system are monitored.

A.03.13.01.a[04]: communications at key internal managed interfaces within the system are controlled.

A.03.13.01.b: subnetworks are implemented for publicly accessible system components that are physically or logically separated from internal networks.

A.03.13.01.c: external system connections are only made through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.