zydronium/manage.get.gov
1
0
Fork 0
mirror of https://github.com/cisagov/manage.get.gov.git synced 2025-08-03 16:32:15 +02:00
Code Issues Projects Releases Packages Wiki Activity
manage.get.gov/docs/compliance/dist/system-security-plans/ato/sc-7.md
Logan McDonald 1d3dfdb8d5
Add compliance documentation to source control (#116) 
* add initial setup of compliance-trestle
2022-09-14 08:46:43 -04:00

3.5 KiB
Raw Blame History

implementation-status control-origination
c-not-implemented
c-inherited-cloud-gov
c-inherited-cisa
c-common-control
c-system-specific-control

sc-7 - [catalog] Boundary Protection

Control Statement

  • [a] Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

  • [b] Implement subnetworks for publicly accessible system components that are No value found separated from internal organizational networks; and

  • [c] Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Control guidance

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

Control assessment-objective

communications at external managed interfaces to the system are monitored; communications at external managed interfaces to the system are controlled; communications at key internal managed interfaces within the system are monitored; communications at key internal managed interfaces within the system are controlled; subnetworks for publicly accessible system components are No value found separated from internal organizational networks; external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

What is the solution and how is it implemented?

Implementation a.

Add control implementation description here for item sc-7_smt.a

Implementation b.

Add control implementation description here for item sc-7_smt.b

Implementation c.

Add control implementation description here for item sc-7_smt.c