|
controlSC-7
Boundary Protection (SC-7)
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system components that are [organization-defined] separated from internal organizational networks; and Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Security Baselines
LOWMODERATEHIGH
communicationsencryptionboundary-protectionnetwork
Why These Connect
Baselined In3
This control is included in the linked security baseline (LOW, MODERATE, or HIGH).
Supports85
These related controls work together — a change to one may affect the others.
Mitigates23
This control helps defend against or reduce the risk of the linked threat technique.
Enhances29
These enhancements add specific capabilities or refinements to the base control.
Related Controls(48)
AC-2Account Management (AC-2)
LMH
AC-4Information Flow Enforcement (AC-4)MH
AC-19Access Control for Mobile Devices (AC-19)LMH
AC-20Use of External Systems (AC-20)LMH
AU-2Event Logging (AU-2)LMH
AU-6Audit Record Review, Analysis, and Reporting (AU-6)LMH
AU-13Monitoring for Information Disclosure (AU-13)CA-3Information Exchange (CA-3)LMH
CA-7Continuous Monitoring (CA-7)LMH
CA-9Internal System Connections (CA-9)LMH
CM-7Least Functionality (CM-7)LMH
CM-10Software Usage Restrictions (CM-10)LMH
CP-2Contingency Plan (CP-2)LMH
CP-8Telecommunications Services (CP-8)MH
IR-4Incident Handling (IR-4)LMH
IR-5Incident Monitoring (IR-5)LMH
MA-4Nonlocal Maintenance (MA-4)LMH
PE-4Access Control for Transmission (PE-4)MH
PL-8Security and Privacy Architectures (PL-8)MH
PM-12Insider Threat Program (PM-12)PM-31Continuous Monitoring Strategy (PM-31)RA-2Security Categorization (RA-2)LMH
SA-17Developer Security and Privacy Architecture and Design (SA-17)H
SA-24Design For Cyber Resiliency (SA-24)SC-2Separation of System and User Functionality (SC-2)MH
SC-3Security Function Isolation (SC-3)H
SC-5Denial-of-service Protection (SC-5)LMH
AC-17Remote Access (AC-17)LMH
AC-18Wireless Access (AC-18)LMH
CM-2Baseline Configuration (CM-2)LMH
CM-4Impact Analyses (CM-4)LMH
CP-10System Recovery and Reconstitution (CP-10)LMH
PE-3Physical Access Control (PE-3)LMH
SA-8Security and Privacy Engineering Principles (SA-8)LMH
SC-26Decoys (SC-26)SC-32System Partitioning (SC-32)SC-35External Malicious Code Identification (SC-35)SC-43Usage Restrictions (SC-43)SC-8Transmission Confidentiality and Integrity (SC-8)MH
SC-24Fail in Known State (SC-24)H
SC-38Operations Security (SC-38)SC-44Detonation Chambers (SC-44)SC-46Cross Domain Policy Enforcement (SC-46)SC-48Sensor Relocation (SC-48)SI-3Malicious Code Protection (SI-3)LMH
SI-4System Monitoring (SI-4)LMH
SI-8Spam Protection (SI-8)MH
SR-3Supply Chain Controls and Processes (SR-3)LMH
Threat Coverage(23 ATT&CK techniques)
T1566PhishingT1190Exploit Public-Facing ApplicationT1133External Remote ServicesT1199Trusted RelationshipT1203Exploitation for Client ExecutionT1068Exploitation for Privilege EscalationT1046Network Service DiscoveryT1018Remote System DiscoveryT1021Remote ServicesT1570Lateral Tool TransferT1114Email CollectionT1071Application Layer ProtocolT1573Encrypted ChannelT1105Ingress Tool TransferT1041Exfiltration Over C2 ChannelT1567Exfiltration Over Web ServiceT1048Exfiltration Over Alternative ProtocolT1499Endpoint Denial of ServiceT1498Network Denial of ServiceT1595Active ScanningT1589Gather Victim Identity InformationT1598Phishing for InformationT1583Acquire Infrastructure
Control Enhancements(29)
SC-7(1)Physically Separated Subnetworks (SC-7(1))WSC-7(2)Public Access (SC-7(2))WSC-7(3)Access Points (SC-7(3))
MH
SC-7(4)External Telecommunications Services (SC-7(4))MH
SC-7(5)Deny by Default — Allow by Exception (SC-7(5))MH
SC-7(6)Response to Recognized Failures (SC-7(6))WSC-7(7)Split Tunneling for Remote Devices (SC-7(7))MH
SC-7(8)Route Traffic to Authenticated Proxy Servers (SC-7(8))MH
SC-7(9)Restrict Threatening Outgoing Communications Traffic (SC-7(9))SC-7(10)Prevent Exfiltration (SC-7(10))SC-7(11)Restrict Incoming Communications Traffic (SC-7(11))SC-7(12)Host-based Protection (SC-7(12))SC-7(13)Isolation of Security Tools, Mechanisms, and Support Components (SC-7(13))SC-7(14)Protect Against Unauthorized Physical Connections (SC-7(14))SC-7(15)Networked Privileged Accesses (SC-7(15))SC-7(16)Prevent Discovery of System Components (SC-7(16))SC-7(17)Automated Enforcement of Protocol Formats (SC-7(17))SC-7(18)Fail Secure (SC-7(18))H
SC-7(19)Block Communication from Non-organizationally Configured Hosts (SC-7(19))SC-7(20)Dynamic Isolation and Segregation (SC-7(20))SC-7(21)Isolation of System Components (SC-7(21))H
SC-7(22)Separate Subnets for Connecting to Different Security Domains (SC-7(22))SC-7(23)Disable Sender Feedback on Protocol Validation Failure (SC-7(23))SC-7(24)Personally Identifiable Information (SC-7(24))SC-7(25)Unclassified National Security System Connections (SC-7(25))SC-7(26)Classified National Security System Connections (SC-7(26))SC-7(27)Unclassified Non-national Security System Connections (SC-7(27))SC-7(28)Connections to Public Networks (SC-7(28))SC-7(29)Separate Subnets to Isolate Functions (SC-7(29))