SC-07 Boundary Protection

System and Communications Protection

Baselines: Low, Moderate, High

Description

The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

Supplemental Guidance

Any connections to the Internet, or other external networks or information systems, occur through managed interfaces consisting of appropriate boundary protection devices (e.g., proxies, gateways, routers, firewalls, guards, encrypted tunnels) arranged in an effective architecture (e.g., routers protecting firewalls and application gateways residing on a protected subnetwork commonly referred to as a demilitarized zone or DMZ). Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site. As part of a defense-in-depth protection strategy, the organization considers partitioning higher-impact information systems into separate physical domains (or environments) and applying the concepts of managed interfaces described above to restrict or prohibit network access in accordance with an organizational assessment of risk. FIPS 199 security categorization guides the selection of appropriate candidates for domain partitioning. The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third party provided access lines and other service elements. Consequently, such interconnecting transmission services may represent sources of increased risk despite contract security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. NIST Special Publication 800-77 provides guidance on virtual private networks. Related security controls: MP-04, RA-02.
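As an added example (not part of the control text or of any NIST publication), the following nftables ruleset shows one way to implement the managed-interface/DMZ architecture the guidance describes on a Linux router: default deny at every boundary crossing, external traffic admitted only to an application gateway on the DMZ, the gateway alone permitted onward to one internal service, internal egress forced through a forward proxy, and every denied flow logged so the boundary is monitored as well as controlled. Interface names, addresses (RFC 5737 documentation ranges), hosts and ports are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: three-zone boundary (external / DMZ / internal) on a Linux
# firewall. Assumed topology (not from the control text):
#   eth0 = external (Internet-facing)
#   eth1 = DMZ, 192.0.2.0/24; 192.0.2.10 = reverse proxy / application gateway,
#                              192.0.2.11 = forward (egress) proxy on tcp/3128
#   eth2 = internal, 10.0.0.0/8; 10.0.5.20 = application server behind the gateway,
#                              10.0.9.5  = firewall management jump host

flush ruleset

table inet boundary {
    # Hosts allowed to administer the firewall itself (assumed).
    set mgmt_hosts {
        type ipv4_addr
        elements = { 10.0.9.5 }
    }

    # Traffic addressed to the firewall: nothing but management from the inside.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "eth2" ip saddr @mgmt_hosts tcp dport 22 counter accept
        # Anything else aimed at the device is logged (rate-limited) and dropped.
        limit rate 10/second log prefix "SC-7 input-drop: "
        drop
    }

    # Traffic crossing a zone boundary: explicit permits only.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internal or DMZ source addresses arriving on the external interface are spoofed.
        iifname "eth0" ip saddr { 10.0.0.0/8, 192.0.2.0/24 } log prefix "SC-7 spoof: " drop

        # External -> DMZ: only HTTPS, only to the application gateway.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport 443 counter accept
        # External -> internal: no rule, so it falls through to the logged drop below.

        # DMZ -> internal: only the gateway, only to the app server, only its service port.
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.10 ip daddr 10.0.5.20 tcp dport 8443 counter accept

        # DMZ -> external: DNS and package/update fetches only; no arbitrary egress.
        iifname "eth1" oifname "eth0" udp dport 53 accept
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept

        # Internal -> external: only via the DMZ forward proxy; direct egress is logged and dropped.
        iifname "eth2" oifname "eth1" ip daddr 192.0.2.11 tcp dport 3128 counter accept
        iifname "eth2" oifname "eth0" log prefix "SC-7 direct-egress-denied: " drop

        # Default deny for every crossing not listed above, with a tagged log line.
        limit rate 10/second log prefix "SC-7 fwd-drop: "
        drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the `SC-7 ...` log prefixes land in the kernel log, where a syslog or auditd pipeline can forward them to the SIEM, and the `counter` statements on the permit rules give a quick check that the intended paths (and only those) are carrying traffic. The ruleset deliberately leaves out NAT and IPv6 policy, and it says nothing about the alternate processing site, which per the guidance needs an equivalent ruleset of its own.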

Changes from Rev 4

Control text changes 'boundary' to 'managed interfaces'; adds 'and privacy' in reference to the organizational security architecture.

MITRE ATT&CK Techniques (156)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID (MITRE Center for Threat-Informed Defense).

Reconnaissance 5, Initial Access 10, Execution 12, Persistence 15, Privilege Escalation 17, Defense Evasion 30, Credential Access 12, Discovery 4, Lateral Movement 11, Collection 13, Command & Control 36, Exfiltration 14, Impact 12 (a technique that belongs to more than one tactic is counted under each, so the per-tactic counts sum to more than 156).

Compliance Mappings

ISO 27001:2022

A.5.14, A.5.23, A.8.12, A.8.20, A.8.21, A.8.22, A.8.23, A.8.27

ISO 27002:2022

5.14, 5.23, 8.12, 8.20, 8.21, 8.22, 8.23, 8.27

COBIT 2019

DSS05

CIS Controls v8

CIS 12, CIS 12.2, CIS 12.8, CIS 13, CIS 13.10, CIS 13.3, CIS 13.4, CIS 13.8, CIS 13.9, CIS 3.12, CIS 3.13, CIS 4, CIS 4.2, CIS 4.4, CIS 4.5, CIS 9, CIS 9.2, CIS 9.3, CIS 9.6

NIST CSF 2.0

DE.CM-01, ID.AM-03, PR.IR-01, RS.MI-01

SOC 2 TSC

CC6.1, CC6.1-POF5, CC6.6, CC6.6-POF1, CC6.6-POF3, CC6.8

PCI DSS v4.0.1

1.1, 1.2, 1.2.1, 1.2.5, 1.3, 1.4, 1.5, 5.4, 6.4

CSA CCM v4

IVS-03, IVS-05, IVS-06, IVS-08, IVS-09, UEM-10, UEM-11

CSA AICM v1

AIS-08, I&S-03, I&S-05, I&S-06, I&S-08, I&S-09, IAM-17, UEM-10, UEM-11

FINOS CCC

CCC-C05, CCC-C09

IEC 62443

3-3 SR 5.1, 3-3 SR 5.2

PRA Operational Resilience

SS2/21-14.1

MAS TRM

11, 14, 15

APRA CPS 234

Para 22-23

ASD Essential Eight

E8-5 ML2

BSI IT-Grundschutz

APP.3.1, NET.1.1, NET.1.2, NET.3.1

ANSSI

Hygiene.22, Hygiene.23, Hygiene.27, SecNumCloud.14.1, SecNumCloud.14.4

FINMA Circular 2023/1

IV.B.d(59), IV.C(62), IV.C(63)

OSFI B-13

B-13.3.2

EU GDPR

Art.32(1)(a), Art.32(1)(b), Art.5(1)(f)

EU DORA

Art.9(4)(a)

BIO2

5.14, 5.23, 8.12, 8.20, 8.21, 8.22, 8.23, 8.27

RBI CSF

Annex1.4, Annex1.15, ITGRCA.19

FISC Security Guidelines

FISC.T10, FISC.T11, FISC.T13, FISC.T3, FISC.T8, FISC.T9

LGPD + BCB 4893

BCB.Art.13, BCB.Art.3, BCB.OpenFinance, BCB.PIX, LGPD.Art.46

HKMA TM-E-1

TME1.10.1, TME1.10.3, TME1.12.4, TME1.7.3

MLPS 2.0

8.1.2.1, 8.1.3.1, 8.1.3.2, 8.1.3.3, 8.2, 8.3, 8.5

DNB Good Practice

DNB.18.1, DNB.18.4, DNB.20.1

EU CRA

CRA.I.2i, CRA.I.2j

SWIFT CSCF

SWIFT.1.1, SWIFT.1.3, SWIFT.1.4, SWIFT.1.5, SWIFT.2.3, SWIFT.6.5A

SAMA CSF

2.1, 3.3, 4.3

NCA ECC

2-14, 2-3, 2-4, 2-5, 4-2, 5-1

UAE IA

T8

CBB TM

TM-8

Qatar NIA

CS

CBUAE

CR-7

CBE CSF

CRM-2, CTO-11, CTO-5, CTO-6, CTO-8

SA JS2

JS2-7.2, JS2-7.6

CBN CSF

Part3.1, Part3.3, Part5.1, Part5.2

BoG CISD

CISD-IX, CISD-VI, CISD-VIII, CISD-XI, CISD-XII, CISD-XIII

POPIA

s19, s72

BoM CTRM

3.13, 3.2

IOSCO Cyber Resilience

DET-4, PFMI-20, PROT-2

BCBS 239

Principle 2

CPMI-IOSCO PFMI

CG.DE, CG.PR, PFMI.P17, PFMI.P22

FFIEC IS

II.C.12, II.C.16, II.C.2, II.C.6, II.C.9

NYDFS 500

500.14, 500.2

HIPAA Security Rule

§164.308(a)(4)(ii)(A), §164.312(e)(1), §164.314(b)(1), §164.314(b)(2)

ECB CROE

CROE.2.3.5, CROE.2.4

EBA ICT Guidelines

3.4.4

SEBI CSCRF

EMAIL-SEC, PR.CS, PR.NS

BOT Cyber Resilience

Ch2.4, Ch5.2, Ch8.2, Ch9.1

CMMC 2.0

SC

NERC CIP

CIP-002-7, CIP-005-7, CIP-015-1

10 CFR 73.54

73.54(c)(1), 73.54(c)(2), RG5.71-A-SC

TSA Pipeline SD

SD-2 Sec A, SD-2 Sec F

IEEE 1686-2022

5.6

FERC CIP Orders

Order 881, Order 887, Order 2222

DOE C2M2 v2.1

ARCHITECTURE

API 1164

Sec 5

AWIA

AWWA Sec 4

IAEA NSS 17-T

Sec 5.1, Sec 5.6

PCI PTS v6

E

FIPS 140-3

FIPS 140-3 §7.3

CBEST

CBEST.5

Common Criteria

CC Part 2 — FDP, CC Part 2 — FPT

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.6

Lloyd's Minimum Standards

MS8.9

NAIC Insurance Data Security

4, 4-monitoring, 4B

PRA SS1/23

P-IT.3

FCA SYSC 13

SYSC 13.7.3

HITRUST CSF v11

01.b, 01.d, 05.c, 09.e

FDA 21 CFR Part 11

§11.30

FDA Cybersecurity Guidance

PU-3, TM-2

ISO 27799

13.1, H.2, H.3

NHS DSPT

NDG-9.2, NDG-9.4, NDG-9.5

OWASP MASVS v2.1

MASVS-NETWORK-1, MASVS-PLATFORM-1, MASVS-PLATFORM-2

MiCA

Art.68(1), Art.62(5)

Basel SCO60

SCO60.21, SCO60.41, SCO60.51, SCO60.64, SCO60.65

BSSC Standards

NOS-04, TIS-04

SEC Custody (Digital Assets)

SEC-CD-09

ISO 17799 (legacy)

11.4.6

COBIT 4.1 (legacy)

DS5.10