SC-46 Cross Domain Policy Enforcement

System and Communications Protection

New in Rev 5

Description

Implement a policy enforcement mechanism [Assignment: organization-defined parameters] between the physical and/or network interfaces for the connecting security domains.

Supplemental Guidance

For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact [ncdsmo@nsa.gov](mailto:ncdsmo@nsa.gov) for more information.

Changes from Rev 4

New control in Rev 5.

MITRE ATT&CK Techniques (27)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access (3), Execution (1), Persistence (4), Privilege Escalation (1), Defense Evasion (1), Credential Access (5), Discovery (3), Lateral Movement (7), Collection (4), Exfiltration (3), Impact (3)

Compliance Mappings

ISO 27002:2022

5.14

FINOS CCC

CCC-C09

IEC 62443

3-3 SR 5.1, 3-3 SR 5.2

BSI IT-Grundschutz

NET.1.1

ANSSI

Hygiene.17, Hygiene.23, SecNumCloud.14.1

FINMA Circular 2023/1

IV.B.d(59), IV.C(62)

EU DORA

Art.9(4)(a)

BIO2

5.14

RBI CSF

Annex1.4

FISC Security Guidelines

FISC.T13, FISC.T3

HKMA TM-E-1

TME1.7.3

NCA ECC

2-55-1

Qatar NIA

CS

BoM CTRM

3.2

IOSCO Cyber Resilience

PROT-2

10 CFR 73.54

73.54(c)(2), RG5.71-A-SC

TSA Pipeline SD

SD-2 Sec A

DOE C2M2 v2.1

ARCHITECTURE

API 1164

Sec 5

AWIA

AWWA Sec 4

IAEA NSS 17-T

Sec 5.1

Solvency II

EIOPA-ICT-4.6

Lloyd's Minimum Standards

MS8.9

ISO 27799

13.1H.2