| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SC-7(4) |
FedRAMP_High_R4_SC-7(4) |
FedRAMP High SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| FedRAMP_Moderate_R4 |
SC-7(4) |
FedRAMP_Moderate_R4_SC-7(4) |
FedRAMP Moderate SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| hipaa |
0809.01n2Organizational.1234-01.n |
hipaa-0809.01n2Organizational.1234-01.n |
0809.01n2Organizational.1234-01.n |
08 Network Protection |
0809.01n2Organizational.1234-01.n 01.04 Network Access Control |
Shared |
n/a |
Network traffic is controlled in accordance with the organization’s access control policy through firewall and other network-related restrictions for each network access point or external telecommunication service's managed interface. |
|
18 |
| hipaa |
0811.01n2Organizational.6-01.n |
hipaa-0811.01n2Organizational.6-01.n |
0811.01n2Organizational.6-01.n |
08 Network Protection |
0811.01n2Organizational.6-01.n 01.04 Network Access Control |
Shared |
n/a |
Exceptions to the traffic flow policy are documented with a supporting mission/business need, duration of the exception, and reviewed at least annually; traffic flow policy exceptions are removed when no longer supported by an explicit mission/business need. |
|
24 |
| hipaa |
0822.09m2Organizational.4-09.m |
hipaa-0822.09m2Organizational.4-09.m |
0822.09m2Organizational.4-09.m |
08 Network Protection |
0822.09m2Organizational.4-09.m 09.06 Network Security Management |
Shared |
n/a |
Firewalls restrict inbound and outbound traffic to the minimum necessary. |
|
7 |
| hipaa |
0826.09m3Organizational.45-09.m |
hipaa-0826.09m3Organizational.45-09.m |
0826.09m3Organizational.45-09.m |
08 Network Protection |
0826.09m3Organizational.45-09.m 09.06 Network Security Management |
Shared |
n/a |
Firewall and router configuration standards are defined and implemented, and are reviewed every six months. |
|
3 |
| hipaa |
0829.09m3Organizational.911-09.m |
hipaa-0829.09m3Organizational.911-09.m |
0829.09m3Organizational.911-09.m |
08 Network Protection |
0829.09m3Organizational.911-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization utilizes firewalls from at least two different vendors that employ stateful packet inspection (also known as dynamic packet filtering). |
|
2 |
| hipaa |
0830.09m3Organizational.1012-09.m |
hipaa-0830.09m3Organizational.1012-09.m |
0830.09m3Organizational.1012-09.m |
08 Network Protection |
0830.09m3Organizational.1012-09.m 09.06 Network Security Management |
Shared |
n/a |
A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. |
|
8 |
| hipaa |
0860.09m1Organizational.9-09.m |
hipaa-0860.09m1Organizational.9-09.m |
0860.09m1Organizational.9-09.m |
08 Network Protection |
0860.09m1Organizational.9-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization formally manages equipment on the network, including equipment in user areas. |
|
5 |
| hipaa |
0868.09m3Organizational.18-09.m |
hipaa-0868.09m3Organizational.18-09.m |
0868.09m3Organizational.18-09.m |
08 Network Protection |
0868.09m3Organizational.18-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization builds a firewall configuration to restrict inbound and outbound traffic to that which is necessary for the covered data environment. |
|
5 |
| hipaa |
0870.09m3Organizational.20-09.m |
hipaa-0870.09m3Organizational.20-09.m |
0870.09m3Organizational.20-09.m |
08 Network Protection |
0870.09m3Organizational.20-09.m 09.06 Network Security Management |
Shared |
n/a |
Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required. |
|
8 |
| ISO27001-2013 |
A.13.1.1 |
ISO27001-2013_A.13.1.1 |
ISO 27001:2013 A.13.1.1 |
Communications Security |
Network controls |
Shared |
n/a |
Networks shall be managed and controlled to protect information in systems and applications. |
link |
40 |
| ISO27001-2013 |
A.13.1.3 |
ISO27001-2013_A.13.1.3 |
ISO 27001:2013 A.13.1.3 |
Communications Security |
Segregation of networks |
Shared |
n/a |
Groups of information services, users, and information systems shall be segregated on networks. |
link |
17 |
| ISO27001-2013 |
A.13.2.1 |
ISO27001-2013_A.13.2.1 |
ISO 27001:2013 A.13.2.1 |
Communications Security |
Information transfer policies and procedures |
Shared |
n/a |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
link |
32 |
| NIST_SP_800-53_R4 |
SC-7(4) |
NIST_SP_800-53_R4_SC-7(4) |
NIST SP 800-53 Rev. 4 SC-7 (4) |
System And Communications Protection |
External Telecommunications Services |
Shared |
n/a |
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.
Supplemental Guidance: Related control: SC-8. |
link |
3 |
| NIST_SP_800-53_R5 |
SC-7(4) |
NIST_SP_800-53_R5_SC-7(4) |
NIST SP 800-53 Rev. 5 SC-7 (4) |
System and Communications Protection |
External Telecommunications Services |
Shared |
n/a |
(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks. |
link |
3 |
| PCI_DSS_v4.0 |
1.4.1 |
PCI_DSS_v4.0_1.4.1 |
PCI DSS v4.0 1.4.1 |
Requirement 01: Install and Maintain Network Security Controls |
Network connections between trusted and untrusted networks are controlled |
Shared |
n/a |
NSCs are implemented between trusted and untrusted networks. |
link |
5 |
| PCI_DSS_v4.0 |
1.4.2 |
PCI_DSS_v4.0_1.4.2 |
PCI DSS v4.0 1.4.2 |
Requirement 01: Install and Maintain Network Security Controls |
Network connections between trusted and untrusted networks are controlled |
Shared |
n/a |
Inbound traffic from untrusted networks to trusted networks is restricted to:
• Communications with system components that are authorized to provide publicly accessible services, protocols, and ports.
• Stateful responses to communications initiated by system components in a trusted network.
• All other traffic is denied. |
link |
7 |
| SWIFT_CSCF_v2022 |
1.5A |
SWIFT_CSCF_v2022_1.5A |
SWIFT CSCF v2022 1.5A |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the customer’s connectivity infrastructure from external environment and potentially compromised elements of the general IT environment. |
Shared |
n/a |
A separated secure zone safeguards the customer's infrastructure used for external connectivity from external environments and compromises or attacks on the broader enterprise environment. |
link |
26 |