SC.L1-3.13.1/b.1.xi Boundary Protection
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Source: FAR Clause 52.204-21 b.1.x, NIST SP 800-171 Rev 2 3.13.1
Discussion: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies. [28] There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in 3.12.4 is conveyed in those plans.
Assessment Objectives:
Determine if:
- [a] the external system boundary is defined;
- [b] key internal system boundaries are defined;
- [c] communications are monitored at the external system boundary;
- [d] communications are monitored at key internal boundaries;
- [e] communications are controlled at the external system boundary;
- [f] communications are controlled at key internal boundaries;
- [g] communications are protected at the external system boundary; and
- [h] communications are protected at key internal boundaries.
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; enterprise security architecture documentation; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability].
SPRS Score: 5
POA&M Allowed: No