>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-7(4)Boundary Protection | External Telecommunications Services

IL4 Mod
IL4 High
IL5
IL6

>Control Description

(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy organization-defined frequency and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks.

>DoD Impact Level Requirements

FedRAMP Parameter Values

SC-7 (4) (e) [at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions]

>Discussion

External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See SP 800-189 for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.

>Programmatic Queries

Beta

Related Services

AWS Direct Connect
VPN
AWS PrivateLink

CLI Commands

Create AWS Direct Connect connection for secure telecommunications
aws directconnect create-connection --location LOCATION --bandwidth 10Gbps --connection-name secure-telecom-connection
Setup VPN connection for encrypted external telecommunications
aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id cgw-12345678 --vpn-gateway-id vgw-87654321
Enable AWS PrivateLink for secure service access over external networks
aws ec2 create-vpc-endpoint --vpc-id vpc-12345678 --service-name com.amazonaws.us-east-1.s3 --route-table-ids rtb-12345678
Configure VPN connection monitoring and logging
aws ec2 create-flow-logs --resource-type VpnConnection --resource-ids vpn-12345678 --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name /aws/vpn/logs
Open AWS ConsoleDocumentation

>Related Controls

AC-3
SC-8
SC-20
SC-21
SC-22

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of external telecommunications services?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(4)?

Technical Implementation:

  • How is external telecommunications services technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that external telecommunications services remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(4)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?

Ask AI

Configure your API key to use AI features.