KSI-CNA-ULN—Using Logical Networking
Formerly KSI-CNA-03
Control Description
NIST 800-53 Controls
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express software lifecycle management through SBOM-driven inventories — automated component scanning identifying EOL software, with lifecycle dashboards showing version currency across the stack. Software inventory is derived from build manifests and runtime discovery rather than manually maintained spreadsheets.
SBOM (Software Bill of Materials)
Machine-readable SBOM expressing software components, versions, and known vulnerabilities — generated from build pipelines
Software Inventory and Lifecycle Status
Inventory of major software components with support status and planned upgrades — derived from SBOM analysis
End-of-Life Software Policy
Human-readable policy for managing unsupported and end-of-life software components
Programmatic Queries
CLI Commands
aws ec2 describe-vpcs --query "Vpcs[].{VpcId:VpcId,CIDR:CidrBlock,Name:Tags[?Key=='Name'].Value | [0]}" --output table
aws ec2 describe-subnets --query "Subnets[].{SubnetId:SubnetId,VPC:VpcId,AZ:AvailabilityZone,CIDR:CidrBlock,Public:MapPublicIpOnLaunch}" --output table
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your logical networking enforce traffic flow controls across all tiers: public-facing, application, data, management, and CI/CD networks?
- Are traffic flow controls applied to multi-cloud or hybrid scenarios, or only within a single cloud provider?
- How do you ensure east-west traffic between services is controlled with the same rigor as north-south (ingress/egress) traffic?
- Are there network segments where traffic flow controls are relaxed for operational reasons, and how are those exceptions documented?
Automation & Validation:
- What automated tools validate that logical network configurations (VPCs, subnets, security groups, network policies) match intended traffic flow definitions?
- How do you detect unauthorized traffic flows? Do you analyze flow logs for connections that violate defined policies?
- What happens if a network configuration change inadvertently allows unauthorized traffic between segments? How quickly is it detected and reverted?
- Do you run automated reachability analysis or network path testing to confirm traffic can only flow along approved paths?
Inventory & Integration:
- What logical networking constructs (VPCs, VNets, security groups, network policies, service mesh) compose your traffic flow enforcement, and how are they inventoried?
- How do network-layer and application-layer traffic controls (service mesh, API gateways) integrate to provide defense in depth?
- Are traffic flow policies defined as code (Terraform, Kubernetes NetworkPolicies, cloud provider IaC) and version-controlled?
- How do flow logs from different networking layers integrate into your SIEM for traffic analysis?
Continuous Evidence & Schedules:
- How do you demonstrate that traffic flow controls have been consistently enforced and validated over the past 90 days?
- Is network flow data and policy compliance status available via API or dashboard for assessor review?
- How do you detect when traffic flow controls degrade, for example when a security group rule is added that weakens segmentation?
- What evidence shows flow log analysis is performed continuously to identify unauthorized or anomalous traffic patterns?
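Several of the questions above ask how accepted flows are checked against the intended tier-to-tier policy, how reply traffic is told apart from a real cross-tier connection, and how a flow that should have been blocked is surfaced as evidence. The script below is an added example written for this page; it is not FedRAMP-provided tooling or code from the page. It reads records in the default VPC Flow Log (version 2) field order, maps each address to a tier, and reports any ACCEPTed flow that is not on an approved path. The tier CIDRs, the allowed-flow table, and the eight log lines are all constructed for the demo.

```python
"""Audit VPC Flow Log records against an intended tier-to-tier traffic policy.

Added example, not from the page. Tier CIDRs, the allowed-flow table and the
sample log lines are constructed for the demonstration.
"""
import ipaddress

# Assumed tier CIDRs: one subnet per tier, chosen for the example.
TIERS = {
    "public": ipaddress.ip_network("10.0.0.0/24"),   # load balancers / edge
    "app": ipaddress.ip_network("10.0.1.0/24"),      # application services
    "data": ipaddress.ip_network("10.0.2.0/24"),     # databases
    "mgmt": ipaddress.ip_network("10.0.3.0/24"),     # bastion / admin tooling
}

# Intended flows as (src_tier, dst_tier) -> allowed destination ports.
# "external" is any address outside the tiers above (the internet).
# Any ACCEPTed flow not listed here is a segmentation violation.
ALLOWED_FLOWS = {
    ("external", "public"): {443},   # north-south ingress
    ("public", "app"): {8080},       # east-west, one tier at a time
    ("app", "data"): {5432},
    ("mgmt", "public"): {22},        # admin access from the management tier only
    ("mgmt", "app"): {22},
    ("mgmt", "data"): {22},
}

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_record(line):
    """Split one space-separated flow log line into a dict of named fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    # NODATA/SKIPDATA records carry "-" for the ports; keep those as None.
    for key in ("srcport", "dstport"):
        rec[key] = int(rec[key]) if rec[key] != "-" else None
    return rec


def tier_of(addr):
    """Map an IP address to its tier name, or "external" if it is in no tier."""
    ip = ipaddress.ip_address(addr)
    for name, net in TIERS.items():
        if ip in net:
            return name
    return "external"


def check_record(rec):
    """Return a violation dict if an ACCEPTed flow is off every approved path, else None."""
    if rec["action"] != "ACCEPT" or rec["log_status"] != "OK":
        return None  # a REJECT shows the control working; NODATA/SKIPDATA carry no flow
    src, dst = tier_of(rec["srcaddr"]), tier_of(rec["dstaddr"])
    if rec["dstport"] in ALLOWED_FLOWS.get((src, dst), set()):
        return None  # forward direction of an approved flow
    if rec["srcport"] in ALLOWED_FLOWS.get((dst, src), set()):
        return None  # reply direction: flow logs record both halves of a connection
    return {
        "srcaddr": rec["srcaddr"], "dstaddr": rec["dstaddr"],
        "path": f"{src}->{dst}", "protocol": rec["protocol"], "dstport": rec["dstport"],
    }


def audit(lines):
    """Return the list of violations found in an iterable of flow log lines."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        violation = check_record(parse_record(line))
        if violation:
            violations.append(violation)
    return violations


# Constructed sample: one ENI, eight records, three of which break the policy.
SAMPLE_FLOW_LOGS = """
# internet -> public 443: approved ingress
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.0.12 51234 443 6 10 2000 1700000000 1700000060 ACCEPT OK
# public -> app 8080 and app -> data 5432: approved east-west
2 123456789012 eni-0a1b2c3d 10.0.0.12 10.0.1.20 40001 8080 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 40002 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
# data -> app from port 5432: reply half of the flow above, not a violation
2 123456789012 eni-0a1b2c3d 10.0.2.30 10.0.1.20 5432 40002 6 18 9000 1700000000 1700000060 ACCEPT OK
# public -> data 5432: the public tier bypassed the app tier (VIOLATION)
2 123456789012 eni-0a1b2c3d 10.0.0.12 10.0.2.30 40003 5432 6 5 800 1700000000 1700000060 ACCEPT OK
# internet -> app 8080: app tier reachable directly from the internet (VIOLATION)
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51235 8080 6 3 300 1700000000 1700000060 ACCEPT OK
# internet -> data 22 was REJECTed: the control worked, not a violation
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.2.30 51236 22 6 1 60 1700000000 1700000060 REJECT OK
# app -> mgmt 22: SSH in the wrong direction (VIOLATION)
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.3.40 40004 22 6 2 200 1700000000 1700000060 ACCEPT OK
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOW_LOGS.splitlines()):
        print(f"VIOLATION {v['path']} {v['srcaddr']} -> {v['dstaddr']} "
              f"proto {v['protocol']} dport {v['dstport']}")
```

Run against the sample, the script reports the three ACCEPTed cross-tier flows (public to data, internet to app, app to mgmt) and stays quiet about the REJECTed probe and the reply half of the app-to-data connection. The reply-direction exemption keys on the source port, so a host that deliberately sends from an approved service port (for instance source port 22 from the app tier toward mgmt) would slip past it; in production, add the tcp-flags custom field to the flow log format and treat only non-SYN-initiated records as replies, and feed the resulting violations to the SIEM so the 90-day evidence trail asked for above exists.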