SC-7—Boundary Protection
>Control Description
a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
>FedRAMP Baseline Requirements
Additional Requirements and Guidance
SC-7 (b) Guidance: SC-7 (b) MAY be met by using any technical capability or complement of capabilities that ensures logical separation between publicly accessible components and internal networks by preventing traversal without inspection and authorization; traffic may not flow unrestricted from publicly accessible components to internal networks.
>Discussion
Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.
SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses.
Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions.
Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).
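The three filtering examples in the discussion (external traffic only to designated web servers, no external packets carrying internal source addresses, no internal packets carrying external source addresses) are simple to state but are the rules an assessor will ask to see enforced at the managed interface. The script below is an added example, not part of the NIST text or of any product: it evaluates constructed flow records against a constructed address plan (ORG_NETS, DESIGNATED_WEB and WEB_PORTS are assumed values) and returns a verdict and reason for each, which is the same logic a firewall ruleset or an anti-spoofing ACL implements.

```python
"""Boundary-rule checks for the three SC-7 discussion examples: external
traffic only to designated web servers, no external packets with internal
source addresses, no internal packets with external source addresses.
The address plan and flow records below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed address plan: every prefix the organization owns, DMZ included.
ORG_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Constructed: the only hosts external clients may reach (DMZ web tier), on web ports.
DESIGNATED_WEB = {ipaddress.ip_address(a) for a in ("10.0.1.10", "10.0.1.11")}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    direction: str  # "ingress" arrives from the external interface, "egress" leaves toward it
    src: str
    dst: str
    dport: int


def is_org_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ORG_NETS)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow crossing the managed interface."""
    if flow.direction == "ingress":
        # External traffic claiming one of our own addresses is spoofed (ingress filtering).
        if is_org_address(flow.src):
            return "DROP", "external packet with internal (spoofed) source address"
        # Only the designated web servers are reachable from outside, and only on web ports.
        if ipaddress.ip_address(flow.dst) not in DESIGNATED_WEB or flow.dport not in WEB_PORTS:
            return "DROP", "external traffic to a non-designated host or port"
        return "PERMIT", "external web traffic to designated web server"
    if flow.direction == "egress":
        # Internal hosts may only send with an address we actually own (egress anti-spoofing).
        if not is_org_address(flow.src):
            return "DROP", "internal packet with external (spoofed) source address"
        return "PERMIT", "egress from an organizational address"
    raise ValueError(f"unknown direction {flow.direction!r}")


def evaluate_all(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows, at least one per rule in the discussion text.
SAMPLE_FLOWS = [
    Flow("ingress", "203.0.113.7", "10.0.1.10", 443),   # legitimate web request
    Flow("ingress", "203.0.113.7", "10.0.1.10", 22),    # SSH to the web server from outside
    Flow("ingress", "203.0.113.7", "10.0.5.20", 443),   # HTTPS to an internal, non-DMZ host
    Flow("ingress", "10.0.5.20", "10.0.1.10", 443),     # outside packet spoofing an internal source
    Flow("egress", "10.0.5.20", "198.51.100.9", 443),   # normal outbound
    Flow("egress", "198.51.100.9", "203.0.113.7", 53),  # internal host spoofing an external source
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate_all(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.direction:7} {flow.src:>14} -> {flow.dst}:{flow.dport}  {reason}")
```

Run it as-is to see the six sample verdicts; to use it as a ruleset review aid, replace SAMPLE_FLOWS with flows parsed from your own firewall or flow logs and ORG_NETS with the prefixes actually routed inside the authorization boundary. Note that the spoofing checks are only as good as ORG_NETS: a prefix missing from that list is neither protected on ingress nor permitted on egress.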
>Programmatic Queries
CLI Commands
aws ec2 describe-vpcs
aws ec2 describe-subnets
aws ec2 describe-internet-gateways
aws wafv2 list-web-acls --scope REGIONAL
aws network-firewall list-firewalls
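Listing VPCs, subnets and internet gateways only produces inventory; the SC-7(b) question is which subnets are actually reachable from the internet and whether any of those are meant to hold internal components. The script below is an added example (not part of this page or of any AWS tooling) that answers that for the subnet-level routing layer: it mirrors the output shape of `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` with constructed JSON, resolves each subnet's effective route table (explicit association, else the VPC main table), and marks a subnet public when that table has a default route to an `igw-` gateway. The `Tier` tag used to flag internal subnets is an assumed tagging convention, not an AWS attribute. A public route is one necessary signal only; security groups, network ACLs and any Network Firewall endpoints still have to be reviewed before the separation can be called adequate.

```python
"""Classify VPC subnets as public or private from `aws ec2 describe-route-tables`
and `aws ec2 describe-subnets` output, as a first check for SC-7(b).
The JSON below is constructed to match the CLI output shape; the Tier tag is an
assumed convention for marking which subnets are meant to stay internal."""
import json
import sys
from typing import Dict, List, Optional

ROUTE_TABLES_JSON = """{ "RouteTables": [
  {"RouteTableId": "rtb-main", "VpcId": "vpc-1",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
   "Associations": [{"RouteTableAssociationId": "rtbassoc-1", "RouteTableId": "rtb-main", "Main": true}]},
  {"RouteTableId": "rtb-public", "VpcId": "vpc-1",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-abc"}],
   "Associations": [{"RouteTableAssociationId": "rtbassoc-2", "RouteTableId": "rtb-public", "SubnetId": "subnet-dmz", "Main": false},
                    {"RouteTableAssociationId": "rtbassoc-3", "RouteTableId": "rtb-public", "SubnetId": "subnet-db", "Main": false}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-1",
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-123"}],
   "Associations": [{"RouteTableAssociationId": "rtbassoc-4", "RouteTableId": "rtb-private", "SubnetId": "subnet-app", "Main": false}]}
]}"""

SUBNETS_JSON = """{ "Subnets": [
  {"SubnetId": "subnet-dmz", "VpcId": "vpc-1", "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": true,
   "Tags": [{"Key": "Tier", "Value": "public"}]},
  {"SubnetId": "subnet-app", "VpcId": "vpc-1", "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": false,
   "Tags": [{"Key": "Tier", "Value": "internal"}]},
  {"SubnetId": "subnet-db", "VpcId": "vpc-1", "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": false,
   "Tags": [{"Key": "Tier", "Value": "internal"}]},
  {"SubnetId": "subnet-mgmt", "VpcId": "vpc-1", "CidrBlock": "10.0.4.0/24", "MapPublicIpOnLaunch": false,
   "Tags": [{"Key": "Tier", "Value": "internal"}]}
]}"""


def effective_route_table(subnet: dict, route_tables: List[dict]) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet["SubnetId"] for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if rt["VpcId"] == subnet["VpcId"] and any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def has_igw_default_route(rt: dict) -> bool:
    """A default route (IPv4 or IPv6) targeting an internet gateway makes the subnet public."""
    for r in rt.get("Routes", []):
        is_default = (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                      or r.get("DestinationIpv6CidrBlock") == "::/0")
        if is_default and str(r.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def tag(subnet: dict, key: str) -> Optional[str]:
    return next((t["Value"] for t in subnet.get("Tags", []) if t["Key"] == key), None)


def classify_subnets(subnets_doc: dict, route_tables_doc: dict) -> Dict[str, dict]:
    """Map SubnetId -> {exposure, route_table, tier, finding} for the SC-7(b) review."""
    report: Dict[str, dict] = {}
    rts = route_tables_doc["RouteTables"]
    for sn in subnets_doc["Subnets"]:
        rt = effective_route_table(sn, rts)
        public = rt is not None and has_igw_default_route(rt)
        tier = tag(sn, "Tier")  # assumed tagging convention
        finding = None
        if public and tier == "internal":
            finding = "internal-tier subnet has a default route to an internet gateway"
        report[sn["SubnetId"]] = {
            "exposure": "public" if public else "private",
            "route_table": rt["RouteTableId"] if rt else None,
            "tier": tier,
            "finding": finding,
        }
    return report


def findings(report: Dict[str, dict]) -> List[str]:
    return [sid for sid, r in report.items() if r["finding"]]


def sample_report() -> Dict[str, dict]:
    return classify_subnets(json.loads(SUBNETS_JSON), json.loads(ROUTE_TABLES_JSON))


if __name__ == "__main__":
    # Real use: python3 sc7_subnets.py subnets.json route-tables.json (saved CLI output).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            report = classify_subnets(json.load(f1), json.load(f2))
    else:
        report = sample_report()
    for sid, r in report.items():
        print(f"{sid:12} {r['exposure']:8} via {str(r['route_table']):12} tier={r['tier']}  {r['finding'] or ''}")
```

In the constructed data, `subnet-db` is tagged internal but has been attached to the public route table, so it is reported as a finding; `subnet-mgmt` has no explicit association and inherits the main table, which is exactly the case that is easy to miss when reading the console subnet by subnet.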
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the implementation of boundary protection?
- How are system and communications protection requirements defined and maintained?
- Who is responsible for configuring and maintaining the security controls specified in SC-7?
- What is your cryptographic key management policy?
Technical Implementation:
- How is boundary protection technically implemented in your environment?
- What systems, tools, or configurations enforce this protection requirement?
- How do you ensure that boundary protection remains effective as the system evolves?
- What network boundary protections are in place (firewalls, gateways, etc.)?
- What encryption mechanisms and algorithms are used to protect data?
Evidence & Documentation:
- What documentation demonstrates the implementation of SC-7?
- Can you provide configuration evidence or system diagrams showing this protection control?
- What logs or monitoring data verify that this control is functioning correctly?
- Can you provide network architecture diagrams and firewall rulesets?
- Can you demonstrate that FIPS 140-2 validated cryptography is used?