>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-7 (08)Boundary Protection | Route Traffic to Authenticated Proxy Servers

Moderate
High

>Control Description

Route organization-defined internal communications traffic to organization-defined external networks through authenticated proxy servers at managed interfaces.

>FedRAMP Baseline Requirements

No FedRAMP-specific parameter values or requirements for this baseline.

>Discussion

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services.

Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names.

Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for man-in-the-middle attacks (depending on the implementation).

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of route traffic to authenticated proxy servers?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(8)?

Technical Implementation:

  • How is route traffic to authenticated proxy servers technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that route traffic to authenticated proxy servers remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?
  • How are session timeouts and termination controls configured?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(8)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
  • Can you show session management configuration settings?

Ask AI

Configure your API key to use AI features.