
SC-7(16) Prevent Discovery Of System Components

Control Description

Prevent the discovery of specific system components that represent a managed interface.

Supplemental Guidance

Preventing the discovery of system components representing a managed interface helps protect network addresses of those components from discovery through common tools and techniques used to identify devices on networks. Network addresses are not available for discovery and require prior knowledge for access. Preventing the discovery of components and devices can be accomplished by not publishing network addresses, using network address translation, or not entering the addresses in domain name systems.

Another prevention technique is to periodically change network addresses.
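One way to check the "not entering the addresses in domain name systems" technique is to audit zone data against the inventory of managed-interface addresses. The following is an added example, not part of the control text; the address ranges, host names, zone contents and function names are constructed for illustration, and the zone is assumed to use a simplified one-record-per-line form with an explicit owner name.

```python
import ipaddress

# Constructed inventory: address ranges of managed-interface components that
# must not be discoverable (documentation ranges, not real hosts).
MANAGED_INTERFACES = [ipaddress.ip_network(n) for n in
                      ("192.0.2.16/28", "2001:db8:ffff::/48")]

# Constructed zone data in simplified "name [ttl] [class] type rdata" form.
SAMPLE_ZONE = """\
; constructed sample, not from a real zone
www        300 IN A     198.51.100.10
fw-mgmt    300 IN A     192.0.2.17
vpn-admin      IN AAAA  2001:db8:ffff::1
mail       300 IN MX    10 mx.example.net.
18.2.0.192.in-addr.arpa. IN PTR lb-mgmt.example.net.
alias          IN CNAME www
"""

def record_address(name, rtype, rdata):
    """Return the IP address a record exposes, or None if it exposes none."""
    rev = name.lower().rstrip(".")
    try:
        if rtype in ("A", "AAAA"):
            return ipaddress.ip_address(rdata)
        if rtype == "PTR" and rev.endswith(".in-addr.arpa"):
            octets = rev[:-len(".in-addr.arpa")].split(".")
            return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None  # malformed rdata or partial reverse name
    return None

def find_published_interfaces(zone_text, protected=MANAGED_INTERFACES):
    """List (line_no, name, type, address) for records exposing protected addresses."""
    findings = []
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        idx = 1  # skip optional TTL and class tokens to find the record type
        while idx < len(fields) and (fields[idx].isdigit() or fields[idx].upper() == "IN"):
            idx += 1
        if idx + 1 >= len(fields):
            continue  # blank line, comment, or no rdata
        name, rtype, rdata = fields[0], fields[idx].upper(), fields[idx + 1]
        addr = record_address(name, rtype, rdata)
        if addr is not None and any(addr in net for net in protected):
            findings.append((line_no, name, rtype, str(addr)))
    return findings

if __name__ == "__main__":
    for finding in find_published_interfaces(SAMPLE_ZONE):
        print(finding)
```

Reverse (PTR) records are checked as well as forward records, because a reverse zone entry publishes the address just as an A record does.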

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of discovery prevention for system components?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(16)?

Technical Implementation:

  • How is prevention of system component discovery technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that prevention of system component discovery remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(16)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?
