SC-7(22)—Separate Subnets For Connecting To Different Security Domains
>Control Description
Implement separate network addresses to connect to systems in different security domains.
>Cross-Framework Mappings
>Supplemental Guidance
The decomposition of systems into subnetworks (i.e., subnets) helps to provide the appropriate level of protection for network connections to different security domains that contain information with different security categories or classification levels.
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern the implementation of separate subnets for connecting to different security domains?
- •How are system and communications protection requirements defined and maintained?
- •Who is responsible for configuring and maintaining the security controls specified in SC-7(22)?
Technical Implementation:
- •How is separate subnets for connecting to different security domains technically implemented in your environment?
- •What systems, tools, or configurations enforce this protection requirement?
- •How do you ensure that separate subnets for connecting to different security domains remains effective as the system evolves?
- •What network boundary protections are in place (firewalls, gateways, etc.)?
- •How is separation of duties or partitioning technically enforced?
Evidence & Documentation:
- •What documentation demonstrates the implementation of SC-7(22)?
- •Can you provide configuration evidence or system diagrams showing this protection control?
- •What logs or monitoring data verify that this control is functioning correctly?
- •Can you provide network architecture diagrams and firewall rulesets?
Ask AI
Configure your API key to use AI features.