SC-7(4)—External Telecommunications Services
>Control Description
a. Implement a managed interface for each external telecommunication service; b. Establish a traffic flow policy for each managed interface; c. Protect the confidentiality and integrity of the information being transmitted across each interface; d. Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; e. Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; f. Prevent unauthorized exchange of control plane traffic with external networks; g. Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and h. Filter unauthorized control plane traffic from external networks.
>Supplemental Guidance
External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See SP 800-189 for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.