Navigate

CCI-001103

CCI-001103 Definition

The organization establishes a traffic flow policy for each managed interface for each external telecommunication service.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed defines and documents a traffic flow policy for each managed interface for each external telecommunication service.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented traffic flow policy to ensure the organization being inspected/assessed establishes a traffic flow policy for each managed interface for each external telecommunication service.

Compelling Evidence

1.) Signed and dated traffic flow policy document for managed interfaces for each external telecommunication service. 2.) Data flow diagram.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001103.

Control	Description
SC-7 (4)	The organization: SC-7 (4)(a): Implements a managed interface for each external telecommunication service; SC-7 (4)(b): Establishes a traffic flow policy for each managed interface; SC-7 (4)(c): Protects the confidentiality and integrity of the information being transmitted across each interface; SC-7 (4)(d): Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and SC-7 (4)(e): Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.

Control

Description

SC-7 (4)

The organization:

SC-7 (4)(a): Implements a managed interface for each external telecommunication service;

SC-7 (4)(b): Establishes a traffic flow policy for each managed interface;

SC-7 (4)(c): Protects the confidentiality and integrity of the information being transmitted across each interface;

SC-7 (4)(d): Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and

SC-7 (4)(e): Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.