Navigate

CCI-001106

CCI-001106 Definition

Review exceptions to the traffic flow policy on an organization-defined frequency for each external telecommunication service.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - exceptions to the traffic flow policy are reviewed [SC-07(04)_ODP; the frequency at which to review exceptions to traffic flow policy is defined]. - exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed.

Validation Procedures

Examine: [SELECT FROM: System and communications protection policy; traffic flow policy; information flow control policy; procedures addressing boundary protection; system security architecture; system design documentation; boundary protection hardware and software; system architecture and configuration documentation; system configuration settings and associated documentation; records of traffic flow policy exceptions; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities]. Test: [SELECT FROM: Organizational processes for documenting and reviewing exceptions to the traffic flow policy; organizational processes for removing exceptions to the traffic flow policy; mechanisms implementing boundary protection capabilities; managed interfaces implementing traffic flow policy].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001106.

Control	Description
SC-7(4)	(a): Implement a managed interface for each external telecommunication service; (b): Establish a traffic flow policy for each managed interface; (c): Protect the confidentiality and integrity of the information being transmitted across each interface; (d): Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e): Review exceptions to the traffic flow policy [the frequency at which to review exceptions to traffic flow policy is defined;] and remove exceptions that are no longer supported by an explicit mission or business need; (f): Prevent unauthorized exchange of control plane traffic with external networks; (g): Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h): Filter unauthorized control plane traffic from external networks.

Control

Description

SC-7(4)

(a): Implement a managed interface for each external telecommunication service;

(b): Establish a traffic flow policy for each managed interface;

(c): Protect the confidentiality and integrity of the information being transmitted across each interface;

(d): Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

(e): Review exceptions to the traffic flow policy [the frequency at which to review exceptions to traffic flow policy is defined;] and remove exceptions that are no longer supported by an explicit mission or business need;

(f): Prevent unauthorized exchange of control plane traffic with external networks;

(g): Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

(h): Filter unauthorized control plane traffic from external networks.