Navigate

CCI-001106

CCI-001106 Definition

The organization reviews exceptions to the traffic flow policy on an organization-defined frequency for each external telecommunication service.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed implements a process to review exceptions to the traffic flow policy every 180 days for each external telecommunication service. The organization must maintain an audit trail of reviews. DoD has defined the frequency as every 180 days.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of reviews to ensure the organization being inspected/assessed reviews exceptions to the traffic flow policy every 180 days for each external telecommunication service. DoD has defined the frequency as every 180 days.

Compelling Evidence

1.) Signed and dated traffic flow policy. 2.) Process documentation that reviews exceptions to the traffic flow policy.

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001106.

Control	Description
SC-7 (4)	The organization: SC-7 (4)(a): Implements a managed interface for each external telecommunication service; SC-7 (4)(b): Establishes a traffic flow policy for each managed interface; SC-7 (4)(c): Protects the confidentiality and integrity of the information being transmitted across each interface; SC-7 (4)(d): Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and SC-7 (4)(e): Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.

Control

Description

SC-7 (4)

The organization:

SC-7 (4)(a): Implements a managed interface for each external telecommunication service;

SC-7 (4)(b): Establishes a traffic flow policy for each managed interface;

SC-7 (4)(c): Protects the confidentiality and integrity of the information being transmitted across each interface;

SC-7 (4)(d): Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and

SC-7 (4)(e): Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need.