Navigate

CCI-004869

CCI-004869 Definition

Prevent unauthorized exchange of control plane traffic with external networks.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if unauthorized exchanges of control plan traffic with external networks are prevented.

Validation Procedures

Examine: [SELECT FROM: System and communications protection policy; traffic flow policy; information flow control policy; procedures addressing boundary protection; system security architecture; system design documentation; boundary protection hardware and software; system architecture and configuration documentation; system configuration settings and associated documentation; records of traffic flow policy exceptions; system audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; organizational personnel with boundary protection responsibilities]. Test: [SELECT FROM: Organizational processes for documenting and reviewing exceptions to the traffic flow policy; organizational processes for removing exceptions to the traffic flow policy; mechanisms implementing boundary protection capabilities; managed interfaces implementing traffic flow policy].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004869.

Control	Description
SC-7(4)	(a): Implement a managed interface for each external telecommunication service; (b): Establish a traffic flow policy for each managed interface; (c): Protect the confidentiality and integrity of the information being transmitted across each interface; (d): Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e): Review exceptions to the traffic flow policy [the frequency at which to review exceptions to traffic flow policy is defined;] and remove exceptions that are no longer supported by an explicit mission or business need; (f): Prevent unauthorized exchange of control plane traffic with external networks; (g): Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h): Filter unauthorized control plane traffic from external networks.

Control

Description

SC-7(4)

(a): Implement a managed interface for each external telecommunication service;

(b): Establish a traffic flow policy for each managed interface;

(c): Protect the confidentiality and integrity of the information being transmitted across each interface;

(d): Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

(e): Review exceptions to the traffic flow policy [the frequency at which to review exceptions to traffic flow policy is defined;] and remove exceptions that are no longer supported by an explicit mission or business need;

(f): Prevent unauthorized exchange of control plane traffic with external networks;

(g): Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

(h): Filter unauthorized control plane traffic from external networks.