Navigate

SC-7 (9)

SC-7 (9): Restrict Threatening Outgoing Communications Traffic

The information system:

SC-7 (9)(a): Detects and denies outgoing communications traffic posing a threat to external information systems; and

SC-7 (9)(b): Audits the identity of internal users associated with denied communications.

Supplemental

Detecting outgoing communications traffic from internal actions that may pose threats to external information systems is sometimes termed extrusion detection. Extrusion detection at information system boundaries as part of managed interfaces includes the analysis of incoming and outgoing communications traffic searching for indications of internal threats to the security of external systems. Such threats include, for example, traffic indicative of denial of service attacks and traffic containing malicious code.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-7 (9).

Control	Description
AU-2	The organization: AU-2a.: Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events]; AU-2b.: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; AU-2c.: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and AU-2d.: Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-6	The organization: AU-6a.: Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and AU-6b.: Reports findings to [Assignment: organization-defined personnel or roles].
SC-38	The organization employs [Assignment: organization-defined operations security safeguards] to protect key organizational information throughout the system development life cycle.
SC-44	The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].
SI-3	The organization: SI-3a.: Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code; SI-3b.: Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures; SI-3c.: Configures malicious code protection mechanisms to: SI-3c.1.: Perform periodic scans of the information system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more); endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and SI-3c.2.: [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action]] in response to malicious code detection; and SI-3d.: Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
SI-4	The organization: SI-4a.: Monitors the information system to detect: SI-4a.1.: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and SI-4a.2.: Unauthorized local, network, and remote connections; SI-4b.: Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; SI-4c.: Deploys monitoring devices: SI-4c.1.: Strategically within the information system to collect organization-determined essential information; and SI-4c.2.: At ad hoc locations within the system to track specific types of transactions of interest to the organization; SI-4d.: Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; SI-4e.: Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; SI-4f.: Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and SI-4g.: Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Enhancements

The controls below (if any) add on to the requirements of SC-7 (9).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-7 (9).

CCI	Definition
CCI-002398	The information system detects outgoing communications traffic posing a threat to external information systems.
CCI-002399	The information system denies outgoing communications traffic posing a threat to external information systems.
CCI-002400	The information system audits the identity of internal users associated with denied outgoing communications traffic posing a threat to external information systems.