Navigate

SC-7(4)

SC-7(4): External Telecommunications Services

(a): Implement a managed interface for each external telecommunication service;

(b): Establish a traffic flow policy for each managed interface;

(c): Protect the confidentiality and integrity of the information being transmitted across each interface;

(d): Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;

(e): Review exceptions to the traffic flow policy [the frequency at which to review exceptions to traffic flow policy is defined;] and remove exceptions that are no longer supported by an explicit mission or business need;

(f): Prevent unauthorized exchange of control plane traffic with external networks;

(g): Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and

(h): Filter unauthorized control plane traffic from external networks.

Supplemental

External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.

CIA Levels
Confidentiality	low
Integrity	low
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-7(4).

Control	Description
AC-3	Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
SC-8	Protect the [one or more of "confidentiality"/"integrity"] of transmitted information.
SC-20	a: Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and b: Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
SC-21	Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22	Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.

Enhancements

The controls below (if any) add on to the requirements of SC-7(4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-7(4).

CCI	Definition
CCI-001102	Implement a managed interface for each external telecommunication service.
CCI-001103	Establish a traffic flow policy for each managed interface for each external telecommunication service.
CCI-001105	Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need.
CCI-001106	Review exceptions to the traffic flow policy on an organization-defined frequency for each external telecommunication service.
CCI-001107	Defines a frequency for the review of exceptions to the traffic flow policy for each external telecommunication service.
CCI-001108	Remove traffic flow policy exceptions that are no longer supported by an explicit mission or business need for each external telecommunication service.
CCI-002396	Protect the confidentiality and integrity of the information being transmitted across each interface for each external telecommunication service.
CCI-004869	Prevent unauthorized exchange of control plane traffic with external networks.
CCI-004870	Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks.
CCI-004871	Filter unauthorized control plane traffic from external networks.