NIST 800-171 - Boundary Protection (3.13.1)


Overview:
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.


Action Items:
3.13.1[a]
Determine if: the external system boundary is defined.


3.13.1[b]
Determine if: key internal system boundaries are defined.


3.13.1[c]
Determine if: communications are monitored at the external system boundary.


3.13.1[d]
Determine if: communications are monitored at key internal boundaries.


3.13.1[e]
Determine if: communications are controlled at the external system boundary.


3.13.1[f]
Determine if: communications are controlled at key internal boundaries.


3.13.1[g]
Determine if: communications are protected at the external system boundary.


3.13.1[h]
Determine if: communications are protected at key internal boundaries.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System and communications protection policy; procedures addressing boundary protection; system security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; enterprise security architecture documentation; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records.


2) Interview: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities.


3) Test: Mechanisms implementing boundary protection capability.


Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing boundary protection
3) system security plan
4) list of key internal boundaries of the system
5) system design documentation
6) boundary protection hardware and software
7) enterprise security architecture documentation
8) system audit logs and records
9) system configuration settings and associated documentation
10) other relevant documents or records


Additional Guidance:
Boundary components include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
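The two concrete filtering behaviors named above (external web traffic only to designated web servers, and rejection of external traffic that spoofs internal addresses) are easy to state and easy to get wrong in rule order. The following is an added example, not part of the NIST text or of this article, that models that ingress policy as a small evaluator so the rules and their ordering can be tested before they are written into a firewall or router. The address ranges, designated web servers and sample flows are constructed for illustration; enforcement in practice lives in the boundary device itself, and this code only demonstrates the decision logic and the audit record that monitoring would produce.

```python
"""Added example (not from the NIST text or this article): ingress policy
evaluator for an external system boundary.

Implements the two rules the 3.13.1 discussion names:
  1. drop external packets whose source claims to be internal (anti-spoofing),
  2. allow external web traffic only to designated web servers,
with default deny otherwise. All networks, hosts and flows are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed internal address space behind the boundary (constructed).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed designated web servers on the managed interface (constructed).
WEB_SERVERS = {
    ipaddress.ip_address("10.0.1.10"),
    ipaddress.ip_address("10.0.1.11"),
}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    """One packet as observed on the external interface."""
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if addr falls inside any internal network range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate_ingress(flow: Flow) -> tuple[str, str]:
    """Decide on one packet arriving from outside the boundary.

    Returns (verdict, reason) with verdict 'ALLOW' or 'DROP'. The
    anti-spoofing check runs first so a spoofed internal source can never
    match the web-server allow rule further down.
    """
    if is_internal(flow.src):
        return "DROP", "spoofed-internal-source"
    if flow.proto == "tcp" and flow.dport in WEB_PORTS:
        if ipaddress.ip_address(flow.dst) in WEB_SERVERS:
            return "ALLOW", "designated-web-server"
        return "DROP", "web-to-undesignated-host"
    return "DROP", "default-deny"


def monitor(flows: list[Flow]) -> list[str]:
    """Apply the policy to each flow and return one audit line per decision
    (the 'monitor' half of the requirement, alongside 'control')."""
    records = []
    for f in flows:
        verdict, reason = evaluate_ingress(f)
        records.append(f"{verdict} {f.src} -> {f.dst}:{f.dport}/{f.proto} ({reason})")
    return records


# Constructed sample traffic as seen on the external interface.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.1.10", "tcp", 443),   # legitimate web request
    Flow("203.0.113.5", "10.0.2.20", "tcp", 443),   # web traffic to a non-web host
    Flow("10.0.1.10", "10.0.1.11", "tcp", 443),     # internal source seen from outside: spoofed
    Flow("198.51.100.9", "10.0.1.10", "tcp", 22),   # SSH to a web server: not permitted inbound
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_FLOWS):
        print(line)
```

The point of the ordering is that the spoofing rule must precede every allow rule: if the web-server rule came first, a packet forged with a designated server's own address as its source would be accepted. Running the script prints the four decisions, only the first of which is an ALLOW.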


Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST Special Publication 800-41 provides guidance on firewalls and firewall policy. NIST Special Publication 800-125 provides guidance on security for virtualization technologies.


Article ID: 193
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-boundary-protection-3-13-1-193.html