Establish, implement, and maintain a Boundary Defense program.


CONTROL ID
00544
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Identify and control all network access controls., CC ID: 00529

This Control has the following implementation support Control(s):
  • Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary., CC ID: 11891
  • Segregate systems in accordance with organizational standards., CC ID: 12546
  • Establish, implement, and maintain a network access control standard., CC ID: 00546
  • Employ centralized management systems to configure and control networks, as necessary., CC ID: 12540
  • Establish, implement, and maintain a firewall and router configuration standard., CC ID: 00541
  • Install and configure firewalls to be enabled on all mobile devices, if possible., CC ID: 00550
  • Configure network access and control points to protect restricted data or restricted information., CC ID: 01284
  • Install and configure application layer firewalls for all key web-facing applications., CC ID: 01450


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • For network devices connected to public lines, the organization should implement management methods, such as monitoring. (O31.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Protecting the enclave boundaries or perimeter (Critical components of information security 24) i. (a), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Protection against growing cyber threats requires multiple layers of defenses, known as defense in depth. As every organization is different, this strategy should therefore be based on a balance between protection, capability, cost, performance, and operational considerations. Defense in depth for m… (Critical components of information security 24) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Protecting the computing environment. (Critical components of information security 24) i. (b), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The enclave boundary is the point at which the organization's network interacts with the Internet. To control the flow of traffic through network borders and to police its content looking for attacks and evidence of compromised machines, boundary defenses should be multi-layered, relying on firewall… (Critical components of information security 24) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Firewalls should not be relied upon, however, to provide full protection from attacks. Banks should complement firewalls with strong security policies and a range of other controls. In fact, firewalls are potentially vulnerable to attacks including spoofing trusted IP addresses, denial of service by… (Critical components of information security 24) vii. a) ¶ 12, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establishing a network protection strategy and layered security based on the principle of defense-in-depth is an absolute necessity for banks. This would require suitable measures to address vulnerabilities across the hardware, operating system, middleware, database, network and application layers. … (Critical components of information security 24) viii. ¶ 1 l., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks need to follow a defense in depth strategy by applying robust security measures across various technology layers (Critical components of information security g) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A relevant entity must implement controls at its network perimeter to restrict all unauthorised network traffic. (IV. 4.4 ¶ 1, MAS-201908-Notice 655 Cyber Hygiene)
  • The FI should install network security devices, such as firewalls as well as intrusion detection and prevention systems, at critical junctures of its IT infrastructure to protect the network perimeters. The FI should deploy firewalls, or other similar measures, within internal networks to minimise t… (§ 9.3.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should install network security devices such as firewalls to secure the network between the FI and the Internet, as well as connections with third parties. (§ 11.2.1, Technology Risk Management Guidelines, January 2021)
  • Adequate measures should also be taken to minimise exposure of the FI's online financial services to common attack vectors such as code injection attack, cross-site scripting, man-in-the-middle attack (MITMA), domain name system (DNS) hijacking, distributed denial of service (DDoS), malware and spoo… (§ 14.1.3, Technology Risk Management Guidelines, January 2021)
  • Equip networks with defence devices or software. (Annex A1: Computer Network Security 33, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Check that the database is hardened and not placed in a vulnerable spot within the network. (Annex A1: Database Security 51, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • All connections between security domains implement mechanisms to inspect and filter data flows for the transport and higher layers as defined in the OSI model. (Security Control: 1192; Revision: 2, Australian Government Information Security Manual, March 2021)
  • All systems are protected from systems in other security domains by one or more gateways. (Security Control: 0628; Revision: 5, Australian Government Information Security Manual, March 2021)
  • are managed via a secure path isolated from all connected networks (physically at the gateway or on a dedicated administration network) (Security Control: 0631; Revision: 6; Bullet 3, Australian Government Information Security Manual, March 2021)
  • All system administrators of gateways that process Australian Eyes Only (AUSTEO) or Australian Government Access Only (AGAO) information are Australian nationals. (Security Control: 0613; Revision: 4, Australian Government Information Security Manual, March 2021)
  • When introducing additional connectivity to a CDS, such as adding a new gateway to a common network, the ACSC is consulted on the impact to the security of the CDS; and directions provided by the ACSC are complied with. (Security Control: 0627; Revision: 5, Australian Government Information Security Manual, March 2021)
  • VLANs are not used to separate network traffic between official and classified networks, or networks of different classifications. (Security Control: 0529; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Network access controls are implemented on networks to prevent the connection of unauthorised network devices. (Security Control: 0520; Revision: 6, Australian Government Information Security Manual, March 2021)
  • Network access controls are implemented on networks to prevent the connection of unauthorised network devices. (Control: ISM-0520; Revision: 6, Australian Government Information Security Manual, June 2023)
  • The organization should use Network Access Control to validate that network devices are secure before they are granted Access to the network. (Control: 1307, Australian Government Information Security Manual: Controls)
  • The organization should have separate dedicated Network Interface Cards on the host for Internet Protocol telephony network access and video conferencing, if it uses webcams or softphones. (Control: 1016, Australian Government Information Security Manual: Controls)
  • The organization must ensure gateways are the only communications paths in and out of the internal networks. (Control: 0631 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization must ensure gateways deny all connections in and out of the network, by default. (Control: 0631 Bullet 2, Australian Government Information Security Manual: Controls)
  • implement multiple layers and types of controls such that if one control fails, other controls limit the impact of an information security compromise. This is typically referred to as the principle of 'defence in depth'; (Attachment A 1(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • management of IT security technology solutions that include firewall, anti-malicious software, intrusion detection/prevention, cryptographic systems and monitoring/log analysis tools; (¶ 27(d), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • defence-in-depth and diversity of controls, where multiple layers and types of controls are used to address risks in different ways. Therefore, should one control layer be compromised, other control(s) limit the impact on a regulated institution; (¶ 26(a), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A firewall should be installed between the organization's network and the Voice over Internet Protocol (VoIP) gateway and should be configured to only allow VoIP traffic. (§ 3.8.72, § 3.10.28, Australian Government ICT Security Manual (ACSI 33))
  • closely managed and monitored security measures (e.g. firewalls, proxy servers, mail relays, antivirus and content scanners) to secure the incoming and outgoing network traffic (e.g. e-mail) and the outward facing network connections through which third parties could break into the internal ICT sys… (Title 3 3.3.4(b) 55.h(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Each network perimeter is controlled by security gateways. The system access authorisation for cross-network access is based on a security assessment on the basis of the customer requirements. (Section 5.9 KOS-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Each network perimeter is controlled by redundant and high-availability security gateways. The system access authorisation for cross-network access is based on a security assessment on the basis of the customer requirements. (Section 5.9 KOS-03 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • (§ 4.2.4, OGC ITIL: Security Management)
  • Certified firewalls or use of specific criteria when deciding on a specific firewall are called for. Additionally, it calls for a comprehensive list of what should be allowed through the firewall, and strategic placement of firewalls. A network should be explicitly configured to restrict access for … (§ V, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization should ensure that security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation and intrusion detection) are used to authorize access and control information flows from and to networks. (DS5.10, CobiT, Version 4.1)
  • The organization must employ internal and external firewalls to prevent intrusions from the internet and from within the organization. (§ 1a, American Express Data Security Standard (DSS))
  • How is isolation maintained across different layers, including between virtual machines, physical machines, networks, storage systems (e.g., storage area networks), management networks and support systems? (Appendix D, Appendix A: Bullet 1, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • What defenses are in place to protect against ‘internal’ attacks (originating from CSP’s or other client network) and “external” attacks (originating from the Internet or other public network)? (Appendix D, Regularly Monitor and Test Networks Bullet 9, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. (§ 1.1.6.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the firewall configuration standards and the router configuration standards to verify inbound traffic and outbound traffic needed for the cardholder data environment has been identified. (Testing Procedures § 1.2.1.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Establish a firewall and router configuration standard that includes requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone. (§ 1.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. (§ 1.1.6.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Install and maintain a firewall configuration to protect data and review those rules regularly. (§ 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the firewall and router rules sets are reviewed at least every 6 months. (§ 1.1.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Install and maintain a firewall configuration to protect data and review those rules regularly. (PCI DSS Requirements § 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. (1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. (1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. (1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Install and maintain a firewall configuration to protect data (Requirement 1:, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows: (1.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are security policies and operational procedures for managing firewalls: - Documented - In use - Known to all affected parties? (1.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows: (1.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for managing firewalls: - Documented - In use - Known to all affected parties? (1.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Do firewall and router configurations restrict connections between untrusted networks and any system in the cardholder data environment as follows: (1.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine firewall and router configurations and perform the following to verify that connections are restricted between untrusted networks and system components in the cardholder data environment: (1.2, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • To ensure network security, configuring firewalls to deny unauthorized traffic should be included in the data protection efforts. (§ 5.2 (Network Security), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Firewalls should be installed between the Internet and the organization's network. (Pg 12-II-35, Pg 12-IV-24, Protection of Assets Manual, ASIS International)
  • Networks should be designed to perform network traffic prioritization and 'class of service' to reduce network latency. (CF.07.01.06d, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which covers vulnerability and patch management. (CF.09.01.01e, The Standard of Good Practice for Information Security)
  • Networks should be designed to perform network traffic prioritization and 'class of service' to reduce network latency. (CF.07.01.06d, The Standard of Good Practice for Information Security, 2013)
  • There should be documented standards / procedures for configuring network devices (e.g., routers, hubs, bridges, concentrators, switches, and firewalls), which covers vulnerability and patch management. (CF.09.01.01e, The Standard of Good Practice for Information Security, 2013)
  • Design and implement network perimeters so that all outgoing network traffic to the Internet must pass through at least one application layer filtering proxy server. The proxy should support decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP add… (Control 12.5, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The organization should implement secure configurations for network devices, such as firewalls, routers, and switches. (Critical Control 10, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should initiate and maintain a boundary defense program. (Critical Control 13, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data. (CIS Control 12: Boundary Defense, CIS Controls, 7.1)
  • Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. (CIS Control 13: Network Monitoring and Defense, CIS Controls, V8)
  • Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points. (CIS Control 12: Network Infrastructure Management, CIS Controls, V8)
  • ¶ 8.2.4(3)(4) Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of ne… (¶ 8.2.4(3)(4), ¶ 9.2 Table Row "Network Configuration", ¶ 9.2 Table Row "Network Segregation", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Boundary protection systems (for example, firewalls, demilitarized zones, intrusion detection or prevention systems, and endpoint detection and response systems) are configured, implemented, and maintained to protect external access points. (CC6.6 ¶ 2 Bullet 4 Implements Boundary Protection Systems, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization's communications and control networks are protected through applying defense-in-depth principles (e.g., network segmentation, firewalls, physical access controls to network equipment, etc.). (PR.PT-4.1, CRI Profile, v1.2)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (§ 52.204-21(b)(1)(x), Federal Acquisition Regulation 52.204-21 Basic Safeguarding of Covered Contractor Information Systems)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. (CC6.6 Implements Boundary Protection Systems, Trust Services Criteria)
  • Boundary protection systems (for example, firewalls, demilitarized zones, and intrusion detection systems) are implemented to protect external access points from attempts and unauthorized access and are monitored to detect such attempts. (CC6.6 ¶ 2 Bullet 4 Implements Boundary Protection Systems, Trust Services Criteria, (includes March 2020 updates))
  • The organization must implement and monitor the status of firewall controls. (§ 15.i, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • Principle: Firms should implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself. Effective practices include: - implementing a defense-in-depth strategy; - selecting controls appropriate to the firm’s technology and threat envir… (Technical Controls, Report on Cybersecurity Practices)
  • Electronic Security Perimeters (CIP-005) including Interactive Remote Access; (B. R1. 1.1 1.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Electronic Security Perimeters (CIP-005) including Interactive Remote Access; (B. R1. 1.1 1.1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • A firewall should be implemented for any system connected to the Internet. (App D-3, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must use appropriate control interfaces, including, but not limited to, gateways, firewalls, proxies, routers, and encrypted tunnels for any Internet connection or other external network or systems connection. (CSR 10.8.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (§ 52.204-21 (b)(1)(x), 48 CFR Part 52.204-21, Basic Safeguarding of Covered Contractor Information Systems)
  • Each agency must develop, document, and implement an information security program agency wide that includes policies and procedures that ensure compliance with the minimally acceptable system configuration requirements and other applicable requirements. (§ 3544(b)(2)(D)(iii), Federal Information Security Management Act of 2002, Deprecated)
  • The personal firewall must be configured at least at the "Medium" security level and must include the following: block Internet access, unless permitted by the user; block unused ports in the background; and prompt the user before executing Java Applets and ActiveX controls. (§ 5.2, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
  • Broadband or high-speed connections used for Remote Access, Mobile Access and Telework, introduces a greater risk of an attack compared to dial-up connections since users are connected for much longer periods and these connections often use static IP addresses provided by Internet Service Providers … (§ 2.3, DISA Secure Remote Computing Security Technical Implementation Guide, Version 2, Release 1)
  • § 2.2 (WIR1250) Implement wireless e-mail servers and handheld configuration settings. § 3.11 Configure Enclave and Personal Firewall Architecture ports, protocols and services according to organization's site specific architecture. The Enclave firewall should be configured to allow only the requi… (§ 2.2 (WIR1250), § 3.11, DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • § 3.7 Configure Enclave and Personal Firewall Architecture ports, protocols and services according to organization's site specific architecture. § 3.12 Good Mobile Messaging provides inherent client side firewall capabilities when the Good Mobile Intranet Server is installed, as follows: • By us… (§ 3.7, § 3.12, DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • § 2.2 (WIR2250) All required wireless e-mail server and device configuration should be implemented. § 3.8 The Enclave firewall should be configured to only allow the required connections, using the default or standard ports for needed services. Default Port 443 using TCP protocol for the following… (§ 2.2 (WIR2250), § 3.8, App B.3 Row "Enable Firewall", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC.1.175, Cybersecurity Maturity Model Certification, Version 1.0, Level 1)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC.1.175, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC.1.175, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC.1.175, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization. (SC.4.197, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC.1.175, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization. (SC.4.197, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC.L1-3.13.1 Boundary Protection, Cybersecurity Maturity Model Certification, Version 2.0, Level 1)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC.L1-3.13.1 Boundary Protection, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • When infrastructure has direct Internet access, implement virtual application level firewall and virtual intrusion detection and/or prevention capabilities IAW the applicable DoD SRGs and STIGs to protect the virtual network(s) and interconnected VMs. The Mission Owner and/or their CSSP must be able… (Section 5.10.6 ¶ 1 Bullet 4, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Impact Level 4: DMZ boundary protection requirements (i.e., proxies, firewalls, etc.) will be provided by the Mission Owner in their system/application environment until such time as these protections are provided by the Mission Owner's agency or DISA as an enterprise service. (Section 5.10.6 ¶ 1 Bullet 3 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The organization must implement an effective network device control program. (ECND-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must implement an effective network device control program. (ECND-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The network device control program must include restart procedures; recovery procedures; source code access restrictions; system utility access restrictions; system documentation restrictions; protection from system files and application files being deleted; and a structured process for implementing… (ECND-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The network device control program must include restart procedures; recovery procedures; source code access restrictions; system utility access restrictions; system documentation restrictions; protection from system files and application files being deleted; and a structured process for implementing… (ECND-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The agency shall monitor and control communications at key internal boundaries and at the external boundary of the Information System. (§ 5.10.1.1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Implements security and monitoring throughout the entity's network, analyzes incoming and outgoing data traffic, and alerts authorized personnel if anomalous activity is detected. Additionally, determine whether the following security and monitoring mitigation strategies are in place: (App A Objective 13:3h, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Perimeter protection devices. (App A Objective 14:2d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Protect web or Internet-facing applications through additional controls, including web application firewalls, regular scanning for new or recurring vulnerabilities, mitigation or remediation of common security weaknesses, and network segregation. (App A Objective 6.27.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, and output. ▪ The ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Firewalls should be used by the organization to control external access to the network by enforcing the organization's security policy. (Pg 29, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should use firewalls to segregate and restrict access to the network and restrict the content of inbound and outbound traffic. (Pg 28, FFIEC IT Examination Handbook - Operations, July 2004)
  • (AC-3.2(E), Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., FedRAMP Security Controls High Baseline, Version 5)
  • Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., FedRAMP Security Controls High Baseline, Version 5)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., FedRAMP Security Controls Low Baseline, Version 5)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., FedRAMP Security Controls Low Baseline, Version 5)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; (SC-7(24) ¶ 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • There is a need for secure firewalls to block or filter access between two networks, often between a private network and a larger, more public network such as the internet. Secure gateways allow internal users to connect to external networks while protecting internal systems from compromise. (§ 3.12.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Offers a lot of general information on firewall design. The document discusses different firewalls, how they work, and their strengths and weaknesses, making it easier for an organization to choose what is right for its environment. § 2.2 describes packet filter firewalls, concluding they are best … (§ 2.2, § 2.4, § 2.6, § 3.1, § 5.3, § 5.7, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)
  • Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness). (T0262, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (3.13.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. (3.13.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. (3.13.1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization should prevent the unauthorized release of information outside the system boundary or unauthorized communications through the boundary when the boundary protection mechanism has an operational failure. (App F § SC-7(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to enforce strict adherence to the protocol format. (App F § SC-7(17), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness). (T0262, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The information system does not release information outside of the established system boundary unless the receiving {organizationally documented information system or system component} provides {organizationally documented security safeguards}. (AC-3(9)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system does not release information outside of the established system boundary unless {organizationally documented security safeguards} are used to validate the appropriateness of the information designated for release. (AC-3(9)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system enforces adherence to protocol formats. (SC-7(17), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs boundary protection mechanisms to separate {organizationally documented information system components} supporting {organizationally documented missions and/or business functions}. (SC-7(21), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs boundary protection mechanisms to separate {organizationally documented information system components} supporting {organizationally documented missions and/or business functions}. (SC-7(21), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system monitors and controls communications at the external boundary of the system and at key internal boundaries within the system. (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; (SC-7(24) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. (SC-7c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]. (SC-7(21) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; (SC-7a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system; (SC-7(24) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • MODERNIZE FEDERAL DEFENSES (STRATEGIC OBJECTIVE 1.5, National Cybersecurity Strategy)
  • DEFEND NATIONAL SECURITY SYSTEMS (STRATEGIC OBJECTIVE 1.5 Subsection 3, National Cybersecurity Strategy)
  • MODERNIZE FEDERAL DEFENSES (STRATEGIC OBJECTIVE 1.5, National Cybersecurity Strategy (Condensed))
  • DEFEND NATIONAL SECURITY SYSTEMS (STRATEGIC OBJECTIVE 1.5 Subsection 3, National Cybersecurity Strategy (Condensed))
  • Anyone who stores, licenses, owns, or maintains personal information about a Massachusetts resident and electronically transmits or stores that information must establish and maintain a security system (which must be included in the comprehensive, written information security program) for all comput… (§ 17.04(6), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., TX-RAMP Security Controls Baseline Level 1)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., TX-RAMP Security Controls Baseline Level 1)
  • Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture. (SC-7c., TX-RAMP Security Controls Baseline Level 2)
  • Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; (SC-7a., TX-RAMP Security Controls Baseline Level 2)