This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
NIST 800-53 (r4) Supplemental Guidance:
Enforcing the separation of information flows by type can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths perhaps not otherwise achievable. Types of separable information include, for example, inbound and outbound communications traffic, service requests and responses, and information of differing security categories.
NIST 800-53 (r5) Discussion:
Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.
38North Guidance:
Meets Minimum Requirement:
Segregates information flows logically or physically, using organization-defined mechanisms and/or techniques, to accomplish the organization-defined required separations by type of information.
Best Practice:
Configure the system to route inbound and outbound traffic through separate channels, e.g., dedicated proxy servers for each direction. Ensure that data entering the boundary is not commingled with data of a lower classification or security impact level.
Implement separation of duties so that no single person holds all roles and responsibilities. Use role-based access control (RBAC) to separate those duties.
Employ FIPS 140-2 validated TLS v1.2 implementations for user session communications.
Unofficial FedRAMP Guidance:
Assessment Evidence:
Screenshots of edge router ACLs, or exports of the inbound and outbound rule sets for all internal/external boundary protection devices. Verify that explicit deny-all, permit-by-exception rules are in place and that no any-any rules sit at the top of any rule set.
Screenshots of VLANs (or, in AWS, VPCs) showing that network traffic is segregated so the network is not "flat": once access to the boundary is obtained, a user cannot reach all systems or system components.
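The two evidence items above (a permit-by-exception rule set with no any-any rule at the top, and a network that is not flat) can be checked mechanically against a rule export before the screenshots are taken. The script below is an added example and is not 38North's, FedRAMP's or any vendor's tooling; it assumes a simple, constructed export format of `<seq> <action> <proto> <src> <dst> <dport>` per line and a constructed list of internal subnets, so it must be adapted to the real device's export syntax.

```python
"""Audit an exported ACL / firewall rule set for the conditions an assessor
looks for when reviewing boundary protection evidence:

  1. the rule set ends with an explicit deny-all (permit-by-exception);
  2. no any-any permit appears above other rules (it would shadow them);
  3. no single permit lets every internal subnet reach every other internal
     subnet on all ports (a "flat" network behind the boundary).

The export format and the sample rule sets are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "udp" or "any"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    dport: str   # destination port or "any"


def parse_rule(line):
    # Constructed line format: "<seq> <action> <proto> <src> <dst> <dport>"
    _seq, action, proto, src, dst, dport = line.split()
    return Rule(action.lower(), proto.lower(), src, dst, dport)


def parse_ruleset(text):
    # Blank lines and "#" comments are ignored, as in most exports.
    return [parse_rule(l) for l in text.strip().splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def is_any(value):
    return value.lower() in ("any", "0.0.0.0/0", "::/0")


def is_any_any(rule):
    # Matches every source, destination, port and IP protocol.
    return (is_any(rule.src) and is_any(rule.dst) and is_any(rule.dport)
            and rule.proto in ("ip", "any"))


def covers_all(cidr, nets):
    # True if the rule's address field contains every internal subnet.
    if is_any(cidr):
        return True
    try:
        n = ipaddress.ip_network(cidr, strict=False)
        return all(s.subnet_of(n) for s in nets)
    except (ValueError, TypeError):  # bad CIDR or mixed IPv4/IPv6
        return False


def check_ruleset(rules, internal_subnets):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if not rules:
        return ["empty rule set"]
    last = rules[-1]
    if not (last.action == "deny" and is_any_any(last)):
        findings.append("rule set does not end with an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action == "permit" and is_any_any(r) and i < len(rules) - 1:
            findings.append(f"any-any permit at position {i + 1} shadows "
                            f"{len(rules) - i - 1} later rule(s)")
            break
    nets = [ipaddress.ip_network(s) for s in internal_subnets]
    for i, r in enumerate(rules):
        if (r.action == "permit" and is_any(r.dport)
                and covers_all(r.src, nets) and covers_all(r.dst, nets)):
            findings.append(f"rule {i + 1} permits every internal subnet to "
                            f"reach every other on all ports (flat network)")
    return findings


# Constructed sample data: three internal subnets and three rule exports.
INTERNAL_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

BAD_RULESET = """
# any-any at the top and no closing deny-all
10 permit ip any any any
20 permit tcp 10.0.1.0/24 10.0.2.0/24 443
"""

FLAT_RULESET = """
10 permit ip 10.0.0.0/16 10.0.0.0/16 any
20 deny ip any any any
"""

GOOD_RULESET = """
10 permit tcp any 10.0.1.0/24 443
20 permit tcp 10.0.1.0/24 10.0.2.0/24 5432
30 deny ip any any any
"""


def audit(text, internal_subnets=INTERNAL_SUBNETS):
    return check_ruleset(parse_ruleset(text), internal_subnets)


if __name__ == "__main__":
    for name, text in (("bad", BAD_RULESET), ("flat", FLAT_RULESET),
                       ("good", GOOD_RULESET)):
        print(name, audit(text) or ["clean"])
```

Run against a real export, the checker only narrows what the screenshot must show; rule ordering and implicit-deny behaviour differ between vendors, so the final deny-all check in particular should be confirmed against the device's documented default action.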
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD