This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization isolates [FedRAMP Assignment: (M) (H) See SC-7 (13) additional FedRAMP Requirements and Guidance] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
SC-7 (13) Additional FedRAMP Requirements and Guidance:
Requirement: (M) (H) The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
Guidance: (H) Examples include information security tools, mechanisms, and support components such as, but not limited to, public key infrastructure (PKI), patching infrastructure, cyber defense tools, special purpose gateways, vulnerability tracking systems, internet access points (IAPs); network element and data center administrative/management traffic; demilitarized zones (DMZs), server farms/computing centers, centralized audit log servers, etc.
NIST 800-53 (r4) Supplemental Guidance:
Physically separate subnetworks with managed interfaces are useful, for example, in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques of organizations. Related controls: SA-8, SC-2, SC-3.
NIST 800-53 (r5) Discussion:
Physically separate subnetworks with managed interfaces are useful in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations.
38North Guidance:
Meets Minimum Requirement:
Define key information security tools, mechanisms, and support components associated with system and security administration.
Deploy those tools, mechanisms, and support components inside a private subnet within a virtual network (i.e., Security/Management Network) separate from other internal system components.
Establish a single ingress network path to the Security/Management Network that routes through a WAF, application load balancer, and/or a hardened bastion host deployed inside a public subnet (i.e., DMZ) logically positioned in front of the Security/Management Network.
Implement NACLs and firewalls to control ingress/egress traffic within the Security/Management Network at the subnet and instance levels, respectively. Subnet-level NACLs are stateless and evaluated in rule order, so return traffic for permitted connections needs explicit rules (e.g., ephemeral ports back to the initiating subnet) and a deny rule placed before a broader allow will take precedence; instance-level firewalls (security groups, host firewalls) are stateful and permit return traffic implicitly.
Restrict egress traffic destined for the internet to a subset of identified tools, mechanisms, and support components that require internet access to function (e.g., antivirus tools pulling the latest signature definition files, etc.). Give the private subnet no default route to the internet and route internet-bound traffic through a forward (egress) proxy in the DMZ that allows only approved destinations, so that the only connections crossing the boundary are those initiated from inside the Security/Management Network; no request originating from the internet can enter it.
Establish internal peering connections (e.g., AWS VPC Peering, Azure VNet peering, etc.) between the Security/Management Network and other system networks to enable administrative traffic and communications between deployed software agents and management servers hosted inside the Security/Management Network. Peering is not transitive, so route tables on the peered networks determine which subnets can reach the Security/Management Network at all; use route tables together with NACL deny rules and management-server firewall rules to prevent communications originating in customer environments from entering the Security/Management Network, permitting only the agent-to-server ports that are actually required.
Best Practice:
Implement RBAC so that each administrator can reach only the tools within the Security/Management Network that their role requires.
Establish a dedicated VPN enabling remote access to the Security/Management Network. Enable device/IP address restrictions (e.g., permit bastion/VPN access only from the known administrative address range) and MFA.
All access to, and activities conducted within, the Security/Management Network should be fully logged and audited, with full-text logging of privileged commands, and the logs forwarded to the centralized audit log servers so that administrators cannot alter the record of their own activity.
Deploy security tools possessing different access restrictions into separate private subnets.
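The following is an added, runnable model of the Security/Management Network controls described under Meets Minimum Requirement and Best Practice above; it is illustration written for this page, not code from 38North, FedRAMP or any CSP. It encodes a constructed layout (a DMZ public subnet holding a bastion and an egress proxy, a private management subnet holding a central log server, and a peered system network with CSP-managed agent hosts and customer tenant hosts), applies stateless ordered NACLs at the subnet level and stateful security groups at the instance level, and evaluates whether sample connections, including their reply traffic, get through. All addresses, ports, rule numbers and host roles are assumptions made for the example.

```python
"""Policy model for the Security/Management Network guidance above.
Constructed example: all addresses, ports, rule numbers and host roles are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = 49152  # representative high port used by the reply half of a TCP connection


@dataclass(frozen=True)
class Rule:
    number: int  # NACLs evaluate rules in ascending order; security groups ignore it
    action: str  # "allow" or "deny" (security-group rules are allow-only)
    cidr: str    # source CIDR for inbound rules, destination CIDR for outbound rules
    lo: int      # destination port range, inclusive
    hi: int

    def matches(self, addr, port):
        return ip_address(addr) in ip_network(self.cidr) and self.lo <= port <= self.hi


def nacl_allows(rules, addr, port):
    """Stateless subnet NACL: lowest-numbered matching rule wins, implicit deny at the end."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(addr, port):
            return r.action == "allow"
    return False


def sg_allows(rules, addr, port):
    """Stateful instance firewall: any matching allow rule passes; replies are implicit."""
    return any(r.matches(addr, port) for r in rules)


ANY = [Rule(100, "allow", "0.0.0.0/0", 1, 65535)]
ADMIN_VPN = "198.51.100.0/24"  # assumed egress range of the dedicated administrative VPN

# Subnets: CIDR, destinations the route table can reach, and the two NACL directions.
SUBNETS = {
    # DMZ (public subnet): bastion 10.10.0.10 and forward proxy 10.10.0.20 live here.
    "dmz": dict(cidr="10.10.0.0/24", routes=["10.10.0.0/16", "10.20.0.0/16", "0.0.0.0/0"],
                nacl_in=[Rule(100, "allow", ADMIN_VPN, 22, 22),              # admin SSH to bastion
                         Rule(110, "allow", "10.10.1.0/24", 3128, 3128),     # mgmt hosts -> proxy
                         Rule(120, "allow", "0.0.0.0/0", 1024, 65535)],      # replies to proxy/bastion
                nacl_out=ANY),
    # Private management subnet: no 0.0.0.0/0 route, so no direct internet path exists.
    "mgmt": dict(cidr="10.10.1.0/24", routes=["10.10.0.0/16", "10.20.0.0/16"],
                 nacl_in=[Rule(100, "allow", "10.10.0.10/32", 22, 22),       # SSH only from bastion
                          Rule(110, "allow", "10.20.1.0/24", 514, 514),      # CSP agents -> log server
                          Rule(120, "deny", "10.20.0.0/16", 1, 65535),       # nothing else from peer VPC
                          Rule(130, "allow", "10.10.0.0/24", 1024, 65535)],  # replies from DMZ
                 nacl_out=[Rule(100, "allow", "10.10.0.20/32", 3128, 3128),  # egress only via proxy
                           Rule(110, "allow", "0.0.0.0/0", 1024, 65535)]),   # replies to clients
    # Peered system network: CSP-managed agent hosts and customer tenant workloads.
    "agents": dict(cidr="10.20.1.0/24", routes=["10.20.0.0/16", "10.10.0.0/16"], nacl_in=ANY, nacl_out=ANY),
    "tenant": dict(cidr="10.20.2.0/24", routes=["10.20.0.0/16", "10.10.0.0/16"], nacl_in=ANY, nacl_out=ANY),
}

# Hosts: subnet membership plus the security group applied to the instance.
HOSTS = {
    "10.10.0.10": dict(subnet="dmz", sg_in=[Rule(0, "allow", ADMIN_VPN, 22, 22)], sg_out=ANY),
    "10.10.0.20": dict(subnet="dmz", sg_in=[Rule(0, "allow", "10.10.1.0/24", 3128, 3128)], sg_out=ANY),
    "10.10.1.10": dict(subnet="mgmt",  # central audit log server
                       sg_in=[Rule(0, "allow", "10.10.0.10/32", 22, 22),
                              Rule(0, "allow", "10.20.1.0/24", 514, 514)],
                       sg_out=[Rule(0, "allow", "10.10.0.20/32", 3128, 3128)]),
    "10.20.1.50": dict(subnet="agents", sg_in=ANY, sg_out=ANY),
    "10.20.2.7": dict(subnet="tenant", sg_in=ANY, sg_out=ANY),
}


def routable(subnet, addr):
    return any(ip_address(addr) in ip_network(r) for r in SUBNETS[subnet]["routes"])


def flow_allowed(src, dst, dport):
    """Does a TCP connection from src to dst:dport get through, replies included?"""
    s, d = HOSTS.get(src), HOSTS.get(dst)  # None means an address outside the modelled networks
    if s:  # sender side: route, instance firewall, subnet NACL out, and NACL in for the reply
        sn = SUBNETS[s["subnet"]]
        if not (routable(s["subnet"], dst) and sg_allows(s["sg_out"], dst, dport)
                and nacl_allows(sn["nacl_out"], dst, dport)
                and nacl_allows(sn["nacl_in"], dst, EPHEMERAL)):
            return False
    if d:  # receiver side: return route, subnet NACL in, instance firewall, and NACL out for the reply
        dn = SUBNETS[d["subnet"]]
        if not (routable(d["subnet"], src) and nacl_allows(dn["nacl_in"], src, dport)
                and sg_allows(d["sg_in"], src, dport)
                and nacl_allows(dn["nacl_out"], src, EPHEMERAL)):
            return False
    return True


if __name__ == "__main__":
    for src, dst, port in [("198.51.100.4", "10.10.0.10", 22), ("203.0.113.5", "10.10.1.10", 22),
                           ("10.20.2.7", "10.10.1.10", 514), ("10.10.1.10", "203.0.113.9", 443)]:
        print(f"{src} -> {dst}:{port}: {'allow' if flow_allowed(src, dst, port) else 'deny'}")
```

The model makes three of the guidance points concrete: the private subnet's missing default route alone blocks direct internet egress from the log server, the deny rule for the peered network (rule 120) must be numbered after the agent allow (rule 110) or the agents lose their syslog path, and the stateless NACL needs the ephemeral-port reply rules (120 in the DMZ, 130 in the management subnet) for any of the permitted connections to complete.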
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Evidence to show that organization-defined security tools are either physically or logically isolated and that only limited personnel have access (e.g., screenshots of the deployed VLAN and subnet architecture, network device configuration settings, NACL/firewall rule sets, route tables for peered networks, and access-control configuration for the bastion/VPN, etc.)
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD