This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined mission and/or business functions].
NIST 800-53 (r4) Supplemental Guidance:
Organizations can isolate information system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and to more effectively control information flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms include, for example, routers, gateways, and firewalls separating system components into physically separate networks or subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows among system components using distinct encryption keys. Related controls: CA-9, SC-3.
NIST 800-53 (r5) Discussion:
Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyberattacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys.
38North Guidance:
Meets Minimum Requirement:
Isolate system components that perform different mission or business functions into separate virtual private networks and private/public subnets.
Enforce isolation between virtual networks via routing rules, load balancers, firewalls, NACLs, and RBAC.
Minimally, isolate security and management functionality from non-privileged functions, and the Customer environment from the entire Cloud Service Offering (CSO).
Best Practice:
Deploy hardened bastion hosts inside each virtual network to preclude direct access to system components. All administrative/privileged remote access should connect to a hardened bastion host, and all administrative/privileged internal access should originate from a hardened bastion host.
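The subnet isolation and bastion-only administrative access described under Meets Minimum Requirement and Best Practice can be checked against a boundary device's rule set. The following is an added example, not 38North or NIST material: it evaluates constructed network ACL rules for a management subnet with AWS-style first-match, lowest-number-first semantics, and reports where an internet or customer-subnet source can reach the management plane or where administrative ports are open to anything other than the bastion subnet. All CIDRs, rule numbers and probe addresses are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed sample network layout (placeholder CIDRs, one CSO virtual network).
SUBNETS = {"management": "10.0.0.0/24", "bastion": "10.0.1.0/24", "customer": "10.0.2.0/24"}
ADMIN_PORTS = {22, 3389}
# Constructed representative source hosts used to probe the rule set.
PROBES = {"internet": "203.0.113.5", "customer": "10.0.2.10", "bastion": "10.0.1.10"}

# Inbound NACL rules for the management subnet: (rule_no, action, source_cidr, port_from, port_to).
# Weak configuration: SSH open to the world and the customer subnet reaching the management plane.
MGMT_INBOUND_WEAK = [
    (100, "allow", "0.0.0.0/0", 22, 22),
    (110, "allow", "10.0.2.0/24", 443, 443),
    (32767, "deny", "0.0.0.0/0", 0, 65535),
]
# Hardened configuration: administrative access only from the bastion subnet, everything else denied.
MGMT_INBOUND_HARDENED = [
    (100, "allow", "10.0.1.0/24", 22, 22),
    (32767, "deny", "0.0.0.0/0", 0, 65535),
]


def evaluate(rules, src_ip, port):
    """First matching rule (lowest rule number) decides; implicit deny if nothing matches."""
    src = ip_address(src_ip)
    for _, action, cidr, lo, hi in sorted(rules):
        if lo <= port <= hi and src in ip_network(cidr):
            return action
    return "deny"


def findings(rules):
    """Return guidance violations for a management-subnet inbound rule set (empty list = compliant)."""
    out = []
    for port in sorted(ADMIN_PORTS):
        # Administrative ports must not be reachable from outside the bastion subnet.
        for name in ("internet", "customer"):
            if evaluate(rules, PROBES[name], port) == "allow":
                out.append(f"admin port {port} reachable from {name}")
    # The bastion must still be able to reach at least one administrative port, or nobody can administer.
    if not any(evaluate(rules, PROBES["bastion"], p) == "allow" for p in ADMIN_PORTS):
        out.append("no admin port reachable from bastion")
    # The customer environment must be isolated from the management plane on common service ports.
    for port in (80, 443, 8080):
        if evaluate(rules, PROBES["customer"], port) == "allow":
            out.append(f"customer subnet reaches management port {port}")
    return out


if __name__ == "__main__":
    print("weak:", findings(MGMT_INBOUND_WEAK))
    print("hardened:", findings(MGMT_INBOUND_HARDENED))
```

The same probe approach extends to security groups or cloud firewall rules by replacing the rule tuples with the device's exported rule set.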
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration settings for a sample of boundary protection devices associated with networks and subnets.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD