This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization limits the number of external network connections to the information system.
NIST 800-53 (r4) Supplemental Guidance:
Limiting the number of external network connections facilitates more comprehensive monitoring of inbound and outbound communications traffic. The Trusted Internet Connection (TIC) initiative is an example of limiting the number of external network connections.
NIST 800-53 (r5) Discussion:
Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC] initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.
38North Guidance:
Meets Minimum Requirement:
Limit the number of ingress/egress network connections to the information system.
Best Practice:
For ingress administrative traffic, use a VPN and restrict network access to specific source IP addresses (e.g., the corporate network) and protocols (e.g., SSH, RDP). Terminate the VPN on a hardened bastion host deployed inside a management network within the authorization boundary. Prohibit privileged users from connecting to external (out-of-boundary) networks from within the management network. For cloud resources that require a connection to the internet (e.g., to fetch software updates), route egress traffic through a web proxy configured with URL/domain whitelisting.
Force customers to access their environment through a single entry point.
Control and manage access to public API endpoints for customer use.
For DoD customers, only allow connections from a DISA Cloud Access Point.
Create and enforce an acceptable use and data ingress/egress traffic enforcement policy including a list of approved internet-accessible services, and guidelines for accessing and handling sensitive data.
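One way to check firewall or security-group rule sets against the Best Practice guidance above (admin ingress only from approved sources over approved protocols, customer traffic only through the designated entry point, internet egress only via the web proxy), as an added example that is not part of this page or of 38North's own tooling: a small Python audit. The approved VPN range, management subnet, proxy address and port, and every rule in the sample set are constructed assumptions for illustration; a real run would load the rules exported from the CSP's firewall or security-group configuration.

```python
"""Audit firewall / security-group rules against the access-point policy
described in the guidance: administrative ingress only from approved
networks over approved protocols, customer traffic only through the
designated entry point, and internet egress only via the web proxy.

Added example; not part of the original guidance. Every CIDR, port and
rule below is constructed for illustration."""
import ipaddress

# --- Assumed policy values (constructed) ----------------------------------
APPROVED_ADMIN_SOURCES = ["203.0.113.0/24",   # corporate VPN egress range
                          "10.0.1.0/24"]      # management subnet (bastion host)
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}        # protocols permitted for admin ingress
PROXY_CIDR = "10.0.1.10/32"                   # egress web proxy in the management network
PROXY_PORTS = {3128}                          # port the proxy listens on
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def is_external(cidr):
    """A CIDR is external (out-of-boundary) unless it sits inside RFC 1918 space."""
    return not any(_net(cidr).subnet_of(n) for n in INTERNAL_NETS)


def is_approved_admin_source(cidr):
    """Only sources fully contained in an approved range may reach admin ports."""
    return any(_net(cidr).subnet_of(_net(a)) for a in APPROVED_ADMIN_SOURCES)


def audit(rules):
    """Return (rule_id, reason) pairs for every rule that violates the policy."""
    findings = []
    for r in rules:
        ports = range(r["from_port"], r["to_port"] + 1)
        if r["direction"] == "ingress":
            admin_hit = sorted(p for p in ADMIN_PORTS if p in ports)
            if admin_hit:
                # Admin protocols: source must be an approved range (VPN or bastion subnet).
                if not is_approved_admin_source(r["cidr"]):
                    findings.append((r["id"],
                        f"admin port(s) {admin_hit} reachable from unapproved source {r['cidr']}"))
            elif is_external(r["cidr"]) and not r.get("entry_point"):
                # Any other external ingress must be the single designated entry point.
                findings.append((r["id"],
                    f"external ingress from {r['cidr']} outside the designated entry point"))
        else:
            if is_external(r["cidr"]):
                # Internet-bound traffic must go through the proxy, never directly.
                findings.append((r["id"],
                    f"direct internet egress to {r['cidr']} bypasses the web proxy"))
            elif r["cidr"] == PROXY_CIDR and not all(p in PROXY_PORTS for p in ports):
                findings.append((r["id"],
                    f"egress to proxy on non-proxy ports {r['from_port']}-{r['to_port']}"))
    return findings


# Constructed sample rule set, roughly in security-group form.
SAMPLE_RULES = [
    {"id": "sg-ssh-from-vpn",     "direction": "ingress", "cidr": "203.0.113.0/24", "from_port": 22,   "to_port": 22},
    {"id": "sg-ssh-from-bastion", "direction": "ingress", "cidr": "10.0.1.0/24",    "from_port": 22,   "to_port": 22},
    {"id": "sg-rdp-open",         "direction": "ingress", "cidr": "0.0.0.0/0",      "from_port": 3389, "to_port": 3389},
    {"id": "sg-https-entry",      "direction": "ingress", "cidr": "0.0.0.0/0",      "from_port": 443,  "to_port": 443, "entry_point": True},
    {"id": "sg-https-extra",      "direction": "ingress", "cidr": "198.51.100.0/24","from_port": 8443, "to_port": 8443},
    {"id": "sg-egress-proxy",     "direction": "egress",  "cidr": "10.0.1.10/32",   "from_port": 3128, "to_port": 3128},
    {"id": "sg-egress-proxy-all", "direction": "egress",  "cidr": "10.0.1.10/32",   "from_port": 0,    "to_port": 65535},
    {"id": "sg-egress-open",      "direction": "egress",  "cidr": "0.0.0.0/0",      "from_port": 0,    "to_port": 65535},
    {"id": "sg-egress-db",        "direction": "egress",  "cidr": "10.0.2.0/24",    "from_port": 5432, "to_port": 5432},
]

if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```

The audit flags four of the nine sample rules: RDP open to the world, a second internet-facing service beside the designated entry point, an unrestricted egress rule, and an egress rule to the proxy host on every port. The two SSH rules pass because their sources are fully contained in the approved VPN range and the bastion subnet; a broader source such as a whole VPC range would be flagged, which is the intended reading of "restrict network access to specific IP addresses".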
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Configuration settings for firewalls, NACLs, web proxies (IP/URL whitelists), bastion hosts, and VPN connections.
Acceptable use and data ingress/egress traffic enforcement policies.
Demonstration of users connecting to the system via approved access points and network paths.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD