This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Implements a managed interface for each external telecommunication service;
(b) Establishes a traffic flow policy for each managed interface;
(c) Protects the confidentiality and integrity of the information being transmitted across each interface;
(d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and
(e) Reviews exceptions to the traffic flow policy [FedRAMP Assignment: (H) at least every ninety (90) days or whenever there is a change in the threat environment that warrants a review of the exceptions; (M) at least annually] and removes exceptions that are no longer supported by an explicit mission/business need.
NIST 800-53 (r4) Supplemental Guidance:
Related control: SC-8.
NIST 800-53 (r5) Discussion:
External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189] for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements. Related Controls: AC-3, SC-8, SC-20, SC-21, SC-22.
38North Guidance:
Meets Minimum Requirement:
(a) Deploy a managed interface (e.g., Network/Application Load Balancer, Firewall, Router, etc.) for each external telecommunication service. Examples include an F5 Data Center Firewall or Load Balancer, a Palo Alto Networks firewall, a WAF, etc.
(b) Configure rules (e.g., firewall/NACL inbound/outbound rule sets, routing rules, IDS/IPS rules, etc.) on each managed interface that restrict traffic flows to an approved list of IP addresses, protocols, and services, with everything not on that list denied by default.
(c) Utilize X.509 PKI certificates to facilitate the use of TLS v1.2 (or better) for all network communications. The TLS handshake authenticates the endpoint through its certificate chain to a trusted CA (digital signatures and the PKI CA hierarchy) and negotiates session keys using asymmetric cryptography; the record layer then protects confidentiality and integrity of the transmitted data with symmetric authenticated encryption. TLS implementations must use FIPS 140-2 (or FIPS 140-3) validated cryptographic modules whenever federal data/metadata is involved.
(d) Exceptions to traffic flow policies should be subjected to a change management process where the request is formally documented and tracked via a ticketing system such as Jira, with the ticket recording the supporting mission/business need and the duration of that need. Each exception should be reviewed by relevant Subject Matter Experts (Security, Operations, System Architects, etc.), tested, and approved by a Change Advisory Board (or a similar authoritative body with knowledge of the change). Once approved, update the relevant SSP documentation (e.g., Table 10-1. Ports, Protocols, and Services; CM-7 / CM-7 (1) / SA-4 (9); Firewall Configuration Matrices (if applicable), etc.) to reflect the exception(s).
(e) Security personnel should review exceptions to traffic flow policies for continued relevance and necessity at least every 90 days for High baselines (at least annually for Moderate), or whenever there is a change in the threat environment that warrants a review of the exceptions, and remove any exception that is no longer supported by an explicit mission/business need.
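The check behind item (b) is whether the rule set actually confines the boundary to the approved list of sources, protocols, and services. The following is an added example (not 38North's or any vendor's code) that lints an exported inbound rule set against such a list and flags rules that are broader than the policy. The rule and approved-list formats are assumptions loosely modelled on a cloud security group export; the networks, ports, and rule names are constructed for illustration.

```python
"""Lint an inbound rule set against the approved traffic-flow policy (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # CIDR permitted to originate the flow
    protocol: str    # "tcp", "udp", "icmp" or "any" (assumed export vocabulary)
    from_port: int   # -1 means all ports
    to_port: int


# Constructed approved list, the equivalent of an SSP ports/protocols/services table:
# (protocol, port) -> networks allowed to reach that service through the boundary.
APPROVED = {
    ("tcp", 443): [ipaddress.ip_network("0.0.0.0/0")],       # public HTTPS via the load balancer
    ("tcp", 22):  [ipaddress.ip_network("203.0.113.0/24")],  # SSH to the bastion, corporate range only
}


def lint_rule(rule, approved=APPROVED):
    """Return a list of policy findings for one rule; an empty list means compliant."""
    if rule.protocol == "any":
        return ["protocol 'any' is not restricted to an approved service"]
    if rule.from_port == -1:
        return ["all ports permitted; the policy requires explicit services"]

    findings = []
    src = ipaddress.ip_network(rule.source, strict=False)
    unapproved = []
    for port in range(rule.from_port, rule.to_port + 1):
        allowed = approved.get((rule.protocol, port))
        if allowed is None:
            unapproved.append(port)
            continue
        # A rule is only compliant if its source sits inside an approved network
        # of the same address family for this service.
        if not any(n.version == src.version and src.subnet_of(n) for n in allowed):
            findings.append(
                f"{rule.protocol}/{port} open to {rule.source}; approved sources: "
                f"{[str(n) for n in allowed]}"
            )
    if unapproved:
        findings.append(
            f"{len(unapproved)} port(s) not in the approved list "
            f"({rule.protocol}/{unapproved[0]}..{rule.protocol}/{unapproved[-1]})"
        )
    return findings


def lint_ruleset(rules, approved=APPROVED):
    """Map rule name -> findings, for rules that have at least one finding."""
    return {r.name: f for r in rules if (f := lint_rule(r, approved))}


# Constructed sample export: two compliant rules and three classic misconfigurations.
SAMPLE_RULES = [
    Rule("https-public", "0.0.0.0/0", "tcp", 443, 443),
    Rule("ssh-bastion", "203.0.113.0/24", "tcp", 22, 22),
    Rule("ssh-world", "0.0.0.0/0", "tcp", 22, 22),           # approved service, unapproved source
    Rule("legacy-any", "0.0.0.0/0", "any", -1, -1),          # any/any
    Rule("db-wide", "198.51.100.0/24", "tcp", 1024, 65535),  # services not on the approved list
]

if __name__ == "__main__":
    for name, findings in lint_ruleset(SAMPLE_RULES).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run it against a real export by mapping each rule into `Rule` and replacing `APPROVED` with the SSP table; the output is the list of rules that need either a policy exception under item (d) or removal.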
Best Practice:
(a) Deploy a managed interface that provides one or more of the following services: Firewall; DDoS Mitigation; DNS Security; and Intrusion Detection/Prevention System.
(b) Implement Layer 7 filtering/monitoring at each managed interface.
(c) See Meets Minimum Requirement section.
(d) See Meets Minimum Requirement section.
(e) Conduct monthly scans (utilizing tools such as Nessus) to enumerate all open ports, protocols, and running services. Assess each monthly scan report against the SSP documentation and the previous month's scan report to identify unauthorized ports, protocols, and services. Confirm all discrepancies and submit a ticket for each (via a case management tool such as Jira) for remediation.
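The review in item (e) of both sections reduces to a reconciliation: every exposed service must be either in the SSP ports/protocols/services table or covered by an unexpired, documented exception, and exceptions approaching their end date need a decision. The following is an added example (not 38North's code and not the output format of Nessus or Jira) that performs that reconciliation over constructed data; the record layouts, ticket numbers, hosts, and dates are assumptions for illustration.

```python
"""Reconcile a port/service scan against the SSP PPS table and the exception register (added example)."""
from datetime import date, timedelta

# Constructed equivalent of SSP Table 10-1: services the boundary is authorized to expose.
SSP_PPS = {
    ("tcp", 443): "HTTPS - customer portal via ALB",
    ("tcp", 22):  "SSH - bastion, corporate range only",
}

# Constructed exception register: what a change ticket records under item (d).
EXCEPTIONS = [
    {"ticket": "SEC-1042", "protocol": "tcp", "port": 8443,
     "need": "vendor migration API", "expires": date(2024, 6, 30)},
    {"ticket": "SEC-0991", "protocol": "tcp", "port": 3389,
     "need": "one-off forensic imaging", "expires": date(2024, 2, 15)},
]

# Constructed scan results: what a port/service scanner would enumerate this month.
SCAN = [
    {"host": "10.0.1.20", "protocol": "tcp", "port": 443, "service": "https"},
    {"host": "10.0.1.20", "protocol": "tcp", "port": 8443, "service": "https-alt"},
    {"host": "10.0.1.20", "protocol": "tcp", "port": 3389, "service": "ms-wbt-server"},
    {"host": "10.0.1.21", "protocol": "udp", "port": 161, "service": "snmp"},
]

# Constructed previous month's exposure as (host, protocol, port) tuples.
PREVIOUS = {("10.0.1.20", "tcp", 443), ("10.0.1.20", "tcp", 8443)}


def reconcile(scan, ssp=SSP_PPS, exceptions=EXCEPTIONS, previous=None, today=None):
    """Classify each observed service and flag what changed since the last scan."""
    today = today or date.today()
    active, expired = {}, {}
    for ex in exceptions:
        bucket = active if ex["expires"] >= today else expired
        bucket[(ex["protocol"], ex["port"])] = ex["ticket"]

    report = {"authorized": [], "by_exception": [], "expired_exception": [],
              "unauthorized": [], "new_since_previous": []}
    for f in scan:
        key = (f["protocol"], f["port"])
        entry = f'{f["host"]} {key[0]}/{key[1]} ({f["service"]})'
        if key in ssp:
            report["authorized"].append(entry)
        elif key in active:
            report["by_exception"].append(f"{entry} [{active[key]}]")
        elif key in expired:
            # Exposure outlived its documented need: a ticket to close, not a new exception.
            report["expired_exception"].append(f"{entry} [{expired[key]} expired]")
        else:
            report["unauthorized"].append(entry)
        if previous is not None and (f["host"], *key) not in previous:
            report["new_since_previous"].append(entry)
    return report


def exceptions_due(exceptions=EXCEPTIONS, today=None, window_days=90):
    """Tickets whose documented duration ends within the review window (90 days for High)."""
    today = today or date.today()
    horizon = today + timedelta(days=window_days)
    return [ex["ticket"] for ex in exceptions if today <= ex["expires"] <= horizon]


if __name__ == "__main__":
    as_of = date(2024, 3, 1)
    for category, entries in reconcile(SCAN, previous=PREVIOUS, today=as_of).items():
        print(category, entries)
    print("exceptions due for review:", exceptions_due(today=as_of))
```

Everything in `unauthorized` and `expired_exception` becomes a remediation ticket; everything in `by_exception` that also appears in `exceptions_due` goes to the next exception review so it is either re-justified with a new duration or removed.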
Unofficial FedRAMP Guidance:
None
Assessment Evidence:
Evidence showing that managed interfaces are employed for each external communication service.
Configuration settings for firewalls, NACLs, Load Balancers, IDS/IPS Systems, etc.
Evidence showing that the confidentiality and integrity of information transmitted across each interface is protected (e.g., TLS certificates and configurations, FIPS mode enabled, etc.).
List of documented exceptions (e.g., Jira tickets, etc.) to the traffic flow policy to include:
Supporting mission/business need;
Duration of that need; and
Approvals for that exception.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD