
SC-7: Boundary Protection

An OSCAL Control

Statement

    • a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;

    • b. Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

    • c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

      • (b) Guidance:

        SC-7 (b) should be met by subnet isolation. A subnetwork (subnet) is a physically or logically segmented section of a larger network defined at TCP/IP Layer 3, to both minimize traffic and, important for a FedRAMP Authorization, add a crucial layer of network isolation. Subnets are distinct from VLANs (Layer 2), security groups, and VPCs and are specifically required to satisfy SC-7 part b and other controls. See the FedRAMP Subnets White Paper (https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf) for additional information.
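One way to check an address plan against the (b) guidance, as an added example that is not part of the control text or FedRAMP material: it flags public and internal subnets whose Layer 3 ranges overlap and components placed in the wrong zone. The inventory format, zone labels, names and addresses are constructed assumptions; the check covers addressing only, not the routing or filtering between subnets.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory (hypothetical names and addresses).
SUBNETS = {
    "dmz-web": ("public", "10.0.1.0/24"),
    "app":     ("internal", "10.0.2.0/24"),
    "db":      ("internal", "10.0.3.0/24"),
}
COMPONENTS = [
    {"name": "web-lb",      "ip": "10.0.1.10",   "public": True},
    {"name": "api",         "ip": "10.0.2.20",   "public": False},
    {"name": "status-page", "ip": "10.0.2.30",   "public": True},  # in internal subnet
    {"name": "legacy-ftp",  "ip": "192.168.9.4", "public": True},  # in no known subnet
]

def check_subnet_isolation(subnets, components):
    """Return a sorted list of findings; an empty list means no violation found."""
    nets = {n: (zone, ipaddress.ip_network(cidr))
            for n, (zone, cidr) in subnets.items()}
    findings = []
    # Public and internal ranges must be disjoint: a "DMZ" carved out of an
    # internal CIDR is not a separate Layer 3 subnet.
    for (a, (za, na)), (b, (zb, nb)) in combinations(sorted(nets.items()), 2):
        if za != zb and na.overlaps(nb):
            findings.append(("overlap", a, b))
    # Every component must sit only in subnets of the zone matching its exposure.
    for c in components:
        ip = ipaddress.ip_address(c["ip"])
        zones = {zone for zone, net in nets.values() if ip in net}
        expected = "public" if c["public"] else "internal"
        if not zones:
            findings.append(("unmapped", c["name"], c["ip"]))
        elif zones != {expected}:
            findings.append(("misplaced", c["name"], c["ip"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_subnet_isolation(SUBNETS, COMPONENTS):
        print(*finding)
```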