>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

SC-7(11)Boundary Protection | Restrict Incoming Communications Traffic

IL5
IL6

>Control Description

Only allow incoming communications from organization-defined authorized sources to be routed to organization-defined authorized destinations.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

General source address validation techniques are applied to restrict the use of illegal and unallocated source addresses as well as source addresses that should only be used within the system. The restriction of incoming communications traffic provides determinations that source and destination address pairs represent authorized or allowed communications. Determinations can be based on several factors, including the presence of such address pairs in the lists of authorized or allowed communications, the absence of such address pairs in lists of unauthorized or disallowed pairs, or meeting more general rules for authorized or allowed source and destination pairs.

Strong authentication of network addresses is not possible without the use of explicit security protocols, and thus, addresses can often be spoofed. Further, identity-based incoming traffic restriction methods can be employed, including router access control lists and firewall rules.

>Related Controls

AC-3

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of restrict incoming communications traffic?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(11)?

Technical Implementation:

  • How is restrict incoming communications traffic technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that restrict incoming communications traffic remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(11)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?

Ask AI

Configure your API key to use AI features.