myctrl.tools
Compare

SC-7(3)Access Points

MODERATE
HIGH

>Control Description

Limit the number of external network connections to the system.

>Cross-Framework Mappings

SCF

NET-03.1
Compare

>Programmatic Queries

Beta

Related Services

VPC
Network ACLs
Security Groups

CLI Commands

Create VPC with controlled network access points
aws ec2 create-vpc --cidr-block 10.0.0.0/16
Configure network ACL to restrict boundary access to defined entry/exit points
aws ec2 create-network-acl --vpc-id vpc-12345678 --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=boundary-acl}]'
Create security groups to control traffic at access points
aws ec2 create-security-group --group-name boundary-sg --description 'Boundary protection security group' --vpc-id vpc-12345678
Enable VPC Flow Logs to monitor all boundary access points
aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name /aws/vpc/boundary-logs
Open AWS ConsoleDocumentation

>Supplemental Guidance

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection DHS TIC initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern the implementation of access points?
  • How are system and communications protection requirements defined and maintained?
  • Who is responsible for configuring and maintaining the security controls specified in SC-7(3)?

Technical Implementation:

  • How is access points technically implemented in your environment?
  • What systems, tools, or configurations enforce this protection requirement?
  • How do you ensure that access points remains effective as the system evolves?
  • What network boundary protections are in place (firewalls, gateways, etc.)?

Evidence & Documentation:

  • What documentation demonstrates the implementation of SC-7(3)?
  • Can you provide configuration evidence or system diagrams showing this protection control?
  • What logs or monitoring data verify that this control is functioning correctly?
  • Can you provide network architecture diagrams and firewall rulesets?

Ask AI

Configure your API key to use AI features.