
NIST Controls

Andi Lamprecht · 3 min read · Accepted
ADR-0019 · Author: Sybil Melton · Date: 2025-02-07 · Products: platform
Originally 0036_nist-controls (v4) · Source on Confluence ↗
Security Function · Control · NIST 800-53 Control

Detect · SYSTEM MONITORING - INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC · SI-4, SI-4(4)
  SI-4: Monitor the system to detect:
  1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives:
    • [Assignment: organization-defined monitoring objectives];
  2. Unauthorized local, network, and remote connections.
  SI-4(4):
    • Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;
    • Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].

Detect · SYSTEM MONITORING - ANALYZE TRAFFIC AND COVERT EXFILTRATION · SI-4(18)
  Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information:
  1. [Assignment: organization-defined interior points within the system].

Detect · SYSTEM MONITORING - UNAUTHORIZED NETWORK SERVICES · SI-4(22)
  1. Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes];
  2. [Selection (one or more): Audit; Alert [Assignment: organization-defined personnel or roles]] when detected.

Protect · DENIAL-OF-SERVICE PROTECTION - RESTRICT ABILITY TO ATTACK OTHER SYSTEMS · SC-5(1)
  1. Restrict the ability of individuals to launch the following denial-of-service attacks against other systems:
    • [Assignment: organization-defined denial-of-service attacks]
  Discussion: Protection against individuals having the ability to launch denial-of-service attacks may be implemented on specific systems or on boundary devices that prohibit egress to potential target systems.

Protect · BOUNDARY PROTECTION - ACCESS POINTS · SC-7(3)
  Limit the number of external network connections to the system.

Protect · BOUNDARY PROTECTION - DENY BY DEFAULT — ALLOW BY EXCEPTION · SC-7(5)
  Deny network communications traffic by default and allow network communications traffic by exception [Selection (one or more): at managed interfaces; for [Assignment: organization-defined systems]].

Protect · BOUNDARY PROTECTION - ROUTE TRAFFIC TO AUTHENTICATED PROXY SERVERS · SC-7(8)
  Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.

Protect · BOUNDARY PROTECTION - RESTRICT THREATENING OUTGOING COMMUNICATIONS TRAFFIC · SC-7(9)
  1. Detect and deny outgoing communications traffic posing a threat to external systems;
  2. Audit the identity of internal users associated with denied communications.

Protect · BOUNDARY PROTECTION - PREVENT EXFILTRATION · SC-7(10)
  1. Prevent the exfiltration of information.
  Discussion: Devices that enforce strict adherence to protocol formats include deep packet inspection firewalls and Extensible Markup Language (XML) gateways.

Protect · BOUNDARY PROTECTION - RESTRICT INCOMING COMMUNICATIONS TRAFFIC · SC-7(11)
  Only allow incoming communications from [Assignment: organization-defined authorized sources] to be routed to [Assignment: organization-defined authorized destinations].

Protect · BOUNDARY PROTECTION - AUTOMATED ENFORCEMENT OF PROTOCOL FORMATS · SC-7(17)
  Enforce adherence to protocol formats.
  Discussion: System components that enforce protocol formats include deep packet inspection firewalls and XML gateways. The components verify adherence to protocol formats and specifications at the application layer and identify vulnerabilities that cannot be detected by devices operating at the network or transport layers.

Protect · BOUNDARY PROTECTION - FAIL SECURE · SC-7(18)
  Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.

Protect · BOUNDARY PROTECTION - CONNECTIONS TO PUBLIC NETWORKS · SC-7(28)
  Prohibit the direct connection of [Assignment: organization-defined system] to a public network.
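The boundary-protection rows above read as policy text, but the egress controls in particular (SC-7(5) deny by default, SC-7(8) authenticated proxy, SC-7(9) deny threatening traffic and audit the user behind it, SC-7(18) fail secure) map onto a small, testable decision procedure. The following Python evaluator is an added example and is not code from this ADR, from the platform, or from NIST; the class and function names (EgressPolicy, AllowRule, Flow), the address ranges, the user names and the "threat" block are all constructed for illustration.

```python
"""
Added example (not part of the ADR or NIST text): a deny-by-default egress
policy evaluator that expresses SC-7(5), SC-7(8), SC-7(9) and SC-7(18) as code.
All rules, addresses and user names below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Flow:
    user: str    # internal identity behind the connection; audited on deny (SC-7(9)(b))
    dst: str     # destination address as seen at the managed interface
    dport: int
    proto: str   # "tcp" or "udp"


@dataclass(frozen=True)
class AllowRule:
    """An explicit exception to the default deny (SC-7(5))."""
    dst_net: str
    ports: FrozenSet[int]
    proto: str
    via_proxy: bool = False  # SC-7(8): permitted only through the authenticated proxy


class EgressPolicy:
    def __init__(self, rules: List[AllowRule], threat_nets: List[str]):
        self.rules = [(ip_network(r.dst_net), r) for r in rules]
        self.threat = [ip_network(n) for n in threat_nets]
        self.audit: List[Dict[str, str]] = []

    def _deny(self, flow: Flow, reason: str) -> str:
        # SC-7(9)(b): record who was behind every denied flow, not only the flow itself
        self.audit.append({"user": flow.user, "dst": flow.dst,
                           "dport": str(flow.dport), "reason": reason})
        return "deny"

    def evaluate(self, flow: Flow) -> str:
        try:
            dst = ip_address(flow.dst)
        except ValueError:
            # SC-7(18): a flow the device cannot classify is denied, never passed through
            return self._deny(flow, "unparseable-destination")
        # SC-7(9)(a): traffic toward known threat targets is denied before any allow rule
        if any(dst in net for net in self.threat):
            return self._deny(flow, "threat-destination")
        for net, rule in self.rules:
            if dst in net and flow.dport in rule.ports and flow.proto == rule.proto:
                return "proxy" if rule.via_proxy else "allow"
        # SC-7(5): nothing matched, so the default (deny) applies
        return self._deny(flow, "no-matching-exception")


# Constructed policy: two exceptions and one "known bad" destination block.
POLICY = EgressPolicy(
    rules=[
        AllowRule("203.0.113.0/24", frozenset({443}), "tcp", via_proxy=True),  # partner API
        AllowRule("198.51.100.53/32", frozenset({53}), "udp"),                 # upstream resolver
    ],
    threat_nets=["192.0.2.0/24"],
)

# Constructed sample flows covering each decision path.
SAMPLE_FLOWS = [
    Flow("svc-billing", "203.0.113.10", 443, "tcp"),  # matches exception, routed via proxy
    Flow("svc-billing", "203.0.113.10", 22, "tcp"),   # wrong port: default deny
    Flow("dns-cache", "198.51.100.53", 53, "udp"),    # matches exception, allowed
    Flow("alice", "192.0.2.7", 443, "tcp"),           # threat destination: denied and audited
    Flow("build-runner", "not-an-ip", 80, "tcp"),     # unparseable: fail secure, denied
]


def run_sample() -> List[str]:
    """Evaluate the sample flows in order and return the decisions."""
    POLICY.audit.clear()
    return [POLICY.evaluate(f) for f in SAMPLE_FLOWS]


def denied_users() -> List[str]:
    """Identities recorded against denied flows by the last run_sample() call."""
    return [entry["user"] for entry in POLICY.audit]


if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{decision:5} {flow.user:13} {flow.proto}/{flow.dport} -> {flow.dst}")
    print("audited denials:", POLICY.audit)
```

The ordering inside evaluate is the point: threat-destination checks run before the allow list so an exception can never override SC-7(9), the parse failure path denies rather than allows so a broken classifier fails secure, and every deny writes the user identity to the audit list rather than only the five-tuple.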