NIST SP 800-171 practice 3.13.1 (the counterpart of NIST SP 800-53 control SC-7, Boundary Protection) requires organizations to monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of their information systems. External boundaries are the logical and physical demarcations between an organization's system and outside networks, including the internet and partner networks. Key internal boundaries separate network segments of differing trust levels, such as CUI-processing subnets from the general enterprise network. The practice demands active monitoring for anomalous or unauthorized traffic, enforcement of allow/deny policies at boundary devices, and protective mechanisms such as encryption and filtering to prevent unauthorized disclosure or manipulation of data in transit. In practice that means documenting where each boundary is, placing an enforcement point (firewall, router ACL, proxy) on it, defaulting to deny, and retaining the logs those devices produce so that denied and anomalous traffic can actually be reviewed. This practice is the architectural foundation of the System and Communications Protection domain; most other SC practices assume the boundaries it defines.
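The monitor/control split above is easier to see in code. The following is an added example, not part of the page or of any NIST material: it applies a deny-by-default allow list to flow records crossing a CUI/enterprise/external boundary, and layers simple monitoring on top (CUI-to-external egress attempts and sources that are denied repeatedly). The address plan, the rules, the hosts and the flow-log lines are all assumptions constructed for illustration.

```python
"""Added example (not from the page): deny-by-default boundary policy over
constructed flow records, plus monitoring for unauthorized CUI egress and
repeated denied sources. All zones, rules and flows are assumptions."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional

# Assumed address plan: a CUI enclave, the general enterprise LAN, and a
# bastion subnet for administrators. Everything else is treated as external.
CUI_NET = ip_network("10.20.0.0/24")
ENTERPRISE_NET = ip_network("10.10.0.0/16")
ADMIN_JUMP_NET = ip_network("10.10.5.0/24")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# Explicit allow list for the CUI boundary; anything unmatched is denied.
RULES = [
    Rule(ADMIN_JUMP_NET, CUI_NET, "tcp", 22, "allow"),                # admin SSH
    Rule(ADMIN_JUMP_NET, CUI_NET, "tcp", 443, "allow"),               # admin HTTPS
    Rule(CUI_NET, ip_network("10.10.0.53/32"), "udp", 53, "allow"),   # internal DNS
    Rule(CUI_NET, ip_network("10.10.0.10/32"), "tcp", 443, "allow"),  # internal proxy
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def zone(ip: IPv4Address) -> str:
    """Map an address to a trust zone. A real deployment enumerates every
    internal range; here anything outside the two LANs counts as external."""
    if ip in CUI_NET:
        return "cui"
    if ip in ENTERPRISE_NET:
        return "enterprise"
    return "external"


def parse_flow(line: str) -> Flow:
    """Parse 'timestamp src dst proto dport' (constructed flow-log format)."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), proto.lower(), int(dport))


def decide(flow: Flow) -> str:
    """First matching rule wins; no match means deny (default-deny boundary)."""
    for r in RULES:
        if (flow.src in r.src and flow.dst in r.dst and flow.proto == r.proto
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "deny"


def audit(lines: Iterable[str], repeat_threshold: int = 3) -> dict:
    """Control: apply the policy to every flow that crosses a zone boundary.
    Monitor: report denied flows, CUI-to-external egress attempts (possible
    disclosure) and sources denied repeatedly (possible probing)."""
    allowed = 0
    denied_by_src: Counter = Counter()
    cui_egress = []
    for line in lines:
        f = parse_flow(line)
        if zone(f.src) == zone(f.dst):
            continue  # intra-zone traffic never reaches the boundary device
        if decide(f) == "allow":
            allowed += 1
            continue
        denied_by_src[str(f.src)] += 1
        if zone(f.src) == "cui" and zone(f.dst) == "external":
            cui_egress.append(f"{f.src} -> {f.dst} {f.proto}/{f.dport}")
    return {
        "allowed": allowed,
        "denied": sum(denied_by_src.values()),
        "cui_external_egress": cui_egress,
        "repeated_denied_sources": sorted(
            s for s, n in denied_by_src.items() if n >= repeat_threshold),
    }


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z 10.10.5.7 10.20.0.12 tcp 22",       # admin -> CUI: allow
    "2024-05-01T10:00:05Z 10.10.9.4 10.20.0.12 tcp 22",       # workstation -> CUI: deny
    "2024-05-01T10:00:09Z 10.20.0.12 10.10.0.53 udp 53",      # CUI -> DNS: allow
    "2024-05-01T10:00:11Z 10.20.0.12 203.0.113.9 tcp 443",    # CUI -> internet: deny + egress alert
    "2024-05-01T10:00:15Z 10.20.0.12 10.20.0.30 tcp 445",     # intra-CUI: not a boundary flow
    "2024-05-01T10:00:20Z 198.51.100.4 10.20.0.12 tcp 3389",  # internet -> CUI: deny
    "2024-05-01T10:00:21Z 198.51.100.4 10.20.0.12 tcp 22",    # internet -> CUI: deny
    "2024-05-01T10:00:22Z 198.51.100.4 10.20.0.12 tcp 445",   # internet -> CUI: deny (3rd: flagged)
    "2024-05-01T10:00:30Z 10.20.0.12 10.10.0.10 tcp 443",     # CUI -> proxy: allow
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

Two design points carry over to real boundary devices: the rule table is an allow list with a terminal deny, so a flow is permitted only because someone wrote it down, and the denied flows are kept rather than dropped silently, because the "monitor" half of 3.13.1 is only satisfiable if denies are logged and reviewed.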
Where it stops · what it isn't
- Does not specify the encryption algorithms or protocols required for data-in-transit protection: cryptographic protection of CUI in transmission is sc-l2-3.13.8, and the requirement that the cryptography be FIPS-validated is 3.13.11
- Does not address endpoint-level host firewalls or host-based intrusion detection: boundary protection concerns network-level enforcement points, not the hosts behind them
- Does not govern access control policy decisions for users or sessions: those are covered under the Access Control domain (AC)
- Does not require specific incident response procedures when boundary violations are detected: that is the responsibility of the IR domain
- Does not address wireless access specifically: authorization and protection of wireless connections sit in the Access Control domain (3.1.16 and 3.1.17). Nor does it prescribe the separated subnetwork (DMZ) for publicly accessible components, which is sc-l2-3.13.5
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF domain/system-and-communications-protection