MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

SP800-53-SC-7 (Active)

Boundary Protection

Statement

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection (one or more): physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Location

Control Family
System and Communications Protection

Control Details

Identifier
SP800-53-SC-7
Family
SC

Organisation-Defined Parameters

sc-07_odp: Selection (one or more): physically; logically

Supplemental Guidance

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

Assessment Objective

  • communications at external managed interfaces to the system are monitored;
  • communications at external managed interfaces to the system are controlled;
  • communications at key internal managed interfaces within the system are monitored;
  • communications at key internal managed interfaces within the system are controlled;
  • subnetworks for publicly accessible system components are [Selection (one or more): physically; logically] separated from internal organizational networks;
  • external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
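The statement, the supplemental guidance and the assessment objectives above together describe a concrete policy a boundary device enforces: deny by default at every managed interface, publish only designated web servers in the DMZ, allow no direct external-to-internal path, drop ingress traffic that spoofs internal addresses and egress traffic that spoofs external ones, and log every decision so the interface is monitored as well as controlled. The script below is an added example written for this page; it is not NIST text and not code from Muon Partners. It models one managed interface joining three zones and evaluates constructed sample flows against those rules. The address plan (10.0.0.0/8 internal, 192.0.2.0/24 as the DMZ), the interface names, the allowed ports and every sample flow are assumptions chosen for illustration.

```python
"""Boundary-protection policy check modelled on SP 800-53 SC-7 (added example).

One managed interface joins three zones: EXTERNAL (untrusted), DMZ (publicly
accessible components) and INTERNAL. Rules follow the control statement and
supplemental guidance: deny by default, external traffic only to designated
web servers in the DMZ, no direct external-to-internal path, and source
address validation on every interface (SP 800-189 style anti-spoofing).
Address plan, ports and sample flows are constructed, not taken from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): documentation prefixes stand in for
# real ranges. Everything not INTERNAL or DMZ is treated as EXTERNAL.
ZONE_PREFIXES = {
    "INTERNAL": [ip_network("10.0.0.0/8")],
    "DMZ": [ip_network("192.0.2.0/24")],
}
# Designated publicly accessible web servers inside the DMZ (constructed).
WEB_SERVERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
# Each physical or logical interface belongs to exactly one zone (constructed).
INTERFACE_ZONE = {"wan": "EXTERNAL", "dmz": "DMZ", "lan": "INTERNAL"}
# Explicit allow list keyed by (source zone, destination zone); anything not
# listed is denied (deny by default, allow by exception).
ALLOWED = {
    ("EXTERNAL", "DMZ"): {("tcp", 443)},      # public HTTPS front end only
    ("DMZ", "INTERNAL"): {("tcp", 5432)},     # app tier to database only
    ("INTERNAL", "EXTERNAL"): {("tcp", 443)}, # outbound HTTPS only
}


@dataclass(frozen=True)
class Flow:
    ingress_if: str  # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    """Map an address to its zone; unknown prefixes are external by design."""
    a = ip_address(addr)
    for name, nets in ZONE_PREFIXES.items():
        if any(a in n for n in nets):
            return name
    return "EXTERNAL"


def decide(flow):
    """Return (verdict, reason) for one flow. DROP is the default verdict."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # Source-address validation: the source must belong to the zone of the
    # interface it arrived on. This drops external packets claiming internal
    # addresses and internal packets claiming external ones.
    if src_zone != INTERFACE_ZONE[flow.ingress_if]:
        return "DROP", f"source {flow.src} ({src_zone}) not valid on interface {flow.ingress_if}"
    if src_zone == dst_zone:
        return "DROP", "intra-zone traffic does not traverse the boundary"
    # Publicly accessible components live in the DMZ; there is no direct path
    # from the outside into the internal network.
    if src_zone == "EXTERNAL" and dst_zone == "INTERNAL":
        return "DROP", "no direct external-to-internal path"
    # External traffic may reach only the designated web servers.
    if src_zone == "EXTERNAL" and ip_address(flow.dst) not in WEB_SERVERS:
        return "DROP", f"external traffic to non-designated host {flow.dst}"
    if (flow.proto, flow.dport) in ALLOWED.get((src_zone, dst_zone), set()):
        return "ACCEPT", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} allowed by exception"
    return "DROP", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} denied by default"


def evaluate(flows):
    """Apply the policy to every flow and return one audit record per flow,
    which is the 'monitored' half of the control: every decision is recorded."""
    return [(f, *decide(f)) for f in flows]


# Constructed sample flows, one per rule the policy expresses.
SAMPLE_FLOWS = [
    Flow("wan", "198.51.100.7", "192.0.2.10", "tcp", 443),   # ACCEPT: published HTTPS
    Flow("wan", "198.51.100.7", "192.0.2.10", "tcp", 22),    # DROP: SSH not published
    Flow("wan", "198.51.100.7", "192.0.2.50", "tcp", 443),   # DROP: not a designated web server
    Flow("wan", "10.0.5.5", "192.0.2.10", "tcp", 443),       # DROP: spoofed internal source
    Flow("wan", "198.51.100.7", "10.0.1.20", "tcp", 445),    # DROP: no direct path to internal
    Flow("dmz", "192.0.2.10", "10.0.1.20", "tcp", 5432),     # ACCEPT: app tier to database
    Flow("dmz", "192.0.2.10", "10.0.1.20", "tcp", 3389),     # DROP: RDP from DMZ not allowed
    Flow("lan", "10.0.1.20", "203.0.113.9", "tcp", 443),     # ACCEPT: outbound HTTPS
    Flow("lan", "203.0.113.9", "203.0.113.10", "tcp", 80),   # DROP: spoofed external source inside
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.ingress_if:3} {flow.src:>14} -> {flow.dst:<14} "
              f"{flow.proto}/{flow.dport}: {reason}")
```

On a real boundary the same decisions are expressed as firewall rules rather than Python, but the structure carries over: the interface-to-zone check is the ingress and egress anti-spoofing filter SP 800-189 describes, the `ALLOWED` table is the allow-by-exception rule set, and the audit records are what an assessor looks for when checking that communications are monitored and not merely filtered.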

Related ATT&CK techniques (mapped via ctid-attack-to-sp800-53)

  • T1020.001 Automated Exfiltration: Traffic Duplication
  • T1021.001 Remote Services: Remote Desktop Protocol
  • T1095 Non-Application Layer Protocol
  • T1098 Account Manipulation
  • T1098.001 Account Manipulation: Additional Cloud Credentials