NET

Network Security

98 controls

Architect and implement a secure and resilient defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services.

| SCF # | Control Name | Weight | NIST CSF | Frameworks |
|---|---|---|---|---|
| NET-01 | Network Security Controls (NSC) | 10 — Critical | Govern | 114 |
| NET-01.1 | Zero Trust Architecture (ZTA) | 8 — High | Protect | 12 |
| NET-02 | Layered Network Defenses | 9 — Critical | Protect | 43 |
| NET-02.1 | Denial of Service (DoS) Protection | 9 — Critical | Protect | 47 |
| NET-02.2 | Guest Networks | 6 — Medium | Protect | 29 |
| NET-02.3 | Cross Domain Solution (CDS) | 6 — Medium | Protect | 10 |
| NET-03 | Boundary Protection | 10 — Critical | Protect | 89 |
| NET-03.1 | Limit Network Connections | 9 — Critical | Protect | 36 |
| NET-03.2 | External Telecommunications Services | 7 — High | Protect | 25 |
| NET-03.3 | Prevent Discovery of Internal Information | 7 — High | Protect | 11 |
| NET-03.4 | Personal Data (PD) | 7 — High | Protect | 3 |
| NET-03.5 | Prevent Unauthorized Exfiltration | 5 — Medium | Protect | 20 |
| NET-03.6 | Dynamic Isolation & Segregation (Sandboxing) | 5 — Medium | Protect | 10 |
| NET-03.7 | Isolation of System Components | 5 — Medium | Protect | 26 |
| NET-03.8 | Separate Subnet for Connecting to Different Security Domains | 5 — Medium | Protect | 17 |
| NET-04 | Data Flow Enforcement – Access Control Lists (ACLs) | 10 — Critical | Protect | 76 |
| NET-04.1 | Deny Traffic by Default & Allow Traffic by Exception | 10 — Critical | Protect | 58 |
| NET-04.2 | Object Security Attributes | 5 — Medium | Protect | 4 |
| NET-04.3 | Content Check for Encrypted Data | 4 — Medium | Protect | 8 |
| NET-04.4 | Embedded Data Types | 2 — Low | Protect | 4 |
| NET-04.5 | Metadata | 2 — Low | Protect | 8 |
| NET-04.6 | Human Reviews | 9 — Critical | Detect | 12 |
| NET-04.7 | Policy Decision Point (PDP) | 5 — Medium | Protect | 16 |
| NET-04.8 | Data Type Identifiers | 5 — Medium | Protect | 3 |
| NET-04.9 | Decomposition Into Policy-Related Subcomponents | 5 — Medium | Protect | 3 |
| NET-04.10 | Detection of Unsanctioned Information | 5 — Medium | Detect | 3 |
| NET-04.11 | Approved Solutions | 5 — Medium | Protect | 4 |
| NET-04.12 | Cross Domain Authentication | 5 — Medium | Protect | 5 |
| NET-04.13 | Metadata Validation | 2 — Low | Protect | 4 |
| NET-04.14 | Application Proxy | 7 — High | Protect | 1 |
| NET-05 | Interconnection Security Agreements (ISAs) | 9 — Critical | Protect | 48 |
| NET-05.1 | External System Connections | 8 — High | Protect | 23 |
| NET-05.2 | Internal System Connections | 7 — High | Protect | 40 |
| NET-06 | Network Segmentation (macrosegmentation) | 10 — Critical | Protect | 77 |
| NET-06.1 | Security Management Subnets | 9 — Critical | Protect | 27 |
| NET-06.2 | Virtual Local Area Network (VLAN) Separation | 9 — Critical | Protect | 6 |
| NET-06.3 | Sensitive / Regulated Data Enclave (Secure Zone) | 10 — Critical | Protect | 16 |
| NET-06.4 | Segregation From Enterprise Services | 4 — Medium | Protect | 7 |
| NET-06.5 | Direct Internet Access Restrictions | 6 — Medium | Protect | 10 |
| NET-06.6 | Microsegmentation | 2 — Low | Protect | 7 |
| NET-06.7 | Software Defined Networking (SDN) | 5 — Medium | Protect | 2 |
| NET-07 | Network Connection Termination | 8 — High | Protect | 41 |
| NET-08 | Network Intrusion Detection / Prevention Systems (NIDS / NIPS) | 9 — Critical | Protect | 37 |
| NET-08.1 | DMZ Networks | 8 — High | Protect | 25 |
| NET-08.2 | Wireless Intrusion Detection / Prevention Systems (WIDS / WIPS) | 8 — High | Protect | 16 |
| NET-08.3 | Host Containment | 3 — Low | Protect | 5 |
| NET-08.4 | Resource Containment | 3 — Low | Protect | 5 |
| NET-09 | Session Integrity | 8 — High | Protect | 38 |
| NET-09.1 | Invalidate Session Identifiers at Logout | 5 — Medium | Protect | 8 |
| NET-09.2 | Unique System-Generated Session Identifiers | 3 — Low | Protect | 4 |
| NET-10 | Domain Name Service (DNS) Resolution | 10 — Critical | Protect | 46 |
| NET-10.1 | Architecture & Provisioning for Name / Address Resolution Service | 9 — Critical | Protect | 36 |
| NET-10.2 | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | 9 — Critical | Protect | 41 |
| NET-10.3 | Sender Policy Framework (SPF) | 8 — High | Protect | 9 |
| NET-10.4 | Domain Registrar Security | 9 — Critical | Protect | 4 |
| NET-11 | Out-of-Band Channels | 9 — Critical | Protect | 10 |
| NET-12 | Safeguarding Data Over Open Networks | 8 — High | Protect | 35 |
| NET-12.1 | Wireless Link Protection | 8 — High | Protect | 18 |
| NET-12.2 | End-User Messaging Technologies | 9 — Critical | Protect | 9 |
| NET-13 | Electronic Messaging | 10 — Critical | Protect | 27 |
| NET-14 | Remote Access | 10 — Critical | Protect | 96 |
| NET-14.1 | Automated Monitoring & Control | 1 — Low | Detect | 34 |
| NET-14.2 | Protection of Confidentiality / Integrity Using Encryption | 9 — Critical | Protect | 40 |
| NET-14.3 | Managed Access Control Points | 9 — Critical | Protect | 39 |
| NET-14.4 | Remote Privileged Commands & Sensitive Data Access | 8 — High | Protect | 33 |
| NET-14.5 | Work From Anywhere (WFA) - Telecommuting Security | 10 — Critical | Protect | 28 |
| NET-14.6 | Third-Party Remote Access Governance | 8 — High | Protect | 13 |
| NET-14.7 | Endpoint Security Validation | 6 — Medium | Protect | 11 |
| NET-14.8 | Expeditious Disconnect / Disable Capability | 8 — High | Protect | 17 |
| NET-15 | Wireless Networking | 9 — Critical | Protect | 67 |
| NET-15.1 | Authentication & Encryption | 9 — Critical | Protect | 42 |
| NET-15.2 | Disable Wireless Networking | 5 — Medium | Protect | 23 |
| NET-15.3 | Restrict Configuration By Users | 8 — High | Protect | 16 |
| NET-15.4 | Wireless Boundaries | 5 — Medium | Protect | 14 |
| NET-15.5 | Rogue Wireless Detection | 8 — High | Detect | 7 |
| NET-16 | Intranets | 8 — High | Protect | 1 |
| NET-17 | Data Loss Prevention (DLP) | 8 — High | Protect | 28 |
| NET-18 | DNS & Content Filtering | 9 — Critical | Protect | 52 |
| NET-18.1 | Route Internal Traffic to Proxy Servers | 9 — Critical | Protect | 32 |
| NET-18.2 | Visibility of Encrypted Communications | 5 — Medium | Detect | 11 |
| NET-18.3 | Route Privileged Network Access | 1 — Low | Detect | 3 |
| NET-18.4 | Protocol Compliance Enforcement | 5 — Medium | Protect | 3 |
| NET-18.5 | Domain Name Verification | 8 — High | Protect | 3 |
| NET-18.6 | Internet Address Denylisting | 8 — High | Protect | 3 |
| NET-18.7 | Bandwidth Control | 2 — Low | Protect | 3 |
| NET-18.8 | Authenticated Proxy | 3 — Low | Protect | 3 |
| NET-18.9 | Certificate Denylisting | 7 — High | Protect | 3 |
| NET-19 | Content Disarm and Reconstruction (CDR) | 6 — Medium | Protect | 3 |
| NET-20 | Email Content Protections | 10 — Critical | Protect | 3 |
| NET-20.1 | Email Domain Reputation Protections | 1 — Low | Protect | 3 |
| NET-20.2 | Sender Denylisting | 7 — High | Protect | 3 |
| NET-20.3 | Authenticated Received Chain (ARC) | 2 — Low | Protect | 3 |
| NET-20.4 | Domain-Based Message Authentication Reporting and Conformance (DMARC) | 3 — Low | Protect | 6 |
| NET-20.5 | User Digital Signatures for Outgoing Email | 6 — Medium | Protect | 3 |
| NET-20.6 | Encryption for Outgoing Email | 6 — Medium | Protect | 3 |
| NET-20.7 | Adaptive Email Protections | 1 — Low | Protect | 5 |
| NET-20.8 | Email Labeling | 5 — Medium | Protect | 3 |
| NET-20.9 | User Threat Reporting | 1 — Low | Protect | 3 |

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
