Skip to main content

NET-03: Boundary Protection

NET 10 — Critical Protect

Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.

Control Question: Does the organization monitor and control communications at the external network boundary and at key internal boundaries within the network?

General (46)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC6.1 CC6.1-POF5 CC6.6 CC6.6-POF1 CC6.6-POF3 CC6.6-POF4 CC6.8
CIS CSC 8.1 13.5 9.6
CIS CSC 8.1 IG2 13.5
CIS CSC 8.1 IG3 13.5
CSA IoT SCF 2 IOT-10
GovRAMP Core SC-07
GovRAMP Low SC-07
GovRAMP Low+ SC-07
GovRAMP Moderate SC-07
GovRAMP High SC-07
IEC 62443-4-2 2019 CR 5.2 (9.4) NDR 5.2 (15.12.1) NDR 5.2 (15.12.3(1)) NDR 5.2 (15.12.3(2)) NDR 5.2 (15.12.3(3))
ISO 27002 2022 8.20 8.21
ISO 27017 2015 13.1.1 13.1.2
MITRE ATT&CK 10 T1001, T1001.001, T1001.002, T1001.003, T1008, T1020.001, T1021.001, T1021.002, T1021.003, T1021.005, T1021.006, T1029, T1030, T1041, T1046, T1048, T1048.001, T1048.002, T1048.003, T1055, T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1068, T1071, T1071.001, T1071.002, T1071.003, T1071.004, T1072, T1080, T1090, T1090.001, T1090.002, T1090.003, T1095, T1098, T1098.001, T1102, T1102.001, T1102.002, T1102.003, T1104, T1105, T1114, T1114.003, T1132, T1132.001, T1132.002, T1133, T1136, T1136.002, T1136.003, T1176, T1187, T1189, T1190, T1197, T1199, T1203, T1204, T1204.001, T1204.002, T1204.003, T1205, T1205.001, T1210, T1211, T1212, T1218.012, T1219, T1221, T1482, T1489, T1498, T1498.001, T1498.002, T1499, T1499.001, T1499.002, T1499.003, T1499.004, T1505.004, T1530, T1537, T1542, T1542.004, T1542.005, T1552, T1552.001, T1552.004, T1552.005, T1552.007, T1557, T1557.001, T1557.002, T1559, T1559.001, T1559.002, T1560, T1560.001, T1563, T1563.002, T1565, T1565.001, T1565.003, T1566, T1566.001, T1566.002, T1566.003, T1567, T1567.001, T1567.002, T1568, T1568.002, T1570, T1571, T1572, T1573, T1573.001, T1573.002, T1598, T1598.001, T1598.002, T1598.003, T1599, T1599.001, T1602, T1602.001, T1602.002, T1609, T1610, T1611, T1612, T1613
MPA Content Security Program 5.1 TS-2.0 TS-2.4
NIST 800-53 R4 SC-7 SC-7(9) SC-7(11)
NIST 800-53 R4 (low) SC-7
NIST 800-53 R4 (moderate) SC-7
NIST 800-53 R4 (high) SC-7
NIST 800-53 R5 (source) SC-7 SC-7(9) SC-7(11)
NIST 800-53B R5 (moderate) (source) SC-7
NIST 800-53B R5 (high) (source) SC-7
NIST 800-53 R5 (NOC) (source) SC-7(9) SC-7(11)
NIST 800-82 R3 MODERATE OT Overlay SC-7
NIST 800-82 R3 HIGH OT Overlay SC-7
NIST 800-161 R1 SC-7
NIST 800-161 R1 C-SCRM Baseline SC-7
NIST 800-161 R1 Flow Down SC-7
NIST 800-161 R1 Level 2 SC-7
NIST 800-171 R2 (source) 3.13.1
NIST 800-171A (source) 3.13.1[a] 3.13.1[b] 3.13.1[c] 3.13.1[d] 3.13.1[e] 3.13.1[f] 3.13.1[g] 3.13.1[h]
NIST 800-171 R3 (source) 03.01.12.a 03.13.01.a 03.13.01.b 03.13.01.c
NIST 800-171A R3 (source) A.03.01.18.a[03] A.03.13.01.a[02] A.03.13.01.a[04] A.03.13.01.c
PCI DSS 4.0.1 (source) 1.3.3 1.4 1.4.1 1.4.2 11.5.1
PCI DSS 4.0.1 SAQ A-EP (source) 1.3.3 1.4.1 1.4.2 11.5.1
PCI DSS 4.0.1 SAQ B-IP (source) 1.3.3
PCI DSS 4.0.1 SAQ C (source) 1.3.3
PCI DSS 4.0.1 SAQ C-VT (source) 1.3.3
PCI DSS 4.0.1 SAQ D Merchant (source) 1.3.3 1.4.1 1.4.2 11.5.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 1.3.3 1.4.1 1.4.2 11.5.1
SWIFT CSF 2023 1.1 1.4
SCF CORE Fundamentals NET-03
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) NET-03
SCF CORE ESP Level 1 Foundational NET-03
SCF CORE ESP Level 2 Critical Infrastructure NET-03
SCF CORE ESP Level 3 Advanced Threats NET-03
US (30)
Framework Mapping Values
US C2M2 2.1 ARCHITECTURE-2.F.MIL2
US CJIS Security Policy 5.9.3 (source) 5.10.1.1
US CMMC 2.0 Level 1 (source) SC.L1-B.1.X
US CMMC 2.0 Level 1 AOs (source) SC.L1-B.1.X[a] SC.L1-B.1.X[b] SC.L1-B.1.X[c] SC.L1-B.1.X[d] SC.L1-B.1.X[e] SC.L1-B.1.X[f] SC.L1-B.1.X[g] SC.L1-B.1.X[h]
US CMMC 2.0 Level 2 (source) SC.L2-3.13.1
US CMMC 2.0 Level 3 (source) SC.L2-3.13.1
US CMS MARS-E 2.0 SC-7
US FAR 52.204-21 52.204-21(b)(1)(x)
US FedRAMP R4 SC-7
US FedRAMP R4 (low) SC-7
US FedRAMP R4 (moderate) SC-7
US FedRAMP R4 (high) SC-7
US FedRAMP R4 (LI-SaaS) SC-7
US FedRAMP R5 (source) SC-7
US FedRAMP R5 (low) (source) SC-7
US FedRAMP R5 (moderate) (source) SC-7
US FedRAMP R5 (high) (source) SC-7
US FedRAMP R5 (LI-SaaS) (source) SC-7
US HIPAA HICP Medium Practice 6.M.A 6.M.B
US HIPAA HICP Large Practice 6.M.D
US IRS 1075 3.3.6 SC-7 SC-7(9) SC-7(11)
US NERC CIP 2024 (source) CIP-005-7 1.5
US NISPOM 2020 8-701
US NNPI (unclass) 16.1
US NSTC NSPM-33 6.8
US TSA / DHS 1580/82-2022-01 III.B.1.c
US - CA CCPA 2025 7123(c)(5)(B) 7123(c)(8)(A)
US - TX DIR Control Standards 2.0 SC-7
US - TX TX-RAMP Level 1 SC-7
US - TX TX-RAMP Level 2 SC-7
EMEA (7)
Framework Mapping Values
EMEA Germany C5 2020 COS-04 PSS-10
EMEA Israel CDMO 1.0 9.3 9.18 9.23 10.9 11.8 16.4
EMEA Saudi Arabia IoT CGIoT-1 2024 2-4-5
EMEA Saudi Arabia OTCC-1 2022 2-3-1-1 2-4-1-2 2-4-1-6
EMEA Saudi Arabia SACS-002 TPC-76
EMEA UK Cyber Essentials 1
EMEA UK DEFSTAN 05-138 2427
APAC (5)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0611 ISM-0612 ISM-0613 ISM-0616 ISM-0619 ISM-0622 ISM-0628 ISM-0629 ISM-0631 ISM-0634 ISM-0637 ISM-0639 ISM-1037 ISM-1192 ISM-1284 ISM-1286 ISM-1287 ISM-1288 ISM-1289 ISM-1293 ISM-1389 ISM-1427 ISM-1520 ISM-1521 ISM-1522 ISM-1528
APAC Japan ISMAP 13.1.1 13.1.2
APAC New Zealand NZISM 3.6 19.1.10.C.01 19.1.11.C.01 19.1.11.C.02 19.1.12.C.01 19.1.13.C.01 19.1.14.C.01 19.1.14.C.02 19.1.15.C.01 19.1.16.C.01 19.1.16.C.02 19.1.17.C.01 19.1.17.C.02 19.1.18.C.01 19.1.18.C.02 19.1.19.C.01 19.1.19.C.02 19.1.19.C.03 19.1.19.C.04 19.1.19.C.05 19.1.20.C.01 19.1.20.C.02 19.1.20.C.03 19.1.21.C.01 19.1.22.C.01 19.1.22.C.02 19.1.22.C.03 19.1.23.C.01 19.3.8.C.01 19.3.8.C.02 19.3.8.C.03 19.3.8.C.04 19.3.9.C.01 19.3.9.C.02 19.3.9.C.03 19.4.4.C.01 19.4.5.C.01 19.4.5.C.02 19.4.5.C.03 19.4.6.C.01 19.5.24.C.01 19.5.24.C.02 19.5.24.C.03 19.5.24.C.04 19.5.24.C.05 19.5.24.C.06 19.5.24.C.07 19.5.24.C.08 19.5.25.C.01 19.5.26.C.01 19.5.26.C.02 19.5.26.C.03 19.5.26.C.04 19.5.26.C.05 19.5.26.C.06 19.5.26.C.07 19.5.26.C.08 19.5.26.C.09 19.5.26.C.10 19.5.26.C.11 19.5.26.C.12 19.5.27.C.01 19.5.27.C.02 19.5.27.C.03 19.5.27.C.04 19.5.27.C.05 19.5.27.C.06 19.5.28.C.01 19.5.28.C.02 19.5.28.C.03 19.5.28.C.04 19.5.28.C.05 19.5.28.C.06 19.5.28.C.07 19.5.29.C.01
APAC Singapore Cyber Hygiene Practice 4.4
APAC Singapore MAS TRM 2021 11.2.5 11.2.6
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.01.12.A 03.13.01.A 03.13.01.B 03.13.01.C

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to monitor and control communications at the external network boundary and at key internal boundaries within the network.

Level 1 — Performed Informally

Network Security (NET) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • IT personnel use an informal process to design, build and maintain secure networks for test, development, staging and production environments, including the implementation of appropriate cybersecurity and data protection controls.
  • Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
  • Network monitoring is primarily reactive in nature.
Level 2 — Planned & Tracked

Network Security (NET) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Network security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for network security management.
  • IT personnel define secure networking practices to protect the confidentiality, integrity, availability and safety of the organization's technology assets, data and network(s).
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Administrative processes are used to configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
  • Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect systems in different security domains (e.g., sensitive/regulated data environments).
  • Boundary protection technologies monitor and control communications at the external network boundary and at key internal boundaries within the network.
Level 3 — Well Defined

Network Security (NET) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • A Technology Infrastructure team, or similar function, defines centrally-managed network security controls for implementation across the enterprise.
  • Secure engineering principles are used to design and implement network security controls (e.g., industry-recognized secure practices) to enforce the concepts of least privilege and least functionality at the network level.
  • IT/cybersecurity architects work with the Technology Infrastructure team to implement a “layered defense” network architecture that provides a defense-in-depth approach for redundancy and risk reduction for network-based security controls, including wired and wireless networking.
  • Administrative processes and technologies configure boundary devices (e.g., firewalls, routers, etc.) to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception).
  • Technologies automate the Access Control Lists (ACLs) and similar rulesets review process to identify security issues and/ or misconfigurations.
  • Network segmentation exists to implement separate network addresses (e.g., different subnets) to connect systems in different security domains (e.g., sensitive/regulated data environments).
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to monitor and control communications at the external network boundary and at key internal boundaries within the network.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to monitor and control communications at the external network boundary and at key internal boundaries within the network.

Assessment Objectives

  1. NET-03_A01 the external system boundary is defined.
  2. NET-03_A02 key internal system boundaries are defined.
  3. NET-03_A03 communications are protected at the external system boundary.
  4. NET-03_A04 communications are protected at key internal boundaries.
  5. NET-03_A05 communications are monitored at the external system boundary.
  6. NET-03_A06 communications are controlled at the external system boundary.
  7. NET-03_A07 communications are monitored at key internal boundaries.
  8. NET-03_A08 communications are controlled at key internal boundaries.
  9. NET-03_A09 subnetworks for publicly accessible system components are selected per organization-defined values separated from internal organizational networks.
  10. NET-03_A10 external networks or systems are only connected to through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational cybersecurity / data privacy architecture.
  11. NET-03_A11 outgoing communications traffic posing a threat to external systems is detected.
  12. NET-03_A12 outgoing communications traffic posing a threat to external systems is denied.
  13. NET-03_A13 the identity of internal users associated with denied communications is audited.
  14. NET-03_A14 authorized sources of incoming communications to be routed are defined.
  15. NET-03_A15 authorized destinations to which incoming communications from authorized sources may be routed are defined.
  16. NET-03_A16 only incoming communications from authorized sources are allowed to be routed to authorized destinations.
  17. NET-03_A17 one or more of the following is/are selected: physical isolation techniques. logical isolation techniques.
  18. NET-03_A18 physical isolation techniques are defined.
  19. NET-03_A19 logical isolation techniques are defined.
  20. NET-03_A20 physical isolation techniques and/or organization-defined logical isolation techniques are employed in organizational systems and system components.
  21. NET-03_A21 connection requirements are established for mobile devices.
  22. NET-03_A22 external system connections are only made through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.
  23. NET-03_A23 communications at external managed interfaces to the system are controlled.
  24. NET-03_A24 communications at key internal managed interfaces within the system are controlled.

Evidence Requirements

E-NET-08 Internal Boundaries

Documented evidence of key internal boundaries.

Network Security

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free