NIST 800-53 r5 · Controls catalogue · Family SC
SC-7 Boundary Protection
- Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
- Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and
- Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (4)
| Implementation | Description | Resource type | Coverage |
|---|---|---|---|
| aws-config-rds-instance-public-access-check | RDS instances are not publicly accessible | AWS::RDS::DBInstance | partial |
| aws-config-ec2-imdsv2-check | EC2 instances require IMDSv2 | AWS::EC2::Instance | partial |
| aws-config-incoming-ssh-disabled | Security groups disallow unrestricted SSH ingress | AWS::EC2::SecurityGroup | mostly |
| aws-config-restricted-common-ports | Security groups disallow unrestricted common-port ingress | AWS::EC2::SecurityGroup | mostly |
ATT&CK techniques this control mitigates (156)
| Technique | Name | Tactic(s) |
|---|---|---|
| T1001 | Data Obfuscation | Command And Control |
| T1001.001 | Junk Data | Command And Control |
| T1001.002 | Steganography | Command And Control |
| T1001.003 | Protocol or Service Impersonation | Command And Control |
| T1008 | Fallback Channels | Command And Control |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1021.005 | VNC | Lateral Movement |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1029 | Scheduled Transfer | Exfiltration |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1036.008 | Masquerade File Type | Stealth |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1046 | Network Service Discovery | Discovery |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1055 | Process Injection | Stealth, Privilege Escalation |
| T1055.001 | Dynamic-link Library Injection | Stealth, Privilege Escalation |
| T1055.002 | Portable Executable Injection | Stealth, Privilege Escalation |
| T1055.003 | Thread Execution Hijacking | Stealth, Privilege Escalation |
| T1055.004 | Asynchronous Procedure Call | Stealth, Privilege Escalation |
| T1055.005 | Thread Local Storage | Stealth, Privilege Escalation |
| T1055.008 | Ptrace System Calls | Stealth, Privilege Escalation |
| T1055.009 | Proc Memory | Stealth, Privilege Escalation |
| T1055.011 | Extra Window Memory Injection | Stealth, Privilege Escalation |
| T1055.012 | Process Hollowing | Stealth, Privilege Escalation |
| T1055.013 | Process Doppelgänging | Stealth, Privilege Escalation |
| T1055.014 | VDSO Hijacking | Stealth, Privilege Escalation |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1071 | Application Layer Protocol | Command And Control |
| T1071.001 | Web Protocols | Command And Control |
| T1071.002 | File Transfer Protocols | Command And Control |
| T1071.003 | Mail Protocols | Command And Control |
| T1071.004 | DNS | Command And Control |
| T1071.005 | Publish/Subscribe Protocols | Command And Control |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1078 | Valid Accounts | Stealth, Persistence, Privilege Escalation, Initial Access |
| T1080 | Taint Shared Content | Lateral Movement |
| T1090 | Proxy | Command And Control |
| T1090.001 | Internal Proxy | Command And Control |
| T1090.002 | External Proxy | Command And Control |
| T1090.003 | Multi-hop Proxy | Command And Control |
| T1095 | Non-Application Layer Protocol | Command And Control |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1102 | Web Service | Command And Control |
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Missing authorization for internal functions is mitigated by requiring all external access to traverse managed boundaries. |
| CWE-284 | Improper Access Control | 4,832 | Boundary devices and interface controls directly enforce network-level access restrictions between spheres. |
| CWE-863 | Incorrect Authorization | 3,234 | Incorrect authorization decisions are enforced or detected at external and key internal managed interfaces. |
| CWE-918 | Server-Side Request Forgery (SSRF) | 2,872 | Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Public components are isolated in separate subnetworks and critical internal functions are reachable only via controlled interfaces. |
| CWE-285 | Improper Authorization | 1,230 | Communications are authorized only through managed boundary devices and segmented subnetworks. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Internal resources are kept in separate network spheres from externally accessible components. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 57 | The control explicitly requires that all external connections use managed boundary devices that restrict channels to intended endpoints. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-0108 (KEV) | 9.5 | 9.1 | 0.9412 | good |
| CVE-2025-34221 | 2.2 | 9.8 | 0.0365 | good |
| CVE-2025-7206 | 2.1 | 9.8 | 0.0295 | good |
| CVE-2025-35051 | 2.0 | 9.8 | 0.0024 | good |
| CVE-2025-54304 | 2.0 | 9.8 | 0.0008 | good |
| CVE-2026-23767 | 2.0 | 9.8 | 0.0007 | good |
| CVE-2025-64123 | 2.0 | 9.8 | 0.0008 | good |
| CVE-2025-34218 | 2.0 | 9.8 | 0.0073 | good |
| CVE-2026-34205 | 1.9 | 9.6 | 0.0005 | good |
| CVE-2021-4477 | 1.8 | 9.1 | 0.0000 | good |
| CVE-2026-4475 | 1.8 | 8.8 | 0.0003 | good |
| CVE-2025-34202 | 1.8 | 8.8 | 0.0050 | good |
| CVE-2026-27466 | 1.5 | 7.2 | 0.0018 | good |
| CVE-2024-50954 | 1.5 | 7.5 | 0.0031 | good |
| CVE-2025-2747 (KEV) | 9.4 | 9.8 | 0.9126 | good |
| CVE-2025-61882 (KEV) | 9.3 | 9.8 | 0.8938 | partial |
| CVE-2025-53770 (KEV) | 9.3 | 9.8 | 0.8854 | good |
| CVE-2025-1974 | 7.4 | 9.8 | 0.9113 | good |
| CVE-2025-29927 | 7.3 | 9.1 | 0.9206 | good |
| CVE-2026-35616 (KEV) | 6.6 | 9.8 | 0.4321 | good |
| CVE-2024-54085 (KEV) | 6.5 | 9.8 | 0.4297 | good |
| CVE-2024-48457 | 5.2 | 7.5 | 0.6162 | partial |
| CVE-2025-12548 | 4.4 | 9.0 | 0.4368 | good |
| CVE-2025-61932 (KEV) | 4.1 | 9.8 | 0.0196 | good |
| CVE-2025-0111 (KEV) | 3.5 | 6.5 | 0.0369 | good |