NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(11) Restrict Incoming Communications Traffic

Only allow incoming communications from {{ insert: param, sc-07.11_odp.01 }} to be routed to {{ insert: param, sc-07.11_odp.02 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

General source address validation techniques are applied to restrict the use of illegal and unallocated source addresses as well as source addresses that should only be used within the system. The restriction of incoming communications traffic provides determinations that source and destination address pairs represent authorized or allowed communications. Determinations can be based on several factors, including the presence of such address pairs in the lists of authorized or allowed communications, the absence of such address pairs in lists of unauthorized or disallowed pairs, or meeting more general rules for authorized or allowed source and destination pairs. Strong authentication of network addresses is not possible without the use of explicit security protocols, and thus, addresses can often be spoofed. Further, identity-based incoming traffic restriction methods can be employed, including router access control lists and firewall rules.

Practitioner Notes

Inbound traffic restrictions go beyond basic firewall rules: incoming communications are permitted only from authorized sources and only for authorized purposes, with everything else denied by default.

Example 1: On your perimeter firewall, create explicit allow rules for each inbound service. Your web server only accepts HTTPS from the CDN. Your VPN gateway only accepts connections from specific IP ranges or with valid certificates. Everything else is denied and logged.

Example 2: Use Azure Network Security Groups or AWS Security Groups to restrict inbound traffic to your cloud workloads. Only allow SSH/RDP from your corporate IP range, HTTPS from your load balancer, and nothing else. Review these rules quarterly.
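The evaluation logic that the Supplemental Guidance describes (source address validation followed by a source/destination pair check against an allow list) and the explicit-allow, default-deny rule sets in Example 1 and Example 2, as an added illustration that is not part of the NIST text or any vendor product. The address ranges, rule names and the "our DMZ" prefix are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: sources that are never legitimate on an external interface
# (unspecified, RFC 1918, loopback, link-local). Dropped before any allow rule.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed "our DMZ" prefix: a packet arriving from outside that claims an
# internal source address is treated as spoofed.
INTERNAL = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class AllowRule:
    src: ipaddress.IPv4Network   # authorized source range
    dst: ipaddress.IPv4Network   # authorized destination (host or range)
    dport: int                   # authorized service port
    name: str                    # rule name, recorded in the decision log


# Constructed rules mirroring the practitioner examples: HTTPS only from the
# CDN range, VPN only from the partner range, SSH only from the corporate range.
ALLOW = [
    AllowRule(ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("203.0.113.10/32"), 443, "cdn-to-web"),
    AllowRule(ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("203.0.113.20/32"), 1194, "partner-to-vpn"),
    AllowRule(ipaddress.ip_network("192.0.2.128/25"), INTERNAL, 22, "corp-to-ssh"),
]


def evaluate(src: str, dst: str, dport: int) -> tuple[str, str]:
    """Decide one inbound flow. Returns (verdict, reason); the reason is what
    would be written to the deny/allow log. Anything not explicitly allowed is dropped."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if any(s in n for n in BOGON_SOURCES):
        return "DROP", "bogon-source"
    if s in INTERNAL:
        return "DROP", "spoofed-internal-source"
    if d not in INTERNAL:
        return "DROP", "destination-not-ours"
    for rule in ALLOW:
        if s in rule.src and d in rule.dst and dport == rule.dport:
            return "ALLOW", rule.name
    return "DROP", "default-deny"
```

The same ordering (validate the source first, then match the pair, then default deny) applies whether the enforcement point is a perimeter firewall, a router ACL, or a cloud security group.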