NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(12) Host-based Protection

Implement [Assignment: organization-defined host-based boundary protection mechanisms] at [Assignment: organization-defined system components].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices.

Practitioner Notes

Host-based boundary protection means running a firewall or packet-filtering capability on each server, workstation, laptop and mobile device, not relying solely on network firewalls. A perimeter or segment firewall never sees traffic between two hosts on the same VLAN, so host-based filtering is what limits lateral movement inside a segment. That is the defense-in-depth this enhancement is after.

Example 1: Use Group Policy to enable and configure Windows Defender Firewall on every domain-joined machine, with all three profiles (Domain, Private, Public) enabled, the default inbound action set to Block, and merging of locally authored rules disabled so that a local administrator (or malware running as one) cannot add allow rules outside policy. Define inbound and outbound rules that match your network security policy, and allow management ports such as RDP and WinRM only from your admin subnet. Verify on a sample host with Get-NetFirewallProfile and Get-NetFirewallRule, since policy-applied and locally created rules both appear there.
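The following PowerShell is an added example, not text from NIST or from the page author: it applies the Example 1 baseline to a single host with the NetSecurity cmdlets (the same settings GPO pushes, useful for a lab box or an Intune/DSC remediation script) and then audits for inbound allow rules reachable from any address. The admin subnet 10.10.50.0/24, the rule-name prefix "SC-7(12)", and the choice of management ports (3389, 5986) are assumptions you should replace with your own values.

```powershell
# Added example (not NIST's or the page's own code). Baseline host-based
# boundary protection for a domain-joined Windows host, equivalent to the
# GPO settings under Computer Configuration > Policies > Windows Settings >
# Security Settings > Windows Defender Firewall with Advanced Security.
# Assumed (hypothetical) values: admin subnet 10.10.50.0/24, management
# ports RDP/3389 and WinRM-over-HTTPS/5986. Run from an elevated shell.

#Requires -RunAsAdministrator
#Requires -Modules NetSecurity

$AdminSubnet = '10.10.50.0/24'                          # assumption: admin VLAN
$MgmtPorts   = @{ 'RDP' = 3389; 'WinRM-HTTPS' = 5986 }  # assumption: mgmt ports

# 1. Every profile on, default-deny inbound, and no merging of locally
#    authored firewall or IPsec rules, so a local admin cannot quietly
#    punch a hole that policy never approved. Log dropped packets.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False `
    -NotifyOnListen False `
    -LogBlocked True `
    -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 2. Remove any earlier copy of our rules so the script is idempotent.
Get-NetFirewallRule -DisplayName 'SC-7(12) *' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Allow each management port only from the admin subnet, Domain profile
#    only, so the port stays closed when the laptop is on a coffee-shop Wi-Fi.
foreach ($name in $MgmtPorts.Keys) {
    New-NetFirewallRule -DisplayName "SC-7(12) $name from admin subnet" `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol TCP -LocalPort $MgmtPorts[$name] `
        -RemoteAddress $AdminSubnet | Out-Null
}

# 4. Audit: list enabled inbound Allow rules whose remote address is "Any".
#    Each one is a gap in the default-deny posture and needs a justification
#    (built-in rules such as ICMP or DHCP will show up here; decide which
#    of them you really want to keep).
function Get-OverlyPermissiveInboundRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
            $port = $rule | Get-NetFirewallPortFilter
            if ($addr -contains 'Any') {
                [pscustomobject]@{
                    Name       = $rule.DisplayName
                    Profile    = $rule.Profile
                    Protocol   = $port.Protocol
                    LocalPort  = ($port.LocalPort -join ',')
                    RemoteAddr = ($addr -join ',')
                }
            }
        }
}

# Evidence for the assessor: profile state plus the permissive-rule list.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules |
    Format-Table -AutoSize
Get-OverlyPermissiveInboundRule | Format-Table -AutoSize
```

Run it once on a representative workstation and once on a server before rolling the equivalent GPO out; the audit function is the part worth keeping as a scheduled check, because a rule that is RemoteAddress "Any" on a machine that should be default-deny is exactly what an attacker leaves behind when they enable a service for lateral movement.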

Example 2: Deploy an EDR agent such as Microsoft Defender for Endpoint or CrowdStrike Falcon on every server and workstation. These agents provide host-level network protection, detect lateral-movement attempts, and can isolate a compromised machine from the network in seconds. Keep in mind that isolation is an incident-response action; what satisfies SC-7(12) is the host-level filtering policy the agent enforces continuously, which complements rather than replaces the host firewall rules in Example 1.