NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(18) Fail Secure

Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Fail secure is a condition achieved by employing mechanisms to ensure that in the event of operational failures of boundary protection devices at managed interfaces, systems do not enter into unsecure states where intended security properties no longer hold. Managed interfaces include routers, firewalls, and application gateways that reside on protected subnetworks (commonly referred to as demilitarized zones). Failures of boundary protection devices cannot lead to or cause information external to the devices to enter the devices nor can failures permit unauthorized information releases.

Practitioner Notes

When a boundary protection device fails, it must default to a secure state — blocking all traffic rather than allowing everything through. This is "fail secure" or "fail closed."

Example 1: Configure your firewall in fail-closed mode so that if the inspection engine crashes, all traffic is blocked rather than passed through uninspected. Pair this with a high-availability setup so the standby firewall takes over within seconds.

Example 2: Test your fail-secure configuration regularly. During a maintenance window, simulate a firewall process crash and verify that traffic stops flowing (fail-closed) rather than being passed through (fail-open). Document the test results.
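The two examples above describe a configuration choice (fail-closed versus fail-open, backed by a high-availability standby) and a test procedure (crash the inspection process, confirm traffic stops). The following is an added illustration, not code from NIST or from any firewall vendor: a small Python model of a boundary protection device whose inspection engine can crash, with the failure mode selectable, plus an active/standby pair. The addresses, ports, class names and the allow-list are constructed for the demonstration; the point is to show why the counts differ under each policy and what a fail-secure test should assert on.

```python
"""Added example (not from the page or NIST): toy boundary device model
showing fail-open vs fail-closed behaviour when the inspection engine dies,
and how an active/standby pair keeps enforcing policy during failover.
All hosts, ports and traffic below are constructed sample values."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed allow-list: only inbound HTTPS to the DMZ web server is permitted.
ALLOWED = {("10.0.1.20", 443)}

# Constructed sample traffic: one permitted flow, two that policy must drop.
TRAFFIC = [
    Packet("203.0.113.5", "10.0.1.20", 443),   # allowed by policy
    Packet("203.0.113.5", "10.0.1.20", 22),    # SSH to DMZ host: not allowed
    Packet("203.0.113.9", "10.0.1.30", 3389),  # RDP to internal host: not allowed
]


class EngineCrashed(RuntimeError):
    """Raised when the (simulated) inspection engine process is not running."""


class InspectionEngine:
    def __init__(self):
        self.healthy = True

    def crash(self):
        """Simulate the engine process dying (the Example 2 test stimulus)."""
        self.healthy = False

    def inspect(self, pkt: Packet) -> bool:
        if not self.healthy:
            raise EngineCrashed("inspection engine not running")
        return (pkt.dst, pkt.dport) in ALLOWED


class Firewall:
    """A boundary device whose behaviour on engine failure is a policy choice."""

    def __init__(self, name: str, fail_closed: bool):
        self.name = name
        self.fail_closed = fail_closed
        self.engine = InspectionEngine()
        self.log = []

    def forward(self, pkt: Packet) -> bool:
        try:
            return self.engine.inspect(pkt)
        except EngineCrashed:
            # Fail-closed: drop everything. Fail-open: pass everything uninspected.
            verdict = not self.fail_closed
            self.log.append(f"{self.name}: engine down, default="
                            f"{'ALLOW' if verdict else 'DROP'} for {pkt.dst}:{pkt.dport}")
            return verdict


class HAPair:
    """Active/standby pair: the standby takes over when the active engine is down."""

    def __init__(self, active: Firewall, standby: Firewall):
        self.active, self.standby = active, standby

    def forward(self, pkt: Packet) -> bool:
        unit = self.active if self.active.engine.healthy else self.standby
        return unit.forward(pkt)


def fail_secure_test(forward, crash, traffic=TRAFFIC):
    """Example 2 as code: count packets forwarded, crash the engine, count again.
    Returns (allowed_before, allowed_after). A standalone fail-closed device
    should report allowed_after == 0; a healthy HA pair should keep
    allowed_after == allowed_before because the standby still inspects."""
    before = sum(1 for p in traffic if forward(p))
    crash()
    after = sum(1 for p in traffic if forward(p))
    return before, after


if __name__ == "__main__":
    fw_open = Firewall("fw-open", fail_closed=False)
    print("fail-open  :", fail_secure_test(fw_open.forward, fw_open.engine.crash))
    fw_closed = Firewall("fw-closed", fail_closed=True)
    print("fail-closed:", fail_secure_test(fw_closed.forward, fw_closed.engine.crash))
    pair = HAPair(Firewall("fw-a", True), Firewall("fw-b", True))
    print("HA pair    :", fail_secure_test(pair.forward, pair.active.engine.crash))
    for line in fw_open.log + fw_closed.log:
        print(line)
```

Running the script shows the three outcomes side by side: the fail-open unit forwards all three packets once its engine is gone (the two policy-violating flows now pass uninspected), the fail-closed unit forwards none, and the fail-closed pair keeps forwarding exactly the one permitted flow because the standby is still inspecting. On a real device the `crash()` step is the deliberate process kill performed in the maintenance window, and the two counts are what the documented test results should record.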