NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(25) Unclassified National Security System Connections

Prohibit the direct connection of [Assignment: organization-defined unclassified national security system] to an external network without the use of [Assignment: organization-defined boundary protection device].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified national security systems and external networks.

Practitioner Notes

Connections between unclassified national security systems and other networks require special approval and protection measures beyond those applied to standard network connections.

Example 1: Document all connections between your unclassified NSS and other networks in an Interconnection Security Agreement (ISA). Specify the encryption, firewall rules, and monitoring required for each connection. Get the authorizing official to approve each ISA.

Example 2: Deploy dedicated firewall rules and IDS monitoring for NSS interconnections. Log all traffic crossing these boundaries and review logs monthly for unauthorized access patterns or policy violations.