NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(4) External Telecommunications Services

(a) Implement a managed interface for each external telecommunication service;
(b) Establish a traffic flow policy for each managed interface;
(c) Protect the confidentiality and integrity of the information being transmitted across each interface;
(d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
(e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need;
(f) Prevent unauthorized exchange of control plane traffic with external networks;
(g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
(h) Filter unauthorized control plane traffic from external networks.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See [SP 800-189](#f5edfe51-d1f2-422e-9b27-5d0e90b49c72) for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.

Practitioner Notes

When you use external telecom services (internet, leased lines, MPLS), you need a documented plan for how those connections are protected and what happens if the provider is compromised.

Example 1: Document all your ISP and telecom provider connections in a network diagram. For each connection, specify the encryption used (IPsec VPN, TLS), the firewall rules applied, and the provider's SLA for uptime and security incident notification.

Example 2: If you use an MPLS circuit from a telecom provider, layer your own encryption (IPsec tunnel) on top of it rather than trusting the provider's network security. This way, even if the provider's infrastructure is compromised, your data remains encrypted.
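The supplemental guidance points to RPKI as the mechanism for detecting and filtering unauthorized BGP announcements (items (f) through (h) above). The following is an added example, not NIST text or this page's notes: a simplified RFC 6811 route origin validation check that classifies an announcement as valid, invalid, or not-found against a set of ROAs, and a filter that drops invalid routes. The ROA set, prefixes, and AS numbers are constructed sample data from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization: prefix, max announced length, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs (documentation prefixes and private-use ASNs, not real data).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("192.0.2.0/23", 24, 64497),   # a second, broader ROA with a different origin
    Roa("2001:db8::/32", 48, 64496),
]


def validate_origin(route_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811-style origin validation for a single BGP announcement.

    Returns 'not-found' when no ROA covers the prefix, 'valid' when at least one
    covering ROA authorizes this origin AS at this prefix length, else 'invalid'.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def filter_announcements(announcements, roas, drop_not_found=False):
    """Split (prefix, origin_asn) announcements into accepted and rejected lists.

    Invalid routes are always rejected; not-found routes are accepted unless the
    operator opts to drop them (a stricter policy than most deployments use).
    """
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state == "invalid" or (state == "not-found" and drop_not_found):
            rejected.append((prefix, asn, state))
        else:
            accepted.append((prefix, asn, state))
    return accepted, rejected
```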