family SC
framework nist-800-53
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system components that are {{ insert: param, sc-07_odp }} separated from internal organizational networks; and Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
Prevent the exfiltration of information; and Conduct exfiltration tests {{ insert: param, sc-07.10_odp }}.
Only allow incoming communications from {{ insert: param, sc-07.11_odp.01 }} to be routed to {{ insert: param, sc-07.11_odp.02 }}.
Implement {{ insert: param, sc-07.12_odp.01 }} at {{ insert: param, sc-07.12_odp.02 }}.
Isolate {{ insert: param, sc-07.13_odp }} from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
Protect against unauthorized physical connections at {{ insert: param, sc-07.14_odp }}.
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
Prevent the discovery of specific system components that represent a managed interface.
Enforce adherence to protocol formats.
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
Block inbound and outbound communications traffic between {{ insert: param, sc-07.19_odp }} that are independently configured by end users and external service providers.
Provide the capability to dynamically isolate {{ insert: param, sc-07.20_odp }} from other system components.
Employ boundary protection mechanisms to isolate {{ insert: param, sc-07.21_odp.01 }} supporting {{ insert: param, sc-07.21_odp.02 }}.
Implement separate network addresses to connect to systems in different security domains.
Disable feedback to senders on protocol format validation failure.
For systems that process personally identifiable information:
- Apply the following processing rules to data elements of personally identifiable information: {{ insert: param, sc-07.24_odp }};
- Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
- Document each processing exception; and
- Review and remove exceptions that are no longer supported.
Prohibit the direct connection of {{ insert: param, sc-07.25_odp.01 }} to an external network without the use of {{ insert: param, sc-07.25_odp.02 }}.
Prohibit the direct connection of a classified national security system to an external network without the use of {{ insert: param, sc-07.26_odp }}.
Prohibit the direct connection of {{ insert: param, sc-07.27_odp.01 }} to an external network without the use of {{ insert: param, sc-07.27_odp.02 }}.
Prohibit the direct connection of {{ insert: param, sc-07.28_odp }} to a public network.
Implement {{ insert: param, sc-07.29_odp.01 }} separate subnetworks to isolate the following critical system components and functions: {{ insert: param, sc-07.29_odp.02 }}.
Limit the number of external network connections to the system.
- Implement a managed interface for each external telecommunication service;
- Establish a traffic flow policy for each managed interface;
- Protect the confidentiality and integrity of the information being transmitted across each interface;
- Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
- Review exceptions to the traffic flow policy {{ insert: param, sc-07.04_odp }} and remove exceptions that are no longer supported by an explicit mission or business need;
- Prevent unauthorized exchange of control plane traffic with external networks;
- Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
- Filter unauthorized control plane traffic from external networks.
Deny network communications traffic by default and allow network communications traffic by exception {{ insert: param, sc-07.05_odp.01 }}.
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using {{ insert: param, sc-07.07_odp }}.
Route {{ insert: param, sc-07.08_odp.01 }} to {{ insert: param, sc-07.08_odp.02 }} through authenticated proxy servers at managed interfaces.
Detect and deny outgoing communications traffic posing a threat to external systems; and Audit the identity of internal users associated with denied communications.