NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-7(26) — Classified National Security System Connections
Prohibit the direct connection of a classified national security system to an external network without the use of [Assignment: organization-defined boundary protection device].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface or cross-domain systems) provide information flow enforcement from systems to external networks.
Practitioner Notes
Connections involving classified national security systems have the strictest requirements — typically requiring NSA-approved encryption and cross-domain solutions.
Example 1: Use an NSA-approved cross-domain solution (CDS) for any data exchange between classified and unclassified networks. The CDS inspects and sanitizes all data transfers according to content filtering rules approved by the designated approving authority.
Example 2: Classified network connections must use NSA Type 1 encryption devices. Document these connections in your System Security Plan and get explicit authorization from the appropriate government authority before establishing any new connection.