NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-7(3)Access Points

Limit the number of external network connections to the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection [DHS TIC](#4f42ee6e-86cc-403b-a51f-76c2b4f81b54) initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

Practitioner Notes

Limit the number of network access points — every connection into your network is a door that needs to be guarded. Fewer doors mean fewer opportunities for attackers and easier monitoring.

Example 1: Consolidate your internet connections to a single, well-monitored point with a next-gen firewall, IDS/IPS, and full packet logging. Eliminate any rogue internet connections that departments may have set up on their own, such as personal hotspots or unauthorized cable modems.

Example 2: For remote access, funnel all VPN connections through a single VPN gateway (like Cisco AnyConnect or GlobalProtect) rather than having multiple VPN entry points. This gives you one place to enforce MFA, monitor sessions, and apply security policies.

More System and Communications Protection Controls

SC-1 Policy and Procedures SC-2 Separation of System and User Functionality SC-2(1) Interfaces for Non-privileged Users SC-2(2) Disassociability