| Control | Description | |
|---|---|---|
| Network Security Controls (NSC) | Mechanisms exist to develop, govern & update procedures to facilitate the implementation of Network Security Controls (NSC). | |
| Zero Trust Architecture (ZTA) | Mechanisms exist to treat all users and devices as potential threats and prevent access to data and resources until the users can be properly authenticated and their access authorized. | |
| Layered Network Defenses | Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers. | |
| Boundary Protection | Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network. | |
| Limit Network Connections | Mechanisms exist to limit the number of concurrent external network connections to its systems. | |
| Prevent Discovery of Internal Information | Mechanisms exist to prevent the public disclosure of internal network information. | |
| Prevent Unauthorized Exfiltration | Automated mechanisms exist to prevent the unauthorized exfiltration of sensitive/regulated data across managed interfaces. | |
| Data Flow Enforcement – Access Control Lists (ACLs) | Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restricts network traffic to only what is authorized. | |
| Deny Traffic by Default & Allow Traffic by Exception | Mechanisms exist to configure firewall and router configurations to deny network traffic by default and allow network traffic by exception (e.g., deny all, permit by exception). | |
| External System Connections | Mechanisms exist to prohibit the direct connection of a sensitive system to an external network without the use of an organization-defined boundary protection device. | |
| Network Segmentation (macrosegmentation) | Mechanisms exist to ensure the network architecture utilizes network segmentation to isolate systems, applications and services from other network resources. | |
| Security Management Subnets | Mechanisms exist to implement security management subnets to isolate security tools and support components from other internal system components by implementing separate subnetworks with managed interfaces to other components of the system. | |
| Network Intrusion Detection / Prevention Systems (NIDS / NIPS) | Mechanisms exist to employ Network Intrusion Detection / Prevention Systems (NIDS/NIPS) to detect and/or prevent intrusions into the network. | |
| DMZ Networks | Mechanisms exist to monitor De-Militarized Zone (DMZ) network segments to separate untrusted networks from trusted networks. | |
| Domain Name Service (DNS) Resolution | Mechanisms exist to ensure Domain Name Service (DNS) resolution is designed, implemented and managed to protect the security of name / address resolution. | |
| Sender Policy Framework (SPF) | Mechanisms exist to validate the legitimacy of email communications through configuring a Domain Name Service (DNS) Sender Policy Framework (SPF) record to specify the IP addresses and/or hostnames that are authorized to send email from the specified domain. | |
| Safeguarding Data Over Open Networks | Cryptographic mechanisms exist to implement strong cryptography and security protocols to safeguard sensitive/regulated data during transmission over open, public networks. | |
| Wireless Link Protection | Mechanisms exist to protect external and internal wireless links from signal parameter attacks through monitoring for unauthorized wireless connections, including scanning for unauthorized wireless access points and taking appropriate action if an unauthorized connection is discovered. | |
| End-User Messaging Technologies | Mechanisms exist to prohibit the transmission of unprotected sensitive/regulated data by end-user messaging technologies. | |
| Electronic Messaging | Mechanisms exist to protect the confidentiality, integrity and availability of electronic messaging communications. | |
| Remote Access | Mechanisms exist to define, control and review organization-approved, secure remote access methods. | |
| Automated Monitoring & Control | Automated mechanisms exist to monitor and control remote access sessions. | |
| Protection of Confidentiality / Integrity Using Encryption | Cryptographic mechanisms exist to protect the confidentiality and integrity of remote access sessions (e.g., VPN). | |
| Managed Access Control Points | Mechanisms exist to route all remote accesses through managed network access control points (e.g., VPN concentrator). | |
| Work From Anywhere (WFA) - Telecommuting Security | Mechanisms exist to define secure telecommuting practices and govern remote access to systems and data for remote workers. | |
| Endpoint Security Validation | Automated mechanisms exist to validate the security posture of the endpoint devices (e.g., software versions, patch levels, etc.) prior to allowing devices to connect to organizational technology assets. | |
| Wireless Networking | Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access. | |
| Data Loss Prevention (DLP) | Automated mechanisms exist to implement Data Loss Prevention (DLP) to protect sensitive information as it is stored, transmitted and processed. | |
| DNS & Content Filtering | Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites. | |
| Route Internal Traffic to Proxy Servers | Mechanisms exist to route internal communications traffic to external networks through organization-approved proxy servers at managed interfaces. | |