Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family SC

SC-7 Boundary Protection

a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and
c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 14 mappings from 2 frameworks: ASVS 5.0: 11 (partial) · CSF 2.0: 3 (mostly)

Implementations targeting this control (27)

ATT&CK techniques this control mitigates (156)

Weaknesses this control addresses (8) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 9,346 | Missing authorization for internal functions is mitigated by requiring all external access to traverse managed boundaries. |
| CWE-284 | Improper Access Control | 5,367 | Boundary devices and interface controls directly enforce network-level access restrictions between spheres. |
| CWE-863 | Incorrect Authorization | 3,515 | Incorrect authorization decisions are enforced or detected at external and key internal managed interfaces. |
| CWE-918 | Server-Side Request Forgery (SSRF) | 3,202 | Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. |
| CWE-306 | Missing Authentication for Critical Function | 2,820 | Public components are isolated in separate subnetworks and critical internal functions are reachable only via controlled interfaces. |
| CWE-285 | Improper Authorization | 1,356 | Communications are authorized only through managed boundary devices and segmented subnetworks. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 797 | Internal resources are kept in separate network spheres from externally accessible components. |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 61 | The control explicitly requires that all external connections use managed boundary devices that restrict channels to intended endpoints. |

Top CVEs where this control is the strongest mitigation

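| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-0108 | KEV 10.0 | 9.1 | 0.9834 | good |
| CVE-2025-0111 | KEV 10.0 | 6.5 | 0.0186 | good |
| CVE-2025-34291 | KEV 10.0 | 8.8 | 0.7889 | good |
| CVE-2024-37079 | KEV 10.0 | 9.8 | 0.2238 | good |
| CVE-2024-0012 | KEV 10.0 | 9.8 | 0.9970 | good |
| CVE-2021-26855 | KEV 10.0 | 9.1 | 1.0000 | good |
| CVE-2021-22175 | KEV 10.0 | 6.8 | 0.5337 | good |
| CVE-2020-1938 | KEV 10.0 | 9.8 | 0.9927 | good |
| CVE-2020-0796 | KEV 10.0 | 10.0 | 0.9981 | good |
| CVE-2017-6740 | KEV 10.0 | 8.8 | 0.1079 | good |
| CVE-2017-12235 | KEV 10.0 | 7.5 | 0.0694 | good |
| CVE-2016-8735 | KEV 10.0 | 9.8 | 0.9034 | good |
| CVE-2025-29927 | 8.0 | 9.1 | 0.9962 | good |
| CVE-2025-1974 | 8.0 | 9.8 | 0.9910 | good |
| CVE-2023-49785 | 8.0 | 9.1 | 0.8316 | good |
| CVE-2022-3218 | 8.0 | 9.8 | 0.7348 | good |
| CVE-2023-20864 | 8.0 | 9.8 | 0.7165 | good |
| CVE-2024-47176 | 8.0 | 5.3 | 0.5017 | good |
| CVE-2025-26507 | 7.0 | 9.8 | 0.0086 | good |
| CVE-2025-35051 | 7.0 | 9.8 | 0.0077 | good |
| CVE-2025-29783 | 7.0 | 9.0 | 0.0082 | good |
| CVE-2025-54304 | 7.0 | 9.8 | 0.0044 | good |
| CVE-2026-34205 | 7.0 | 9.6 | 0.0026 | good |
| CVE-2021-4477 | 7.0 | 9.1 | 0.0032 | good |
| CVE-2026-23767 | 7.0 | 9.8 | 0.0045 | good |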
