Some organizations may have system components accessible to the public. These components present an elevated risk of compromise. To mitigate this risk, organizations should identify and document these components. This may include Web servers and VPN gateways. Construct a security architecture to separate these components from the internal system. NIST describes several approaches on how organizations can establish a demilitarized zone (DMZ). This blog will discuss the following topics around NIST SP 800-171 practice 3.13.5: 

A Brief History

In 2015, NIST introduced special publication (SP) 800-171. NIST kept the practice number of 3.13.5 through the first and second revisions. NIST SP 800-171 Revision 3 incorporates this practice into 03.13.01.

The cybersecurity maturity model certification (CMMC) rule will verify SP 800-171 Rev 2. CMMC 1.02 numbered this practice SC.1.176; CMMC 2.0 renumbered it SC.L1-3.13.5. This practice applies to organizations seeking compliance at any level of CMMC.

As of December 2023, CMMC 2.1 created two numbers for this practice:

  • CMMC Level 2 uses the label SC.L2-3.13.1. SC identifies the system and communications protection domain. L2 identifies the applicability to CMMC Level 2. 3.13.1 references the original number from NIST SP 800-171 Rev 2.

Practice Statement

NIST derived 3.13.5 from SC-7 within NIST SP 800-53 Rev 4. Below is the original language from SC-7:

Image Source: NIST SP 800-53 Rev 4

Part (B) of SC-7 became 3.13.5:

Image Source: NIST SP 800-171

Assessment Objectives

NIST SP 800-171A provides assessment procedures for each practice. Procedures apply one of three assessment methods to objects. These methods include examining artifacts, interviewing personnel, and testing mechanisms. An assessor checks each practice part to determine a finding. Satisfied findings identify acceptable implementations. Findings other than satisfied identify one or more anomalies.

The assessment objectives for 3.13.5 contain two parts:

Image Source: NIST SP 800-171A

NIST SP 800-53 Mapping

Appendix D maps SP 800-171 requirements to controls from SP 800-53 Rev 4. This mapping relates 3.13.5 to SC-7. 

Image Source: Table D-1 NIST SP 800-171

We mapped these eight objectives to the closest SP 800-53A Rev 5 objectives. NIST IR 8477 guidance helped define the nature and strength of the relationships. The findings indicated that:

  • SC.L1-3.13.1(a) subset of SC-07b. (strong relationship)
  • SC.L1-3.13.1(b) equal to SC-07b.
Image Source: NIST SP 800-171 vs 800-53 Crosswalk

Analysis of Discussion

The CMMC Assessment Guide includes supplemental guidance from SP 800-53 Rev 4. 

Boundary Protection

The CMMC guide derived much of the discussion from the supplemental guidance from SC-7. 

Image Source: NIST SP 800-53 Rev 4 [SC-7]

The CMMC Assessment Guide also provides a further discussion. This narrative provides an analogy and actionable steps:

Separate systems accessible to the public from the internal protected systems. Do not place internal systems on the same network as systems accessible to the public. Block access by default from DMZ to internal networks.
One method of accomplishing this is to create a DMZ network. This provides access to public resources and prevents connections to the internal network. Contractors may also use a separated cloud computing environment.
The CMMC Assessment Guide also provides an example:
The head of recruiting at your company wants to launch a website to post job openings. This would allow the public to download an application form [a]. After some discussion, your team realizes it needs to use a firewall to create a perimeter network to do this [b]. You separate the server's host from the company's internal network. Make sure to isolate the network on which it resides with the proper firewall rules [b].

DoD Criticality

The NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 assigns a 5-point value to this practice. Failing this practice may lead to data exfiltration or exploitation of the network. CMMC section 170.21(ii) removed this practice's eligibility for a limited deficiency. This practice aligns to the basic cybersecurity safeguards requirements of 52.204-21.

Scope of Applicability

NIST SP 800-53 Rev 5 appendix C discusses three implementation approaches:

  • (S) implemented by an information system through technical means
  • (O) implemented by an individual through nontechnical means
  • (O/S) implemented by an organization, system, or combination of the two

NIST defines SC-7 as implemented through technical means. The crosswalk suggests that 3.13.1 is a technical control. This practice may only apply to components that provide the relevant security capabilities. Consider boundary protection devices including:

  • Gateways
  • Routers
  • Firewalls
  • Encrypted Tunnels
  • Proxies
  • Load Balancers
  • Network Access Control systems
  • Demilitarized Zone (DMZ) components
  • Remote Access Systems
  • Cloud Access Security Brokers
  • Wireless Access Points (WAPs)
  • Software-Defined Networking (SDNs)

Inheritance

Some shared responsibility matrices identify practice-level inheritance for 3.13.5. Using a cloud-hosted enclave creates separation from self-hosted systems. 

Image Source: KTL Shared Responsibility Matrix

Managed service providers (MSPs) may assist in configuring a DMZ for self-hosted environments. The inheritance may depend on the services provided by the MSP. 

Image Source: Ariento CMMC 2.0 SRM

Other external service providers may share less responsibility for this practice. For example, organizations using PreVeil must identify their systems accessible to the public.

Image Source: PreVeil Shared Responsibility Matrix

Implementation

Depict system components accessible to the public on the network diagram

What are systems accessible to the public? They are external facing and do not use identification or authentication. Your website would be an example, as cited in AC.L1-3.1.22. The potential assessment considerations under 3.13.5 also cite the following examples:

  • Internet-facing web servers
  • VPN Gateways
  • Cloud services accessible to the public

The next question you might ask is: do you operate systems accessible to the public?

If not, the CMMC assessment guide uses 3.13.5 as an example of a not applicable practice.

Image source: CMMC Assessment Guide - Level 2 page 10

Isolate system components accessible to the public

We found several NIST publications discussing isolating Web servers and VPN gateways.

Internet-facing Web servers

Organizations may outsource the hosting of their Web servers to a third party (e.g., an ISP or Web hosting service). In this case, the Web server is not located on the organization's network. The hosting service places it on a dedicated network for hosted Web servers. Outsourcing often makes sense for smaller organizations. It may also be appropriate for larger organizations that do not wish to host their own Web servers.

Organizations hosting a Web server may use logical or physical separation techniques. Physical separation involves managing systems on a separate network, also known as a management network. Management networks isolate Web servers and other important management components. This requires the hosts' network interfaces to restrict traffic between the management interface and the other interfaces. Logical separation involves establishing a demilitarized zone (DMZ). Creating a DMZ places a firewall between the border router and the internal network. This creates a network segment, the DMZ, through which all traffic to the internal network must pass. NIST SP 800-44 discusses three potential DMZ configurations.

A single-firewall DMZ is a low-cost approach. The organization adds a firewall and uses its existing border router to protect the DMZ. It is usually appropriate only for small organizations that face a minimal threat. The router protects against network layer attacks but cannot protect against application layer attacks. In some configurations, the border router itself may act as a basic firewall. The figure below illustrates a DMZ using a router to restrict the types of network traffic to and from the DMZ.

Image Source: NIST SP 800-44 Figure 8-1

A superior approach is to add a second firewall between the Internet and the DMZ. A two-firewall DMZ configuration improves protection over a router-firewall DMZ. The dedicated firewalls can have more complex and powerful security rule sets. A firewall is often able to analyze HTTP traffic. This enables defenses against application layer attacks. This type of DMZ may result in some performance degradation. The level of degradation depends on the firewall rule sets and the level of traffic the DMZ receives.

Image Source: NIST SP 800-44 Figure 8-2

Another option exists called the “service leg” DMZ. In this configuration, the firewall has three (or more) network interfaces. One network interface attaches to the border router. Another interface attaches to the internal network. A third network interface connects to the DMZ. This delivers the security of the two-firewall DMZ without having two firewalls.

Image Source: NIST SP 800-44 Figure 8-3

Protection offered by the DMZ depends in large part on the firewall configuration. Several types of firewalls exist. Basic firewalls use stateless inspection, which provides access control for IP packets. Packet filtering can block all access to the Web server except from necessary ports. This includes internet traffic through TCP ports 80 (HTTP) and 443 (HTTPS). A network/transport layer firewall can provide filtering based on:

  • Source IP address
  • Destination IP address
  • Traffic type
  • TCP/UDP port number and state

Stateful firewalls add access control based on TCP and User Datagram Protocol (UDP) as well as IP. Stateful inspection firewalls incorporate “awareness” of the state of a TCP connection. Stateful inspection firewalls maintain internal information. This includes the state of the connections and the contents of the data streams. This allows better and more specific rule sets and filtering.

The most secure firewalls are application layer or proxy firewalls. They are able to understand and filter Web content. Application layer firewalls are sometimes called application-proxy gateway firewalls. They combine network and transport layer access control with application layer functionality. Application layer firewalls prevent direct traffic between the Internet and the internal network. They have many advantages over packet filtering routers and stateful inspection firewalls.

Reverse proxies are devices that sit between a Web server and the server's clients. The term "reverse proxy" indicates the data flow is the reverse of a traditional (forward) proxy. Proxies also obfuscate a Web server's configuration, type, location, and other details. The term reverse proxy can include some or all of the following functionality:

  • Encryption accelerators, which off-load the processing required for initiating SSL/TLS connections.
  • A security gateway, which monitors HTTP traffic to and from the Web server and can take action as necessary, acting in essence as an application level firewall.
  • A content filter, which monitors traffic to and from the Web server, identifies sensitive or inappropriate data, and takes action as necessary.
  • Authentication gateways, which authenticate users via a variety of mechanisms and control access to URLs hosted on the Web server itself.

VPN Gateways 

Virtual Private Networks (VPNs) provide secure communications over public or private networks. VPNs often use an open standard called Internet Protocol Security (IPsec) to encrypt traffic. NIST SP 800-77 discusses four primary VPN architectures:

  • Gateway-to-gateway connects two specific networks. An example would include connecting a main office to a branch office. Organizations may place a VPN gateway on each network to establish the connection. The VPN gateway may be a dedicated device or part of another network device such as a firewall or router. A single IPsec connection supports all encrypted communications between the two networks. Different IPsec connections can each protect different types or classes of traffic. Gateway-to-gateway VPNs do not provide full protection for data throughout its transit. They only protect data between the two gateways.
Image source: NIST SP 800-77 Figure 17
  • Host-to-gateway connects one or more individual hosts to a specific network. An example would include remote workers connecting to the main office. This architecture may also enhance security for connections made through the corporate WiFi. Users authenticate their identity before establishing the IPsec connection. The VPN gateway can perform the authentication or consult a dedicated authentication server.
Image source: NIST SP 800-77 Figure 18
  • Host-to-host connects two specific computers. An administrator may need to connect to a system that only accepts VPN connections. An organization may configure a server to provide VPN services. Some users' machines may act as VPN clients. The VPN clients establish IPsec communications to the remote server.
Image source: NIST SP 800-77 Figure 19
  • Mesh encryption connects many hosts within one or a few networks to each other. An example would include encrypting all communications within a network, cloud, or datacenter. Hosts communicating with other hosts in the network first establish an IPsec connection. In this model, each host has responsibility for its own protection. This model does not need IPsec gateways. It is possible to combine mesh encryption with the gateway-to-gateway architecture. This would extend the mesh to more than one network.
Image source: NIST SP 800-77 Figure 20

NIST recommends enabling firewalls and intrusion detection software to examine unencrypted traffic. Out of the options presented in NIST SP 800-113 there are two that meet the requirements of 3.13.5:

  • Placing the VPN device within the DMZ. This design protects traffic between the gateway and internal hosts. It also protects the gateway from external attacks. NIST recommends a firewall between the VPN and the internal network. This prevents full access to the internal network through the VPN device. The firewall allows some traffic through ports for the VPN to communicate. Attackers may still have access to the internal network through these holes.
Image Source: NIST SP 800-113 Figure 4-3
  • Configuring a VPN gateway within the DMZ with two interfaces. Remote users use an external interface to connect to the device. Traffic destined for the internal network would traverse the internal interface. This internal interface may connect to another firewall. It may also connect to another interface on the same firewall. This protects unencrypted traffic headed for internal hosts. Compromised DMZ hosts cannot use the internal interface unless they compromise the VPN.
Image Source: NIST SP 800-113 Figure 4-4
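As an added example (not from NIST SP 800-44, SP 800-113, or the CMMC guide), here is a small Python model of the service-leg DMZ firewall described above combined with the two-interface VPN gateway placement: three zones on one firewall, first-match stateful rules, a default deny from the DMZ and the Internet to internal hosts, and a rule-set review function of the kind the annual firewall review would run. The addresses, the VPN gateway's internal interface, and the function names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the firewall's three interfaces (service-leg DMZ).
ZONES = {"dmz": ip_network("192.0.2.0/24"), "internal": ip_network("10.10.0.0/16")}
VPN_GW_INTERNAL = "192.0.2.20"  # assumed: the VPN gateway's internal-facing interface

def zone_of(addr):
    """Map an address to its zone; anything outside the DMZ and internal nets is the Internet."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                         # "allow" or "deny"
    proto: str = "tcp"
    dports: frozenset = frozenset()     # empty = any destination port
    src_hosts: frozenset = frozenset()  # empty = any host in src_zone

# First-match policy; unmatched traffic falls through to the default deny.
POLICY = [
    Rule("internet", "dmz", "allow", dports=frozenset({80, 443})),             # public Web server
    Rule("internet", "dmz", "allow", "udp", frozenset({500, 4500})),           # IKE/NAT-T to VPN gateway
    Rule("dmz", "internal", "allow", src_hosts=frozenset({VPN_GW_INTERNAL})),  # decrypted VPN traffic only
    Rule("internal", "dmz", "allow"),                                          # staff manage DMZ hosts
]

class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy
        self.flows = set()  # (src, sport, dst, dport, proto) of connections already allowed

    def evaluate(self, src, sport, dst, dport, proto="tcp"):
        # Stateful inspection: replies belonging to an allowed flow need no explicit rule.
        if (dst, dport, src, sport, proto) in self.flows:
            return "allow"
        sz, dz = zone_of(src), zone_of(dst)
        for r in self.policy:
            if (r.src_zone, r.dst_zone, r.proto) != (sz, dz, proto):
                continue
            if (r.dports and dport not in r.dports) or (r.src_hosts and src not in r.src_hosts):
                continue
            if r.action == "allow":
                self.flows.add((src, sport, dst, dport, proto))
            return r.action
        return "deny"  # default deny covers DMZ -> internal and Internet -> internal

def audit_dmz_isolation(policy):
    """Rule-set review: the only allow into internal may come from the VPN gateway's internal interface."""
    return [r for r in policy if r.action == "allow" and r.dst_zone == "internal"
            and not (r.src_zone == "dmz" and r.src_hosts == {VPN_GW_INTERNAL})]
```

A compromised DMZ Web server still cannot open a connection inward, while the return half of an admin session from the internal network is admitted through the state table rather than through a permissive DMZ-to-internal rule.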

Continuous Monitoring Tasks

A continuous monitoring task verifies that controls produce their desired outcome(s). Practice 3.13.5 has two desired outcomes:

  • Identify system components with public access
  • Separate system components with public access from internal networks

Update your network diagram at least once per year. Ensure that Web servers and VPN gateways are within a DMZ network.

Other tasks might include:

  • Review firewall rule-sets on an annual basis to ensure compliance with existing policies.
  • Perform tests on boundary protection devices each year to ensure compliance with policies.
  • Schedule Change Advisory Board meetings on a monthly basis to review requested changes.

Policy Statements

Boundary Protection

  • IT hosts Web servers and VPN gateways within a DMZ network

Acceptable Use

  • Remote users may only access internal systems using a VPN connection
  • Devices on the wireless network may only access internal systems using a VPN

Proposed Rev 3 Changes

NIST SP 800-171 Rev 3 aligns 03.13.01 with SC-7 from SP 800-53 Rev 5. NIST combined the two parts of 3.13.5 into part (B) of 03.13.01. There are six parts of 03.13.01:

  • A[01] - Monitoring communications at external managed interfaces to the system.
  • A[02] - Controlling communications at external managed interfaces to the system.  
  • A[03] - Monitoring communications at key internal managed interfaces within the system.
  • A[04] - Controlling communications at key internal managed interfaces within the system.
  • B - Use physical or logical separation for system components accessible to the public.
  • C - Limit external system connections through boundary protection devices.
Image Source: NIST SP 800-171 Rev 3 Crosswalk Calculator

Conclusion

Identify system components that are accessible to the public. This may include web servers or virtual private network (VPN) gateways. Use separation techniques to isolate these components from the internal system. For logical separation, NIST recommends establishing a demilitarized zone (DMZ). Ensure firewalls and intrusion detection software may examine unencrypted traffic within the DMZ. Depict the boundary protection devices around the DMZ on a network diagram.
