STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

CCI-004891

Definition

Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.

Parent Control

SC-7 (29): Boundary Protection (family: System and Communications Protection)

Linked STIG Checks (58)

Vuln ID | Severity | Rule Title | Source STIG / SRG

  • V-263542 | CAT II | The ALG must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Application Layer Gateway Security Requirements Guide
  • V-255980 | CAT II | The Arista MLS layer 2 switch must have all disabled switch ports assigned to an unused VLAN. | Arista MLS EOS 4.X L2S Security Technical Implementation Guide
  • V-255981 | CAT II | The Arista MLS layer 2 switch must not have the default VLAN assigned to any host-facing switch ports. | Arista MLS EOS 4.X L2S Security Technical Implementation Guide
  • V-255982 | CAT II | The Arista MLS layer 2 switch must have the default VLAN pruned from all trunk ports that do not require it. | Arista MLS EOS 4.X L2S Security Technical Implementation Guide
  • V-255984 | CAT II | The Arista MLS layer 2 switch must have all user-facing or untrusted ports configured as access switch ports. | Arista MLS EOS 4.X L2S Security Technical Implementation Guide
  • V-255985 | CAT II | The Arista MLS layer 2 switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Arista MLS EOS 4.X L2S Security Technical Implementation Guide
  • V-255986 | CAT III | The Arista MLS layer 2 switch must not have any switch ports assigned to the native VLAN. | Arista MLS EOS 4.X L2S Security Technical Implementation Guide
  • V-272061 | CAT II | The Cisco ACI must be configured to enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies. | Cisco ACI Router Security Technical Implementation Guide
  • V-239865 | CAT II | The Cisco ASA must be configured to filter inbound traffic on all external interfaces. | Cisco ASA Firewall Security Technical Implementation Guide
  • V-239866 | CAT II | The Cisco ASA must be configured to filter outbound traffic on all internal interfaces. | Cisco ASA Firewall Security Technical Implementation Guide
  • V-216588 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco IOS Router RTR Security Technical Implementation Guide
  • V-220641 | CAT II | The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220642 | CAT II | The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220643 | CAT II | The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220645 | CAT II | The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220646 | CAT II | The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220647 | CAT III | The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco IOS Switch L2S Security Technical Implementation Guide
  • V-220453 | CAT II | The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | Cisco IOS Switch RTR Security Technical Implementation Guide
  • V-216678 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco IOS XE Router RTR Security Technical Implementation Guide
  • V-220667 | CAT II | The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-220668 | CAT II | The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-220669 | CAT II | The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-220671 | CAT II | The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-220672 | CAT II | The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-220673 | CAT III | The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco IOS XE Switch L2S Security Technical Implementation Guide
  • V-221020 | CAT II | The Cisco switch must be configured to only permit management traffic that ingresses and egresses the out-of-band management (OOBM) interface. | Cisco IOS XE Switch RTR Security Technical Implementation Guide
  • V-216768 | CAT II | The Cisco out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Cisco IOS XR Router RTR Security Technical Implementation Guide
  • V-220690 | CAT II | The Cisco switch must have all disabled switch ports assigned to an unused VLAN. | Cisco NX OS Switch L2S Security Technical Implementation Guide
  • V-220691 | CAT II | The Cisco switch must not have the default VLAN assigned to any host-facing switch ports. | Cisco NX OS Switch L2S Security Technical Implementation Guide
  • V-220692 | CAT II | The Cisco switch must have the default VLAN pruned from all trunk ports that do not require it. | Cisco NX OS Switch L2S Security Technical Implementation Guide
  • V-220694 | CAT II | The Cisco switch must have all user-facing or untrusted ports configured as access switch ports. | Cisco NX OS Switch L2S Security Technical Implementation Guide
  • V-220695 | CAT II | The Cisco switch must have the native VLAN assigned to an ID other than the default VLAN for all 802.1q trunk links. | Cisco NX OS Switch L2S Security Technical Implementation Guide
  • V-220696 | CAT III | The Cisco switch must not have any switchports assigned to the native VLAN. | Cisco NX OS Switch L2S Security Technical Implementation Guide
  • V-269972 | CAT II | The Dell OS10 Switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Dell OS10 Switch Layer 2 Switch Security Technical Implementation Guide
  • V-263648 | CAT II | The firewall must be configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Firewall Security Requirements Guide
  • V-263664 | CAT II | The IDPS must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Intrusion Detection and Prevention Systems Security Requirements Guide
  • V-258586 | CAT I | The ICS must be configured to use TLS 1.2, at a minimum. | Ivanti Connect Secure VPN Security Technical Implementation Guide
  • V-253966 | CAT II | The Juniper EX switch must be configured to assign all explicitly disabled access interfaces to an unused VLAN. | Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
  • V-253967 | CAT II | The Juniper EX switch must not be configured with VLANs used for L2 control traffic assigned to any host-facing access interface. | Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
  • V-253969 | CAT II | The Juniper EX switch must not use the default VLAN for management traffic. | Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide
  • V-254018 | CAT II | The Juniper out-of-band management (OOBM) gateway must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254021 | CAT II | The Juniper router must be configured to only permit management traffic that ingresses and egresses the OOBM interface. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254064 | CAT I | The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance bound to the appropriate physical or logical interfaces to maintain traffic separation between all MPLS L3VPNs. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254065 | CAT I | The Juniper PE router must be configured to have each Virtual Routing and Forwarding (VRF) instance with the appropriate Route Target (RT). | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-254068 | CAT I | The Juniper PE router providing Virtual Private LAN Services (VPLS) must be configured to have all attachment circuits defined to the virtual forwarding instance (VFI) with the globally unique VPN ID assigned for each customer VLAN. | Juniper EX Series Switches Router Security Technical Implementation Guide
  • V-217044 | CAT II | The Juniper out-of-band management (OOBM) gateway router must be configured to transport management traffic to the Network Operations Center (NOC) via dedicated circuit, MPLS/VPN service, or IPsec tunnel. | Juniper Router RTR Security Technical Implementation Guide
  • V-214518 | CAT II | For User Role Firewalls, the Juniper SRX Services Gateway Firewall must employ user attribute-based security policies to enforce approved authorizations for logical access to information and system resources. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
  • V-214533 | CAT II | The Juniper SRX Services Gateway Firewall must only allow inbound communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Juniper SRX Services Gateway ALG Security Technical Implementation Guide
  • V-214672 | CAT I | The Juniper SRX Services Gateway VPN must use AES256 for the IPsec proposal to protect the confidentiality of remote access sessions. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-214673 | CAT I | The Juniper SRX Services Gateway VPN must use AES256 encryption for the Internet Key Exchange (IKE) proposal to protect the confidentiality of remote access sessions. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-214674 | CAT I | The Juniper SRX Services Gateway VPN must be configured to use Diffie-Hellman (DH) group 15 or higher. | Juniper SRX Services Gateway VPN Security Technical Implementation Guide
  • V-263667 | CAT II | The layer 2 switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Layer 2 Switch Security Requirements Guide
  • V-228862 | CAT II | The Palo Alto Networks security platform must only allow incoming communications from organization-defined authorized sources forwarded to organization-defined authorized destinations. | Palo Alto Networks ALG Security Technical Implementation Guide
  • V-273696 | CAT II | The RUCKUS ICX switch must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | RUCKUS ICX Layer 2 Switch Security Technical Implementation Guide
  • V-273670 | CAT II | The RUCKUS ICX router must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | RUCKUS ICX Router Security Technical Implementation Guide
  • V-264310 | CAT II | The router must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Router Security Requirements Guide
  • V-264313 | CAT II | The SDN controller must be configured to implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | SDN Controller Security Requirements Guide
  • V-264329 | CAT II | The VPN Gateway must implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions. | Virtual Private Network (VPN) Security Requirements Guide