NIST 800-171 3.13.1: Network Boundary Protection
Network Boundary Protection (3.13.1) requires your organization to actively monitor, control, and protect all communications entering and leaving your systems—both at external perimeters and critical internal demarcation points. This control is essential for detecting unauthorized access attempts and preventing data exfiltration in regulated environments.
What this means
This control mandates continuous monitoring and enforcement of security policies at all system boundaries where organizational networks connect to external networks or untrusted systems. It includes external internet gateways as well as internal boundaries between networks of different trust levels. Organizations must implement mechanisms to inspect, filter, and log all boundary traffic to identify and block unauthorized communications while maintaining visibility of legitimate traffic flows.
How to comply
- 1.Deploy firewalls and intrusion detection/prevention systems at all external network boundaries
- 2.Implement demilitarized zones (DMZs) to isolate publicly accessible systems from internal networks
- 3.Configure network access control lists (ACLs) to enforce explicit deny-by-default policies
- 4.Establish internal network segmentation separating systems by trust level and security criticality
- 5.Enable logging and monitoring of all inbound and outbound traffic at boundary points
- 6.Conduct regular reviews of firewall rules and network policies to remove obsolete or overly permissive entries
- 7.Document all authorized boundary connections and maintain current network topology diagrams
- 8.Implement egress filtering to prevent unauthorized outbound communications and data exfiltration
Evidence auditors look for
- Firewall configurations showing default-deny rules and explicit allow policies for authorized traffic
- Network diagrams identifying external boundaries, DMZs, and internal network segments
- Firewall and IDS/IPS logs demonstrating continuous monitoring and blocked unauthorized attempts
- Access control lists (ACLs) with dates of last review and approval by authorized personnel
- Network segmentation documentation showing trust levels and security zones
- Boundary protection policy documents specifying monitoring and control requirements
- Change management records for firewall rule modifications
- Traffic analysis reports showing anomalies detected and remediation actions taken
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates boundary protection monitoring by centralizing firewall logs, rule documentation, and access control lists in one platform, eliminating manual tracking and ensuring your boundary controls remain visible to auditors without requiring external security tools integration.
See how GRCWatch handles this control automatically
Start free trial