GRCWatch
Sign inStart free trial

Network Integrity Protection (NIST PR.AC-5)

Network integrity protection is a foundational security control that prevents unauthorized access and lateral movement across your infrastructure. NIST Cybersecurity Framework's PR.AC-5 requires organizations to implement network segregation and segmentation to isolate critical systems and limit exposure. For SMBs, this means building the right architectural controls without over-engineering your compliance posture.

What this means

Network integrity protection ensures that your network architecture prevents unauthorized communication between systems and protects the confidentiality and availability of critical assets. This is accomplished through network segregation (physically separating networks) and network segmentation (logically dividing a single network into multiple subnets). These controls restrict lateral movement, contain breaches to specific network zones, and enforce principle-of-least-privilege access at the network level.

How to comply

  1. 1.Map your network architecture and identify critical assets, sensitive data repositories, and high-risk systems that require isolation
  2. 2.Implement network segmentation using VLANs, subnets, or software-defined perimeters to separate user networks from administrative networks and production from development environments
  3. 3.Deploy firewalls and access control lists (ACLs) at network boundaries to enforce rules that restrict traffic between segments based on business need
  4. 4.Monitor and log inter-segment traffic to detect unauthorized communication attempts and maintain audit trails for compliance verification
  5. 5.Document your network topology, segmentation strategy, and access policies with business justification for each segment
  6. 6.Regularly test network controls through penetration testing and vulnerability assessments to validate segregation effectiveness

Evidence auditors look for

  • Network topology diagrams showing segregation of DMZ, internal networks, and isolated systems
  • Firewall rule sets and access control lists (ACLs) with documented business justifications
  • VLAN configuration documentation and subnet allocation records
  • Network access policy documentation defining allowed traffic flows between segments
  • Penetration test reports validating network segmentation effectiveness and unauthorized access prevention
  • Change logs and configuration management records for network infrastructure updates
  • Network monitoring and traffic analysis logs showing enforcement of segment restrictions

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates network segmentation documentation and control evidence collection, helping you maintain audit-ready network topology records and access policy inventories without manual spreadsheets.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PR.AC-1 (Identities and Credentials)PR.AC-3 (Access Enforcement)PR.PT-4 (Communications Protection)