GRCWatch
Sign inStart free trial

SOC 2 CC6.6: External Threat Protection

External threats are among the most common attack vectors for SMBs. CC6.6 requires you to implement logical access security measures that prevent unauthorized access from outside your system boundaries. This control is critical for demonstrating to auditors and customers that you've hardened your infrastructure against common breach scenarios.

What this means

CC6.6 mandates that your organization deploy logical access controls specifically designed to repel threats originating from external sources—attackers outside your network, compromised third-party systems, or untrusted internet traffic. This includes firewalls, intrusion detection systems, authentication mechanisms, and network segmentation that collectively create a security perimeter. The control acknowledges that while you cannot eliminate external threats entirely, you must implement proven defensive layers to minimize unauthorized access attempts and contain potential breaches.

How to comply

  1. 1.Deploy and maintain a firewall that filters inbound and outbound traffic based on defined security policies
  2. 2.Implement multi-factor authentication (MFA) for all external access points, including VPNs, remote desktop, and web applications
  3. 3.Enable intrusion detection and prevention systems (IDS/IPS) to monitor and block suspicious network activity
  4. 4.Segment your network to isolate critical systems and limit lateral movement if perimeter defenses are compromised
  5. 5.Maintain an inventory of all external-facing systems and services, with regular vulnerability scanning and patching
  6. 6.Configure logging and alerting to detect unauthorized access attempts and anomalous external connections
  7. 7.Document your external threat protection architecture and review it quarterly for effectiveness

Evidence auditors look for

  • Firewall configuration documentation and rule change logs showing active threat filtering
  • MFA enrollment reports and authentication logs demonstrating external users are challenged
  • IDS/IPS signatures and alert records showing active threat detection over the past 12 months
  • Network segmentation diagrams with supporting ACL (access control list) configurations
  • Vulnerability scan reports for external-facing assets with remediation timelines
  • System access logs showing failed authentication attempts from external IPs
  • Incident response records documenting how external threats were detected and mitigated
  • Third-party penetration test or security assessment results validating external defenses

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically inventories your external-facing assets, monitors firewall and authentication logs for anomalies, and generates SOC 2 CC6.6 evidence reports so you skip manual log collection before your audit.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CC6.1 - Logical and Physical Access Controls (Authentication)CC6.2 - Access Restrictions (Authorization)CC7.2 - System Monitoring (Intrusion Detection)CC9.1 - Change Management (Firewall Rule Updates)