StateRAMP, Subnetworks, and Boundary Security

stateramp subnetworks featured

StateRAMP guidelines include network security standards from NIST 800-53, with specific requirements for implementing those guidelines based on the application and data processing. Implementing boundary controls is one of the more relevant and sometimes challenging aspects of compliance network security. Here, we will dig into how StateRAMP (and FedRAMP, to some extent) approach subnetworks and boundary security.


Do StateRAMP-Compliant CSPs Need to Use Subnetworks?

The short answer is yes. Any cloud offering provider seeing StateRAMP Authorization must practice specific boundary protection processes for their networks, including using logical or physical subnetworks to separate specific computing areas. 

A “subnetwork” is a logical (software or hardware separated) or physical (hardware or air gap separated) section of a broader network such that internet traffic from external or other internal subnetworks must pass through unique security requirements (if access is permitted at all). 

An excellent example of a subnetwork is comprehensive Wi-Fi in a public location. This Wi-Fi network may support business operations and management while offering customers guest access. The operational and consumer networks leverage the same network infrastructure but are separated so guests cannot access business systems.

Crucial to the concept of boundary protection and subnetworks are the definitions of key terms:

  • Boundaries: A network boundary is a point at which a local area network begins and ends. Logically, this means delineating between the collection of devices authorized for a specific network and other devices outside that network. 
  • Public Access: Depending on the context, public access to a network can mean several things. The definition used by FedRAMP (the source standard for StateRAMP) states that the first compute instance (or the first interface or system) accessible from public networks outside the LAN is the first publicly accessible network component. This often includes systems for authentication or secure data delivery.
  • Network Devices: While a system might be the first publicly accessible system outside a boundary, it doesn’t mean it is the first one overall. Other devices, like proxy servers or firewalls, may exist between public and private systems.

Boundary controls for StateRAMP will address the need for cloud providers to provide boundary security from both outside access and internal access between StateRAMP-compliant subnetworks.


What Are NIST Special Publication 800-53 and Boundary Protection (SC-7) Controls?

stateramp subnetworks

The backbone of StateRAMP (and FedRAMP) requirements are found in NIST Special Publication 800-53. More specifically, both standards derive their network and boundary controls from the System and Communications Protection (SC) control family subsection SC-7.

This section includes three primary requirements that all CSPs must adhere to:

  • Monitoring: Externally- and internally-managed interfaces must be monitored and network traffic controlled. 
  • Implementing Subnetworks: Internal organizational networks must be separated from publicly accessible components (specifically, user-allocated cloud services) via subnetworks.
  • Managed Interfaces: Connections to external networks must operate through managed interfaces that adhere to boundary security controls.


StateRAMP and SC-7 Requirements

All StateRAMP Impact Levels must implement some of the components of SC-17:

Low Impact

Cloud providers meeting StateRAMP Low Impact requirements will implement those baseline guidelines (i.e., those listed above). This means controlled interfaces and subnetwork separation between user-accessible resources and operational systems.

Low+ Impact

There’s a significant jump up from Low to Low+ Impact. Not only do CSPs have to meet the minimum core requirements of SC-7, but four additional capabilities:

  • Deny by Default: This requirement specifies that network traffic should, across all interfaces, be denied by default. Allowed network traffic should be the exception rather than the rule. This means using exclusive whitelists of selective access rather than blacklists of selective access denial.
  • Split Tunneling for Remote Devices: Split tunneling is the process that allows remote devices to connect to local resources through non-remote standards (such as a VPN) while also using non-encrypted or insecure network standards. Such practices can render otherwise secure networks or subnetworks vulnerable to external access, and as such, organizations should prevent this with properly-configured network access technology. 
  • Host-Based Protection: Organizations should implement host-based (as opposed to network-based) protections on relevant systems, like servers, firewalls, or workstations.
  • Isolation of Tools and Components: Organizations should implement subnetworks (with managed interfaces) to separate security and defensive infrastructure from operational infrastructure. This prevents attackers from conducting forensic analysis of system defenses through hacked production technology.

Moderate Impact

Along with baseline SC-7 guidelines and additional Low+ guidelines, StateRAMP Moderate Impact also includes four additional requirements:

  • Access Point Security: Organizations should attempt to limit the number of external connections to the system.
  • External Telecommunications: Organizations must also implement managed interfaces to handle external telecommunications (data and protocol communications) services. This means establishing traffic flow policies, protecting the confidentiality and integrity of data passing through such interfaces, documenting policy exceptions, and other control requirements.
  • Routing and Proxy Servers: Organizations must designate specific forms of network traffic to route through proxy networks. Such rerouting allows the organization to handle better requests for system resources from external devices. 
  • Fail Secure: If a system encounters an operational failure, there must be safeguards to ensure this failure does not allow the system to enter an unsecured state. This may include configurations that, for example, do not allow traffic to enter internal network resources if a firewall fails.


Maintain Network Security Under StateRAMP. Trust Continuum GRC

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2
  • PCI DSS 4.0
  • IRS 1075
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

Continuum GRC