Rule base reviewed at least annually
Demonstrate that the organization conducts and documents formal reviews of network and security device rule bases at least annually, ensuring rules remain justified, accurate, and aligned with security policy.
Description
What this control does
Firewall, network access control lists (ACLs), router rules, and similar packet-filtering rule bases must be formally reviewed at least annually to ensure they remain aligned with current business needs, security policies, and the threat landscape. Over time, rule sets accumulate obsolete, overly permissive, or conflicting entries that expand the attack surface and hinder troubleshooting. This control requires documented evidence of periodic reviews by authorized personnel who assess each rule's continued necessity, accuracy, and compliance with least-privilege principles.
Control objective
What auditing this proves
Demonstrate that the organization conducts and documents formal reviews of network and security device rule bases at least annually, ensuring rules remain justified, accurate, and aligned with security policy.
Associated risks
Risks this control addresses
- Accumulation of obsolete or orphaned rules allowing unauthorized network access to decommissioned systems or services
- Overly permissive rules enabling lateral movement by attackers who compromise a single host
- Conflicting or shadowed rules that negate intended security controls without detection
- Unauthorized rule changes persisting undetected due to lack of baseline validation
- Compliance violations from rules that contradict regulatory requirements or internal policies
- Exposure of sensitive services to broader network segments than necessary, violating segmentation requirements
- Inability to enforce least-privilege network access due to unmanaged rule sprawl
Testing procedure
How an auditor verifies this control
- Obtain the organization's network security policy and rule review procedure documentation, noting required frequency and responsible parties.
- Request a complete inventory of in-scope network security devices (firewalls, routers, switches with ACLs, cloud security groups) that enforce traffic filtering rules.
- For each device or device class, obtain evidence of the most recent rule base review, including review date, reviewers, and scope of review.
- Examine review documentation to verify it includes assessment of each rule or rule group for business justification, accuracy, and compliance with least-privilege principles.
- Verify that the review was completed within the past 12 months from the audit date.
- Cross-reference documented review findings with remediation records or change tickets to confirm identified issues (obsolete rules, overly broad permissions) were addressed.
- Select a sample of 10-20 rules from current production rule bases and interview responsible personnel to validate they can articulate the business purpose and owner for each sampled rule.
- Review approval records and change management tickets to confirm rule base changes resulting from the annual review were authorized and implemented according to change control procedures.
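The conditions the review and the testing procedure above look for (overly permissive rules, shadowed or conflicting rules, rules with no owner or business justification, and rules whose last review is older than 12 months) can be checked mechanically before the reviewers sit down. The following Python helper is an added example, not part of the control catalogue or of any firewall vendor's tooling; the rule-base fields, first-match semantics, the 12-month threshold and the sample rules are constructed for illustration.

```python
"""Annual rule-base review helper (added example, not the control catalogue's own tooling).

Models a first-match packet-filtering rule base and reports the findings an
annual review is expected to surface. Field names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    rule_id: str
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    ports: str                  # "any", "443", or "1000-2000"
    owner: str = ""             # accountable team; empty means orphaned
    justification: str = ""     # documented business purpose
    last_reviewed: Optional[date] = None


def _net(spec: str):
    """'any' is the whole IPv4 space; anything else is parsed as a CIDR."""
    return ip_network("0.0.0.0/0") if spec == "any" else ip_network(spec, strict=False)


def _ports(spec: str) -> Tuple[int, int]:
    """Return an inclusive (low, high) port range."""
    if spec == "any":
        return (0, 65535)
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    o_lo, o_hi = _ports(outer.ports)
    i_lo, i_hi = _ports(inner.ports)
    return (_net(outer.src).supernet_of(_net(inner.src))
            and _net(outer.dst).supernet_of(_net(inner.dst))
            and o_lo <= i_lo and i_hi <= o_hi)


def is_overly_permissive(rule: Rule) -> bool:
    """An allow rule with wildcards in at least two of source, destination, ports."""
    wildcards = sum(f == "any" for f in (rule.src, rule.dst, rule.ports))
    return rule.action == "allow" and wildcards >= 2


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never match because an earlier rule already covers them.

    With first-match evaluation the later rule is dead regardless of its action;
    when the actions differ it is the 'conflicting rule' case from the risk list.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                shadowed.append((rule.rule_id, earlier.rule_id))
                break
    return shadowed


def is_stale(rule: Rule, today: date, max_age_days: int = 365) -> bool:
    """No recorded review, or the last review is older than the annual window."""
    return rule.last_reviewed is None or (today - rule.last_reviewed).days > max_age_days


def review(rules: List[Rule], today: date) -> Dict[str, list]:
    """Collect all findings for the review record."""
    return {
        "overly_permissive": [r.rule_id for r in rules if is_overly_permissive(r)],
        "shadowed": find_shadowed(rules),
        "stale": [r.rule_id for r in rules if is_stale(r, today)],
        "unowned": [r.rule_id for r in rules if not (r.owner and r.justification)],
    }


# Constructed sample rule base (not from any real device).
SAMPLE_RULES = [
    Rule("FW-001", "deny", "10.0.0.0/8", "10.20.0.0/16", "any", "netops", "lab must not reach prod", date(2024, 3, 1)),
    Rule("FW-002", "allow", "10.0.5.0/24", "10.20.1.10/32", "443", "app-team", "web tier to API", date(2024, 3, 1)),
    Rule("FW-003", "allow", "any", "any", "any"),  # troubleshooting rule that was never removed
    Rule("FW-004", "allow", "192.168.1.0/24", "10.30.0.5/32", "22", "ops", "admin ssh", date(2022, 11, 15)),
]

if __name__ == "__main__":
    for category, items in review(SAMPLE_RULES, date(2024, 6, 1)).items():
        print(f"{category}: {items}")
```

Running the sample flags FW-003 as overly permissive, stale and unowned; FW-002 as shadowed by the deny in FW-001 (the allow never takes effect); and FW-004 as both shadowed by the any/any rule and overdue for review. The output is the kind of per-rule finding list an auditor can cross-reference against remediation tickets in the procedure above.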
Where this control is tested