1
00:00:00,020 --> 00:00:01,020
In this lesson,

2
00:00:01,020 --> 00:00:03,780
we're going to talk about authorization boundaries.

3
00:00:03,780 --> 00:00:06,960
Now, authorization boundaries are really important in RMF

4
00:00:06,960 --> 00:00:08,910
because they define what will be considered

5
00:00:08,910 --> 00:00:12,810
in scope for the RMF process that you're undertaking.

6
00:00:12,810 --> 00:00:15,630
An authorization boundary is the set of system elements,

7
00:00:15,630 --> 00:00:17,640
comprising the system to be authorized

8
00:00:17,640 --> 00:00:19,800
for operation or authorized for use

9
00:00:19,800 --> 00:00:21,840
by an authorizing official.

10
00:00:21,840 --> 00:00:26,010
For example, we refer to this as the scope of authorization.

11
00:00:26,010 --> 00:00:28,680
Now, this authorization boundary is used to establish

12
00:00:28,680 --> 00:00:31,650
the scope of protection for an information system.

13
00:00:31,650 --> 00:00:34,230
So when this authorization boundary is being stated

14
00:00:34,230 --> 00:00:37,380
in the RMF process all the way back in the prepare step

15
00:00:37,380 --> 00:00:38,638
and once you get into step six

16
00:00:38,638 --> 00:00:40,920
where you're going to the authorization step,

17
00:00:40,920 --> 00:00:42,930
that authorization official is going

18
00:00:42,930 --> 00:00:45,120
to be making their decision based on the scope

19
00:00:45,120 --> 00:00:47,970
and the authorization boundary that you've set up.

20
00:00:47,970 --> 00:00:50,610
This authorization boundary is what the organization

21
00:00:50,610 --> 00:00:53,130
is agreeing to protect under its direct management

22
00:00:53,130 --> 00:00:55,971
or within the scope of its responsibilities.

23
00:00:55,971 --> 00:00:58,518
Now, this authorization boundary can include a lot

24
00:00:58,518 --> 00:01:00,720
of different things, including things

25
00:01:00,720 --> 00:01:03,960
like people, processes, and information technologies,

26
00:01:03,960 --> 00:01:06,600
such as system elements that are going to be considered part

27
00:01:06,600 --> 00:01:09,420
of each system that's supporting the organization's missions

28
00:01:09,420 --> 00:01:11,160
and business functions.

29
00:01:11,160 --> 00:01:13,440
These authorization boundaries should be set

30
00:01:13,440 --> 00:01:15,060
to the appropriate size.

31
00:01:15,060 --> 00:01:17,389
If they're too small, this means you're going to have a lot

32
00:01:17,389 --> 00:01:19,381
of little systems that you're going to have to connect together

33
00:01:19,381 --> 00:01:22,140
because each little system is being considered

34
00:01:22,140 --> 00:01:24,930
its own authorization boundary and can be approved

35
00:01:24,930 --> 00:01:28,080
or denied based on its own individual merits.

36
00:01:28,080 --> 00:01:29,880
On the other hand, if you have a really complex

37
00:01:29,880 --> 00:01:32,610
or large system, this actually takes a lot more time

38
00:01:32,610 --> 00:01:34,530
to get through the RMF process

39
00:01:34,530 --> 00:01:36,660
because you have so many more systems there

40
00:01:36,660 --> 00:01:38,790
which means there's a lot more risk.

41
00:01:38,790 --> 00:01:41,430
So as you're determining what your authorization boundary

42
00:01:41,430 --> 00:01:43,500
is going to be, you need to make sure you have it

43
00:01:43,500 --> 00:01:47,310
at the right size, not too small and not too large.

44
00:01:47,310 --> 00:01:49,740
So you may be wondering how do you determine

45
00:01:49,740 --> 00:01:51,540
how large to make it?

46
00:01:51,540 --> 00:01:54,300
Well, as I said, if you have it too large,

47
00:01:54,300 --> 00:01:55,890
you're going to be spending a lot more time

48
00:01:55,890 --> 00:01:58,110
and money going through the RMF process.

49
00:01:58,110 --> 00:02:00,090
Conversely though, if you make it too small,

50
00:02:00,090 --> 00:02:01,650
you're also going to be running up the cost

51
00:02:01,650 --> 00:02:03,283
to your organization because now,

52
00:02:03,283 --> 00:02:05,940
you may have 10 different RMF packages

53
00:02:05,940 --> 00:02:08,790
for 10 different systems, instead of just having one

54
00:02:08,790 --> 00:02:12,053
or maybe two or three for that same 10 systems.

55
00:02:12,053 --> 00:02:14,130
To be able to figure out what the right size is,

56
00:02:14,130 --> 00:02:16,050
you really have to figure out what should be included

57
00:02:16,050 --> 00:02:18,570
inside of your authorization boundary.

58
00:02:18,570 --> 00:02:21,360
When you put things inside of your authorization boundary,

59
00:02:21,360 --> 00:02:23,460
this is basically going to refer to all the sets

60
00:02:23,460 --> 00:02:25,391
of common controls that are going to be authorized

61
00:02:25,391 --> 00:02:28,440
for inheritance purposes, and that can be shared

62
00:02:28,440 --> 00:02:32,010
by all the systems inside of that single RMF package

63
00:02:32,010 --> 00:02:34,830
or this one authorization boundary.

64
00:02:34,830 --> 00:02:36,210
For example, if you look

65
00:02:36,210 --> 00:02:39,670
in the NIST Special Publication 800-37, Revision 2

66
00:02:39,670 --> 00:02:41,370
which is the guiding document

67
00:02:41,370 --> 00:02:43,830
for the risk management framework for information systems

68
00:02:43,830 --> 00:02:46,170
and organizations, that's put out by NIST.

69
00:02:46,170 --> 00:02:50,370
It shows figure five, which is conceptual view of a system.

70
00:02:50,370 --> 00:02:52,230
Now notice here, we have a system

71
00:02:52,230 --> 00:02:55,560
with its authorization boundary inside of the triangle.

72
00:02:55,560 --> 00:02:56,670
Inside of that system,

73
00:02:56,670 --> 00:02:58,762
I have three different system elements.

74
00:02:58,762 --> 00:03:01,590
For example, let's say I was building a web application

75
00:03:01,590 --> 00:03:03,780
for Dion Training that's going to allow you

76
00:03:03,780 --> 00:03:06,360
to take practice exams for certifications.

77
00:03:06,360 --> 00:03:09,000
In my system, I may have three different components.

78
00:03:09,000 --> 00:03:11,430
The first one might be a website that's going to be hosted

79
00:03:11,430 --> 00:03:12,750
on a web server.

80
00:03:12,750 --> 00:03:14,272
This would be my web front-end.

81
00:03:14,272 --> 00:03:17,171
On the back-end, I might have two different databases,

82
00:03:17,171 --> 00:03:19,230
one for all of my students and users

83
00:03:19,230 --> 00:03:22,170
and another for all the exam questions that are being used.

84
00:03:22,170 --> 00:03:23,843
And so, in this simple system,

85
00:03:23,843 --> 00:03:26,580
I have a web front-end and two databases.

86
00:03:26,580 --> 00:03:28,530
This is my three system elements.

87
00:03:28,530 --> 00:03:30,240
All three of them are going to work together

88
00:03:30,240 --> 00:03:32,610
and talk to each other during operation.

89
00:03:32,610 --> 00:03:34,620
But in addition to that, I have a lot

90
00:03:34,620 --> 00:03:36,690
of other enabling systems that are going to be used

91
00:03:36,690 --> 00:03:39,180
as part of this web application too.

92
00:03:39,180 --> 00:03:41,220
For example, if you're going to be taking one

93
00:03:41,220 --> 00:03:42,390
of my practice exams,

94
00:03:42,390 --> 00:03:45,210
I need to know which course you've signed up for.

95
00:03:45,210 --> 00:03:46,740
So it may reach out

96
00:03:46,740 --> 00:03:48,630
and talk to my learning management system

97
00:03:48,630 --> 00:03:50,670
which is one of my enabling systems.

98
00:03:50,670 --> 00:03:52,800
In addition to that, it may reach out and talk

99
00:03:52,800 --> 00:03:55,259
to my e-commerce system to check, did you actually pay

100
00:03:55,259 --> 00:03:58,380
and did your credit card payment go through successfully.

101
00:03:58,380 --> 00:04:00,419
All these are enabling systems that are outside

102
00:04:00,419 --> 00:04:02,910
of my system authorization boundary

103
00:04:02,910 --> 00:04:04,410
because I'm only concerned

104
00:04:04,410 --> 00:04:07,740
with the web application that runs this exam software.

105
00:04:07,740 --> 00:04:10,200
But I do need to talk to those other components

106
00:04:10,200 --> 00:04:13,470
outside of this system boundary to get some information.

107
00:04:13,470 --> 00:04:15,397
And so this is where we're drawing our line and saying,

108
00:04:15,397 --> 00:04:17,580
"These are the three components I'm going to be looking at

109
00:04:17,580 --> 00:04:19,380
for this RMF package."

110
00:04:19,380 --> 00:04:21,600
Those other systems may already be online

111
00:04:21,600 --> 00:04:22,433
because they've gone

112
00:04:22,433 --> 00:04:24,360
through their own RMF package previously,

113
00:04:24,360 --> 00:04:25,920
such as my learning management system

114
00:04:25,920 --> 00:04:27,810
and my e-commerce system.

115
00:04:27,810 --> 00:04:31,320
But for this new system I'm going to be doing, I can then say

116
00:04:31,320 --> 00:04:34,170
this new system is these three system elements,

117
00:04:34,170 --> 00:04:36,099
I put them together and that is what makes up

118
00:04:36,099 --> 00:04:38,310
this exam software that I'm going

119
00:04:38,310 --> 00:04:40,410
through the RMF process for.

120
00:04:40,410 --> 00:04:42,120
This is a good example of how you can set up

121
00:04:42,120 --> 00:04:43,530
your authorization boundary.

122
00:04:43,530 --> 00:04:46,470
And you do this based on all the systems working together

123
00:04:46,470 --> 00:04:47,850
for a single operation.

124
00:04:47,850 --> 00:04:50,970
And in my case, that's delivering practice exams.

125
00:04:50,970 --> 00:04:53,490
Now, if you're looking at a simple system like this,

126
00:04:53,490 --> 00:04:55,839
this type of a layout works really well, but

127
00:04:55,839 --> 00:04:59,430
there's other systems out there that are much more complex.

128
00:04:59,430 --> 00:05:01,680
Let's use the example of a more complex version

129
00:05:01,680 --> 00:05:03,570
of a learning management system.

130
00:05:03,570 --> 00:05:05,070
Now, the learning management system

131
00:05:05,070 --> 00:05:06,811
might be the authorization boundary,

132
00:05:06,811 --> 00:05:08,940
but inside that learning management system

133
00:05:08,940 --> 00:05:12,270
I have multiple different components or subsystems involved.

134
00:05:12,270 --> 00:05:14,610
For example, I might have one that is dealing

135
00:05:14,610 --> 00:05:17,970
with all of the hands-on labs that I offer on my website.

136
00:05:17,970 --> 00:05:20,010
In this case, I have multiple system elements

137
00:05:20,010 --> 00:05:22,380
associated with that including virtual machines,

138
00:05:22,380 --> 00:05:24,150
hypervisors, and a lot of different code

139
00:05:24,150 --> 00:05:26,130
that ties all those things together.

140
00:05:26,130 --> 00:05:28,380
So, we'll call that subsystem one.

141
00:05:28,380 --> 00:05:30,240
Then we have subsystem two.

142
00:05:30,240 --> 00:05:32,130
Subsystem two is focused on our ability

143
00:05:32,130 --> 00:05:34,920
to give you the right video and play those videos back.

144
00:05:34,920 --> 00:05:36,810
This is going to have additional system elements

145
00:05:36,810 --> 00:05:39,830
as part of subsystem two, which includes a web front-end,

146
00:05:39,830 --> 00:05:41,910
the code that allows you to play videos,

147
00:05:41,910 --> 00:05:45,240
and the video hosting service underlying all of that.

148
00:05:45,240 --> 00:05:47,100
Then we might have subsystem three

149
00:05:47,100 --> 00:05:49,350
and subsystem three might be a reporting engine

150
00:05:49,350 --> 00:05:51,450
as part of this learning management system.

151
00:05:51,450 --> 00:05:53,400
So every time you finish a lab

152
00:05:53,400 --> 00:05:54,930
or every time you finish a video,

153
00:05:54,930 --> 00:05:57,600
I need to be able to mark that as complete in the system

154
00:05:57,600 --> 00:05:59,520
so that if I or one of my other instructors

155
00:05:59,520 --> 00:06:00,960
want to look up your progress,

156
00:06:00,960 --> 00:06:03,090
we could do that by using subsystem three,

157
00:06:03,090 --> 00:06:04,320
which is the reporting part

158
00:06:04,320 --> 00:06:06,060
of our learning management system.

159
00:06:06,060 --> 00:06:07,320
But you'll notice how all three

160
00:06:07,320 --> 00:06:09,300
of these components work together

161
00:06:09,300 --> 00:06:11,920
inside of this more complex learning management system.

162
00:06:11,920 --> 00:06:14,520
And over time, we can add a lot of other features

163
00:06:14,520 --> 00:06:16,710
by adding additional systems and then going through

164
00:06:16,710 --> 00:06:19,650
the RMF process to be able to get approval to get them added

165
00:06:19,650 --> 00:06:21,720
into this larger learning management system.

166
00:06:21,720 --> 00:06:25,110
So we might have labs and videos and reports, but now,

167
00:06:25,110 --> 00:06:27,570
we might also add the ability to have a textbook online

168
00:06:27,570 --> 00:06:30,600
or to take a quiz online or things like that.

169
00:06:30,600 --> 00:06:32,100
All of this allows us to figure out

170
00:06:32,100 --> 00:06:34,140
where this authorization is going to be.

171
00:06:34,140 --> 00:06:36,150
And it doesn't mean that these systems

172
00:06:36,150 --> 00:06:37,350
aren't going to communicate with things

173
00:06:37,350 --> 00:06:39,720
outside of their authorization boundary

174
00:06:39,720 --> 00:06:42,300
but instead, we are just saying this is the line

175
00:06:42,300 --> 00:06:44,160
in the sand that says all the things inside

176
00:06:44,160 --> 00:06:47,160
of this line are part of this authorization boundary

177
00:06:47,160 --> 00:06:50,640
and therefore, they're going to be part of my RMF package.

178
00:06:50,640 --> 00:06:52,290
Now, as I went through this simple example

179
00:06:52,290 --> 00:06:53,880
of an authorization boundary,

180
00:06:53,880 --> 00:06:56,280
you saw me use a couple of key terms here.

181
00:06:56,280 --> 00:06:58,620
First, we talked about authorization boundary

182
00:06:58,620 --> 00:07:00,840
and then we talked about having three system elements

183
00:07:00,840 --> 00:07:03,810
that make up a single system in our more simplified version

184
00:07:03,810 --> 00:07:05,370
of a system, which was going to be used

185
00:07:05,370 --> 00:07:07,620
for our practice exam web application.

186
00:07:07,620 --> 00:07:08,970
Now, on the other hand, if we are going

187
00:07:08,970 --> 00:07:10,980
to the more complex view of a system,

188
00:07:10,980 --> 00:07:13,200
we had those same three system elements

189
00:07:13,200 --> 00:07:15,360
making up one subsystem

190
00:07:15,360 --> 00:07:18,960
and then we had multiple subsystems all working together

191
00:07:18,960 --> 00:07:22,350
in order to create a larger and more complex system.

192
00:07:22,350 --> 00:07:23,820
Now, in addition to those elements,

193
00:07:23,820 --> 00:07:25,563
we also had these enabling systems

194
00:07:25,563 --> 00:07:28,350
outside of the system authorization boundary.

195
00:07:28,350 --> 00:07:31,320
And you may be wondering, what is an enabling system?

196
00:07:31,320 --> 00:07:33,270
Well, an enabling system can provide you

197
00:07:33,270 --> 00:07:35,763
with common controls, which we call inherited controls

198
00:07:35,763 --> 00:07:39,450
for your system, or it can include any type of service

199
00:07:39,450 --> 00:07:42,600
or functionality used by your system that is going to be given

200
00:07:42,600 --> 00:07:45,150
to you from some kind of an outside environment

201
00:07:45,150 --> 00:07:47,931
such as having identification and authentication services,

202
00:07:47,931 --> 00:07:51,750
network services, monitoring functionality, and much more.

203
00:07:51,750 --> 00:07:54,120
So when you see the term enabling system,

204
00:07:54,120 --> 00:07:55,710
just remember this is something that is

205
00:07:55,710 --> 00:07:57,203
outside your authorization boundary

206
00:07:57,203 --> 00:08:00,210
but it's already been approved to be able to be used

207
00:08:00,210 --> 00:08:01,650
through the RMF process.

208
00:08:01,650 --> 00:08:03,270
And so, you're able to take that thing

209
00:08:03,270 --> 00:08:06,150
and use it as a connection to your system, and it's already

210
00:08:06,150 --> 00:08:08,070
outside of your boundary, so you don't have to get

211
00:08:08,070 --> 00:08:10,230
that approved because somebody else is responsible

212
00:08:10,230 --> 00:08:12,210
for the controls over that system.

213
00:08:12,210 --> 00:08:14,010
But you're still going to be able to get the benefits

214
00:08:14,010 --> 00:08:14,940
of using that system

215
00:08:14,940 --> 00:08:16,500
because it's already been properly authorized

216
00:08:16,500 --> 00:08:18,270
for use on the overall network.

217
00:08:18,270 --> 00:08:19,890
And this is one of the really good things

218
00:08:19,890 --> 00:08:22,530
about using RMF in a larger organization

219
00:08:22,530 --> 00:08:24,450
because a lot of things have already been approved

220
00:08:24,450 --> 00:08:26,403
through the RMF process and you could take advantage

221
00:08:26,403 --> 00:08:28,762
of those things and then implement their controls

222
00:08:28,762 --> 00:08:30,060
as your own.

223
00:08:30,060 --> 00:08:32,340
And these become inherited controls.

224
00:08:32,340 --> 00:08:34,181
For example, in one of my previous organizations,

225
00:08:34,181 --> 00:08:37,860
we had a very large unclassified network.

226
00:08:37,860 --> 00:08:40,470
Now I was responsible for that unclassified network

227
00:08:40,470 --> 00:08:42,540
but a lot of my customers would want us

228
00:08:42,540 --> 00:08:45,270
to host their own services inside of our network too.

229
00:08:45,270 --> 00:08:47,550
And the way we did this was we broke up our network

230
00:08:47,550 --> 00:08:49,740
into multiple different network segments

231
00:08:49,740 --> 00:08:51,390
and each segment had a series

232
00:08:51,390 --> 00:08:53,310
of controls that we placed upon them.

233
00:08:53,310 --> 00:08:55,290
For example, let's say I had one zone

234
00:08:55,290 --> 00:08:56,310
in my network that was set up

235
00:08:56,310 --> 00:08:58,170
for all of my internet of things devices.

236
00:08:58,170 --> 00:08:59,820
So if I had things like smart speakers

237
00:08:59,820 --> 00:09:02,700
and TVs and security cameras and all that stuff,

238
00:09:02,700 --> 00:09:05,700
it was all placed into this IoT area of the network.

239
00:09:05,700 --> 00:09:07,530
Now, all the people who wanted to bring a system

240
00:09:07,530 --> 00:09:09,510
that was some sort of an IoT thing,

241
00:09:09,510 --> 00:09:12,720
they can get approval for their own system through RMF.

242
00:09:12,720 --> 00:09:15,210
And once they did, we would allow them to then connect

243
00:09:15,210 --> 00:09:17,520
into our IoT area of our network

244
00:09:17,520 --> 00:09:19,410
because that area already had a bunch of controls

245
00:09:19,410 --> 00:09:21,300
that we put in place so that their systems

246
00:09:21,300 --> 00:09:22,740
can essentially go out to the internet

247
00:09:22,740 --> 00:09:25,290
and not into any of the other areas of our network.

248
00:09:25,290 --> 00:09:27,330
Now, we had another part of our network that was used

249
00:09:27,330 --> 00:09:29,312
for our internet, and it had all of our workstations

250
00:09:29,312 --> 00:09:31,740
and tablets and phones and things like that.

251
00:09:31,740 --> 00:09:33,450
And then we had a third part of our network

252
00:09:33,450 --> 00:09:35,520
that was a DMZ or screen subnet.

253
00:09:35,520 --> 00:09:37,050
And so if you wanted to host a web server

254
00:09:37,050 --> 00:09:38,940
or an email server or something like that,

255
00:09:38,940 --> 00:09:41,970
it would get placed into that DMZ or screen subnet.

256
00:09:41,970 --> 00:09:44,451
And as you're going through your RMF process, you would know

257
00:09:44,451 --> 00:09:47,160
that you are being connected to one of those three areas.

258
00:09:47,160 --> 00:09:49,020
And based on that, I could give you a list

259
00:09:49,020 --> 00:09:51,400
of all the controls that we do on those areas

260
00:09:51,400 --> 00:09:53,370
that you now are able to inherit

261
00:09:53,370 --> 00:09:56,070
because you're connecting into our secure, trusted,

262
00:09:56,070 --> 00:09:58,980
and already approved network for those areas.

263
00:09:58,980 --> 00:10:01,140
For example, if you're going to take a web server

264
00:10:01,140 --> 00:10:03,330
and connect it into my network and you're going to host it

265
00:10:03,330 --> 00:10:05,580
in my data center, you're not going to be responsible

266
00:10:05,580 --> 00:10:06,930
for all the physical security

267
00:10:06,930 --> 00:10:09,210
because it's not your building, it's mine.

268
00:10:09,210 --> 00:10:10,560
I already have the security guards,

269
00:10:10,560 --> 00:10:11,910
I already have the security cameras.

270
00:10:11,910 --> 00:10:13,560
I already have the two-factor authentication

271
00:10:13,560 --> 00:10:15,570
for badging into or out of a room.

272
00:10:15,570 --> 00:10:17,190
I have the locks on the server cabinets

273
00:10:17,190 --> 00:10:18,540
and all of that stuff.

274
00:10:18,540 --> 00:10:20,460
And all of those would be inherited controls

275
00:10:20,460 --> 00:10:23,340
for you because you're now, as part of my data center

276
00:10:23,340 --> 00:10:25,530
inside of my screen subnet and my DMZ,

277
00:10:25,530 --> 00:10:26,731
because we're going to host your web server

278
00:10:26,731 --> 00:10:28,680
inside of our data center

279
00:10:28,680 --> 00:10:31,047
and therefore, you're going to inherit all of those controls.

280
00:10:31,047 --> 00:10:32,310
And so as you're building out

281
00:10:32,310 --> 00:10:33,811
your system authorization boundary,

282
00:10:33,811 --> 00:10:34,931
you're going to be able to say,

283
00:10:34,931 --> 00:10:37,470
I'm not responsible for physical controls

284
00:10:37,470 --> 00:10:40,110
because those are all handled by Jason and his team.

285
00:10:40,110 --> 00:10:43,170
Instead, I'm only focused on the logical controls.

286
00:10:43,170 --> 00:10:45,450
So I'm focused on how people log into my system,

287
00:10:45,450 --> 00:10:48,030
how people are going to upgrade security patches on my systems,

288
00:10:48,030 --> 00:10:49,680
how we're going to do vulnerability scans

289
00:10:49,680 --> 00:10:51,270
on the systems and things like that.

290
00:10:51,270 --> 00:10:53,280
Because all those logical controls are inside

291
00:10:53,280 --> 00:10:55,380
of your authorization boundary and they're not part

292
00:10:55,380 --> 00:10:56,850
of the inherited controls you're getting

293
00:10:56,850 --> 00:11:00,683
by being a part of my screen subnet or my DMZ.