Protective technology controls sit at the core of SACS-002 compliance. Under TPC-6 and related controls, Aramco requires every vendor to deploy firewalls, anti-virus protection, DDoS mitigation, and -- for web-facing systems -- web application firewalls. These are not suggestions or best practices; they are mandatory controls with specific configuration requirements and evidence demands that auditors will verify during the CCC assessment. This guide breaks down each requirement, the evidence you must produce, and how a managed security platform eliminates the configuration burden.
TPC-6: The Protective Technology Mandate
SACS-002 TPC-6 (Protective Technology): Firewalls must be configured and enabled on all endpoints. Anti-virus software must be installed on all systems with daily signature updates and bi-weekly full system scans. DDoS protection is required for internet-facing systems.
TPC-6 is a compound control -- it bundles multiple protective technologies into a single requirement. Each sub-component has its own configuration specifications and evidence requirements. Let us examine each one in detail.
Firewall Requirements
SACS-002 requires that firewalls are "configured and enabled" on all endpoints. This is not limited to network perimeter firewalls -- it includes host-based firewalls on every workstation and server in your environment.
What "Configured and Enabled" Means
Simply having a firewall installed is not sufficient. The auditor will look for evidence that the firewall is:
- Actively running on every endpoint (not just installed but disabled)
- Configured with explicit rules that follow the principle of least privilege -- only ports and services that are business-necessary should be open
- Blocking by default -- the default policy should deny all inbound traffic and only allow explicitly permitted services
- Logging enabled -- firewall logs must capture blocked and allowed connections for audit trail purposes
- Centrally managed (for organizations with multiple endpoints) -- individual users should not be able to disable the firewall or modify rules without authorization
Host-Based vs. Network Firewalls
For CCC compliance, you typically need both layers:
- Network firewall (perimeter): Protects your network boundary. This can be a hardware appliance, a virtual appliance on your cloud infrastructure, or a cloud-based firewall service. It controls traffic between your network and the internet.
- Host-based firewall: Runs on each individual server and workstation. On Windows, this is Windows Defender Firewall or a third-party solution. On Linux, this is iptables, nftables, or firewalld. Host-based firewalls protect against lateral movement within your network.
The auditor expects to see both: a perimeter firewall controlling ingress/egress traffic, and host-based firewalls on individual systems. Each must have documented rule sets that can be exported and reviewed.
Firewall Evidence Requirements
During the CCC audit, you will need to provide:
- Firewall configuration export showing active rules, default deny policy, and enabled logging
- Screenshot or report showing the firewall is active on each endpoint in your asset inventory
- Change management records for any firewall rule modifications (who changed what, when, and why)
- Network diagram showing where firewalls are positioned in your infrastructure
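As an added illustration of the "configured and enabled" criteria and the firewall configuration export the auditor asks for, the following script checks a captured nftables ruleset (the text `nft list ruleset` prints on a Linux host) for a default-deny inbound policy, logging of blocked traffic, catch-all accept rules, and open ports that are not on the documented business-necessary list. This is example code written for this guide, not part of SACS-002 or of any vendor's platform; the two rulesets are constructed samples, and the approved-port set is an assumption standing in for your own documented service list.

```python
import re

# Constructed sample `nft list ruleset` output for a host that meets the
# "configured and enabled" criteria: default deny inbound, explicit allows,
# logging of dropped packets. Not captured from any real system.
COMPLIANT_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport { 22, 443 } accept
        log prefix "nft-input-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Constructed sample of the "configured in name only" failure: the firewall is
# running, but the policy accepts everything, nothing is logged, and an
# unconditional accept rule is present.
PERMISSIVE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 3389 accept
        accept
    }
}
"""


def parse_nft_ruleset(text):
    """Return {chain_name: {hook, policy, rules}} for every chain bound to a hook."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = {"name": m.group(1), "hook": None, "policy": None, "rules": []}
            continue
        if current is None:          # table header / table closing brace
            continue
        if line == "}":              # end of the current chain
            if current["hook"]:
                chains[current["name"]] = current
            current = None
            continue
        m = re.match(r"type \w+ hook (\w+) priority [^;]+; policy (\w+);", line)
        if m:
            current["hook"], current["policy"] = m.group(1), m.group(2)
        else:
            current["rules"].append(line)
    return chains


def assess_input_chain(text, approved_ports):
    """Check the inbound chain against the TPC-6 criteria; an empty list means no findings.

    approved_ports: set of (proto, port) tuples documented as business-necessary,
    e.g. {("tcp", 22), ("tcp", 443)} (assumed values for this example).
    """
    chains = parse_nft_ruleset(text)
    inp = next((c for c in chains.values() if c["hook"] == "input"), None)
    if inp is None:
        return ["no chain hooked on input: inbound traffic is not being filtered"]
    findings = []
    if inp["policy"] != "drop":
        findings.append(f"input chain policy is '{inp['policy']}', expected default deny (drop)")
    open_ports, logs_drops = set(), False
    for rule in inp["rules"]:
        if re.search(r"\blog\b", rule):
            logs_drops = True
        # Matches both `tcp dport 22 accept` and `tcp dport { 22, 443 } accept`.
        m = re.search(r"\b(tcp|udp) dport (\d+|\{[\d, ]+\}).*\baccept\b", rule)
        if m:
            for port in re.findall(r"\d+", m.group(2)):
                open_ports.add((m.group(1), int(port)))
        elif rule == "accept":
            findings.append("unconditional 'accept' rule turns the input chain into allow-all")
    if not logs_drops:
        findings.append("no 'log' statement: blocked connections leave no audit trail")
    for proto, port in sorted(open_ports):
        if (proto, port) not in approved_ports:
            findings.append(f"{proto}/{port} is open but not on the approved service list")
    return findings


if __name__ == "__main__":
    approved = {("tcp", 22), ("tcp", 443)}
    for name, ruleset in [("compliant", COMPLIANT_RULESET), ("permissive", PERMISSIVE_RULESET)]:
        findings = assess_input_chain(ruleset, approved)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against `nft list ruleset` output saved from each Linux endpoint, the script produces a per-host finding list that can be attached to the configuration export; an empty list for every host is the state the auditor expects to see. The same checks (default policy, logging, catch-all rules, undocumented open ports) apply to Windows Defender Firewall exports, only the parsing differs.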
Anti-Virus and Endpoint Protection
SACS-002 mandates anti-virus (AV) software on all systems with two specific operational requirements: daily signature updates and bi-weekly full system scans.
Daily Signature Updates
The anti-virus solution must update its malware signature database at least once per day. This means:
- Automatic updates must be configured (manual updates are unreliable and non-compliant)
- The AV management console must show update timestamps for each endpoint
- If an endpoint fails to update for more than 24 hours, it should be flagged and remediated
- The auditor will ask for a report showing update history across all endpoints for the past 30-90 days
Bi-Weekly Full System Scans
A full system scan (not a quick scan) must run on every endpoint at least every two weeks. This means:
- Scheduled scans must be configured centrally -- relying on individual users to run manual scans is not compliant
- Scan results must be logged and accessible from the AV management console
- Any detections must be documented with the action taken (quarantine, removal, false positive determination)
- The auditor will request scan history reports showing dates, coverage, and results
Key point: Standalone AV installations on individual machines (without a central management console) are extremely difficult to make compliant. You cannot produce the update history reports or scan logs the auditor requires without centralized management. Invest in an endpoint protection platform with a management console, not individual AV licenses.
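The daily-update and bi-weekly-scan requirements above, and the evidence compilation they imply, come down to one question per endpoint: over the audit window, was there ever a gap longer than 24 hours between signature updates, or longer than 14 days between full scans, and does every asset in the inventory appear in the console export at all? The following script answers that from a management-console export. It is an added example written for this guide, not code from the page, from SACS-002, or from any AV vendor; the CSV layout (endpoint, event, timestamp) and the host names are constructed assumptions, and real consoles export their own formats.

```python
import csv
import io
from datetime import datetime, timedelta

SAMPLE_INVENTORY = ["ws-01", "ws-02", "srv-01"]   # constructed asset inventory


def build_sample_export():
    """Constructed AV-console export (endpoint,event,timestamp); not a real vendor format.

    ws-01 updates daily and runs full scans on 1 and 15 March: compliant.
    ws-02 is a laptop offline from 6 to 10 March and only ever runs quick scans.
    srv-01 is in the asset inventory but never reports to the console.
    """
    rows = ["endpoint,event,timestamp"]
    first = datetime(2024, 3, 1, 2, 0)
    for day in range(16):
        stamp = (first + timedelta(days=day)).isoformat()
        rows.append(f"ws-01,signature_update,{stamp}")
        if day < 5 or day > 9:          # ws-02 misses days 5..9 (offline)
            rows.append(f"ws-02,signature_update,{stamp}")
    rows += ["ws-01,full_scan,2024-03-01T22:00:00",
             "ws-01,full_scan,2024-03-15T22:00:00",
             "ws-02,quick_scan,2024-03-02T22:00:00",
             "ws-02,quick_scan,2024-03-09T22:00:00"]
    return "\n".join(rows) + "\n"


def _gaps(times, start, end):
    """Intervals between consecutive timestamps, bounded by the audit window."""
    points = [start] + sorted(times) + [end]
    return list(zip(points, points[1:]))


def assess_av_evidence(export_csv, inventory, window_start, as_of,
                       max_update_gap=timedelta(hours=24),
                       max_scan_gap=timedelta(days=14)):
    """Return {endpoint: [findings]} for every inventoried asset; [] means compliant."""
    events = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        ts = datetime.fromisoformat(row["timestamp"])
        if window_start <= ts <= as_of:
            events.setdefault(row["endpoint"], {}).setdefault(row["event"], []).append(ts)
    report = {}
    for host in inventory:
        if host not in events:
            report[host] = ["no AV events in console export: endpoint is unmanaged or missing"]
            continue
        findings = []
        # Daily signature updates: any interval over 24 h is a gap in the evidence.
        for a, b in _gaps(events[host].get("signature_update", []), window_start, as_of):
            if b - a > max_update_gap:
                findings.append(f"signature update gap of {(b - a).days} days from {a.date()} to {b.date()}")
        # Bi-weekly full scans: quick scans are ignored on purpose.
        scans = events[host].get("full_scan", [])
        if not scans:
            findings.append("no full system scan recorded (quick scans do not satisfy the bi-weekly requirement)")
        else:
            for a, b in _gaps(scans, window_start, as_of):
                if b - a > max_scan_gap:
                    findings.append(f"full scan gap of {(b - a).days} days from {a.date()} to {b.date()}")
        report[host] = findings
    return report


def sample_report():
    """Assess the constructed export over a 16-day window ending 17 March 2024."""
    return assess_av_evidence(build_sample_export(), SAMPLE_INVENTORY,
                              window_start=datetime(2024, 3, 1),
                              as_of=datetime(2024, 3, 17))


if __name__ == "__main__":
    for host, findings in sample_report().items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Three of the audit failures listed later on this page fall out of the same pass: the offline laptop shows up as an update gap, the host that only runs quick scans is reported as having no full-scan evidence, and the inventoried server with no console events is the standalone or unmanaged installation the auditor will ask about. Widening the window to 90 days is a parameter change, which is the point of keeping the evidence in a central console rather than on 30 separate machines.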
What Counts as "Anti-Virus"
Modern endpoint protection platforms (EPP) and endpoint detection and response (EDR) solutions satisfy the anti-virus requirement, provided they include signature-based detection (for daily updates) and full-scan capability (for bi-weekly scans). Examples include:
- CrowdStrike Falcon, SentinelOne, or Carbon Black (EDR with AV capabilities)
- Microsoft Defender for Endpoint (with centralized management via Intune or Defender portal)
- Bitdefender GravityZone, ESET PROTECT, or Kaspersky Endpoint Security (traditional EPP with central console)
Windows Defender (the free, built-in version without centralized management) is a common audit failure point. While it provides real-time protection, it does not offer the centralized reporting and management required for audit evidence without Microsoft Defender for Endpoint or an equivalent management layer.
DDoS Protection
SACS-002 requires DDoS protection for internet-facing systems. If your company operates any services accessible from the internet -- a website, email server, VPN endpoint, API, or client portal -- those services must be protected against distributed denial-of-service attacks.
DDoS protection can be implemented at multiple levels:
- Network-level (Layer 3/4): Protects against volumetric attacks (UDP floods, SYN floods, amplification attacks). Typically provided by your hosting provider or a dedicated DDoS mitigation service.
- Application-level (Layer 7): Protects against HTTP floods, slowloris attacks, and application-layer exploits. Requires a Web Application Firewall (WAF) or application-level DDoS mitigation.
For the CCC audit, you need to demonstrate that DDoS protection is active and covers your internet-facing assets. Evidence includes the DDoS protection service configuration, any mitigation reports from past incidents, and documentation of the protection scope (which IPs or services are covered).
Web Application Firewall (WAF)
For vendors operating web-facing applications -- client portals, web APIs, e-commerce platforms, or any custom web application used in Aramco business -- a WAF provides an additional security layer beyond the network firewall. While SACS-002 does not always explicitly mandate a WAF for all vendors, it is considered a best practice under TPC-6 for web-facing systems, and auditors may flag the absence of a WAF for CCC+ vendors.
A WAF protects against:
- SQL injection attacks
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- File inclusion vulnerabilities
- API abuse and bot traffic
WAF rule sets should be kept current, and any custom rules should be documented. WAF logs and blocked-request reports are valuable audit evidence demonstrating active protection of web-facing assets.
Requirements Mapped to Solutions
The following table maps each protective technology requirement to its TPC reference, the evidence the auditor needs, and the MassiveGRID package component that satisfies it.
| Requirement | TPC Reference | Evidence Needed | MassiveGRID Solution |
|---|---|---|---|
| Firewall on all endpoints | TPC-6 | Firewall configuration export, active status screenshot per endpoint, default deny policy, rule change logs | Managed firewall with pre-configured rules, centralized management, exportable configuration for audit |
| Anti-virus with daily updates | TPC-6 | AV management console showing daily update timestamps for each endpoint over 30-90 day period | Endpoint protection with centralized console, automatic daily updates, update history reports |
| Bi-weekly full system scans | TPC-6 | Scan history report showing full scan dates, coverage percentage, and detection/remediation results | Scheduled full scans every 14 days, scan reports accessible from management console |
| DDoS protection | TPC-6 | DDoS protection service configuration, scope documentation (which assets are covered), mitigation capacity details | Network-level DDoS protection included for all internet-facing services, mitigation reports available on demand |
| WAF for web-facing systems | TPC-6 (best practice) | WAF configuration, active rule sets, blocked request logs, custom rule documentation | Web Application Firewall with managed rule sets, logging enabled, dashboard access for evidence export |
| Centralized management | TPC-6 (implied) | Management console access showing all endpoints, their protection status, and policy compliance | Single management dashboard for firewall, AV, and DDoS status across all package components |
The Evidence Problem: Why Managed Beats Self-Managed
The most underestimated aspect of TPC-6 compliance is not the technology itself -- it is the evidence production. Deploying a firewall and installing anti-virus is straightforward. Producing audit-ready evidence that proves continuous compliance over time is where most vendors struggle.
Consider the evidence burden for a self-managed environment with 30 endpoints:
- You need to export firewall configurations from 30 machines and a network firewall
- You need AV update history for 30 endpoints showing daily updates over 90 days -- that is 2,700 update records
- You need scan reports showing bi-weekly full scans across 30 endpoints over 90 days -- 180 scan records
- You need DDoS protection documentation for every internet-facing IP
- All of this must be compiled, organized, and cross-referenced with your asset inventory
A managed security platform with a centralized console reduces this to a few report exports. The platform maintains the evidence continuously, and when the auditor asks for proof, you generate a report rather than scrambling to compile data from 30 individual machines.
Common Audit Failures in Protective Technology
These are the patterns we see most frequently in CCC audit findings related to TPC-6:
- Firewall disabled on workstations: Employees disable the firewall to resolve connectivity issues and never re-enable it. Without centralized policy enforcement, this goes undetected.
- AV signatures outdated: Laptops that were offline or disconnected from the corporate network for extended periods have outdated signatures. The management console shows gaps in the update timeline.
- No full scan evidence: Quick scans are running, but no full system scan has been performed in months. Auditors specifically ask for full scan results.
- Standalone AV without management: Each machine has AV installed individually, but there is no centralized console to pull reports from. The vendor cannot produce the required evidence.
- No DDoS protection documentation: The vendor assumes their ISP provides DDoS protection but has no service agreement or documentation to prove it.
- Firewall rules too permissive: The firewall is on, but the rules allow all traffic on all ports. The auditor flags this as "configured" in name only.
Building a Compliant Security Stack
A CCC-compliant protective technology stack requires coordination between multiple components. The firewall must work with the VPN (to allow encrypted remote access while blocking everything else). The AV must cover servers and workstations alike. DDoS protection must cover the VPN endpoint, email server, and any web services. And all of it must produce evidence that can be compiled for the auditor.
For a complete overview of how these protective technologies fit into the broader SACS-002 requirements -- including encryption, email security, and access control -- see our comprehensive Aramco CCC guide.
Get Audit-Ready Firewall and Endpoint Protection
MassiveGRID's Aramco CCC-Compliant Infrastructure Package includes managed firewall, endpoint protection with centralized management, DDoS protection, and WAF -- all pre-configured with SACS-002 specifications and evidence documentation ready for your assessor. No self-managed configuration, no evidence scramble, no audit surprises.