Every perimeter firewall in production, by vendor. Multi-vendor postures are common — record each. Empty selection is a hard finding (a documented perimeter firewall is the bedrock of CIPA compliance — see NET-CF F2 for the enforcement-point pairing).
HA posture for the perimeter. A single firewall with no failover is a hard finding — outage equals full instructional-day internet loss, including state-mandated testing windows. Active/Passive is the standard floor; Active/Active and ZTNA-fronted designs are the upper tiers.
Distinct from which inspection features are enabled (see F6) — this asks whether the hardware/license can support what's enabled (and more) without performance impact. “Over capacity — features disabled” is a hard finding: the firewall isn't enforcing what it's licensed for.
How traffic between district sites is carried. No hard finding here — each option is a defensible architecture; the field surfaces the design choice for context. SD-WAN overlays are the modern default; private transport (MPLS) is common for districts with long-running ISP contracts.
How often the firewall rule base is reviewed for relevance, scope, and orphan rules, and when the last review ran. Stale rules accumulate — orphaned permit rules outlive the systems they protected, and scope drift turns specific allows into effective any-any. “Ad-hoc only” and “Never reviewed” are hard findings. Continuous (tool-driven) postures use rule-analyzer pipelines in lieu of scheduled reviews.
Combined IPS + TLS decryption maturity. Endpoint-based filtering (see NET-CF F1) can partially compensate when edge TLS decryption is limited — the upper tiers here are still the target for districts not relying primarily on endpoint inspection. “No deep inspection” reduces the firewall to Layer 4 stateful only and is a hard finding.
What outbound traffic is filtered, beyond the default-allow stateful response that comes free with any firewall. DNS-layer egress (cross-ref NET-IPS F10 — forwarder choice) handles part of this; Layer 4/7 egress at the firewall handles the rest. Default-permit outbound (“No egress filtering”) is a hard finding — C2 callbacks, exfiltration, and credential harvesting all rely on outbound paths.
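The rule-base review in F5 (orphaned permits, scope drift toward any-any) and the egress check in F7 (an outbound policy that never ends in a deny) are the kind of findings a rule-analyzer pipeline surfaces. The following is an added illustration written for this page, not a tool from the assessment program or any firewall vendor: it runs the checks over a constructed, ordered rule base modelled loosely on a vendor export (first match wins; no explicit terminal outbound deny is treated as implicit default-permit, which is the assumption this example makes). The weak rule base is shown beside a remediated one so the difference in findings is visible.

```python
"""Rule-base hygiene checks for a perimeter firewall export (added example).

The Rule format, the 180-day staleness threshold, and both sample rule bases
are constructed for this illustration and do not come from any vendor.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str            # "inbound" or "outbound"
    action: str               # "permit" or "deny"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    service: str              # e.g. "tcp/443", "udp/53", or "any"
    last_hit: Optional[date]  # None = never matched since counters were reset
    owner: str                # change ticket / system owner; "" = unknown

    def is_any_any(self) -> bool:
        return self.src == "any" and self.dst == "any" and self.service == "any"


TODAY = date(2024, 6, 1)  # fixed review date so results are reproducible

# Constructed "before" rule base: one open any-any permit left over from a
# vendor engagement, one rule for a decommissioned SIS sync, one stale
# printer rule, and no terminal outbound deny.
SAMPLE_RULES = [
    Rule("allow-web-out", "outbound", "permit", "10.0.0.0/8", "any", "tcp/443", TODAY, "NET-001"),
    Rule("allow-dns-out", "outbound", "permit", "10.0.0.0/8", "10.0.0.53/32", "udp/53", TODAY, "NET-002"),
    Rule("legacy-sis-sync", "outbound", "permit", "10.20.5.10/32", "203.0.113.7/32", "tcp/1433", None, "TKT-2019-442"),
    Rule("temp-vendor-any", "outbound", "permit", "any", "any", "any", TODAY - timedelta(days=1), ""),
    Rule("vpn-inbound", "inbound", "permit", "any", "198.51.100.2/32", "udp/443", TODAY, "NET-003"),
    Rule("old-printer-in", "inbound", "permit", "192.0.2.0/24", "10.30.0.9/32", "tcp/9100", date(2023, 1, 10), "TKT-2021-017"),
]

# Constructed "after" rule base: orphans and the any-any permit removed,
# explicit deny-all as the last outbound rule.
HARDENED_RULES = [
    Rule("allow-web-out", "outbound", "permit", "10.0.0.0/8", "any", "tcp/443", TODAY, "NET-001"),
    Rule("allow-dns-out", "outbound", "permit", "10.0.0.0/8", "10.0.0.53/32", "udp/53", TODAY, "NET-002"),
    Rule("deny-all-out", "outbound", "deny", "any", "any", "any", TODAY, "NET-000"),
    Rule("vpn-inbound", "inbound", "permit", "any", "198.51.100.2/32", "udp/443", TODAY, "NET-003"),
]


def any_any_permits(rules: list[Rule]) -> list[str]:
    """Permit rules with no source, destination, or service scope (effective any-any)."""
    return [r.name for r in rules if r.action == "permit" and r.is_any_any()]


def orphan_rules(rules: list[Rule], today: date = TODAY, stale_days: int = 180) -> list[str]:
    """Rules that never matched, or last matched before the staleness cutoff."""
    cutoff = today - timedelta(days=stale_days)
    return [r.name for r in rules if r.last_hit is None or r.last_hit < cutoff]


def unowned_rules(rules: list[Rule]) -> list[str]:
    """Rules with no recorded owner or change ticket; cannot be justified on review."""
    return [r.name for r in rules if not r.owner]


def outbound_terminal_deny(rules: list[Rule]) -> bool:
    """True only if the last outbound rule is an explicit deny-any (egress default-deny)."""
    out = [r for r in rules if r.direction == "outbound"]
    return bool(out) and out[-1].action == "deny" and out[-1].is_any_any()


def review(rules: list[Rule], today: date = TODAY) -> dict:
    """Run all checks; any-any permits and default-permit egress are hard findings
    per the F5/F7 field text, orphans and unowned rules are review items."""
    findings = {
        "any_any_permits": any_any_permits(rules),
        "orphan_rules": orphan_rules(rules, today),
        "unowned_rules": unowned_rules(rules),
        "egress_default_deny": outbound_terminal_deny(rules),
    }
    findings["hard_finding"] = bool(findings["any_any_permits"]) or not findings["egress_default_deny"]
    return findings


if __name__ == "__main__":
    for label, rules in (("before", SAMPLE_RULES), ("after", HARDENED_RULES)):
        print(label, review(rules))
```

On the "before" rule base the review reports temp-vendor-any as an any-any permit, legacy-sis-sync and old-printer-in as orphans, and no egress default-deny, so the hard-finding flag is set; the "after" rule base clears every check. A real pipeline would read hit counters and last-hit timestamps from the vendor's export rather than a hand-built list, but the checks themselves are the same.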
How privileged remote access is established. MFA on client VPN is the minimum bar now — IPsec/L2TP without MFA is a hard finding. ZTNA (per-application, identity-driven) is the modern replacement for client VPN; many districts run a mixed posture during transition. See legacy-cyber IAM for the auth-posture side of this question (when that sub-domain comes online).
Additional ingress hardening applied on top of default-deny — geo-blocking on published services (VPN concentrator, optional school-website) and threat-intel reputation feeds. No hard finding here; default-deny + NAT genuinely is a defensible baseline for districts publishing few services. The ladder surfaces the maturity choice.
How volumetric attacks are mitigated. Many K-12 districts rely on ISP-level upstream scrubbing alone (typically via regional service-center networks in Texas), which is acceptable given their published-service footprint. No hard finding — each option is defensible at the right scale.