System and Communications Protection 3.13.1
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
What Is This CMMC Control?
This control requires organizations to monitor, control, and protect all data communications at the external boundaries (where your network connects to the internet or other external networks) and at key internal boundaries (between different security zones within your network). This includes implementing firewalls, routers, and other boundary protection devices to inspect and control traffic, preventing unauthorized data transmission, blocking malicious traffic, and ensuring that sensitive information (like CUI) is protected as it moves across network boundaries. Organizations must also restrict or prohibit certain network interfaces and consider security risks when using commercial telecommunications services.
Control Intent
To prevent unauthorized access, data exfiltration, and malicious traffic by establishing monitored and controlled boundaries where organizational systems connect to external networks and between internal security zones.
Who This Control Applies To
- All systems that process, store, or transmit CUI
- Network infrastructure components (firewalls, routers, gateways, switches)
- External network connections (internet connections, partner connections, cloud service connections)
- Internal network segments containing CUI or systems processing CUI
- Virtual environments and virtualization infrastructure
- Remote access solutions (VPN, remote desktop)
- Wireless access points and wireless networks
- Cloud-hosted systems and hybrid environments
- Telecommunications services used for CUI transmission
Not Applicable When
- The organization has no external network connections (completely air-gapped with no internet, partner, or external connectivity)
- The organization has no systems that process, store, or transmit CUI
- The system is a standalone workstation with no network connectivity whatsoever
Key Objectives
1. Establish and maintain monitored boundaries at all external network connection points to prevent unauthorized data transmission and malicious traffic ingress.
2. Implement controls at key internal boundaries to segment networks and protect sensitive data zones from unauthorized lateral movement.
3. Restrict or prohibit network interfaces and communications that could enable unauthorized access or data exfiltration.
4. Protect communications traversing boundaries through inspection, filtering, and encryption where appropriate.
Sample Self-Assessment Questions (Partial)
Does your organization have internet connectivity or connections to external networks?
Do you have firewalls or similar devices protecting your network boundaries?
Implementation Approaches (High-Level)
Next-Generation Firewall with Network Segmentation
Deploy next-generation firewalls (NGFW) at all external boundaries and use VLANs or physical segmentation to create internal boundaries, with active monitoring and logging.
Cloud Security Groups and Network ACLs
Use cloud provider security groups, network ACLs, and virtual firewalls to control traffic at external and internal boundaries in cloud environments.
Unified Threat Management (UTM) Appliance
Deploy a unified threat management appliance combining firewall, intrusion prevention, content filtering, and VPN capabilities at network boundaries.
Software-Defined Perimeter (SDP) or Zero Trust Network Access
Implement software-defined perimeter or zero trust network access to create dynamic, identity-based boundaries that hide infrastructure and control access.
Network Access Control (NAC) with Boundary Enforcement
Deploy network access control to enforce boundary protection by controlling which devices can connect to network segments and enforcing security policies at connection time.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If firewalls are deployed but not actively monitored, create a POA&M for implementing a log monitoring and analysis process, with specific milestones for SIEM deployment or log review procedures.
- If network segmentation is incomplete, create a POA&M with a phased approach: (1) document the current network architecture, (2) design a segmentation strategy, (3) implement VLANs or subnets, (4) configure firewall rules between segments, (5) validate segmentation effectiveness.
- If firewall rules are overly permissive, create a POA&M for a firewall rule review and optimization project with a timeline for reviewing and tightening rules.
- If boundary protection is missing for cloud systems, create a POA&M for implementing cloud security groups and network ACLs with specific configuration milestones.
- If no intrusion detection/prevention exists, create a POA&M for IDS/IPS deployment with a timeline for device procurement, installation, and tuning.
- If wireless networks are not segmented, create a POA&M for a wireless network isolation project with specific technical implementation steps.
- If remote access lacks proper boundary protection, create a POA&M for VPN configuration hardening or replacement with a more secure solution.
- If logging is insufficient, create a POA&M for enhancing logging capabilities with specific log sources, retention periods, and analysis procedures.
- If no firewall rule change management exists, create a POA&M for developing and implementing a change control process with an approval workflow.
- If commercial telecommunications risks are not addressed, create a POA&M for contract review and negotiation of security requirements with providers.
- Ensure POA&Ms include specific technical milestones, not just "implement boundary protection"; assessors need to see concrete progress indicators.
- Consider interim compensating controls while a POA&M is in progress, such as enhanced monitoring, restricted access, or additional logging.
- POA&Ms should address both external boundaries (typically higher priority) and internal boundaries (which may follow a phased approach).
- If multiple boundary protection gaps exist, prioritize POA&Ms based on risk: external boundaries first, then CUI system boundaries, then general internal segmentation.
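As an added illustration (not from this guidance page or from ConformatIQ), the following audits a constructed, generic security-group style rule set against named trust zones, the kind of check a "firewall rule review" or "validate segmentation effectiveness" milestone would produce evidence from. The zone CIDRs, the approved cross-boundary flow list, and the rule names are all hypothetical; IPv4 only.

```python
import ipaddress

# Constructed trust zones for the example (not a real network); IPv4 only.
ZONES = {
    "internet": "0.0.0.0/0",
    "general_business": "10.10.0.0/16",
    "cui_segment": "10.20.0.0/16",
}
TRUST = {"internet": 0, "general_business": 1, "cui_segment": 2}  # higher = more trusted
# Hypothetical approved cross-boundary flows: (src zone, dst zone, proto, port).
APPROVED = {("general_business", "cui_segment", "tcp", 443)}

def zone_of(cidr):
    """Map a CIDR to the most specific zone containing it (0.0.0.0/0 catches the rest)."""
    net = ipaddress.ip_network(cidr, strict=False)
    best, best_len = None, -1
    for name, z in ZONES.items():
        znet = ipaddress.ip_network(z)
        if net.subnet_of(znet) and znet.prefixlen > best_len:
            best, best_len = name, znet.prefixlen
    return best

def audit_rules(rules):
    """Return [(rule name, finding)] for allow rules that weaken a boundary."""
    findings = []
    for r in rules:
        src, dst = zone_of(r["src"]), zone_of(r["dst"])
        if r["action"] != "allow" or src == dst:
            continue  # deny rules and intra-zone traffic are not boundary crossings
        if r["proto"] == "any" and r["port"] == "any":
            findings.append((r["name"], f"any-protocol/any-port allow {src} -> {dst}"))
        elif TRUST[src] < TRUST[dst] and (src, dst, r["proto"], r["port"]) not in APPROVED:
            findings.append((r["name"], f"{src} -> {dst} not in the approved cross-boundary list"))
    return findings

# Constructed rule set in a generic security-group style (not a vendor export).
SAMPLE_RULES = [
    {"name": "web-from-lan", "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.5.0/24", "proto": "tcp", "port": 443},
    {"name": "lan-to-cui-any", "action": "allow", "src": "10.10.0.0/16", "dst": "10.20.0.0/16", "proto": "any", "port": "any"},
    {"name": "inet-to-cui-rdp", "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.10/32", "proto": "tcp", "port": 3389},
    {"name": "cui-to-lan-smb", "action": "allow", "src": "10.20.0.0/16", "dst": "10.10.0.0/16", "proto": "tcp", "port": 445},
    {"name": "cui-to-inet-any", "action": "allow", "src": "10.20.0.0/16", "dst": "0.0.0.0/0", "proto": "any", "port": "any"},
    {"name": "default-deny", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "port": "any"},
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Rules that only flow from a higher-trust zone to a lower one on specific ports (like `cui-to-lan-smb`) are left to the egress policy review rather than flagged here.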
Frequently Asked Questions
What qualifies as an 'external boundary' versus a 'key internal boundary'?
An external boundary is any point where your network connects to networks outside your control, such as internet connections, partner connections, or cloud service provider networks. A key internal boundary is a point within your network where different security zones meet, such as between a CUI network segment and a general business network, or between production and administrative networks. Key internal boundaries are determined by where CUI is processed or stored and where segmentation is needed to limit unauthorized access or lateral movement.
Do I need a firewall if all my systems are in the cloud?
Yes, boundary protection is still required for cloud systems, but it is implemented differently. Instead of traditional firewalls, you use cloud-native controls like security groups, network ACLs, and virtual firewalls. These controls serve the same purpose of monitoring and controlling traffic at boundaries. You must still identify external boundaries (internet-facing resources) and internal boundaries (between different cloud resources or VPCs) and implement appropriate controls.
How often do I need to review firewall rules and boundary protection configurations?
While CMMC does not prescribe a specific frequency, industry best practice and assessor expectations typically require at least annual reviews of firewall rules and boundary configurations, with more frequent reviews (quarterly or monthly) recommended for environments with frequent changes. Any changes to boundary protection should be reviewed and approved through a change management process before implementation. Evidence of regular reviews is a key assessment verification point.
What level of network segmentation is required to meet this control?
The control requires segmentation at 'key internal boundaries,' which at minimum means separating CUI systems from non-CUI systems. The specific segmentation approach depends on your environment: you might use VLANs, separate physical networks, cloud VPCs, or other methods. The key requirement is that traffic between segments is monitored and controlled, typically through firewall rules or security groups. Flat networks with no segmentation generally do not meet this control's intent.
Can I meet this control with just a basic firewall, or do I need advanced features?
A basic firewall can meet this control if it provides monitoring, control, and protection of communications at boundaries, with logging enabled and reviewed. However, many organizations find that next-generation firewalls (NGFW) with intrusion prevention, application awareness, and advanced logging make compliance easier to demonstrate and maintain. The control does not mandate specific firewall features, but you must be able to show that communications are effectively monitored, controlled, and protected at all required boundaries.
What should I do if I cannot implement full network segmentation immediately?
If full segmentation cannot be implemented immediately, document the gap in a Plan of Action and Milestones (POA&M) with a specific timeline and milestones for implementation. Consider interim compensating controls such as enhanced monitoring, stricter access controls, or additional logging while segmentation is being implemented. Prioritize segmentation that isolates CUI systems from external networks first, then address internal segmentation. Be prepared to demonstrate progress on the POA&M during assessment and show that compensating controls are actively reducing risk.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.