
3.13.1 System and Communications Protection - Basic

Basic Requirement

Control Description

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Discussion

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.

Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.
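The two interface restrictions named in the discussion (external web traffic only to designated web servers behind a managed interface, and rejection of external packets that claim an internal source address) are easier to reason about as an ordered rule set. The following is an added example, not text or code from SP 800-171 or this site: a small policy evaluator that applies those two rules plus a default deny to constructed inbound flows and emits the kind of per-decision record a boundary monitor would log. Interface names (ext0, dmz0), address ranges and the designated server addresses are assumptions made for the example.

```python
"""Boundary filter policy check, illustrating the 3.13.1 discussion:
anti-spoofing at the external interface, external web traffic limited to
designated web servers, default deny otherwise.  All names, ranges and
sample flows below are constructed for this example."""
import ipaddress
from dataclasses import dataclass

# Assumed topology: "ext0" faces the internet, "dmz0" is the protected
# subnetwork that holds the designated web servers.
EXTERNAL_IFACE = "ext0"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Managed interface: only these hosts may receive external web traffic.
DESIGNATED_WEB_SERVERS = {ipaddress.ip_address("192.168.10.20"),
                          ipaddress.ip_address("192.168.10.21")}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the organization's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow.

    Rule order matters: the anti-spoofing rule is evaluated before any
    allow rule, so a packet that forges an internal source can never match
    the designated-web-server exception."""
    if flow.iface == EXTERNAL_IFACE and is_internal(flow.src):
        return "DROP", "anti-spoofing: internal source on external interface"
    if flow.iface == EXTERNAL_IFACE and flow.proto == "tcp" and flow.dport in WEB_PORTS:
        if ipaddress.ip_address(flow.dst) in DESIGNATED_WEB_SERVERS:
            return "ACCEPT", "web traffic to designated web server"
        return "DROP", "web traffic to non-designated host"
    if flow.iface == EXTERNAL_IFACE:
        return "DROP", "default deny at external boundary"
    return "ACCEPT", "not an external-boundary flow"


def audit(flows):
    """Apply the policy to every flow and return log-style records; this is
    the 'monitor' half of the requirement next to the 'control' half above."""
    return [(f.iface, f.src, f.dst, f.proto, f.dport, *evaluate(f)) for f in flows]


# Constructed sample flows (documentation prefixes for the external sources).
SAMPLE_FLOWS = [
    Flow("ext0", "203.0.113.5", "192.168.10.20", "tcp", 443),   # legitimate web
    Flow("ext0", "203.0.113.5", "192.168.10.99", "tcp", 443),   # wrong server
    Flow("ext0", "10.1.2.3", "192.168.10.20", "tcp", 443),      # spoofed source
    Flow("ext0", "198.51.100.7", "192.168.10.20", "tcp", 22),   # not web
    Flow("dmz0", "192.168.10.20", "192.168.20.5", "tcp", 5432), # internal hop
]

if __name__ == "__main__":
    for record in audit(SAMPLE_FLOWS):
        print(record)
```

The same ordering carries over to a real packet filter: in nftables, for instance, a rule of the form `iifname "ext0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop` belongs above the accept rules for the web servers, and the audit records are what an assessor will ask to see when checking that every external entry point is covered.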

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern monitoring communications at system boundaries?
  • What procedures define boundary monitoring activities?
  • Who is responsible for network boundary monitoring?
  • How often are boundary monitoring capabilities reviewed?
  • What governance ensures adequate communication monitoring?

Technical Implementation:

  • What network monitoring tools are deployed at boundaries?
  • How do you implement intrusion detection/prevention systems?
  • What firewalls and network security appliances monitor traffic?
  • What SIEM aggregates boundary monitoring data?
  • What alerting identifies suspicious communications?

Evidence & Documentation:

  • Can you show network diagrams with monitoring points?
  • What logs demonstrate boundary communication monitoring?
  • Can you provide IDS/IPS alert reports?
  • What evidence shows monitored boundaries cover all entry/exit points?
  • What audit findings verify boundary monitoring compliance?
