NetStable
🛡️ 16 Practices NIST 3.13.1 - 3.13.16

System and Communications Protection Policy

System and Communications Protection Domain (SC)

📖 What This Policy Covers

System and Communications Protection is about securing the pipes that data flows through and the walls that separate your network zones. This policy covers network segmentation and boundary protection, encryption for data at rest and in transit, VPN and split tunneling controls, session management, cryptographic key management, DDoS protection, mobile code restrictions, VoIP and collaboration security, and network monitoring with IDS/IPS. With 16 practices, this is the third-largest CMMC domain.

Purpose

This policy ensures CUI is protected during transmission and at rest through encryption, network boundaries are properly defended with segmentation and firewalls, communications are monitored and controlled, and cryptographic mechanisms meet federal standards (FIPS 140-2).

Scope

Applies to all network infrastructure, communications channels, and data transmission paths that process, store, or transmit CUI. Covers wired and wireless networks, VPN connections, email, VoIP, collaborative tools, and public-facing systems.

🎯 Why It Matters

Network-level attacks account for a significant portion of breaches. Unencrypted data in transit can be intercepted, and flat networks allow attackers to move laterally after initial compromise. FIPS 140-2 validated encryption is a hard requirement -- using the wrong algorithm or an unvalidated module is an automatic assessment finding. Proper network segmentation limits blast radius and is one of the most effective controls against ransomware propagation.

🔐 Key Requirements

1. Network Segmentation & Boundary Protection

Network segmentation, firewall deployment, and default-deny traffic rules.

  • CUI systems in separate VLAN with firewall-controlled inter-segment traffic
  • Firewalls at external, DMZ, and internal boundaries
  • Default-deny rules: only explicitly allowed traffic permitted
  • Firewall rules reviewed quarterly
  • Separate user and system/management network segments

2. Encryption

FIPS 140-2 validated encryption for data at rest and in transit.

  • Data at rest: AES-256 with FIPS 140-2 validated modules, full disk encryption (BitLocker, FileVault), database encryption (TDE)
  • Data in transit: TLS 1.2+ for all external connections, VPN (IPsec or SSL) for remote access
  • Email encryption: S/MIME or TLS transport
  • Cleartext protocols prohibited for CUI: no FTP, Telnet, HTTP

3. VPN & Split Tunneling

VPN controls and session management.

  • Split tunneling disabled for all users accessing CUI -- all traffic through VPN
  • Non-CUI split tunnel exception requires CISO approval + compensating controls
  • Network sessions auto-terminate: 15 minutes idle, 10 hours maximum
  • VPN sessions: 8-hour timeout with re-authentication

4. Cryptographic Key Management

Secure generation, storage, rotation, and destruction of cryptographic keys.

  • Keys stored in HSM or KMS (Azure Key Vault, AWS KMS)
  • Key rotation: annually for data-at-rest, every 90 days for session keys
  • Key access logged and restricted to authorized crypto officers

5. DDoS Protection & Network Monitoring

Protection against denial of service and continuous network monitoring.

  • DDoS mitigation (CloudFlare, AWS Shield, Azure DDoS Protection)
  • Rate limiting on public-facing APIs
  • IDS/IPS at network boundaries with logs forwarded to SIEM
  • Alert response time: 1 hour during business hours, 4 hours after-hours

6. Mobile Code, VoIP & Collaborative Computing

Controls for mobile code, VoIP, and collaborative computing.

  • JavaScript/ActiveX restricted to approved sites via browser policies
  • Email: block executable attachments (.exe, .scr, .vbs)
  • VoIP encrypted (SRTP for voice, TLS for signaling)
  • Video conferencing: approved platforms only (Teams, Zoom with E2EE)
  • Screen sharing: warn users before sharing CUI content
  • Collaborative tools: MFA required, external sharing restricted

7. Public Access Controls

Controls for public-facing systems and networks.

  • Public WiFi: CUI access prohibited without VPN
  • Public-facing systems: DMZ with restricted internal access
  • Guest network: separate with no CUI access

👥 Roles & Responsibilities

CISO / IT Director

  • Approve network architecture and security controls
  • Approve split tunneling exceptions
  • Review network security metrics monthly
  • Ensure FIPS 140-2 compliance for all cryptographic implementations

Network Engineering / IT Operations

  • Design and maintain network segmentation
  • Configure and maintain firewalls, VPN, IDS/IPS
  • Deploy and manage encryption solutions
  • Review firewall rules quarterly

IT Security / SOC

  • Monitor network security alerts from IDS/IPS and SIEM
  • Respond to DDoS events and network intrusions
  • Conduct network security assessments
  • Manage cryptographic key lifecycle

All Users

  • Use VPN when accessing CUI remotely
  • Report network security concerns
  • Follow approved platform guidelines for collaboration
  • Never transmit CUI over unencrypted channels

🛠️ Implementation Roadmap (8 Weeks)

1. Network Segmentation (Weeks 1-2)
  • Design VLAN structure: CUI VLAN, Corporate VLAN, Guest VLAN
  • Configure firewalls with deny-all, allow-by-exception rules
  • Test connectivity and verify CUI systems are isolated

2. Encryption (Weeks 3-4)
  • Deploy full disk encryption via BitLocker GPO / Intune policy
  • Enable TLS 1.2+ only (disable TLS 1.0/1.1, SSL)
  • Configure VPN with split tunneling disabled
  • Deploy email encryption (S/MIME certificates or gateway)

3. Monitoring & Protection (Weeks 5-6)
  • Deploy IDS/IPS (Snort, Suricata, or cloud-native)
  • Enable DDoS protection service
  • Configure session timeouts
  • Implement cryptographic key management (KMS)

4. Testing & Documentation (Weeks 7-8)
  • Penetration test network boundaries
  • Scan for cleartext protocols (verify no unencrypted CUI transmission)
  • Test session timeouts
  • Document network architecture diagram with all zones and firewall rules

Recommended Tools

  • Palo Alto / Cisco / Fortinet (firewalls)
  • Snort / Suricata (IDS/IPS)
  • CloudFlare / AWS Shield / Azure DDoS Protection (DDoS mitigation)
  • Azure Key Vault / AWS KMS (key management)
  • BitLocker / FileVault (disk encryption)
  • OpenVPN / Cisco AnyConnect / Palo Alto GlobalProtect (VPN)

📊 CMMC Practice Mapping

Practice ID     Requirement                                              Policy Section
SC.L2-3.13.1    Monitor/control communications at boundaries             1
SC.L2-3.13.2    Employ architectural designs for security                1
SC.L2-3.13.3    Separate user/system functionality                       1
SC.L2-3.13.4    Prevent unauthorized/unintentional transfer              3
SC.L2-3.13.5    Implement subnetworks for public components              5, 7
SC.L2-3.13.6    Deny network traffic by default                          1, 5
SC.L2-3.13.7    Prevent split tunneling                                  3
SC.L2-3.13.8    Implement cryptographic mechanisms for CUI in transit    2
SC.L2-3.13.9    Terminate network connections at session end             3
SC.L2-3.13.10   Establish/manage cryptographic keys                      4
SC.L2-3.13.11   Employ FIPS-validated cryptography                       2
SC.L2-3.13.12   Prohibit remote activation of collaborative devices      6
SC.L2-3.13.13   Control mobile code                                      6
SC.L2-3.13.14   Control VoIP                                             6
SC.L2-3.13.15   Protect authenticity of communications                   2
SC.L2-3.13.16   Protect CUI at rest                                      2

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Network Architecture Diagram

Format: Visio/PDF
Frequency: Annual or after changes
Contents: Diagram showing VLANs, firewalls, CUI zones, DMZ, and data flow paths
Tip: Include IP ranges for each zone. Mark CUI boundary clearly. This is one of the first things assessors ask for.

Firewall Rule Export

Format: CSV/PDF
Frequency: Quarterly review
Contents: Complete rule set with review date and approver name
Tip: Include comments on each rule explaining business justification. Remove any 'allow all' rules.
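An added example, not part of the NetStable template: a Python check that runs the tips above over a firewall rule export, flagging 'allow all' rules, allow rules with no business justification, rules without an approver, rules not reviewed within the quarter, and a missing closing default-deny. The CSV column names and the sample rule set are constructed for this example; real vendor exports differ.

```python
import csv
import io
from datetime import date

# Constructed sample of a firewall rule export in the CSV form this policy asks for
# (full rule set with a justification comment, review date and approver per rule).
# The column names are an assumption; real vendor exports differ.
SAMPLE_EXPORT = """\
name,source,destination,service,action,comment,reviewed,approver
corp-to-cui-https,10.10.0.0/24,10.20.0.10,tcp/443,allow,ERP web front end for CUI users (CHG-1042),2026-01-15,Jane Smith
cui-to-kms,10.20.0.0/24,10.30.0.5,tcp/443,allow,Key retrieval from KMS,2025-09-02,Jane Smith
cui-outbound-dns,10.20.0.0/24,any,udp/53,allow,Recursive DNS to corporate resolvers,2026-01-15,Jane Smith
temp-vendor-access,any,any,any,allow,,2026-01-15,
guest-to-cui,192.168.50.0/24,10.20.0.0/24,any,deny,Guest network never reaches CUI VLAN,2026-01-15,Jane Smith
default-deny,any,any,any,deny,Catch-all deny at end of policy,2026-01-15,Jane Smith
"""

MATCH_FIELDS = ("source", "destination", "service")

def is_any_any_any(rule):
    """True when source, destination and service are all 'any'."""
    return all(rule[f].strip().lower() == "any" for f in MATCH_FIELDS)

def audit_rules(csv_text, as_of=date(2026, 3, 1), review_days=90):
    """Check a rule export against the policy: no 'allow all' rules, a justification
    on every allow rule, an approver on every rule, a review within review_days, and
    a default-deny rule closing the set. as_of defaults to a constructed review date
    for the sample; pass date.today() in practice."""
    rules = list(csv.DictReader(io.StringIO(csv_text)))
    findings = {"allow_all": [], "broad_allow": [], "missing_justification": [],
                "missing_approver": [], "stale_review": []}
    for r in rules:
        allow = r["action"].strip().lower() == "allow"
        if allow and is_any_any_any(r):
            findings["allow_all"].append(r["name"])
        elif allow and any(r[f].strip().lower() == "any" for f in MATCH_FIELDS):
            findings["broad_allow"].append(r["name"])  # 'any' in one field: review it
        if allow and not r["comment"].strip():
            findings["missing_justification"].append(r["name"])
        if not r["approver"].strip():
            findings["missing_approver"].append(r["name"])
        if (as_of - date.fromisoformat(r["reviewed"])).days > review_days:
            findings["stale_review"].append(r["name"])
    last = rules[-1] if rules else None
    findings["ends_with_default_deny"] = bool(
        last and last["action"].strip().lower() == "deny" and is_any_any_any(last))
    return findings
```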

Encryption Configuration Screenshots

Format: PNG/PDF
Frequency: Quarterly
Contents: BitLocker GPO settings, TLS configuration, VPN no-split-tunnel setting
Tip: Show TLS version settings (1.2+ only). Screenshot VPN configuration showing split tunnel is disabled.

VPN Configuration

Format: PDF
Frequency: Quarterly
Contents: VPN server config showing split tunneling disabled and encryption settings
Tip: Include the specific setting name and value that disables split tunneling.

IDS/IPS Alert Summary

Format: PDF/CSV
Frequency: Monthly
Contents: Last 30 days of alerts with response actions taken
Tip: Show that alerts are being reviewed and acted upon, not just generated.

Encryption Validation Scan

Format: PDF
Frequency: Quarterly
Contents: Scan results confirming no cleartext protocols in use for CUI data
Tip: Use tools like Nmap or sslyze to verify TLS versions and cipher suites. Document any findings.
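An added example, not part of the NetStable template: a Python parser for Nmap grepable output (-oG) that flags the cleartext protocols this policy prohibits for CUI (FTP, Telnet, HTTP) on the scanned hosts, so the scan result can be turned into the evidence artifact above. The scan data is constructed; only open ports are reported, and https/ftps are not flagged because Nmap names them differently.

```python
# Constructed sample of Nmap grepable output (-oG) from a scan of a CUI VLAN.
# Hosts, ports and banners are made up; the layout follows Nmap's -oG format:
# comma-separated "port/state/protocol/owner/service/rpc info/version/" entries.
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG cui-vlan.gnmap 10.20.0.0/28
Host: 10.20.0.10 ()\tStatus: Up
Host: 10.20.0.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.20.0.11 ()\tStatus: Up
Host: 10.20.0.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 80/open/tcp//http//Apache httpd/, 443/open/tcp//https//Apache httpd/\tIgnored State: closed (997)
Host: 10.20.0.12 ()\tStatus: Up
Host: 10.20.0.12 ()\tPorts: 23/open/tcp//telnet///, 80/filtered/tcp//http///, 161/open/udp//snmp///\tIgnored State: closed (997)
# Nmap done at Sun Mar  1 09:00:00 2026 -- 3 IP addresses (3 hosts up) scanned
"""

# Cleartext protocols this policy prohibits for CUI, by Nmap service name and by
# well-known port (the port fallback covers entries Nmap could not name).
CLEARTEXT_SERVICES = {"ftp": "FTP", "telnet": "Telnet", "http": "HTTP"}
CLEARTEXT_PORTS = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 80): "HTTP"}

def parse_gnmap(text):
    """Yield (host, port, proto, state, service) for every port entry in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields: Host, then Status or Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for entry in filter(None, (e.strip() for e in fields.get("Ports", "").split(","))):
            parts = entry.split("/")  # [port, state, protocol, owner, service, rpc, version]
            yield host, int(parts[0]), parts[2], parts[1], parts[4]

def find_cleartext(text):
    """Return (host, port, protocol_name) for each open cleartext service found."""
    findings = []
    for host, port, proto, state, service in parse_gnmap(text):
        if state != "open":  # filtered/closed ports are not exposure
            continue
        label = CLEARTEXT_SERVICES.get(service.lower()) or CLEARTEXT_PORTS.get((proto, port))
        if label:
            findings.append((host, port, label))
    return findings
```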

⚠️ Common Gaps (What Assessors Flag)

1. Flat network with no CUI segmentation

Why this happens: Network was designed before CMMC requirements. Everything is on one subnet.
How to close the gap: Create a CUI VLAN. Move CUI systems to the new segment. Implement firewall rules between zones. Start with the highest-risk systems.

2. TLS 1.0/1.1 still enabled

Why this happens: Legacy applications or devices require older TLS versions.
How to close the gap: Inventory systems using TLS 1.0/1.1. Upgrade or replace where possible. For remaining legacy, document as POA&M with compensating controls (VPN-only access).

3. VPN split tunneling enabled

Why this happens: Performance complaints from users -- all traffic through VPN is slow.
How to close the gap: Disable split tunneling for CUI access. If performance is an issue, upgrade VPN concentrator capacity or use a cloud-based SASE solution.

4. Non-FIPS validated encryption in use

Why this happens: Standard encryption libraries were used without checking their FIPS validation status.
How to close the gap: Verify FIPS 140-2 validation for all cryptographic modules. Enable FIPS mode in Windows (via GPO). Use FIPS-validated cloud services.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

  • [COMPANY NAME]: your organization's legal name (Example: Acme Defense Systems, LLC)
  • [CISO Name]: name of your CISO (Example: Jane Smith)
  • [MM/DD/YYYY]: policy dates (Example: 03/01/2026)

Customization Tips

  • 💡 Include your actual IP ranges and VLAN IDs in the network segmentation section
  • 💡 Document your specific VPN product and its split tunneling configuration setting name
  • 💡 Verify FIPS 140-2 validation status of your specific encryption products and document the validation certificate numbers
  • 💡 If you use a SASE/zero-trust solution instead of traditional VPN, describe your architecture and how it meets the same requirements
  • 💡 List your specific approved collaboration platforms and their security configurations

📚 Related Policies