Monitor, control, and protect organizational communications at the external boundaries
📖 What This Means
This practice means your organization must actively watch, manage, and secure all incoming and outgoing network traffic where your systems connect to external networks (like the internet). Think of it like installing security cameras and checkpoints at all the doors of your building. You're looking for suspicious activity, blocking unauthorized access, and ensuring only approved communications enter or leave. For example:
- A small defense contractor sets up a firewall to block unauthorized access attempts from the internet.
- A manufacturer monitors email attachments leaving their network to prevent accidental data leaks.
🎯 Why It Matters
Unprotected network boundaries are the #1 entry point for cyberattacks. The 2023 Verizon DBIR found 85% of breaches involved external actors exploiting weak perimeter controls. For defense contractors, this could mean:
- Loss of Controlled Unclassified Information (CUI)
- Compromised bid proposals costing $250k+ in rework
- Failing CMMC audits and losing contracts
The DoD specifically requires this control because adversaries constantly scan contractor networks for vulnerabilities. A real-world example: In 2022, a small aerospace contractor had their FTP server hacked because they weren't monitoring external connections, resulting in stolen blueprints.
✅ How to Implement
1. Enable AWS Shield Standard or Azure DDoS Protection on all VPCs/vNets (Shield Standard is applied to AWS accounts automatically; Azure DDoS Protection is enabled per virtual network)
2. Configure NSGs (Azure) or Security Groups (AWS) to deny inbound traffic by default and allow only the ports you actually need (e.g., block all inbound except 443)
3. Set up VPC Flow Logs (AWS) or NSG Flow Logs (Azure) and send them to a SIEM like Azure Sentinel, so blocked and allowed connections are retained and reviewable
4. Deploy a cloud firewall like AWS Network Firewall or Azure Firewall with threat intelligence feeds
5. Enable logging for all perimeter services (API Gateways, Load Balancers)
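Steps 2 and 3 produce the evidence this control asks for: a default-deny boundary and a record of what it rejected. The script below is an added example (not part of this guidance page or any vendor tool) that parses AWS VPC Flow Log records in the default version 2 format, counts REJECT entries by direction and destination port, and flags inbound attempts against the legacy ports the checklist calls unnecessary (Telnet, SMB). The sample records and account id are constructed, and the 10.x internal range is an assumption you would replace with your own VPC CIDRs.

```python
"""Summarise blocked (REJECT) connections from AWS VPC Flow Logs, default v2 format."""
from collections import Counter

# Field order of the default VPC Flow Log v2 record (space separated).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
# Ports the checklist above calls unnecessary at the perimeter (Telnet, SMB),
# plus other legacy services; tune this to your own approved-port list.
RISKY_PORTS = {23: "telnet", 445: "smb", 139: "netbios", 21: "ftp", 3389: "rdp"}

def parse_record(line):
    """Parse one flow-log line; drop malformed rows and NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA/SKIPDATA rows carry '-' in most fields
        return None
    rec["dstport"] = int(rec["dstport"])
    return rec

def direction(rec, internal_prefix):
    """Classify inbound/outbound/internal by address; assumes a 10.x VPC range."""
    src_in = rec["srcaddr"].startswith(internal_prefix)
    dst_in = rec["dstaddr"].startswith(internal_prefix)
    if dst_in and not src_in:
        return "inbound"
    return "outbound" if src_in and not dst_in else "internal"

def summarise_rejects(lines, internal_prefix="10."):
    """Count REJECT records by (direction, dstport) and list inbound hits on risky ports."""
    by_dir_port, risky = Counter(), []
    for line in lines:
        r = parse_record(line)
        if r is None or r["action"] != "REJECT":
            continue
        d = direction(r, internal_prefix)
        by_dir_port[(d, r["dstport"])] += 1
        if d == "inbound" and r["dstport"] in RISKY_PORTS:
            risky.append((r["srcaddr"], r["dstport"], RISKY_PORTS[r["dstport"]]))
    return {"by_dir_port": by_dir_port, "risky": risky}

# Constructed sample records (not real traffic; the account id is a placeholder).
SAMPLE = [
    "2 111111111111 eni-0abc 203.0.113.12 10.0.1.20 49152 23 6 1 40 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0abc 203.0.113.12 10.0.1.20 49153 445 6 1 40 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0abc 198.51.100.7 10.0.1.20 51000 443 6 12 9000 1700000000 1700000060 ACCEPT OK",
    "2 111111111111 eni-0abc 198.51.100.7 10.0.1.20 51001 22 6 1 40 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0abc 10.0.1.20 203.0.113.99 40000 25 6 1 40 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA",
]
```

Running `summarise_rejects(SAMPLE)` over the constructed rows yields one inbound reject each on 23, 445 and 22, one outbound reject on 25, and two risky-port hits from 203.0.113.12; the same function applied to a week of exported flow logs gives the reviewer in Question 4 something concrete to sign off on.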
📋 Evidence Examples
- Firewall Rule Configuration
- Blocked Traffic Logs
- Network Diagram
- Firewall Change Request Form
📝 SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For SC.L1-3.13.1 ("Monitor, control, and protect organizational communications at the external boundaries"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe your network security architecture, including segmentation, encryption standards, VPN configuration, session management, key management, and monitoring capabilities. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"SC.L1-3.13.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to monitor, control, and protect organizational communications at the external boun.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"SC.L1-3.13.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to monitor, control, and protect organizational communications at the external boun.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"SC.L1-3.13.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Document network architecture with the CUI boundary clearly marked
- Identify all encryption mechanisms (at rest and in transit)
- Specify network monitoring and IDS/IPS deployment
- Ensure this control covers all systems within your defined CUI boundary where monitoring, controlling, and protecting communications at the external boundaries applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- 📄 System and Communications Protection Policy
- 📄 Network architecture diagram
- 📄 Firewall rule documentation
- 📄 Encryption configuration documentation
- 📄 Evidence artifacts specific to SC.L1-3.13.1
- 📄 POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will review network diagrams for proper segmentation, test encryption settings, verify VPN split tunneling is disabled, and check FIPS 140-2 validation of cryptographic modules.
💬 Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do we have a firewall or equivalent protecting all external network connections?
Question 2: Are default firewall rules set to 'deny all' with specific allow rules for required traffic?
Question 3: Are logs being kept for all blocked inbound/outbound connection attempts?
Question 4: Is someone reviewing security alerts from perimeter devices at least weekly?
Question 5: Have all unnecessary ports (e.g., Telnet, SMB) been closed at the perimeter?
⚠️ Common Mistakes (What Auditors Flag)
1. Firewall allows 'any/any' rules for convenience
2. No logging enabled or logs not retained
3. Missing documentation for allowed traffic
4. Not monitoring cloud service perimeter (e.g., S3 buckets)
📚 Parent Policy
This practice is governed by the System and Communications Protection Policy.