CMMC Practice SC.1.175

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.

Source

CMMC Version 1.02, pg. 245

Bold Coast Security Guidance

For Level 1 compliance your organization must have boundary protection infrastructure, such as a firewall, at the external boundary. Firewall capabilities vary greatly, but all of them do the basic job of enforcing a traffic policy between networks or network segments; for most organizations that means between the internal network and the Internet. For Level 2 compliance, create a policy stating that the organization monitors, controls, and protects organizational communications at the external boundaries and key internal boundaries of its information systems, and name the internal boundaries it treats as key (for example, the segment that holds CUI). The security plan for Level 3 will document what perimeter devices are in use, who manages them, and any annual costs for maintaining them. Verify that the devices are effective with regular penetration tests and with periodic reviews of the rule set against the documented policy.

Discussion From Source

From DRAFT NIST SP 800-171 R2: Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies.
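The guidance above (a firewall between the internal network and the Internet) and the NIST discussion (external web traffic restricted to designated web servers, external packets with spoofed internal source addresses prohibited, key internal boundaries) can be modeled as a first-match rule chain. The following is an added example, not code from the CMMC source or from Bold Coast Security. The interface names, the RFC 1918 and documentation-range addresses, the designated web server, the CUI enclave and the jump host are all assumptions made for illustration. It evaluates constructed sample flows against the policy and renders the same policy as an nftables forward chain; the nftables text is illustrative and should be syntax-checked with `nft -c -f` before it is loaded on a real device.

```python
"""Model of a boundary-protection policy: anti-spoofing, designated-server
filtering and a key internal boundary, evaluated with first-match semantics.
Added example; all addresses and interface names are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology (not from the page): three firewall interfaces.
EXTERNAL_IF, INTERNAL_IF, DMZ_IF = "wan0", "lan0", "dmz0"
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
DMZ_NET = ip_network("192.0.2.0/24")
WEB_SERVER = ip_address("192.0.2.10")     # the designated external-facing web server
WEB_PORTS = {80, 443}
CUI_ENCLAVE = ip_network("10.10.0.0/16")  # key internal boundary (hypothetical)
JUMP_HOST = ip_address("10.0.1.5")        # only host allowed into the enclave


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    established: bool = False  # reply to a connection already admitted


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, matched rule). Order matters: the anti-spoofing rule is
    checked before any allow rule on the external interface, so a packet from
    the Internet claiming the jump host's address is still dropped."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.established:
        return "accept", "established"
    if pkt.in_if == EXTERNAL_IF:
        if is_internal(src) or src in DMZ_NET:
            return "drop", "spoofed-internal-source"
        if dst == WEB_SERVER and pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
            return "accept", "designated-web-server"
        return "drop", "external-default-deny"
    if pkt.in_if == INTERNAL_IF:
        if dst in CUI_ENCLAVE:
            if src == JUMP_HOST and pkt.proto == "tcp" and pkt.dport == 22:
                return "accept", "jump-host-to-enclave"
            return "drop", "enclave-boundary"
        return "accept", "internal-egress"
    if pkt.in_if == DMZ_IF:
        if is_internal(dst):
            return "drop", "dmz-to-internal"
        return "accept", "dmz-egress"
    return "drop", "unknown-interface"


def render_nftables() -> str:
    """The same rules as an nftables forward chain, in the same order."""
    nets = ", ".join(str(n) for n in INTERNAL_NETS)
    ports = ", ".join(str(p) for p in sorted(WEB_PORTS))
    return "\n".join([
        "table inet boundary {",
        f"  set internal {{ type ipv4_addr; flags interval; elements = {{ {nets} }} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{EXTERNAL_IF}" ip saddr @internal log prefix "SPOOF " drop',
        f'    iifname "{EXTERNAL_IF}" ip saddr {DMZ_NET} log prefix "SPOOF " drop',
        f'    iifname "{EXTERNAL_IF}" ip daddr {WEB_SERVER} tcp dport {{ {ports} }} accept',
        f'    iifname "{INTERNAL_IF}" ip saddr {JUMP_HOST} ip daddr {CUI_ENCLAVE} tcp dport 22 accept',
        f'    iifname "{INTERNAL_IF}" ip daddr {CUI_ENCLAVE} log prefix "ENCLAVE " drop',
        f'    iifname "{INTERNAL_IF}" accept',
        f'    iifname "{DMZ_IF}" ip daddr @internal log prefix "DMZ " drop',
        f'    iifname "{DMZ_IF}" accept',
        "  }",
        "}",
    ])


# Constructed sample flows for a tabletop check of the policy.
SAMPLE_FLOWS = [
    Packet("wan0", "203.0.113.7", "192.0.2.10", 443),   # Internet -> designated web server
    Packet("wan0", "203.0.113.7", "192.0.2.10", 22),    # Internet -> web server, non-web port
    Packet("wan0", "10.0.1.5", "10.10.0.20", 22),       # spoofed internal source address
    Packet("wan0", "203.0.113.7", "10.0.1.20", 445),    # Internet -> internal host
    Packet("lan0", "10.0.1.5", "10.10.0.20", 22),       # jump host -> CUI enclave
    Packet("lan0", "10.0.1.77", "10.10.0.20", 3389),    # workstation -> CUI enclave
    Packet("dmz0", "192.0.2.10", "10.0.1.20", 445),     # DMZ host -> internal host
    Packet("wan0", "203.0.113.7", "10.0.1.77", 50000, established=True),  # reply traffic
]


def run_samples() -> list[tuple[str, str, str]]:
    return [(f"{p.in_if} {p.src}->{p.dst}:{p.dport}", *evaluate(p)) for p in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict, rule in run_samples():
        print(f"{verdict:6} {rule:24} {flow}")
    print(render_nftables())
```

The third sample flow is the one worth studying: it carries the jump host's address and the enclave's permitted port, yet it arrives on the external interface, so the anti-spoofing rule drops it before the enclave allow rule is ever consulted. Swapping those two rules would silently open the key internal boundary to the Internet, which is exactly the kind of ordering defect a rule-set review or penetration test should catch.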

References

  • FAR Clause 52.204-21(b)(1)(x)
  • NIST SP 800-171 Rev 1 3.13.1
  • NIST CSF v1.1 PR.PT-4
  • NIST SP 800-53 Rev 4 SC-7
  • UK NCSC Cyber Essentials