Policies and procedures for System and Communications Protection should adhere to applicable Federal laws, Executive Orders, standards and guidance. This area focuses on the exchange of information within a system or a network.  

Monitor, Control, Protect

3.13.1Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Inbound and outbound traffic flow in organizational systems can be controlled in the following ways:

  • Routers, Gateways and ACLs (Access Control Lists);
  • Firewalls with physical WAN and LAN ports segregated;
  • Customization of ingress and egress traffic with proper NAT (Network Address Translation);
  • Firewall intrusion detection and intrusion prevention;
  • Geographical internet protocol restrictions;
  • Security suite subscription through an OEM;
  • Blacklisting unnecessary content filtering rules.

Effective Security

3.13.2Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Systems security and engineering principles to systems being developed or undergoing upgrades are crucial to any organizational information security infrastructure.  One crucial aspect to achieving continual system security is consistent updating and application of security patches to address the perpetual change in digital technologies.

Separation of Functionality

3.13.3Separate user functionality from system management functionality.

The separation of system management functionality and user functionality must be maintained. System administrators should not have global admin access, but rather permission escalation within a privileged user account. Proper group policy should be implemented within organizational units to containerize user accounts from admin accounts, employing the principle of least privilege, segregation of admin duties, and password policy.

Residual Information Transfer

3.13.4Prevent unauthorized and unintended information transfer via shared system resources.

File and folder sharing permissions for read, write, or execute group policies should be examined routinely to prevent the transfer of information from one process to another and from one user to another. System resources such as cache, memory, hard disks, registers or main memory must be configured in an operating system to contain or eliminate residual information.


3.13.5Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Organizational devices such as routers, gateway firewalls, virtualization, or cloud-based systems are connected directly to the Internet Service Provider. These devices must be configured to create subnetworks that are physically (Firewall) or logically (VLAN separation) separated from internal or trusted networks. These subnetworks are referred to as Demilitarized Zones (DMZ). The DMZ adds an extra layer of security to an organization’s internal trusted local area network (LAN).

 Deny All, Permit by Exception

3.13.6Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

The Security Technical Information Guide (STIG) promotes a deny-by-default security posture at the network parameter to block all inter-zone traffic by default, with a custom ruleset for ingress and egress services approval. Processes involved include:

  • PPSM – Ports, Protocols and Services Management
  • CAL – Category Assurance List
  • VA – Vulnerability Assessment

Remote Devices

3.13.7Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Split tunneling allows a remote user to route traffic through an encrypted VPN, while other applications or devices have direct access to the Internet. This leaves the system vulnerable to malicious activity through an open unencrypted connection on the public network. As a mitigation strategy, split tunneling settings must be disabled on all devices so all traffic flows through the organization’s encrypted VPN tunnel.

Cryptographic Controls

3.13.8Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.10Establish and manage cryptographic keys for cryptography employed in organizational systems.
3.13.11Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

When data is transferred across a network, there is always a risk of data integrity attack. Protection mechanisms include data labels, security parameters, and metadata.  Certain custom solutions provide a file transfer capability with integrity checks for incoming and outgoing data flow. Examples include:

  • Hashing / digital signature and cyclic redundancy checks (CRCs)
  • TLS or SSL for point-to-point sessions
  • Packet encryption
  • Protected Distribution System (PDS)

Cryptographic keys must be protected and managed. They may be stored securely in a “vault” or secure service, or tied to Active Directory objects (for example, Bit Locker).

FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms and other IT standards. A FIPS-validated cryptographic module is validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-3. Basically, FIPS compliant algorithms are used for encryption, hashing, and signing.

More information on cryptographic modules can be found on the NIST CSRC website.

Session Termination

3.13.9Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

Terminating network connections and VPN sessions is achieved by configuring session timeout due to no activity, deallocating associated TCP/IP address or port pairs at the operating system or application level.

Remote Activation

3.13.12Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

Collaborative computing devices include web cameras and microphones, and are used in video conferencing. To ensure remote activation is disabled, each device’s settings must be scrutinized.

Notification that a device is in use can include an indicator light, or text window on a screen. If technology is not available, alerts such as paper notices outside of a meeting room, or locked entryways should be employed.

Mobile Code

3.13.13Control and monitor the use of mobile code.

Mobile code is a software that is transmitted from a remote host to be executed on a local host, typically without the user’s explicit instruction. Mobile code technologies include Java, JavaScript, ActiveX, PDF, Flash animations, and VBScript. There is a potential for the code to cause damage to the systems if used maliciously.

Mobile code can be controlled by deploying additional security settings to web browser applications or by deploying additional security settings to Adobe and Microsoft Office.

Further information on mobile code can be found on, SC-18.


3.13.14Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

VoIP services include In-house, hosted, and hybrid. These services can pose significant risks to an already existing data network. Mitigation tools include:

  • Separate VLANs and separate DHCP servers for voice and data
  • TLS and SRTP for call encryption
  • Change of default passwords
  • Firewall NAT features for LAN IPs
  • Disable phone web interface
  • Close port 80 on the firewall for the VoIP VLAN
  • Disable international calling
  • Monitor call detail record (CDR)

Session Authenticity

3.13.15Protect the authenticity of communications sessions.

Authentication protects against risks such as man-in-the-middle attacks, session hijacking, and false information insertion.

A Certificate Authority (CA) is a trusted entity that issues digital certificates, or data files, used to cryptographically link an entity with a Public Key (a large numerical value that is used to encrypt data). These certificates establish protected sessions between web clients and web servers.

CUI at Rest

3.13.16Protect the confidentiality of CUI at rest.

CUI at rest refers to the state of information when not in process or in transit and is located on some storage as a system component. Use of a Full Disk Encryption (FDE) product is one option for achieving security of digital CUI at rest. Restricted access storage options can be used for hard copy CUI.

Need Help?

If you are an Organization Seeking Certification (OSC) and are overwhelmed by the enormity and complexity of CMMC, consider professional services to help you plan, implement, and maintain compliance and ensure uninterrupted eligibility for DoD work.

FoxGuard Solutions delivers reliable, secure and configurable solutions to solve technology and compliance challenges faced by critical infrastructure entities.  With over four decades of experience, our team focuses on delivering customized cybersecurity and compliance solutions.

Our services will help guide your organization through the Discovery, Planning, Execution and Maintenance phases necessary to allow your organization to attain Cybersecurity Maturity Model Certification (CMMC).  Our team of experts will partner with you to review existing policies, processes, procedures, and technical controls to identify any gaps with CMMC requirements.  An execution plan will be created that aligns with your needs, budget and timeline, and which outlines a recommended approach to attain CMMC.

As a Microsoft Gold Certified Partner, FoxGuard Solutions has experience in delivering both on premise as well as cloud-based solutions to assist you with your compliance needs.

FoxGuard Solutions is ISO 9001 and ISO 27001 certified, and is a CMMC Registered Provider Organization

Please visit for more information.