CMMC SC.1.175 – Monitor and Control Communications

Requirement text:

SC.1.175: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.

Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies.

CMMC CLARIFICATION
Just as your office or plant has fences and locks for protection from the outside, and uses badges and keycards to keep non-employees out, your company’s IT network or system has boundaries that must be protected. Many companies use a web proxy and a firewall.

Web Proxy
When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf, looks at the web request, and decides if it should let the employee go to the website.

Firewall
A firewall controls access from the inside and the outside, protecting valuable information and resources stored on the company's network. It stops unwanted traffic from the internet from passing through the outer "fence" into the company's networks and information systems. If your company is large enough, you may also want to monitor, control, or protect one part of the enterprise network from another; that is done with a firewall placed at a key internal boundary (for example, between the office LAN and the segment holding servers). Internal segmentation limits how far adversaries, hackers, or disgruntled employees can move once they have a foothold in one part of the network.

Example
You are setting up the new network for your company and want to keep the company's information and resources safe. You make sure to buy a router (a hardware device that routes data from a local area network (LAN) to another network connection) with a built-in firewall, then configure it to limit access to trustworthy sites. Some of your coworkers complain that they cannot get to certain websites. You explain that the new network blocks websites that are known for spreading malware.

Get Audit Ready

How to pass? Just as parts of your facility are "private", you should treat your company network as private. For very small businesses, the private network is simply whatever is connected to the LAN ports on your internet router. Make sure your firewall drops all unsolicited inbound traffic from the internet by default, allowing in only replies to connections your own hosts opened and any service you have deliberately published, so that internet attacks cannot reach your computers.
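The boundary rules described above (deny inbound by default, admit only replies to connections opened from inside, expose only a designated web server, reject internet packets that spoof internal addresses, and force workstation web traffic through the web proxy) are easiest to reason about as an ordered policy. The following is an added example, not code from the CMMC or NIST source: a small Python model of such a policy evaluated against constructed sample packets. The addresses, the proxy at 192.168.1.10, the web server at 192.168.10.5, and the simplified connection-tracking set are all assumptions made for the illustration; a real deployment would express the same decisions in a firewall's own rule language.

```python
"""Model of a boundary firewall policy for SC.1.175 (illustrative, constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology for this example (not from the CMMC/NIST text):
#   LAN 192.168.1.0/24  workstations; 192.168.1.10 is the outbound web proxy
#   DMZ 192.168.10.0/24 192.168.10.5 is the designated, published web server
INTERNAL_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.10.0/24")]
# Ranges that must never appear as a *source* on the internet-facing interface
BOGON_NETS = INTERNAL_NETS + [
    ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"), ip_network("169.254.0.0/16"),
]
WEB_SERVERS = {ip_address("192.168.10.5")}
WEB_PROXY = ip_address("192.168.1.10")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "wan" (internet) or "lan"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate(pkt, conntrack):
    """Return (verdict, reason).

    conntrack is a set of (inside_ip, outside_ip, outside_port) tuples recording
    connections that inside hosts opened; accepted egress adds to it so that the
    matching replies are admitted.  This stands in for a real stateful firewall.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    if pkt.iface == "wan":
        # 1. Anti-spoofing: internet packets may not claim an internal/private source.
        if in_any(src, BOGON_NETS):
            return "drop", "spoofed internal source address on wan"
        # 2. Replies to connections opened from inside are allowed back in.
        if (dst, src, pkt.sport) in conntrack:
            return "accept", "reply to established outbound connection"
        # 3. Unsolicited inbound only to the designated web server on web ports.
        if pkt.proto == "tcp" and dst in WEB_SERVERS and pkt.dport in WEB_PORTS:
            return "accept", "inbound web traffic to designated web server"
        # 4. Everything else from the internet is dropped by default.
        return "drop", "default deny inbound"

    if pkt.iface == "lan":
        # The internal interface must only carry internal source addresses.
        if not in_any(src, INTERNAL_NETS):
            return "drop", "non-internal source address on lan"
        # Workstations may not browse directly; only the proxy may reach external web ports.
        if (pkt.proto == "tcp" and pkt.dport in WEB_PORTS
                and src != WEB_PROXY and not in_any(dst, INTERNAL_NETS)):
            return "drop", "outbound web traffic must go through the proxy"
        conntrack.add((src, dst, pkt.dport))
        return "accept", "outbound from internal host"

    return "drop", "unknown interface"


def run_samples():
    """Evaluate a constructed sequence of packets and return the verdicts in order."""
    conntrack = set()
    packets = [
        Packet("lan", "192.168.1.10", "203.0.113.7", "tcp", 51000, 443),   # proxy opens HTTPS out
        Packet("wan", "203.0.113.7", "192.168.1.10", "tcp", 443, 51000),   # reply comes back
        Packet("lan", "192.168.1.20", "203.0.113.7", "tcp", 51001, 443),   # workstation bypasses proxy
        Packet("wan", "198.51.100.9", "192.168.10.5", "tcp", 40000, 443),  # client hits public web server
        Packet("wan", "198.51.100.9", "192.168.10.5", "tcp", 40001, 22),   # SSH probe on web server
        Packet("wan", "192.168.1.50", "192.168.1.10", "tcp", 40002, 445),  # spoofed internal source
        Packet("wan", "198.51.100.9", "192.168.1.20", "tcp", 40003, 3389), # unsolicited RDP to a workstation
    ]
    return [evaluate(p, conntrack)[0] for p in packets]


if __name__ == "__main__":
    ct = set()
    for p in run_samples.__wrapped__ if hasattr(run_samples, "__wrapped__") else []:
        pass
    for verdict in run_samples():
        print(verdict)
```

The order of the checks matters: the anti-spoofing test runs before the connection-tracking lookup so that a forged internal source address can never be matched as an "established" reply, and the default-deny rule is last so that anything not explicitly permitted is dropped.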

How to fail? Posting the Wi-Fi password for your internal network in an area that non-employees can see. Not using a firewall.

Reference

• FAR Clause 52.204-21 b.1.x
• NIST SP 800-171 Rev 1 3.13.1
• NIST CSF v1.1 PR.PT-4
• NIST SP 800-53 Rev 4 SC-7
• UK NCSC Cyber Essentials
