Welcome to our comprehensive guide to System & Communications Protection (SC) for CMMC Level 2.0. This guide is tailored for small to medium-sized businesses and DoD contractors. In this guide, you’ll find practical insights and easy instructions on how to secure your IT systems and communications, ensuring compliance with CMMC Level 2.0 requirements and safeguarding Controlled Unclassified Information (CUI) vital to your operations.
From boundary protection in CMMC frameworks to enforcing network communication by exception, we break down the complexities of CMMC encryption requirements into clear, actionable steps. These measures are integral to achieving robust security controls, protecting both your business and your clients.
If you need tailored support on System & Communications Protection compliance for DoD or any other CMMC requirement, book a free consultation with our experts Now.
“Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.”
Level Of Effort: Medium
In typical companies, protections for various boundaries are set up as follows:
Network: Configured with firewalls according to recommendations in our CMMC guides.
Computers: Set up in line with guidance from other sections of our guides.
Cloud systems: Configured following advice from this guide.
Email: Secure email systems with:
Inbound spam filtering.
Sandbox for unknown attachments or URLs (like in Microsoft 365 Defender).
Outbound spam filtering.
Anti-spoofing protection. This includes SPF, DKIM, and DMARC.
SC.L1-3.13.5 – PUBLIC-ACCESS SYSTEM SEPARATION
“Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.”
Level Of Effort: Medium
This section is only if you have systems on the Internet that handle CUI. For instance, you might have a client or vendor portal sharing CUI. Or, you could have a system that lets people outside your office (like employees on their cell phones) access CUI systems while traveling.
If this is relevant to you, this control is about making sure your public systems, like apps with CUI or your email server (if you host it), are separate from your internal network. It's important that no attacker can access these public servers and then move through your company's systems.
Recommendations:
Talk to I.T. About Keeping Systems Apart: Work with your I.T. team to figure out the best ways to keep systems with CUI safe from public internet access. This can be done in a few ways:
Physical separation: Use different network equipment for the public-facing servers (like your website) and your internal servers (like your company's main systems).
Logical separation: Set up separate areas (called VLANs) in your network for public servers.
Create a DMZ (Demilitarized Zone): Make a special protected area in your network (called a DMZ) that keeps your public servers isolated and controls any access to your main network.
Evidence:
Network diagram: Have a diagram that shows how your public network (like your website) is kept separate from your main company network.
List of subnetworks/VLANs: Keep a list of all subnets or VLANs you have and the rules about how they're kept apart.
DMZ settings screenshots: Save pictures of your DMZ settings, showing how it helps keep your public and internal networks separate.
SC.L2-3.13.2 – SECURITY ENGINEERING
“Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.”
Level Of Effort: Medium
This control is about ensuring your organization includes strong security from the start in all its systems. When you're making new systems or updating old ones, use secure design methods. These methods make your I.T. setup tough against hackers.
Does your company make any software? If so, you need a written process to check the security architecture of your software and hardware.
“Prevent unauthorized and unintended information transfer via shared system resources.”
Level Of Effort: None
If you are using a modern operating system (e.g., Windows 10 or 11, macOS 12 or 13), this requirement should be automatically addressed.
SC.L2-3.13.6 – NETWORK COMMUNICATION BY EXCEPTION
“Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).”
Level Of Effort: High
This control is about keeping your network safe by blocking all network traffic (both coming in and going out) unless it's allowed. It's like having a strict rule where only certain, approved types of communication can happen. This helps prevent unwanted or unsafe internet traffic from getting into or out of your network.
Recommendations:
Set up your firewall with IT: Work with your I.T. team to configure your firewall correctly.
Default to 'deny all' rule: Make sure your firewall is set to block all traffic by default, both coming in and going out. Setting up the block for outbound traffic might be a bit tricky, so work carefully on this.
Evidence:
Firewall configuration proof: Keep screenshots of your firewall settings that show the 'Deny All' rule and any allowed exceptions, along with system logs.
External network scan results: Periodically scan your network from outside to confirm your firewall is correctly blocking everything by default.
Pro Tip:When blocking outbound traffic, it can be tricky. Ask your I.T. team if they have tools to check which outbound ports have been used lately. If not, you might need to block ports bit by bit (like 5,000 - 10,000 at a time) and watch to see if it causes any problems.
SC.L2-3.13.7 – SPLIT TUNNELING
“Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.”
Level Of Effort: Low
This control is about making sure devices like laptops and phones don’t connect to your CUI and the public Internet at the same time. This matters because your company's network has safety features like firewalls, but direct Internet connections might not.
Recommendations:
Adjust VPN settings to stop split tunneling: Work with your I.T. team to set up your VPN (Virtual Private Network) so it doesn’t allow devices to access both your network and the Internet at the same time.
Evidence:
VPN configuration screenshots: Keep screenshots of your VPN settings that show split tunneling is disabled. This is your proof that you've configured the network to prevent this dual access.
SC.L2-3.13.8 – DATA IN TRANSIT
“Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.”
Level Of Effort: Low
This section says you need to use encryption or strong physical protection to keep Controlled Unclassified Information (CUI) safe when sending it somewhere.
Here are some common examples of this:
If sending CUI by email, use a secure email service with end-to-end encryption, which is typically built into Microsoft 365.
If using an FTP client for CUI, only use Secure FTP (SFTP).
If sharing CUI through a file-sharing site, ensure it's approved for CUI. Options include Preveil or CocoonData, which cost around $15 per user each month.
If shipping CUI, use methods to prevent and spot tampering, like locked boxes, shipping logs, tracking, and tamper-proof packaging.
“Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.”
Level Of Effort: Low
To keep your company's network safe, it's important to set up automatic disconnection for network connections. This should happen when someone finishes using them or if they've been inactive for some time. This prevents a computer that's not being used or left alone from staying connected to the network, which can be risky.
Recommendations:
Set up remote access to turn off by itself: Adjust your remote access, which is part of AC.L2-3.1.12 – CONTROL REMOTE ACCESS, to log off after no one’s been using it for a set time.
Computers should log off when not in use: Your computers should also disconnect from the network if they’re not active for a certain amount of time. This is part of setting up your computer’s basic security settings, mentioned in CM.L2-3.4.1 – SYSTEM BASELINING.
Evidence:
Remote access settings screenshots: Keep screenshots of the settings that show how the remote access will log off by itself after not being used.
Computer security settings document: Have a document that lists your computer security settings, including the auto log-off feature for when they’re not being used.
SC.L2-3.13.10 – KEY MANAGEMENT
“Establish and manage cryptographic keys for cryptography employed in organizational systems.”
Level Of Effort: Medium
This section is about making sure cryptographic keys are made, stored, and handled securely.
For many businesses, this is automatically done by their service providers. For example, Microsoft 365 takes care of its encryption keys for things like email, OneDrive, and SharePoint, so you don't need to do anything extra.
But, some companies will need their I.T. teams to do things like:
Create a secure process for making cryptographic keys. Keep the whole process safe from unauthorized access to ensure the keys stay confidential and intact.
Make an inventory of all encryption keys. For instance, you might use them on your RADIUS server for Wi-Fi login or push them to computers for easy login. You could also have custom apps with your encryption keys. Remember to list both self-signed keys and those from a Certificate Authority.
Don't forget about backup encryption keys, which many companies make themselves.
Think about using a secret management tool. CyberArk, Delinea, and Azure Key Vault (for Azure customers) are options for safely storing encryption keys.
For Microsoft 365 users with higher tier plans, consider the "Customer Key" feature. This lets you use your own encryption keys instead of relying on Microsoft.
This control will need a lot of help from your I.T. team, and possibly a senior engineer, as it can get pretty complex.
SC.L2-3.13.11 – CUI ENCRYPTION
“Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.”
Level Of Effort: Low
When protecting CUI, your business needs special encryption that meets certain standards. The tools and methods should follow Federal Information Processing Standard (FIPS) 140-1 or FIPS 140-2 standards. This is crucial because these standards ensure that the encryption is strong and trustworthy. Note that FIPS 140-2 validated firewall and network equipment can be quite expensive, often starting at over $1,000, and you may need to pay your I.T. company for upgrades.
Recommendations:
FIPS 140-2 validation for networking gear: All your network equipment, like firewalls and routers, should meet the FIPS 140-2 standards. You can confirm this by checking on the NIST website.
Check encryption algorithms for FIPS 140-2 compliance: Consult with your development team to ensure that all encryption algorithms you use (identified in your SC.L2-3.13.10 – KEY MANAGEMENT inventory) are also FIPS 140-2 validated.
Evidence:
Update your System Security Plan (SSP): Keep your SSP up to date with details about your FIPS 140-2 validated network gear.
Screenshots of FIPS validations: Save screenshots as proof that your networking equipment and encryption algorithms are FIPS 140-2 validated.
SC.L2-3.13.12 – COLLABORATIVE DEVICE CONTROL
“Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.”
Level Of Effort: Low
In this section, we focus on two major security actions. First is preventing devices like network cameras and microphones from being remotely activated. The second is making sure users know when these devices are active, e.g. notification light or on-screen notification.
Recommendations:
Notify Users When Cameras or Microphones are Active:
Set up devices so that they show an indicator light or on-screen notification when a camera or microphone is in use. For example, you can configure this setting on Windows computers, which is available as a Group Policy Object (GPO).
Put up paper notices in areas where cameras or microphones are installed.
Lock access to areas where these devices are operating.
Disable Remote Activation for Conference Room Cameras and Microphones:
If you have cameras or microphones in conference rooms, configure them so they can’t be turned on remotely. This step might not be necessary if you don’t use such devices in your conference rooms.
Evidence:
Device Configuration Screenshots: Keep screenshots of the settings you've configured to show when cameras or microphones are in use and to disable remote activation.
Photos of Notices and Locked Areas: Have photos showing the paper notifications and any areas that are locked to control access to these devices.
"Mobile code" isn't just about smartphones. It's about apps that let programs work on different systems. Examples include Java, ActiveX, Adobe Flash, Adobe Shockwave, and Adobe Air. You should only have these on your computers if they're needed for your business. NIST offers detailed advice on managing them, but the main point is to handle these programs with care.
Recommendations:
Find and review mobile code use: Check your systems for mobile code applications. Remove them unless there are legitimate business reasons for allowing the code.
Set up approval for mobile code: Create a clear process for when it’s okay to use these types of software. They should only be allowed for valid business reasons.
Block unneeded mobile code: Work with your I.T. team to find the best way to stop mobile code from running if it's not authorized. This depends on your existing systems.
Enable Microsoft attack surface reduction on Windows: This feature reduces the risk of scripts like Javascript and VBScript causing harm.
Evidence:
Software inventory and scan reports: Keep a list of the software on your systems and reports from vulnerability scans. These show what mobile code is installed and that any unauthorized code isn’t running.
Documentation of approval process: Have a written policy for how exceptions to mobile code restrictions are approved.
Configuration screenshots: Save screenshots of your settings that block mobile code and of the Microsoft Attack Surface Reduction, if you use Windows.
SC.L2-3.13.14 – VOICE OVER INTERNET PROTOCOL
“Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.”
Level Of Effort: Medium
This rule is about managing and keeping an eye on how VoIP (Voice over Internet Protocol) tech is used in a company. The goal is to reduce dangers like people listening in or pretending to be someone else. This is done by setting rules for using VoIP and always watching how it's used.
Recommendations:
Secure your VoIP system: Ensure your VoIP system uses good encryption for all voice calls and control signals.
Use extra security for admins: Anyone who has administrative access to your VoIP system should use MFA. This adds another step to make sure they’re the right person.
Regularly update your VoIP software: Have a schedule for updating your VoIP system to get the latest security updates.
Record VoIP activity: Make sure all records of VoIP use are sent to MDR solutions, as required by AU.L2-3.3.1 – SYSTEM AUDITING.
Evidence:
VoIP configuration screenshots: Keep pictures of your VoIP settings that show you have the right security features like encryption and MFA.
Check VoIP security guidelines: It's a good idea to make sure your I.T. team or whoever provides your VoIP service knows about and follows the official guidelines for keeping VoIP systems safe.
SC.L2-3.13.15 – COMMUNICATIONS AUTHENTICITY
“Protect the authenticity of communications sessions.”
Level Of Effort: Medium
This control is about making sure all the communication in your company, like emails or file sharing, is real and secure. It's to stop risks like someone getting into your communications or putting fake information in them. This ensures that when two systems or people are talking to each other, they can trust it's safe and real.
Recommendations:
Ensure secure communication settings with I.T. team: Work with your IT team to set up secure communication on all systems or networks that handle CUI.
This includes:
Using SMBv3 for file server traffic
VPN traffic is encrypted.
Securing network traffic with SMBv3.
Protecting command lines with SSH.
Using HTTPS/TLS for all web traffic.
Keeping WiFi safe with WPA2 or WPA3.
Transferring files with SFTP or SCP.
Using Kerberos for authentication.
Note: SMBv3 stands for Server Message Block 3.0, which is how your network communicates with itself. SMBv3 specifically includes security features like end-to-end encryption.
Evidence:
Screenshots of secure settings: Keep pictures of your computer settings that show these security measures.
Vulnerability scanner confirmations: Use a scanner to check things like if you're using the right SMB version (SMBv3). This helps confirm your network is communicating securely.
