We continue our discussion of the Practices within CMMC, Level 1, with the next Domain, System and Communication Protection (SC). Within this Domain, there are 2 capabilities and 2 practices for Level 1 compliance. System and Communications Protection activities ensure the organization is actively identifying, managing, and controlling all system and communication channels that store or transit controlled, unclassified information. (CUI). The two Capabilities within the System and Communications Protection Domain include: 1. Define security requirements for systems and communications and, 2. Control communications at system boundaries. Both practices within the (SC) Domain fall under the Capability – Control Communications at System Boundaries – (C039).
The first Practice within the System and Communications Protection Domain is, SC.1.175: Monitor, control, and protect organizational communications (i.e., Information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems. The following content comes directly from the CMMC, Appendix B on pages, B-205-206 (Pg. 245-246 in the PDF).
Discussion from Source: NIST SP 800-171, R2
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces and organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces and organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses.
Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third-party provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST SP 800-41 provides guidance on firewalls and firewall policy. NIST SP 800-125B provides guidance on security for virtualization technologies.
Just as your office or plant has fences and locks for protection from the outside, and uses badges and key cards to keep non-employees out, your company’s IT Network or system has boundaries that must be protected. Many companies use a web proxy and a firewall.
When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf, looks at the web request, and decides if it should let the employee go to the website.
A firewall controls access from the inside and outside, protecting valuable information and resources stored on the company’s network. A firewall stops unwanted traffic on the internet from passing through an outside “fence” to the company’s networks and information systems.
If your company is large enough, you might want to monitor, control, or protect one part of the company enterprise/network from the other. This can also be done with a firewall. You may want to do this to stop adversaries, hackers, or disgruntled employees from entering your network and causing damage.
You are setting up the new network for your company, and want to keep the company’s information and resources safe. You make sure to buy a router – a hardware device that routes data from a local area network (LAN) to another network connection – with a built-in firewall, then configure it to limit access to trustworthy sites. Some of your coworkers complain that they cannot get onto certain websites. You explain that the new network blocks websites that are known for spreading malware.
Our next entry will explore the second Practice within the System and Communications Protection Domain, SC.1.176 – Implement sub-networks for publicly accessible system components that are physically or logically separated from internal networks.
Mark Lupo, MBCP, SMP