Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

CMMC Clarification

Just as your office or plant has fences and locks for protection from the outside, and uses badges and keycards to keep non-employees out, your company’s IT network or system has boundaries that must be protected. Many companies use a web proxy and a firewall. Web Proxy: When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf, looks at the web request, and decides if it should let the employee go to the website. Firewall: A firewall controls access from the inside and outside, protecting valuable information and resources stored on the company’s network. A firewall stops unwanted traffic on the internet from passing through an outside “fence” to the company’s networks and information systems. If your company is large enough, you might want to monitor, control, or protect one part of the company enterprise/network from the other. This can also be done with a firewall. You may want to do this to stop adversaries, hackers, or disgruntled employees from entering your network and causing damage. Cybersecurity Example You are setting up the new network for your company, and want to keep the company’s information and resources safe. You make sure to buy a router—a hardware device that routes data from a local area network (LAN) to another network connection—with a builtin firewall, then configure it to limit access to trustworthy sites. Some of your coworkers complain that they cannot get onto to certain websites. You explain that the new network blocks websites that are known for spreading malware.

800-171 Description

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

800-171 Discussion

Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. [SP 800-41] provides guidance on firewalls and firewall policy. [SP 800-125B] provides guidance on security for virtualization technologies.

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-7

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.1

Applicable FAR Clause

FAR Clause 52.204-21 b.1.x

NIST CSF Control Reference


CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

UK NCSC Cyber Essentials

AS ACSC Reference


Assessment Sub-Criteria 1

SC.1.175.[a] the external system boundary is defined;

Assessment Sub-Criteria 2

SC.1.175.[b] key internal system boundaries are defined;

Assessment Sub-Criteria 3

SC.1.175.[c] communications are monitored at the external system boundary;

Assessment Sub-Criteria 4

SC.1.175.[d] communications are monitored at key internal boundaries;

Assessment Sub-Criteria 5

SC.1.175.[e] communications are controlled at the external system boundary;

Assessment Sub-Criteria 6

SC.1.175.[f] communications are controlled at key internal boundaries;

Assessment Sub-Criteria 7

SC.1.175.[g] communications are protected at the external system boundary; and

Assessment Sub-Criteria 8

SC.1.175.[h] communications are protected at key internal boundaries.

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15