Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Isolate administration of organizationally defined high-value critical network infrastructure components and servers.

CMMC Clarification

Where the organization has identified high value critical network infrastructure used in the processing and management of CUI data, they will physically or logically isolate management these systems from their production network, such as through the use of an Out-of-Band network. Access controls are implemented to prevent non-authorized users from accessing the management network and changing the configuration of an infrastructure component processing CUI information. Example 1 You are responsible for security architecture and are asked to build and secure a network enclave to support a large project processing CUI data from two facilities in your organization. The architecture you designed to support this project has a workgroup switch in each location connected to a firewall to the Internet. The management interfaces on the two switches and the firewall are all connected to the Out-of-Band (OOB) management network that is air-gapped from the rest of the company and the Internet. Example 2 You have created VLANs that are used to access the management interface of all the network switches and the servers in the data center. These VLANs are isolated from the rest of the organization’s network so only the network engineers and server administrators can manage these devices from their offices or a Bastion Host server you set up.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Organizations apply systems security engineering concepts and principles to identify the high value critical network infrastructure components in their network. High value critical systems are those that if compromised could lead to unauthorized access, use, modification or destruction of large amounts of CUI. Examples include boundary protection systems (e.g., routers, firewalls, intrusion protection and detection systems), critical infrastructure servers (e.g., domain, policy, certificate) and key servers processing CUI (e.g., file, mail, collaboration applications) Securing administration, the ability to alter the configuration of these components, includes delineating physical and logical security boundaries between the data and management interfaces such as through the use of an Out-of-Band network. NIST Special Publication 800-160 provides guidance on systems security engineering.

CIS Control References

CIS Controls v7.1 11.7, 14.1

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SA-8

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference


CERT RMM Reference

Modification of NIST 800-171B Reference

CMMC modification of NIST SP 800-171 Rev 1 3.13.2

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15