Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Employ organizationally defined and tailored boundary protections in addition to commercially available solutions.

CMMC Clarification

Organizations shall tailor the configuration and function of one or more of their boundary protection systems so it will mitigate (protect or detect) attack activities in some manner not typical of commercial security solutions. This can range from an internally developed security solution to just custom configurations and signatures. Example 1 You manage the organization’s Intrusion Prevention System (IPS) system. You analyzed several phishing emails containing malware scripts and noticed similarities between them. You create a custom rule in the IPS to monitor for and block emails that matched this signature. Example 2 You are the network security manager for the company. You are responsible for checking the vendor signatures on the IPS and checking that sandboxing appliances are being updated automatically. You write custom rules to alert on zero-day vulnerabilities the ND-ISAC has reported.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Advanced adversaries study and analyze standard commercial security solutions and standard configurations of those systems. They develop and test attack techniques that will not be mitigated by those solutions. Tailoring protections forces the adversary to confront a security solution or configuration that they have not seen anywhere else. They will not have developed a way around it.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived


NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15