3.13.1

Requirement

a. Monitor and control communications at external managed interfaces to the system and key internal managed interfaces within the system.
b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
c. Connect to external systems only through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.

Discussion

Managed interfaces include gateways, routers, firewalls, network-based malicious code analysis, virtualization systems, and encrypted tunnels implemented within a security architecture. Subnetworks that are either physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: system and communications protection policy and procedures; procedures for boundary protection; list of key internal boundaries within the system; boundary protection hardware and software; system configuration settings; security architecture; system audit records; system design documentation; system security plan; other relevant documents or records]
Interview

[SELECT FROM: mechanisms for implementing boundary protection capabilities]
Test

[SELECT FROM: personnel with boundary protection responsibilities; personnel with information security responsibilities; system developers; system administrators]

ID	Assessment Objectives
A.03.13.01.a[01]	communications at external managed interfaces to the system are monitored.
A.03.13.01.a[02]	communications at external managed interfaces to the system are controlled.
A.03.13.01.a[03]	communications at key internal managed interfaces within the system are monitored.
A.03.13.01.a[04]	communications at key internal managed interfaces within the system are controlled.
A.03.13.01.b	subnetworks are implemented for publicly accessible system components that are physically or logically separated from internal networks.
A.03.13.01.c	external system connections are only made through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!