Are you prepared to continue to progress on yourCyber security Maturity Model Certification (CMMC) journey? The fifth domain in the CMMC Level 1 requirements is System and Communications ProtectionThe primary focus of this practice is to control communications at system boundaries. In this post, we will build on our knowledge of the domains and practices of Level 1, with a focus on the first practice in System and communication protection, SC.1.175. 

What is a CMMC Assessment? 

A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21). 

What is System and communication Protection – SC.1.175? 

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of information systems. Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational systems. Boundary components include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within system security architecture (e.g., routers protecting firewalls or application gateways residing on protected sub networks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions. NIST SP 800-41 provides guidance on firewalls and firewall policy. SP 800-125B provides guidance on security for virtualization technologies. 

What are the SC.1.175 Assessment Objectives and Objects? 

Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessmentobjects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals). 

SC.1.175 assessment objectives: The external system boundary is definedKey internal system boundaries are definedCommunications are monitored at the external system boundaryCommunications are monitored at key internal boundariesCommunications are controlled at the external system boundaryCommunications are controlled at key internal boundariesCommunications are protected at the external system boundary​.Communications are protected at key internal boundaries. 

SC.1.175 assessment objects:A C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements. 

What are the Assessment Methods forSC.1.175? 

Assessment methods define the nature and extent of assessors’ actions (e.g., examining, interviewing, and testing). They are outlined below for SC.1.175 

Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. In regards  to SC.1.175 a C3PAO may examineSystem and Communications protection policy. List of key internal boundaries of the system. System design documentation. Boundary protection hardware and software​Enterprise security Architecturedocumentation​. System audit logs and records​. System configuration settings and associated documentation. Other relevant documents or records. 

Interview: This method refers to the process of holding discussions with individuals or   groups to facilitate understanding,  achieve clarification, or obtain evidence. A C3PAO may interview System or network administrators. Personnel with information security responsibilities. System developers​. Personnel with boundary protection responsibilities. 

Inspect: This method is the process of exercising assessment objects under specified conditions to compare actual behavior  with expected behavior. All assessment objects that a C3PAO can examine for SC. 1.175 are mechanisms implementing boundary protection capability. 

How Do I know if I’m Complying to the SC.1.175 Practice? 

System and Communications Protection is a domain that builds upon the concepts of Access Control, and establishes some more specifics that require attention. You may already have made progress and set measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be wary of what C3PAO’s might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you better your standing towards compliance, and take you one step closer in achieving CMMC Level 1 certification.