Monitor, control, and protect communications at network boundaries
Network communications entering and leaving your environment must be monitored and controlled. Without boundary protection, any internet-connected device can attempt to communicate with your internal systems, and malware or attackers that gain a foothold can communicate freely with external command-and-control infrastructure. Firewalls, intrusion detection systems, and network monitoring at the perimeter are the primary mechanisms for boundary protection.
Implementation steps
1. Deploy and configure a perimeter firewall
Implement a stateful firewall at every point where your network connects to the internet or to untrusted external networks. Configure a default-deny posture: block all traffic that is not explicitly permitted. Permit only the inbound and outbound traffic required for business operations, and document the rationale for each permitted rule.
Related tools: palo-alto, cisco-asa, fortinet, aws-security-groups, azure-firewall

2. Monitor traffic at boundaries
Configure logging for firewall events: allowed connections, denied connections, and anomalous traffic. Send the logs to a central logging system. Consider deploying an intrusion detection or prevention system (IDS/IPS) to identify attack patterns in network traffic. Review boundary logs regularly for signs of reconnaissance, unusual outbound connections, or lateral movement.
Related tools: splunk, datadog, elastic, aws-guardduty, palo-alto

3. Restrict outbound communications
Do not allow unrestricted outbound internet access from systems handling FCI (Federal Contract Information). Define the permitted outbound destinations and block all others. Proxy outbound web traffic through an inspecting proxy to identify and block connections to malicious domains. This limits the ability of malware to phone home and reduces the risk of data exfiltration.
Related tools: zscaler, cisco-umbrella, palo-alto, bluecoat

4. Periodically review and clean up firewall rules
Firewall rule sets accumulate stale rules over time. Conduct periodic reviews (at least annually) to identify and remove rules that are no longer needed, rules that are overly permissive, and rules without a documented justification. Stale rules expand your attack surface without providing business value.
Related tools: algosec, firemon, tufin
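The following Python script is an added example, not part of the original page or of any listed vendor's tooling: it applies the review criteria from steps 1 and 4 (a final default-deny rule, a documented justification for every allow, no overly permissive allows, no stale rules) to a constructed rule set. The Rule layout, the 365-day staleness threshold and the sample rules are assumptions, not any product's export format.

```python
# Added example (not from the page): audit a firewall rule set for the points
# the implementation steps call for. The Rule layout, the staleness threshold
# and the sample rules below are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    ports: str                  # e.g. "443", "1024-65535", or "any"
    justification: str          # documented business rationale; "" if missing
    last_hit: Optional[date]    # last time the rule matched traffic; None = never

ANY = ("any", "any", "any")

def audit_rules(rules: List[Rule], today: date, stale_after_days: int = 365) -> List[Tuple[str, str]]:
    findings = []
    # Rules are evaluated top-down, so the last rule must be the catch-all deny.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst, last.ports) != ANY:
        findings.append(("<ruleset>", "no final default-deny rule"))
    for r in rules:
        if r.action != "allow":
            continue
        if not r.justification.strip():
            findings.append((r.name, "allow rule without documented justification"))
        if (r.src, r.dst, r.ports) == ANY:
            findings.append((r.name, "overly permissive: any/any/any allow"))
        if r.last_hit is None or (today - r.last_hit).days > stale_after_days:
            findings.append((r.name, f"stale: no match in {stale_after_days} days"))
    return findings

# Constructed sample rule set: one clean rule, one undocumented stale rule,
# one any/any/any allow that should never have survived review.
TODAY = date(2024, 6, 1)
SAMPLE_RULES = [
    Rule("web-inbound", "allow", "any", "10.0.1.10/32", "443",
         "Public HTTPS for customer portal", TODAY - timedelta(days=1)),
    Rule("legacy-ftp", "allow", "any", "10.0.1.20/32", "21", "",
         TODAY - timedelta(days=700)),
    Rule("temp-vendor", "allow", "any", "any", "any",
         "Temporary vendor access", TODAY - timedelta(days=3)),
    Rule("default-deny", "deny", "any", "any", "any", "Catch-all deny", TODAY),
]

def sample_findings() -> List[Tuple[str, str]]:
    return audit_rules(SAMPLE_RULES, TODAY)
```

Each finding names the rule and the criterion it fails, which maps directly onto the "rule export" and "documented justification" evidence the assessor asks for.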
Evidence required
Firewall configuration
Evidence of a perimeter firewall with a default-deny rule set.
- Firewall rule export showing default deny
- Network security group configuration
- Firewall architecture diagram
Boundary monitoring configuration
Evidence that traffic at network boundaries is logged and monitored.
- Firewall log configuration showing log destination
- IDS/IPS deployment evidence
- Security monitoring dashboard
Network diagram
A current diagram showing network boundaries and where boundary protection controls are deployed.
- Network architecture diagram
- Data flow diagram with firewall placement