All 16 controls in this family are listed below.
Monitor, control, and protect communications (e.g., transmitted/received data) at both external and key internal system boundaries to prevent unauthorized transmission or exposure.
SC-7: Monitor and control communications at system boundaries
SC-8: Protect communications (in transit) using secure protocols and cryptographic methods
Microsoft 365 E5 (or GCC High E5 for CUI) — Enforces boundary protections through Defender for Endpoint, Microsoft Purview Information Protection, and Transport Layer Security (TLS) with Microsoft Exchange and Teams.
Apply system architecture and engineering principles (e.g., layered defense, least privilege, modularity) to strengthen information security within the system environment.
SC-7: Monitor and control communications at external boundaries and key internal boundaries
SA-8: Establish baseline security configurations and ensure use of secure coding practices and validated cryptographic methods
Microsoft 365 E5 (or GCC High E5 for CUI) — includes Microsoft Defender for Endpoint, Entra ID Conditional Access, and secure network perimeter configurations via the Microsoft 365 Security and Compliance Center.
Architect systems to separate user functionalities (e.g., email, web browsing) from administrative or system management functions, reducing attack surfaces and limiting access exposure.
SC-2: Separate system components and functions by role and access need (e.g., least privilege, separation of duties).
Microsoft 365 E5 (or GCC High E5 for CUI), with Defender for Endpoint and role-based access policies in Microsoft Entra ID (formerly Azure AD).
Implement safeguards to prevent unauthorized or unintended information transfer via shared resources such as memory, buffers, network interfaces, and storage.
SC-4: The system must prevent information leakage via shared system resources between different users, processes, or tenants.
Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Endpoint, Microsoft Purview Information Protection, and optionally Intune/Endpoint Manager to enforce policy isolation.
Implement boundary protection by deploying subnetworks (DMZs or screened subnets) for publicly accessible system components, isolating them logically or physically from internal networks.
SC-7: Boundary Protection — Monitor and control communications at external and key internal boundaries.
Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Cloud and Azure Firewall/NVA enforcement for isolation.
Configure systems to deny network communications traffic by default and explicitly authorize only necessary traffic (i.e., apply a deny-by-default, permit-by-exception policy at boundary protection devices).
SC-7(5): Deny all network traffic by default and allow only explicitly authorized flows.
Microsoft 365 E5 or GCC High E5 for CUI. Enforced through Microsoft Defender for Endpoint, Microsoft Defender for Cloud, and Microsoft Intune (Network Protection + Application Control).
Prevent remote devices from concurrently connecting to organizational systems and external networks (i.e., prohibit split tunneling), unless explicitly authorized and protected by security policy and compensating controls.
SC-7(7): Prevent split tunneling to protect data from exposure via unsecured connections.
Microsoft 365 E5 or GCC High E5 for CUI. Recommended components include Microsoft Intune (VPN and conditional access configuration), Defender for Endpoint (VPN enforcement), and Azure AD Conditional Access (device-based controls).
Employ cryptographic mechanisms to protect the confidentiality of CUI during transmission, unless it is protected by alternative physical safeguards.
SC-12: Cryptographic Key Establishment
SC-13: Cryptographic Protection
SC-17: Public Key Infrastructure (PKI) Certificates
SC-28: Protection of Information at Rest
SC-28(1): Use of FIPS-validated cryptography
SC-12 and SC-13 replace the outdated SA-8 reference used in older mappings.
Microsoft 365 E5 (or GCC High E5 for CUI), including support for TLS 1.2/1.3 encryption, Microsoft Purview Message Encryption, and FIPS 140-2 validated components in GCC High environments.
Terminate network connections associated with communications sessions either upon session completion or after a defined period of organizationally specified inactivity.
SC-10: Network Disconnect
SC-10(1): Terminate sessions after a configurable period of inactivity to prevent unauthorized access or misuse.
Microsoft 365 E5 (or GCC High E5 for CUI), with Conditional Access Policies and session control features in Microsoft Defender for Cloud Apps.
Establish and manage cryptographic keys for cryptographic protections used in organizational systems, in accordance with key management policies and procedures.
SC-12: Cryptographic Key Establishment
SC-12(1): Use of Approved Key Management Standards
SC-12(2): Protection of Key Establishment Parameters
Microsoft 365 E5 (or GCC High E5 for CUI), including Microsoft Purview Information Protection and Azure Key Vault for cryptographic key management.
Use cryptographic methods that are FIPS 140-3 (or 140-2) validated when protecting the confidentiality of Controlled Unclassified Information (CUI).
SC-12: Cryptographic Key Establishment
SC-13: Cryptographic Protection
SC-28: Protection of Information at Rest
SC-12(3): Use of FIPS-validated cryptography
Microsoft 365 E5 (or GCC High E5 for CUI), with Microsoft Purview Information Protection and BitLocker enabled for endpoint encryption.
Restrict remote activation of collaborative computing devices (e.g., microphones, webcams) and ensure users are notified when such devices are in use.
SC-15: Collaborative Computing Devices
Microsoft 365 E5 (or GCC High E5 for CUI), including Microsoft Defender for Endpoint and Microsoft Intune to manage device control and enforce user presence verification.
Control and monitor the use of mobile code.
SC-18: Establish security measures for executing mobile code (e.g., JavaScript, ActiveX, Flash)
Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps to apply application control and script execution governance.
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
No direct mapping in Rev. 5; SC-19 was removed.
However, SC-7: Boundary Protection and SC-12: Cryptographic Key Establishment may provide partial alignment for secure VoIP implementations.
Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Identity, Defender for Endpoint, and Microsoft Teams with configured compliance boundaries (e.g., Conditional Access, MCAS session policies).
Protect the authenticity of communications sessions.
SC-23: Session Authenticity
Microsoft 365 E5 with Defender for Endpoint (Plan 2) and Microsoft Purview for audit capability and session integrity. For CUI, GCC High E5 is valid.
Protect the confidentiality of CUI at rest.
SC-28: Protect data at rest using encryption and access controls
Microsoft 365 E5 (or GCC High E5 for CUI)