System & Communication Protection (SC): Securing Networks & Data Transfers

All 16 controls of this family from the NIST SP 800-171 R2 Guide are listed below.

3.13.1

Monitor, control, and protect communications (e.g., transmitted/received data) at both external and key internal system boundaries to prevent unauthorized transmission or exposure.

NIST 800-171 Control Identifier: 3.13.1
CMMC Control Identifier: SC.L1-3.13.1
Control CMMC Level: 1
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

SC-7: Monitor and control communications at system boundaries

SC-8: Protect communications (in transit) using secure protocols and cryptographic methods

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) — Enforces boundary protections through Defender for Endpoint, Microsoft Purview Information Protection, and Transport Layer Security (TLS) with Microsoft Exchange and Teams.

3.13.2

Apply system architecture and engineering principles (e.g., layered defense, least privilege, modularity) to strengthen information security within the system environment.

NIST 800-171 Control Identifier: 3.13.2
CMMC Control Identifier: SC.L2-3.13.2
Control CMMC Level: 2
Basic or Derived Security: Basic

Relevant NIST SP 800-53 R5

SC-7: Monitor and control communications at external boundaries and key internal boundaries

SA-8: Establish baseline security configurations and ensure use of secure coding practices and validated cryptographic methods

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) — includes Microsoft Defender for Endpoint, Entra ID Conditional Access, and secure network perimeter configurations via Microsoft 365 security and compliance center.

3.13.3

Architect systems to separate user functionalities (e.g., email, web browsing) from administrative or system management functions, reducing attack surfaces and limiting access exposure.

NIST 800-171 Control Identifier: 3.13.3
CMMC Control Identifier: SC.L2-3.13.3
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-2: Separate system components and functions by role and access need (e.g., least privilege, separation of duties).

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI), with Defender for Endpoint and role-based access policies in Microsoft Entra ID (formerly Azure AD).

3.13.4

Implement safeguards to prevent unauthorized or unintended information transfer via shared resources such as memory, buffers, network interfaces, and storage.

NIST 800-171 Control Identifier: 3.13.4
CMMC Control Identifier: SC.L2-3.13.4
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-4: System must prevent information leakage via shared system resources between different users, processes, or tenants.

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Endpoint, Microsoft Purview Information Protection, and optionally Intune/Endpoint Manager to enforce policy isolation.

3.13.5

Implement boundary protection by deploying subnetworks (DMZs or screened subnets) for publicly accessible system components, isolating them logically or physically from internal networks.

NIST 800-171 Control Identifier: 3.13.5
CMMC Control Identifier: SC.L2-3.13.5
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-7: Boundary Protection — Monitor and control communications at external and key internal boundaries.

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Cloud and Azure Firewall/NVA enforcement for isolation.

3.13.6

Configure systems to deny network communications traffic by default and explicitly authorize only necessary traffic (i.e., apply default deny, permit by exception policy at boundary protection devices).

NIST 800-171 Control Identifier: 3.13.6
CMMC Control Identifier: SC.L2-3.13.6
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-7(5): Deny all network traffic by default and allow only explicitly authorized flows.

Recommended Microsoft Licensing

Microsoft 365 E5 or GCC High E5 for CUI. Enforced through Microsoft Defender for Endpoint, Microsoft Defender for Cloud, and Microsoft Intune (Network Protection + Application Control).

3.13.7

Prevent remote devices from concurrently connecting to organizational systems and external networks (i.e., prohibit split tunneling), unless explicitly authorized and protected by security policy and compensating controls.

NIST 800-171 Control Identifier: 3.13.7
CMMC Control Identifier: SC.L2-3.13.7
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-7(7): Prevent split tunneling to protect data from exposure via unsecured connections.

Recommended Microsoft Licensing

Microsoft 365 E5 or GCC High E5 for CUI. Recommended components include Microsoft Intune (VPN and conditional access configuration), Defender for Endpoint (VPN enforcement), and Azure AD Conditional Access (device-based controls).

3.13.8

Employ cryptographic mechanisms to protect the confidentiality of CUI during transmission, unless it is protected by alternative physical safeguards.

NIST 800-171 Control Identifier: 3.13.8
CMMC Control Identifier: SC.L2-3.13.8
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-12: Cryptographic Key Establishment

SC-13: Cryptographic Protection

SC-17: Public Key Infrastructure (PKI) Certificates

SC-28: Protection of Information at Rest

SC-28(1): Use of FIPS-validated cryptography

SC-12 and SC-13 replace the outdated SA-8 reference from older mappings.

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI), including support for TLS 1.2/1.3 encryption, Microsoft Purview Message Encryption, and FIPS 140-2 validated components in GCC High environments.

3.13.9

Terminate network connections associated with communications sessions either upon session completion or after a defined period of organizationally specified inactivity.

NIST 800-171 Control Identifier: 3.13.9
CMMC Control Identifier: SC.L2-3.13.9
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-10: Network Disconnect

SC-10(1): Terminate sessions after a configurable period of inactivity to prevent unauthorized access or misuse.

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI), with Conditional Access Policies and session control features in Microsoft Defender for Cloud Apps.

3.13.10

Establish and manage cryptographic keys for cryptographic protections used in organizational systems, in accordance with key management policies and procedures.

NIST 800-171 Control Identifier: 3.13.10
CMMC Control Identifier: SC.L2-3.13.10
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-12: Cryptographic Key Establishment

SC-12(1): Use of Approved Key Management Standards

SC-12(2): Protection of Key Establishment Parameters

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI), including Microsoft Purview Information Protection and Azure Key Vault for cryptographic key management.

3.13.11

Use cryptographic methods that are FIPS 140-3 (or 140-2) validated when protecting the confidentiality of Controlled Unclassified Information (CUI).

NIST 800-171 Control Identifier: 3.13.11
CMMC Control Identifier: SC.L2-3.13.11
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-12: Cryptographic Key Establishment

SC-13: Cryptographic Protection

SC-28: Protection of Information at Rest

SC-12(3): Use of FIPS-validated cryptography

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI), with Microsoft Purview Information Protection and BitLocker enabled for endpoint encryption.

3.13.12

Restrict remote activation of collaborative computing devices (e.g., microphones, webcams) and ensure users are notified when such devices are in use.

NIST 800-171 Control Identifier: 3.13.12
CMMC Control Identifier: SC.L2-3.13.12
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-15: Collaborative Computing Devices

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI), including Microsoft Defender for Endpoint and Microsoft Intune to manage device control and enforce user presence verification.

3.13.13

Control and monitor the use of mobile code.

NIST 800-171 Control Identifier: 3.13.13
CMMC Control Identifier: SC.L2-3.13.13
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-18: Establish security measures for executing mobile code (e.g., JavaScript, ActiveX, Flash).

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps to apply application control and script execution governance.

3.13.14

Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

NIST 800-171 Control Identifier: 3.13.14
CMMC Control Identifier: SC.L2-3.13.14
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

No direct mapping in Rev. 5. SC-19 was removed.

However, SC-7: Boundary Protection and SC-12: Cryptographic Key Establishment may provide partial alignment for secure VoIP implementations.

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI) with Microsoft Defender for Identity, Defender for Endpoint, and Microsoft Teams with configured compliance boundaries (e.g., Conditional Access, MCAS session policies).

3.13.15

Protect the authenticity of communications sessions.

NIST 800-171 Control Identifier: 3.13.15
CMMC Control Identifier: SC.L2-3.13.15
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-23: Session Authenticity

Recommended Microsoft Licensing

Microsoft 365 E5 with Defender for Endpoint (Plan 2) and Microsoft Purview for audit capability and session integrity. For CUI, GCC High E5 is valid.

3.13.16

Protect the confidentiality of CUI at rest.

NIST 800-171 Control Identifier: 3.13.16
CMMC Control Identifier: SC.L2-3.13.16
Control CMMC Level: 2
Basic or Derived Security: Derived

Relevant NIST SP 800-53 R5

SC-28: Protect data at rest using encryption and access controls

Recommended Microsoft Licensing

Microsoft 365 E5 (or GCC High E5 for CUI).
