Practice 10 of 15 · FAR 52.204-21(b)(1)(x) · SC: System & Communications Protection

SC.L1-b.1.x

Protect the boundary of your network

Monitor, control, and protect what crosses the edges of your network. In practice for a small shop: keep a firewall on, don't expose internal systems to the public internet, and don't let inbound connections reach the FCI machine from anywhere on the open web.

Official text

Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

FAR 52.204-21(b)(1)(x), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • The office / shop firewall (router with built-in firewall, or pfSense / Sophos / Meraki) configured, with a screenshot of the rules.
  • No inbound port-forwarding to FCI machines from the public internet.
  • Microsoft Defender Firewall enabled on every Windows laptop.
  • VPN configuration for remote access, instead of exposing RDP / SSH directly to the internet.
  • A simple network diagram: ISP → firewall → internal LAN → FCI systems.

Common ways small shops fail this

  • Consumer-grade router with default admin password ("admin / admin").
  • RDP exposed directly to the public internet so the owner can remote in from home.
  • Firewall turned off on individual laptops "because it broke something."
  • Guest Wi-Fi on the same network as the FCI file server.
  • Old port-forwarding rules from a project five years ago still active.

How to fix it in a weekend

  1. Log into the firewall / router. Change the admin password. Disable any inbound rules you don't recognize.
  2. Turn off direct RDP / SSH exposure. Stand up a VPN (built-in M365 / Workspace, OpenVPN, Tailscale, Twingate) and require it for remote access.
  3. Separate Guest Wi-Fi from the company LAN (almost all business routers can do this).
  4. Turn on Defender Firewall (or equivalent) on every laptop. Confirm in Settings.
  5. Sketch a one-page network diagram and keep it with your boundary doc.
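Steps 1 and 4 can be checked and documented per laptop in one pass. The script below is an added example, not Custodia's own tooling; it assumes Windows 10/11 with the built-in NetSecurity module, an elevated PowerShell session, and takes RDP 3389 and SSH 22 as the remote-access ports to watch (chosen from this page; add others if your shop uses them).

```powershell
# Added example: gather boundary-protection evidence on a Windows laptop.
# Assumes Windows 10/11, built-in NetSecurity module, elevated session.

# 1. Confirm Defender Firewall is on for every profile (Domain/Private/Public)
#    and blocks inbound traffic by default (step 4 above).
$profiles = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$profiles | Format-Table -AutoSize
$weak = $profiles | Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
if ($weak) {
    Write-Warning "Profiles not enforcing inbound block: $($weak.Name -join ', ')"
    # Remediate: enable all profiles and make inbound-block the default.
    Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block
}

# 2. List enabled inbound ALLOW rules that open remote-access ports.
#    Ports assumed from the page: RDP 3389, SSH 22. Any hit here should
#    only be reachable over the VPN, never from the public internet (step 2).
$watch = @('3389', '22')
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
$report = foreach ($r in $rules) {
    $pf = $r | Get-NetFirewallPortFilter
    # LocalPort may be one value, an array, a range like "3389-3390", or "Any".
    # Ranges are not expanded here; they show up as-is for manual review.
    $ports = @($pf.LocalPort)
    if ($ports -contains 'Any' -or ($ports | Where-Object { $watch -contains $_ })) {
        [pscustomobject]@{
            Rule     = $r.DisplayName
            Profile  = $r.Profile
            Protocol = $pf.Protocol
            Port     = ($ports -join ',')
        }
    }
}
$report | Format-Table -AutoSize

# 3. Save both tables, timestamped, as evidence to keep with the boundary doc.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$profiles | Export-Csv -NoTypeInformation "firewall-profiles-$stamp.csv"
$report   | Export-Csv -NoTypeInformation "inbound-remote-access-rules-$stamp.csv"
```

Run it on each laptop and keep the two CSVs alongside the router screenshot from step 1; an empty remote-access report plus three "Block" profiles is the per-machine evidence an assessor looks for.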

FAQ

Do I need an enterprise firewall at Level 1?

No. A modern business-grade router with firewall capability (Ubiquiti, Meraki Go, Sophos XGS Home, even a current Netgear / TP-Link business model) is fine for L1. What matters is that it's configured, the admin password is changed, and inbound rules to FCI machines are off.

Doing all 15 yourself? Use the checklist.

Custodia's free CMMC Level 1 checklist walks the same 15 requirements with a self-assessment workflow, generates your SSP and affirmation memo, and posts your SPRS score for you.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)