System & Communications Protection
System and Communications Protection is about defending the boundaries and the data in motion: network separation, encryption, and controlling how information enters and leaves your environment. FIPS-validated cryptography lives here.
The 16 System & Communications Protection requirements
41 assessment objectives across this family.
- 3.13.1Boundary ProtectionMonitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.5 pt✕ POA&M
- 3.13.2Security EngineeringEmploy architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.5 pt✕ POA&M
- 3.13.3Role SeparationSeparate user functionality from system management functionality.1 pt
- 3.13.4Shared Resource ControlPrevent unauthorized and unintended information transfer via shared system resources.1 pt
- 3.13.5Public-access System SeparationImplement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.5 pt✕ POA&M
- 3.13.6Network Communication By ExceptionDeny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).5 pt✕ POA&M
- 3.13.7Split TunnelingPrevent remote devices from simultaneously establishing non- remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).1 pt
- 3.13.8Data In TransitImplement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.3 pt✕ POA&M
- 3.13.9Connections TerminationTerminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.1 pt
- 3.13.10Key ManagementEstablish and manage cryptographic keys for cryptography employed in organizational systems.1 pt
- 3.13.11CUI EncryptionEmploy FIPS-validated cryptography when used to protect the confidentiality of CUI.5 pt✕ POA&M
- 3.13.12Collaborative Device ControlProhibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.1 pt
- 3.13.13Mobile CodeControl and monitor the use of mobile code.1 pt
- 3.13.14Voice Over Internet ProtocolControl and monitor the use of Voice over Internet Protocol (VoIP) technologies.1 pt
- 3.13.15Communications AuthenticityProtect the authenticity of communications sessions.5 pt✕ POA&M
- 3.13.16Data At RestProtect the confidentiality of CUI at rest.1 pt
Build System & Communications Protection, and all 14 families, with an officer
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
Questions, answered
How many CMMC Level 2 requirements are in System & Communications Protection?+
The System & Communications Protection family (SC) has 16 of the 110 CMMC Level 2 requirements, assessed against 41 objectives from NIST SP 800-171A.
What is the System & Communications Protection family about?+
System and Communications Protection is about defending the boundaries and the data in motion: network separation, encryption, and controlling how information enters and leaves your environment. FIPS-validated cryptography lives here.