Boundary Protection
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
What an assessor scores, the objectives
SC.L2-3.13.1 is met only when every one of these 8 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.the external system boundary is defined
- b.key internal system boundaries are defined
- c.communications are monitored at the external system boundary
- d.communications are monitored at key internal boundaries
- e.communications are controlled at the external system boundary
- f.communications are controlled at key internal boundaries
- g.communications are protected at the external system boundary
- h.communications are protected at key internal boundaries
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For SC.L2-3.13.1, an assessor uses these:
System and communications protection policy; procedures addressing boundary protection; system security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; enterprise security architecture documentation; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records
System or network administrators; personnel with information security responsibilities; system developers; personnel with boundary protection responsibilities
Mechanisms implementing boundary protection capability
What it means, in context
Communications can be monitored, controlled, and protected at boundary components and by restricting or prohibiting interfaces in organizational sy stems. Boundary components include gateways, routers, firewalls, guards, network -based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a system security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Restricting or prohibiting interfaces in organizational systems includes restricting external web communications traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security requirements associated with the use of such services . Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers and may also include third party-provided access lines and other service elements. Such transmission services may represent sources of increased risk despite contract security provisions . NIST SP 800-41 provides guidance on firewalls and firewall policy . NIST SP 800-125B provides guidance on security for virtualization technologies.
Fences, locks, badges, and key cards help keep non-employees out of your physical facilities. Similarly, your company ’s IT network or system has boundaries that must be protected . Many companies use a web proxy and a firewall. When an employee uses a company computer to go to a website, a web proxy makes the request on the user ’s behalf, looks at the web request, and decides if it should let the employee go to the website. A firewall controls access from the inside and outside, protecting valuable information and resources stored on the company’s network. A firewall stops unwanted traffic on the internet from passing through an outside “fence” to the company ’s networks and information systems. Internal boundaries determine where data can flow, for instance a software development environment may have its own boundary controlling , monitoring, and protecting the data that can leave that boundary. It may be wise to monitor, control, or protect one part of the company network from another. This can also be accomplished with a firewall and limits the ability of attackers and disgruntled employees from entering sensitive parts of your internal network and causing damage. Example You are setting up the new network and want to keep your company’s information and resources safe. You start by sketching out a simple diagram that identifies the external boundary of your network and any internal boundaries that are needed [a,b]. The first piece of equipment you install is the firewall, a device to separate your internal network from the internet. The firewall also has a feature that allows you to block access to potentially malicious websites, and you configure that service as well [a,c,e,g]. Some of your coworkers complain that they cannot get onto certain websites [c,e,g]. You explain that the new network blocks websites that are known for spreading malware. The firewall sends you a daily digest of blocked activity so that you can monitor the system for attack trends [c,d]. Potential Assessment Considerations • What are the external system boundary components that make up the entry and exit points for data flow (e.g., firewalls, gateways, cloud service boundaries), behind which all system components that handle regulated data are contained? What are the supporting system components necessary for the protection of regulated data [a]? • What are the internal system boundary components that make up the entry and exit points for key internal data flow (e.g., internal firewalls, routers, any devices that can bridge the connection between one segment of the system and another) that separate segments of the internal network – including devices that separate internal network segments such as development and production networks as well as a traditional Demilitarized Zone (DMZ) at the edge of the network [b]? • Is data flowing in and out of the external and key internal system boundaries monitored (e.g., connections are logged and able to be reviewed, suspicious traffic generates alerts) [c,d]? • Is data traversing the external and internal system boundaries controlled such that connections are denied by default and only authorized connections are allowed [e,f]? • Is data flowing in and out of the external and key internal system boundar ies protected (e.g., applying encryption when required or prudent, tunneling traffic as needed) [g,h]?
What passing evidence looks like
The boundary defended at its edges: firewall rules, the network diagram showing boundary points, and the monitoring on those points (firewall logs, cloud sign in monitoring), together.
Common ways contractors fail SC.L2-3.13.1
- !Eight objectives across monitor, control, and protect at external AND key internal boundaries. Your step 3 diagram is the external boundary map; the firewall config plus its logging answers monitor and control at it.
- !Key internal boundaries matter when the enclave is separated from the rest of the shop: show the VLAN or firewall rule that does it.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove SC.L2-3.13.1, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
SC.L2-3.13.1 questions, answered
How many points is CMMC requirement SC.L2-3.13.1 worth?+
SC.L2-3.13.1 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.
Can SC.L2-3.13.1 be placed on a POA&M?+
No. SC.L2-3.13.1 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does SC.L2-3.13.1 belong to?+
SC.L2-3.13.1 is in the System & Communications Protection (SC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.13.1
- FAR Clause 52.204-21 b.1.x