• Ignyte CMMC Specialist


Communication protection has to do with controlling the flow of information and protecting the flow of information. Like everything else within NIST guidance - it requires experience and interpretation. NIST often refers to "communication control points" as network infrastructures such as routers, switches, firewalls, and IDSes.

Communication protection also expands its scope into not only the network but also software that is normally installed on any computer (server OS and/or desktops). The requirements mention "separating the user from from management" - this refers to basically separating out administration level privileges from that of a normal user for all software including server OS, desktops and even network OS such as Cisco IOS. For example, Cisco calls this concept of "user plane".

Family Name: System and Communications Protection

3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

Boundary components include

  • Gateways

  • Routers

  • Firewalls

  • Guards

  • Network-based malicious code analysis

  • Virtualization systems

  • Encrypted tunnels implemented within a system security architecture.

Restrict external web traffic to designated web servers within managed interfaces and prohibit external traffic that appears to be spoofing internal addresses.

NIST Special Publication 800-41 provides guidance on firewalls and firewall policy.

NIST Special Publication 800-125 provides guidance on security for virtualization technologies.

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems

Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades.

For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible

  • Establishing security policies, architecture, and controls as the foundation for design

  • Incorporating security requirements into the system development life cycle

  • Delineating physical and logical security boundaries

  • Ensuring that developers are trained on how to build secure software

  • Performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk

NIST Special Publication 800-160 provides guidance on systems security engineering.

3.13.3 Separate user functionality from information system management functionality.

The separation of user functionality from system management functionality is physical or logical.

Organizations can implement separation of system management functionality from user functionality by:

  • Using different computers

  • Different central processing units

  • Different instances of operating systems

  • Different network addresses, virtualization techniques, combinations of these or other methods

Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.

This prevents information produced by the actions of prior users or roles from being available to any current users or roles that obtain access to shared system resources

This requirement also applies to encrypted representations of information.

The control of information in shared system resources is also commonly referred to as object reuse and residual information protection.

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs.

DMZs are typically implemented with boundary control devices and techniques

NIST Special Publication 800-41 provides guidance on firewalls and firewall policy.

NIST Special Publication 800-125 provides guidance on security for virtualization technologies

3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

This requirement applies to inbound and outbound network communications traffic, both at the system boundary and at identified points within the system.

A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.

This requirement is implemented in remote devices through configuration settings to:

  • Disable split tunneling in those devices

  • Prevent configuration settings from being readily configurable by users.

Split tunneling might be desirable by remote users to communicate with local system resources

However, split tunneling would allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information

3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

This requirement applies to internal and external networks and any system components that can transmit information.

Communication paths outside the physical protection of a controlled boundary are susceptible to interception and modification.

An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted.

See NIST Cryptographic Standards

3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

Terminating network connections associated with communications sessions include

  • De-allocating associated TCP/IP address or port pairs at the operating system level

  • De-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection.

Time periods of user inactivity may be established by organizations.

3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system.

Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures.

Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores.

NIST Special Publications 800-56 and 800-57 provide guidance on cryptographic key maintenance

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

The Federal Information Processing Standard or just FIPS is a set of publications ( Publication 140-2, (FIPSPUB140-2), is a government security standard used for all cryptography. CUI and all government data need to be encrypted using algorithms that are FIPS-approved.

NIST maintains all of the FIPS-approved software programs through its Cryptographic Module Validation Program

Vendors must submit their software to a lab for it to be certified as a FIPS-approved software package.

When complying with DFARs, CMMC, NIST-171 and FedRAMP, ISSOs and security officers much check all software that uses crypto to ensure algorithms are certified and approved through the FIPS validation program.

This includes any encryption such as database encryption at rest, HTTPS for in transit and even hashing modules used within the software for basic tasks such as random number generation.

See NIST Cryptographic Standards

See NIST Cryptographic Algorithm Validation Program

3.13.12 Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to users present at the device.

Collaborative computing devices include networked white boards, cameras, and microphones.

Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.

3.13.13 Control and monitor the use of mobile code.

Decisions regarding the use of mobile code in organizational systems are based on the potential for the code to cause damage to the systems if used maliciously.

Mobile code technologies include

  • Java

  • JavaScript

  • ActiveX

  • Postscript

  • PDF

  • Shockwave movies

  • Flash animations

  • VBScript

NIST Special Publication 800-28 provides guidance on mobile code.

3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously.

NIST Special Publication 800-58 provides guidance on Voice Over IP Systems

3.13.15 Protect the authenticity of communications sessions.

This requirement addresses communications protection at the session versus packet level and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted.

  • Protecting against man-in -the-middle attacks

  • Session hijacking

  • Insertion of false information into sessions

NIST Special Publications 800-52, 800-77, 800-95, and 800-113 provide guidance on secure communications sessions.

3.13.16 Protect the confidentiality of CUI at rest.

This requirement addresses the confidentiality of information at rest.

Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems.

Organizations can use different mechanisms to achieve confidentiality protections

  • Cryptographic mechanisms

  • File share scanning

See NIST Cryptographic Standards

For further Information and Demo, please contact us:

  • LinkedIn
  • Facebook
  • Twitter
  • Instagram
  • YouTube
  • Pinterest | 1.833.IGNYTE1 


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Generic disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner is a registered trademark and service mark of Gartner, Inc. and/or of its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved

Igntye © 2020 All Rights Reserved. Ignyte Assurance Platform, Privacy Policy and Terms of Service.