System and Communications Protection

CMMC Assessment with IntelComp

IntelComp is an independent compliance management platform designed to support businesses in navigating and preparing for cybersecurity frameworks, including CMMC 2.0. While not affiliated with or endorsed by the U.S. Department of Defense (DoD), CMMC-AB, or NIST, IntelComp offers tools and guidance aligned with standards such as NIST SP 800-171A to help organizations strengthen security posture and readiness. All references to government standards are for informational purposes only. IntelComp does not provide certification but empowers you with the resources to pursue compliance confidently and effectively.

CMMC System and Communications Protection (SC) Overview

The System and Communications Protection (SC) domain in CMMC focuses on safeguarding data as it is transmitted or processed within and between systems, especially Controlled Unclassified Information (CUI).

Key objectives include:

  • Protecting data in transit using encryption and secure protocols

  • Separating system components to reduce risk (e.g., network segmentation)

  • Monitoring communications for unauthorized activity

  • Controlling and limiting public and external system connections

  • Preventing data leaks through secure system architecture and controls

These practices ensure that sensitive data remains confidential and secure across systems and networks, supporting compliance with CMMC 2.0 and reducing exposure to external threats.

P - Programs, Policies, Procedures (SOPs) | A - Artifacts/Records | T - Training Materials/Comprehension Quiz

Control ID | PAT | Security Requirement
03.13.01 | P | Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
03.13.02 | P | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
03.13.03 | P | Separate user functionality from system management functionality.
03.13.04 | P | Prevent unauthorized and unintended information transfer via shared system resources.
03.13.05 | P | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
03.13.05.a | P | Publicly Accessible System Components Are Identified Policy
03.13.05.b | P | Subnetworks for Publicly Accessible System Components Are Physically or Logically Separated from Internal Networks Policy
03.13.06 | P | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
03.13.07 | P | Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
03.13.08 | P | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
03.13.09 | P | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
03.13.10 | P | Establish and manage cryptographic keys for cryptography employed in organizational systems.
03.13.11 | P | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
03.13.13 | P | Control and monitor the use of mobile code.
03.13.14 | P | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
03.13.15 | P | Protect the authenticity of communications sessions.
03.13.16 | P | Protect the confidentiality of CUI at rest.
