CMMC SC.L2-3.13.1: Boundary Protection Controls
Boundary protection is critical to preventing unauthorized access to your organization's information systems at external and key internal entry points. SC.L2-3.13.1 requires you to actively monitor, control, and protect all organizational communications crossing system perimeters. This control directly reduces your attack surface and demonstrates defense-in-depth capabilities to auditors.
What this means
This control requires you to implement and maintain protective measures at your system boundaries—both where your network connects to external networks (internet, partner systems) and at critical internal checkpoints. You must actively monitor traffic, detect unauthorized communication attempts, and enforce security policies that allow only authorized information flows. This includes deploying firewalls, intrusion detection systems, content filters, and other boundary protection mechanisms, then continuously reviewing their effectiveness.
How to comply
- 1.Deploy firewalls at external network boundaries and configure them to restrict inbound and outbound traffic to approved connections only
- 2.Implement intrusion detection or prevention systems (IDS/IPS) to monitor and alert on suspicious traffic patterns at boundaries
- 3.Establish and document policies defining which communications are allowed at each boundary
- 4.Configure logging and monitoring to capture boundary traffic for audit and incident investigation purposes
- 5.Conduct regular reviews (at least annually) of boundary protection rules and logs to identify and remove obsolete rules
- 6.Segment internal networks with additional boundary protections at critical checkpoints (DMZs, sensitive data zones)
- 7.Test boundary controls quarterly to verify they block unauthorized traffic and allow authorized traffic
- 8.Document all boundary protection mechanisms, rules, and exceptions in your system security plan
Evidence auditors look for
- Firewall configuration documentation with approved inbound/outbound rules
- IDS/IPS logs showing detection and prevention of unauthorized access attempts
- Network boundary diagrams identifying all external and internal boundaries
- Monthly or quarterly boundary protection review reports and updates
- Penetration test results demonstrating boundary control effectiveness
- Change control records for firewall and security appliance rule updates
- Network segmentation architecture with documented trust boundaries
- Alert logs from content filtering or data loss prevention systems at boundaries
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates boundary protection monitoring by correlating firewall and IDS logs, detecting unapproved traffic flows, and generating evidence artifacts for your CMMC assessment—eliminating manual log reviews and rule documentation.
See how GRCWatch handles this control automatically
Start free trial