NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.1 — Boundary Protection
Monitor and control communications at external managed interfaces to the system and key internal managed interfaces within the system. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Connect to external systems only through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- communications at external managed interfaces to the system are monitored.
- communications at external managed interfaces to the system are controlled.
- communications at key internal managed interfaces within the system are monitored.
- communications at key internal managed interfaces within the system are controlled.
- subnetworks are implemented for publicly accessible system components that are physically or logically separated from internal networks.
- external system connections are only made through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.
Practitioner Notes
Boundary protection is about controlling what traffic crosses the edge of your network in either direction -- and monitoring the key choke points inside it. Your perimeter firewall is the obvious example, but the control also covers internal segmentation between zones that hold CUI and zones that do not, and it requires that publicly accessible components (a web server, a mail relay) sit in a DMZ subnetwork that is physically or logically separated from the internal network rather than alongside the systems that store CUI.
Example 1: Configure your perimeter firewall (Palo Alto, SonicWall, pfSense, etc.) with default-deny rules in both directions, then add explicit allow rules only for required traffic: HTTPS (443), DNS (53, and only to your approved DNS servers, so hosts cannot resolve or tunnel through arbitrary external resolvers), and your VPN ports. Inbound is usually denied by default already; outbound is the direction most environments never tighten. Log all denied traffic, forward those logs off the device to your SIEM or log server so they outlast the firewall's local buffer, and review them weekly for new destinations, unusual ports, and hosts repeatedly hitting the default-deny rule.
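The following is an added example and not code from the original page or from any firewall vendor. It models the outbound allowlist in Example 1 as an ordered, first-match rule list with an implicit final deny, runs a set of constructed flow records through it, and summarises the denies the way the weekly review would: which ports are being tried, which hosts keep hitting the default-deny rule, and which hosts are sending DNS somewhere other than the approved resolvers. The internal range, the resolver addresses, the VPN ports and every IP in the sample data are assumptions.

```python
"""Default-deny egress policy and denied-traffic review (added example)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values; substitute your own ranges, resolvers and VPN ports.
INTERNAL_NET = ip_network("10.0.0.0/8")
APPROVED_DNS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
VPN_PORTS = {("udp", 1194), ("udp", 500), ("udp", 4500)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Ordered allow rules; first match wins. Each entry is (name, predicate).
EGRESS_RULES = [
    ("allow-https", lambda f: f.proto == "tcp" and f.dport == 443),
    # Port 53 alone is not enough: restrict DNS to the approved resolvers so
    # a host cannot tunnel data through an arbitrary external DNS server.
    ("allow-dns-approved", lambda f: f.dport == 53
                                     and ip_address(f.dst) in APPROVED_DNS),
    ("allow-vpn", lambda f: (f.proto, f.dport) in VPN_PORTS),
]


def evaluate(flow):
    """Return (action, rule) for an outbound flow under the policy above."""
    if ip_address(flow.dst) in INTERNAL_NET:
        return ("allow", "internal")      # does not cross the boundary
    for name, matches in EGRESS_RULES:
        if matches(flow):
            return ("allow", name)
    return ("deny", "default-deny")       # implicit final rule


def review_denies(flows):
    """Summarise denied flows for the weekly review.

    Returns a dict with:
      by_dport     Counter of denied destination ports (what is being tried)
      top_talkers  Counter of internal sources by deny count (who is trying)
      rogue_dns    set of sources that sent DNS to a non-approved server
    """
    by_dport, top_talkers, rogue_dns = Counter(), Counter(), set()
    for f in flows:
        action, _ = evaluate(f)
        if action != "deny":
            continue
        by_dport[f.dport] += 1
        top_talkers[f.src] += 1
        if f.dport == 53:
            rogue_dns.add(f.src)
    return {"by_dport": by_dport, "top_talkers": top_talkers,
            "rogue_dns": rogue_dns}


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.5.10", "203.0.113.10", "tcp", 443),   # HTTPS: allowed
    Flow("10.0.5.10", "10.0.0.53", "udp", 53),       # DNS to approved resolver
    Flow("10.0.5.11", "8.8.8.8", "udp", 53),         # DNS bypass: denied
    Flow("10.0.5.11", "8.8.8.8", "udp", 53),
    Flow("10.0.5.12", "198.51.100.7", "tcp", 4444),  # unexpected port: denied
    Flow("10.0.5.12", "198.51.100.7", "tcp", 4444),
    Flow("10.0.5.12", "198.51.100.7", "tcp", 4444),
    Flow("10.0.5.13", "198.51.100.9", "udp", 1194),  # VPN: allowed
    Flow("10.0.5.13", "10.0.9.9", "tcp", 8080),      # internal, not boundary traffic
    Flow("10.0.5.14", "203.0.113.10", "tcp", 80),    # plain HTTP: denied
]

if __name__ == "__main__":
    summary = review_denies(SAMPLE_FLOWS)
    print("denied by dport:", summary["by_dport"].most_common())
    print("top talkers:    ", summary["top_talkers"].most_common())
    print("rogue DNS hosts:", sorted(summary["rogue_dns"]))
```

The point of the ordering is that everything not explicitly matched falls through to deny, which is what "default-deny outbound" means on a real device; the review step shows why logging denies matters, since a host that repeatedly hits the final rule on one odd port, or that tries to reach a resolver you do not run, is exactly what the weekly review is meant to surface.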
Example 2: Enable Windows Defender Firewall with Advanced Security via GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security) on all endpoints. Set the domain, private, and public profiles to block inbound connections by default, and set the rule-merging options in each profile so local administrators cannot add their own allow rules underneath the GPO. Create inbound rules only for approved management traffic, such as RDP from your admin VLAN, scoped by remote address rather than opened to the whole domain. Verify on a sample endpoint with Get-NetFirewallProfile that all three profiles report Enabled and a default inbound action of Block.
Think of boundary protection as layers -- your perimeter firewall is the outer wall, host-based firewalls are the inner doors, and network segmentation creates separate rooms.