CMMC Level 2: System Protection & Integrity

Pretorin Team
15 min read

System and Communications Protection along with System and Information Integrity represent the technical heart of CMMC. These 24 practices cover network security, encryption, boundary defense, malware protection, and maintaining system integrity against threats.

System and Communications Protection (SC) - 16 Practices

System and Communications Protection from NIST SP 800-171 section 3.13 focuses on protecting network communications, implementing encryption, and establishing secure boundaries. This is one of the most technically demanding domains.

Boundary Protection (3.13.1 - 3.13.2)

  • 3.13.1: Monitor, control, and protect communications at external and key internal boundaries
  • 3.13.2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security

Implementation guidance:

  • Deploy next-generation firewalls at network perimeters
  • Implement network segmentation between different trust zones
  • Use intrusion detection/prevention systems (IDS/IPS)
  • Create a DMZ for public-facing services
  • Filter both inbound and outbound traffic
  • Document network architecture with security boundaries
  • Apply defense in depth with multiple layers of security controls

Network Segmentation (3.13.3 - 3.13.5)

  • 3.13.3: Separate user functionality from system management functionality
  • 3.13.4: Prevent unauthorized and unintended information transfer via shared system resources
  • 3.13.5: Implement subnetworks for publicly accessible system components that are separated from internal networks

Implementation guidance:

  • Separate management interfaces (admin consoles, BMC/iLO) onto dedicated networks
  • Use VLANs to segment different departments or data classifications
  • Place all public-facing servers in a DMZ
  • Implement microsegmentation for sensitive workloads
  • Control traffic between segments with firewall rules
  • Prevent covert channels through shared resources (memory, storage)

Example architecture: Internet → DMZ (web servers) → Internal network (users) → Restricted network (CUI systems) → Management network (admin tools). Each boundary has firewall rules controlling what traffic can pass.

Denial of Service Protection (3.13.6)

3.13.6: Deny network communications traffic by default and allow by exception (deny all, permit by exception).

Implementation:

  • Configure firewalls with default-deny rules
  • Only open ports and protocols explicitly required
  • Document business justification for each allowed connection
  • Review and remove unnecessary firewall rules quarterly
  • Implement rate limiting and connection limits
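The deny-all, permit-by-exception model above, with the justification and quarterly-review checks the guidance calls for, as an added Python example (not from the article or from Pretorin; zone names, rule names and review dates are constructed):

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str          # "tcp" or "udp"
    dst_port: int
    justification: str  # documented business reason for the exception
    last_reviewed: date

# Constructed sample rule set (hypothetical zones mirroring the article's example architecture).
RULES = [
    Rule("web-in", "internet", "dmz", "tcp", 443, "Public web portal", date(2024, 3, 1)),
    Rule("dmz-to-app", "dmz", "internal", "tcp", 8443, "Portal calls app tier", date(2024, 3, 1)),
    Rule("admin-ssh", "management", "restricted", "tcp", 22, "", date(2023, 6, 15)),
]
SAMPLE_TODAY = date(2024, 5, 1)  # constructed review date

def evaluate(rules, src_zone, dst_zone, proto, dst_port):
    """Return the name of the allow rule that matches the flow, or 'deny' when none does."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dst_port) == (src_zone, dst_zone, proto, dst_port):
            return r.name
    return "deny"  # no explicit exception: default deny

def audit(rules, today, review_days=90):
    """Flag rules with no documented justification or a review older than one quarter."""
    findings = []
    for r in rules:
        if not r.justification.strip():
            findings.append((r.name, "missing business justification"))
        if (today - r.last_reviewed).days > review_days:
            findings.append((r.name, "review overdue"))
    return findings
```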

Cryptographic Protection (3.13.7 - 3.13.11)

Encryption requirements are critical for protecting CUI:

  • 3.13.7: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and connections to other external networks (split tunneling)
  • 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards
  • 3.13.9: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity
  • 3.13.10: Establish and manage cryptographic keys for cryptography employed in organizational systems
  • 3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI

FIPS 140-2/140-3 requirement: When encrypting CUI, you must use FIPS-validated cryptographic modules. This means using encryption products that have been certified by NIST. Check the CMVP validated modules list.

Encryption implementation guidance:

  • Data in transit: TLS 1.2 or higher for all CUI transmissions
  • Data at rest: AES-256 encryption for stored CUI
  • VPN: Disable split tunneling so all traffic routes through corporate network
  • Session management: Terminate idle connections after 30 minutes
  • Key management: Document key generation, distribution, storage, rotation, and destruction procedures
  • Enable FIPS mode on Windows systems processing CUI

Session Authenticity (3.13.12)

3.13.12: Protect the authenticity of communications sessions.

Implementation: Prevent session hijacking and man-in-the-middle attacks with the following measures:

  • Use TLS for all web applications
  • Implement secure session tokens with proper expiration
  • Use HTTP Strict Transport Security (HSTS)
  • Implement certificate pinning for critical applications
  • Validate server certificates properly

Mobile Code and VoIP (3.13.13 - 3.13.14)

  • 3.13.13: Control and monitor the use of mobile code (JavaScript, ActiveX, Flash, etc.)
  • 3.13.14: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies

Implementation:

  • Disable unnecessary browser plugins and extensions
  • Block Flash, Java applets, and ActiveX where not needed
  • Use browser security policies to control script execution
  • Segment VoIP systems from data networks
  • Encrypt VoIP traffic (SRTP)
  • Document VoIP security configuration

DNS Protection (3.13.15 - 3.13.16)

  • 3.13.15: Protect the authenticity of communications sessions by using techniques such as DNSSEC
  • 3.13.16: Implement Domain Name System (DNS) filtering services

Implementation:

  • Use protective DNS services (Cisco Umbrella, Cloudflare Gateway, Quad9)
  • Block known malicious domains
  • Consider implementing DNSSEC for your domains
  • Log DNS queries for security monitoring

System and Information Integrity (SI) - 8 Practices

System and Information Integrity from NIST SP 800-171 section 3.14 focuses on detecting, preventing, and responding to threats to system and data integrity. This includes malware protection, patching, and monitoring.

Flaw Remediation (3.14.1)

3.14.1: Identify, report, and correct system flaws in a timely manner.

Patch management implementation:

  • Subscribe to vendor security bulletins and advisories
  • Establish patch testing and deployment procedures
  • Deploy critical/emergency patches within 15-30 days
  • Deploy high-severity patches within 30-60 days
  • Track patch status across all systems
  • Document exceptions and compensating controls
  • Use automated patch management tools (WSUS, SCCM, Intune)

Malware Protection (3.14.2 - 3.14.5)

  • 3.14.2: Provide protection from malicious code at designated locations
  • 3.14.3: Monitor system security alerts and advisories and take action in response
  • 3.14.4: Update malicious code protection mechanisms when new releases are available
  • 3.14.5: Perform periodic and real-time scans for malicious code

Implementation guidance:

  • Deploy endpoint protection on all workstations and servers
  • Enable real-time scanning and behavior-based detection
  • Configure automatic signature updates (at least daily)
  • Perform full system scans weekly
  • Implement email gateway filtering for malicious attachments
  • Use web filtering to block known malicious sites
  • Consider EDR (Endpoint Detection and Response) solutions for advanced threat detection
  • Subscribe to threat intelligence feeds
  • Establish procedures for responding to malware alerts

Security Monitoring (3.14.6 - 3.14.7)

  • 3.14.6: Monitor organizational systems, including inbound and outbound communications, to detect attacks and indicators of potential attacks
  • 3.14.7: Identify unauthorized use of organizational systems

Implementation guidance:

  • Deploy SIEM for centralized log analysis and correlation
  • Implement network monitoring (NetFlow, packet capture)
  • Configure alerts for suspicious activities:
    • Multiple failed login attempts
    • Access outside normal hours
    • Large data transfers
    • Connections to known-bad IPs
    • Privilege escalation attempts
  • Establish a security operations process to review alerts
  • Document and investigate anomalies
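Four of the alert conditions listed above (failed logins, off-hours access, large transfers, known-bad destinations) as detection logic over constructed log lines, added here as an example and not taken from the article; the key=value event format, thresholds and indicator list are assumptions:

```python
from datetime import datetime

# Constructed sample events in a simplified key=value format (not any product's real log format).
SAMPLE_LOGS = """\
2024-05-01T02:14:05 auth result=FAIL user=jdoe src=203.0.113.9
2024-05-01T02:14:09 auth result=FAIL user=jdoe src=203.0.113.9
2024-05-01T02:14:12 auth result=FAIL user=jdoe src=203.0.113.9
2024-05-01T02:14:15 auth result=FAIL user=jdoe src=203.0.113.9
2024-05-01T02:14:19 auth result=FAIL user=jdoe src=203.0.113.9
2024-05-01T02:14:25 auth result=OK user=jdoe src=203.0.113.9
2024-05-01T09:30:00 auth result=OK user=asmith src=10.0.1.15
2024-05-01T10:05:41 flow src=10.0.5.20 dst=198.51.100.7 bytes=734003200
2024-05-01T10:07:02 flow src=10.0.5.21 dst=192.0.2.44 bytes=2048
""".splitlines()

KNOWN_BAD_IPS = {"192.0.2.44"}            # constructed placeholder for a threat-intel feed
FAILED_LOGIN_THRESHOLD = 5                # assumed tuning value
BUSINESS_HOURS = range(8, 18)             # assumed 08:00-17:59 local time
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # assumed tuning value

def parse(line):
    """Split one event into a dict: timestamp, event kind, then key=value fields."""
    ts, kind, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
    ev.update(f.split("=", 1) for f in fields)
    return ev

def detect(lines):
    """Apply the alert rules and return (rule, subject) tuples in the order they fire."""
    alerts, failures = [], {}
    for ev in map(parse, lines):
        if ev["kind"] == "auth":
            if ev["result"] == "FAIL":
                # Simplification: counts failures per user over the whole input, not a sliding window.
                failures[ev["user"]] = failures.get(ev["user"], 0) + 1
                if failures[ev["user"]] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("multiple_failed_logins", ev["user"]))
            elif ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("access_outside_hours", ev["user"]))
        elif ev["kind"] == "flow":
            if int(ev["bytes"]) >= LARGE_TRANSFER_BYTES:
                alerts.append(("large_data_transfer", ev["src"]))
            if ev["dst"] in KNOWN_BAD_IPS:
                alerts.append(("known_bad_destination", ev["src"]))
    return alerts
```

In a SIEM these rules would be correlated against a time window and the asset inventory; the block keeps the logic visible so the thresholds can be reviewed as part of the monitoring procedure.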

Input Validation (3.14.8)

3.14.8: (For organizations developing software) Implement input validation and error handling to prevent malicious input from causing system compromise.

Implementation (if developing software):

  • Validate all user input (type, length, format, range)
  • Use parameterized queries to prevent SQL injection
  • Encode output to prevent XSS
  • Implement proper error handling that doesn't leak information
  • Use secure coding standards (OWASP guidelines)
  • Conduct code reviews and security testing
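The first four bullets (input validation, parameterized queries, and non-leaking error handling) in one place, as an added Python example that is not the article's code: a string-built lookup beside its hardened form, against a constructed in-memory table with a hypothetical DOC-NNNN identifier format.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an application's document index.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE docs (doc_id TEXT PRIMARY KEY, owner TEXT, title TEXT)")
conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", [
    ("DOC-1001", "asmith", "Quarterly report"),
    ("DOC-1002", "jdoe", "Supplier list"),
])

# Hypothetical identifier format: fixes type, length, format and numeric range in one check.
DOC_ID_PATTERN = re.compile(r"^DOC-\d{4}$")

def lookup_vulnerable(doc_id):
    """Before: the input is spliced into the SQL text, so it can change the query's meaning."""
    return conn.execute(f"SELECT title FROM docs WHERE doc_id = '{doc_id}'").fetchall()

def lookup_hardened(doc_id):
    """After: reject anything outside the expected shape, then bind the value as a parameter."""
    if not isinstance(doc_id, str) or not DOC_ID_PATTERN.match(doc_id):
        raise ValueError("invalid document id")
    return conn.execute("SELECT title FROM docs WHERE doc_id = ?", (doc_id,)).fetchall()

def handle_request(doc_id):
    """Error handling that tells the client only what it needs; details stay in server logs."""
    try:
        rows = lookup_hardened(doc_id)
    except ValueError:
        return {"status": 400, "error": "Request rejected"}
    except sqlite3.Error:
        # Full exception text would be logged server-side here; never returned to the caller.
        return {"status": 500, "error": "Internal error"}
    return {"status": 200, "titles": [r[0] for r in rows]}
```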

Evidence for Assessment

Prepare the following for your C3PAO assessment:

  • Network architecture diagrams showing security boundaries
  • Firewall rule sets and change documentation
  • IDS/IPS configuration and alert samples
  • Encryption configurations (TLS settings, VPN configs)
  • FIPS validation certificates for cryptographic modules
  • Key management procedures
  • Endpoint protection deployment reports
  • Patch management reports and schedules
  • SIEM dashboards and alert configuration
  • Security monitoring procedures
  • Vulnerability scan results
  • Incident response to malware detection examples

Key Takeaways

  • Implement defense in depth with multiple security layers
  • Segment networks to contain breaches and control CUI access
  • Use FIPS-validated encryption for all CUI in transit and at rest
  • Maintain malware protection with real-time and scheduled scanning
  • Patch systems promptly since most breaches exploit known vulnerabilities
  • Monitor systems continuously for signs of attack or compromise

Next in the Series

Continue to CMMC Level 2: Incident Response & Training for the final article covering incident handling and security awareness requirements.

Need help implementing these technical controls? Get early access to Pretorin and let AI guide your CMMC implementation.
