# System & Communications Protection
System & Communications Protection is the network and encryption layer. It governs how CUI moves between systems, how networks are segmented, and how data is protected both in transit and at rest.
## The Four Themes

- Boundary Controls (3.13.1–3.13.6) — Guard external and internal network boundaries, place public-facing systems on their own subnetwork (DMZ), manage connections to external networks, and apply deny-by-default firewall rules.
- Network Architecture (3.13.7–3.13.9) — Prevent split tunneling on VPN connections, encrypt CUI in transit, and terminate network connections when sessions end.
- Cryptography & Key Management (3.13.10–3.13.11) — Use FIPS-validated cryptography to protect CUI, and encrypt CUI at rest on all systems.
- Advanced Protections (3.13.12–3.13.16) — DNS filtering, code execution protection, encryption of voice, video, and instant messaging, session authenticity, and isolation of CUI systems from general networks.
## All 16 Requirements

| Ref | Short Name | What It Covers |
|---|---|---|
| 3.13.1 | Guard the Boundaries | Firewall at perimeter and between internal zones |
| 3.13.2 | Architect for Security | Security design principles in system architecture |
| 3.13.3 | Separate Users from Admins | User and management network separation |
| 3.13.4 | Separate Duties by Design | Enforce separation of duties through architecture |
| 3.13.5 | DMZ for Public Systems | Public-facing systems in a subnetwork |
| 3.13.6 | Deny Everything by Default | Default-deny firewall rules |
| 3.13.7 | No Split Tunneling | Prevent routing CUI through non-secure paths |
| 3.13.8 | Encrypt in Transit | FIPS-validated encryption for CUI in transit |
| 3.13.9 | Kill Idle Connections | Terminate network connections at session end |
| 3.13.10 | FIPS Crypto Only | FIPS-validated cryptographic mechanisms |
| 3.13.11 | Encrypt CUI at Rest | Encryption at rest on all CUI storage |
| 3.13.12 | Block Malicious Code at Boundaries | DNS filtering and code execution prevention |
| 3.13.13 | Control Mobile Code | Restrict active content in emails and downloads |
| 3.13.14 | Secure Voice and Video | Encrypt real-time communications |
| 3.13.15 | Protect Session Authenticity | Prevent session hijacking |
| 3.13.16 | Isolate CUI Systems | CUI environment separated from general networks |