Family 3.13 (16 requirements): Network protection
System and Communications Protection (SC).
Boundaries. Encryption. Trusted paths.
The big picture
SC is where the network meets the standard — boundary control, encryption, mobile code, VoIP. Cloud platforms cover much of it; you still own configuration and proof.
Most boundary and encryption controls are platform-managed — see what your cloud handles vs what you own.
Boundary and isolation.
3.13.1 — 3.13.5: Monitoring at boundaries, designing for security, separating management from user functionality, preventing information transfer through shared resources, and isolating public-facing systems.
- 3.13.1 Guard the Boundaries. Monitor, control, and protect communications at the external boundary and at key internal boundaries. Firewalls at the perimeter and between internal security zones, with logging of what crosses each one.
- 3.13.2 Security by Design. Build security into the architecture from the start, using defense in depth and sound engineering practice, not bolted on afterward.
- 3.13.3 Separate Admin from User. Keep system management functionality apart from user functionality: management interfaces reachable only from an administrative network and administrative accounts, never from ordinary user sessions.
- 3.13.4 No Data Leaks Through Shared Resources. Prevent unauthorised or unintended transfer of CUI between users through shared system resources such as temp files, the clipboard, shared memory, or reused storage.
- 3.13.5 DMZ for Public Systems. Publicly accessible components sit in their own subnetwork, physically or logically separated from the internal networks that hold CUI.
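The boundary requirements above are easiest to evidence from the rules themselves. The audit below is an added example, not the page's or any vendor's tooling: it takes a flattened ruleset and flags rules that expose the management segment (3.13.3), let Internet traffic bypass the DMZ into the CUI segment (3.13.5), or leave the set without the explicit deny-all that 3.13.6 in the next group requires. The Rule shape, the zone CIDRs, and both sample rulesets are constructed for illustration; a real run would export the live rules (security groups, nftables, a vendor firewall) and map them into this shape first.

```python
"""Audit a flattened firewall ruleset for 3.13.3, 3.13.5 and 3.13.6.

Added example, not part of the page. Rule shape, zone CIDRs and the sample
rulesets are constructed; map real exported rules into this shape to use it.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed segmentation. Anything not wholly inside a named internal zone is
# treated as Internet, which errs toward flagging a rule rather than missing it.
ZONES = {
    "cui": ip_network("10.20.0.0/16"),      # internal CUI enclave
    "mgmt": ip_network("10.99.0.0/24"),     # admin-only segment (3.13.3)
    "dmz": ip_network("203.0.113.0/24"),    # public-facing tier (3.13.5)
    "internet": ip_network("0.0.0.0/0"),    # catch-all
}


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR; "0.0.0.0/0" means any
    dst: str     # CIDR; "0.0.0.0/0" means any
    dport: str   # "any", "443" or "1000-2000"


def zone_of(cidr: str) -> str:
    """Most specific zone that wholly contains the network."""
    net = ip_network(cidr)
    return max((n for n, z in ZONES.items() if net.subnet_of(z)),
               key=lambda n: ZONES[n].prefixlen)


def port_range(spec: str) -> tuple[int, int]:
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def covers_everything(r: Rule) -> bool:
    """Any source, any destination, any port."""
    return (ip_network(r.src).prefixlen == 0
            and ip_network(r.dst).prefixlen == 0
            and port_range(r.dport) == (0, 65535))


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per violation; an empty list means the set passed."""
    findings = []
    # 3.13.6: deny by default means the set must close with an explicit deny-all.
    if not rules or rules[-1].action != "deny" or not covers_everything(rules[-1]):
        findings.append("3.13.6: ruleset does not end with an explicit deny-all")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if covers_everything(r):
            findings.append(f"3.13.6: rule {i} is allow any/any/any")
            continue
        src_zone, dst = zone_of(r.src), ip_network(r.dst)
        # 3.13.5: Internet traffic terminates in the DMZ, never on the CUI segment.
        if src_zone == "internet" and dst.overlaps(ZONES["cui"]):
            findings.append(f"3.13.5: rule {i} lets Internet traffic reach the CUI segment directly")
        # 3.13.3: the management segment is reachable only from itself.
        if dst.overlaps(ZONES["mgmt"]) and src_zone != "mgmt":
            findings.append(f"3.13.3: rule {i} exposes the management segment to {src_zone}")
    return findings


# Constructed rulesets; first match wins, so order matters.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "443"),       # Internet -> DMZ web tier: fine
    Rule("allow", "203.0.113.10/32", "10.20.5.20/32", "5432"),  # DMZ web -> one CUI database: narrow, fine
    Rule("allow", "10.99.0.0/24", "10.20.0.0/16", "22"),        # admin segment -> CUI hosts over SSH: fine
    Rule("allow", "0.0.0.0/0", "10.99.0.5/32", "443"),          # management UI open to the Internet
    Rule("allow", "0.0.0.0/0", "10.20.0.0/16", "any"),          # Internet straight into the CUI segment
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0", "any"),             # "temporary" allow-all, never removed
]
HARDENED_RULES = WEAK_RULES[:3] + [
    Rule("allow", "10.99.0.0/24", "10.99.0.5/32", "443"),       # management UI only from the admin segment
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),              # explicit default deny closes the set
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or "no findings")
```

The weak set produces four findings (no closing deny-all, the exposed management UI, the Internet-to-CUI rule, and the allow-all); the hardened set produces none. Treating unknown address space as Internet is deliberate: a rule that sources from an unnamed /8 gets flagged and has to be explained, which is the conversation an assessor will have anyway.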
Sessions and encryption.
3.13.6 — 3.13.11: Default-deny network communications, no split tunneling, encryption in transit, terminating sessions, key management, and FIPS-validated cryptography for CUI.
- 3.13.6 Deny Everything by Default. Deny network traffic by default and allow by exception: the last rule in every ruleset is DENY ALL, and each permitted flow is explicit and justified.
- 3.13.7 Block Split Tunneling. While a remote device is connected to the VPN it cannot also reach external networks over another path. All traffic goes through the tunnel, so nothing bypasses your security controls.
- 3.13.8 Encrypt in Transit. CUI is encrypted during transmission (TLS, VPN, encrypted email) unless it is protected by alternative physical safeguards such as a protected distribution system. Outside that narrow exception, no clear text on the wire.
- 3.13.9 Kill Idle Network Connections. Terminate network connections at the end of a session or after a defined period of inactivity. Set explicit idle timeouts on VPN, remote desktop, and administrative sessions; no persistent idle connections.
- 3.13.10 Manage Your Keys. Establish and manage cryptographic keys across their lifecycle: generation, storage, rotation, revocation, destruction.
- 3.13.11 FIPS or It Doesn't Count. Cryptography used to protect the confidentiality of CUI must be FIPS 140-2/140-3 validated. That means the module, not just the algorithm: a library that implements AES but has no CMVP certificate, or a validated module not running in its approved mode, does not count. Check the CMVP certificate for the exact module version you run. This requirement is scored 5 points, and the CMMC rule allows it on a POA&M only when encryption is already in place and only the FIPS validation is missing (scored 3); with no encryption at all it cannot be on a POA&M.
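For 3.13.11 the evidence question assessors ask first is not "which algorithm" but "is the module actually operating in its approved mode on this host". The script below is an added example, not the page's own tooling: it collects the host-level indicators a practitioner would attach to the control and reduces them to a verdict. It assumes a Linux host (the kernel flag path is absent elsewhere and is reported as unknown) and a Python built against OpenSSL. It cannot prove validation; only the CMVP certificate for the exact module version and configuration does that.

```python
"""Gather host evidence for 3.13.11 (FIPS-validated cryptography).

Added example, not the page's own tooling. Assumes a Linux host and a
Python built on OpenSSL; it shows whether the crypto module is running in
FIPS mode, which is necessary but not sufficient for the requirement.
"""
import hashlib
import ssl
from pathlib import Path

# Linux kernel flag. Assumption: absent on other platforms -> "unknown".
FIPS_FLAG = Path("/proc/sys/crypto/fips_enabled")


def kernel_fips_flag() -> str:
    """Return 'enabled', 'disabled', or 'unknown' when the flag is absent."""
    try:
        return "enabled" if FIPS_FLAG.read_text().strip() == "1" else "disabled"
    except OSError:
        return "unknown"


def md5_blocked_for_security() -> bool:
    """True when the crypto backend refuses MD5 for security use.

    OpenSSL in FIPS mode rejects non-approved digests; Python surfaces that
    as a ValueError from hashlib.md5(), while md5(usedforsecurity=False)
    keeps working for non-security uses such as legacy checksums.
    """
    try:
        hashlib.md5(b"")
    except ValueError:
        return True
    return False


def fips_evidence() -> dict:
    """Snapshot of the indicators; attach it to the control's evidence."""
    return {
        "kernel_fips_flag": kernel_fips_flag(),
        "openssl_version": ssl.OPENSSL_VERSION,
        "md5_blocked_for_security": md5_blocked_for_security(),
    }


def verdict(evidence: dict) -> str:
    """Reduce the indicators to one of three states.

    'not_in_fips_mode'   the kernel flag says so
    'fips_mode_evident'  kernel flag enabled and the runtime enforces it
    'inconclusive'       no kernel flag (non-Linux) or the two disagree
    """
    flag = evidence["kernel_fips_flag"]
    if flag == "disabled":
        return "not_in_fips_mode"
    if flag == "enabled" and evidence["md5_blocked_for_security"]:
        return "fips_mode_evident"
    return "inconclusive"


if __name__ == "__main__":
    ev = fips_evidence()
    print(ev)
    print(verdict(ev))
```

A "fips_mode_evident" result still has to be paired with the CMVP certificate for the module in use (the OpenSSL FIPS provider, or the distribution's kernel crypto module) before it counts toward 3.13.11; a "not_in_fips_mode" result on a host that handles CUI is the finding.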
Collaborative and mobile code.
3.13.12 — 3.13.14: Controlling collaborative computing devices, mobile code, and VoIP technology use.
- 3.13.12 Control Cameras and Mics. Prohibit remote activation of collaborative computing devices (webcams, microphones, conference-room units) and give the people present at the device a clear indication whenever it is in use.
- 3.13.13 Control Mobile Code. Control and monitor JavaScript, ActiveX, and other downloadable executable content: define what is permitted, block execution of untrusted code, and log what runs.
- 3.13.14 Secure Your VoIP. If you use VoIP, control and monitor it with the same security controls you apply to your data networks.
Authenticity and CUI at rest.
3.13.15 — 3.13.16: Protecting communications session authenticity and protecting CUI at rest with cryptographic mechanisms.