Skip to content

SC.L2-3.13.2 Security Engineering

System and Communications Protection 2 of 16 in family

Security by Design.

Build security into your architecture — defense in depth, not bolted on afterward.

The one-liner

If your security is an afterthought layered on top of an insecure architecture, you're building a castle on sand.

Practice names: DoD CIO CMMC Model Overview v2.0 (CC BY 4.0).

3.13.2 — Security by Design

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Security must be a deliberate design decision, not something added after the architecture is built. That decision is realized as defense in depth — layered protections so that no single control is your last line of defense and, if one fails, the others still stand. The CMMC standard names developing layered protections as a systems security engineering principle, so it works alongside good architecture, not against it. Those engineering principles trace back to NIST SP 800-160, the source the requirement draws on, and they apply across the whole lifecycle: as legacy components age past the point where they can still meet them, that judgment feeds the decision to replace, upgrade, or re-platform. Engineering Trustworthy Secure Systems frames defense in depth, least privilege, and least functionality as architectural choices made at design time — properties you build into the structure, not operational habits bolted on afterward.

Five layers of defense in a well-designed CUI environment:

  1. Network — segmentation, firewalls, boundary controls
  2. Identity — MFA, least privilege, conditional access
  3. Endpoint — hardened configs, EDR, encryption
  4. Data — DLP, sensitivity labels, encryption at rest
  5. Monitoring — SIEM, alerts, incident response

The assessor isn’t looking for perfect security. They’re looking for evidence that you thought about security architecture and made deliberate decisions — not that things grew organically with security patched in later.

Document your architecture decisions and the rationale behind them.


Your assessor needs a “yes” to every row:

#QuestionWhat “yes” looks like
1Are architectural designs that promote security identified and employed?Architecture documentation names the security design choices (e.g., network segmentation and trust zones) and they’re actually implemented
2Are secure software development techniques identified and employed?Secure coding standards, peer code review, and SAST/DAST in the pipeline — chosen and in active use
3Are systems engineering principles that promote security identified and employed?Security built in at design time and carried through the build — not retrofitted

Documents they’ll review: System and communications protection policy; system security plan; system design documentation; security architecture documentation; system configuration settings

People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers; enterprise architects

Live demos they’ll ask for: Mechanisms implementing security design principles in the system architecture


These are the actual questions. Have answers ready.

  • “Walk me through your security architecture. What layers of defense do you have?”
  • “If your firewall fails, what other controls protect CUI?”
  • “Was security designed into the architecture or added later?”
  • “Show me your architecture documentation — where are the security decisions documented?”
  • “How do you evaluate security when making architectural changes?”

No architecture documentation. Systems grew organically with no deliberate design. Document your current architecture and the security rationale.

Single point of failure. All security depends on one firewall or one control. If it fails, CUI is exposed.

Security retrofitted. Systems built first, security added later — creating gaps where security doesn’t fit naturally.

No compensating controls. Each control stands alone. If one fails, there’s no backup.



RequirementWhy it matters here
3.13.1 — Guard the BoundariesBoundary protection is one layer of the defense-in-depth architecture
3.13.5 — DMZ for Public SystemsDMZ separation is an architectural decision
3.4.2 — Harden EverythingHardened configs are the endpoint layer of defense in depth