Family 3.13 · 16 requirements · Network protection
System and Communications Protection.
Boundaries. Encryption. Trusted paths.
The big picture
SC is where the network meets the standard — boundary control, encryption, mobile code, VoIP. Cloud platforms cover much of it; you still own configuration and proof.
Most boundary and encryption controls are platform-managed — see what your cloud handles vs what you own.
Boundary and isolation.
3.13.1 — 3.13.5: Monitoring at boundaries, designing for security, denying by default, splitting public-facing systems, and preventing unauthorised information transfer.
- 3.13.1 Guard the Boundaries (SC.L1-3.13.1 · Boundary Protection): Firewalls at the perimeter and between internal security zones. Monitor everything crossing each boundary.
- 3.13.2 Security by Design (SC.L2-3.13.2 · Security Engineering): Build security into your architecture, defense in depth, not bolted on afterward.
- 3.13.3 Separate Admin from User (SC.L2-3.13.3 · Role Separation): Management interfaces isolated from regular user traffic and access.
- 3.13.4 No Data Leaks Through Shared Resources (SC.L2-3.13.4 · Shared Resource Control): Prevent CUI from leaking between users through temp files, clipboard, shared memory, or system resources.
- 3.13.5 DMZ for Public Systems (SC.L1-3.13.5 · Public-Access System Separation): Public-facing systems sit in a DMZ, logically or physically separated from internal CUI networks.
Sessions and encryption.
3.13.6 — 3.13.11: Default-deny network communications, terminating sessions, key management, and FIPS-validated cryptography for CUI.
- 3.13.6 Deny Everything by Default (SC.L2-3.13.6 · Network Communication by Exception): Default firewall rule is DENY ALL. Only explicitly approved traffic is permitted.
- 3.13.7 Block Split Tunneling (SC.L2-3.13.7 · Split Tunneling): When on VPN, all traffic goes through the tunnel. No internet traffic bypasses your security controls.
- 3.13.8 Encrypt in Transit (SC.L2-3.13.8 · Data in Transit): All CUI must be encrypted during transmission: TLS, VPN, encrypted email. No clear text anywhere.
- 3.13.9 Kill Idle Network Connections (SC.L2-3.13.9 · Connections Termination): Network sessions time out and disconnect after inactivity. No persistent idle connections.
- 3.13.10 Manage Your Keys (SC.L2-3.13.10 · Key Management): Cryptographic key lifecycle: generation, storage, rotation, revocation, destruction.
- 3.13.11 FIPS or It Doesn't Count (SC.L2-3.13.11 · CUI Encryption): Encryption modules must be FIPS 140-2/140-3 validated. The module, not just the algorithm. Cannot be on POA&M.
Collaborative and mobile code.
3.13.12 — 3.13.14: Controlling collaborative computing devices, posting CUI to public systems, and VoIP technology use.
- 3.13.12 Control Cameras and Mics (SC.L2-3.13.12 · Collaborative Device Control): Webcams and microphones can't be remotely activated without visible indication to people in the room.
- 3.13.13 Control Mobile Code (SC.L2-3.13.13 · Mobile Code): Manage JavaScript, ActiveX, and other executable content. Block untrusted code execution.
- 3.13.14 Secure Your VoIP (SC.L2-3.13.14 · Voice over Internet Protocol): If using VoIP, apply the same security controls as your data networks.
Authenticity and CUI at rest.
3.13.15 — 3.13.16: Protecting communications session authenticity and protecting CUI at rest with cryptographic mechanisms.
- 3.13.15 Protect Session Integrity (SC.L2-3.13.15 · Communications Authenticity): Prevent session hijacking and man-in-the-middle attacks on communications.
- 3.13.16 Encrypt CUI at Rest (SC.L2-3.13.16 · Data at Rest): Encrypt CUI on every storage location: workstations, servers, databases, backups. FIPS-validated.