
3.13.1 — Guard the Boundaries

Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

Two types of boundaries, both required:

External boundaries — where your network meets the internet or any network you don’t control. A perimeter firewall with IDS/IPS, configured to default-deny, logging all traffic.

Internal boundaries — where your CUI environment meets your non-CUI corporate network. This is where most companies fall short. A flat network where CUI systems sit on the same segment as general corporate devices is a finding.

For each boundary, the assessor checks three things:

  1. Is traffic controlled? — firewall rules restricting what can cross
  2. Is traffic monitored? — logging and alerting on boundary crossings
  3. Is traffic protected? — encryption where appropriate

The assessor will ask for your network diagram and walk through every boundary. If you can’t show where CUI traffic is separated from general traffic, you have a problem.


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|----------|------------------------|
| 1 | Are external boundaries of the system defined? | Network diagram shows perimeter with firewall/IDS |
| 2 | Are key internal boundaries defined? | CUI zone separated from corporate zone with documented controls |
| 3 | Are communications at external boundaries monitored and controlled? | Perimeter firewall rules + traffic logging |
| 4 | Are communications at key internal boundaries monitored and controlled? | Internal segmentation with firewall rules + logging |

Documents they’ll review: System and communications protection policy; procedures addressing boundary protection; system security plan; system design documentation; network diagrams; system configuration settings; system audit logs and records

People they’ll talk to: System or network administrators; personnel with information security responsibilities; system developers

Live demos they’ll ask for: Mechanisms implementing boundary protection; mechanisms for monitoring and controlling communications at boundaries


These are the actual questions. Have answers ready.

  • “Show me your network diagram. Where are the external and internal boundaries?”
  • “What controls exist at each boundary? Show me the firewall rules.”
  • “Is traffic monitored at both external and internal boundaries?”
  • “How is CUI traffic separated from general corporate traffic?”
  • “Show me a log entry of traffic crossing an internal boundary.”
  • “Are there any paths where CUI traffic can bypass boundary controls?”

Flat network. CUI systems on the same subnet as the break room smart TV. Segment your CUI environment with at least a VLAN and firewall rules.

External boundary only. Perimeter firewall exists but CUI and corporate systems share one network internally. Internal boundaries are required too.

Firewall but no monitoring. Rules are configured but nobody logs or reviews boundary traffic. Monitoring is half the requirement.

Network diagram doesn’t match reality. Diagram shows segmentation but a port scan reveals CUI systems are reachable from the corporate zone. Test your boundaries.
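The three checks above (controlled, monitored, protected) and the last pitfall (diagram says one thing, the wire says another) can both be exercised from the boundary firewall's own logs. The following is an added example, not code from the page or from any assessor toolkit: it declares the CUI and corporate zones plus the handful of flows the network diagram says may cross the internal boundary, then reads netfilter-style log lines from the boundary firewall and classifies each crossing. Accepted crossings that are not in the declared policy are exactly the "reachable from the corporate zone" gap the pitfall describes; dropped crossings that the policy allows point at a misconfigured rule. The subnets, the allowed-flow list, the `CUI-BND-ACCEPT` / `CUI-BND-DROP` log prefixes and the log lines themselves are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed zone addressing for this example (assumption, not from the page).
ZONES = {
    "cui": ipaddress.ip_network("10.10.0.0/24"),
    "corp": ipaddress.ip_network("10.20.0.0/24"),
}

# Declared internal-boundary policy from the network diagram:
# (src_zone, dst_zone, proto, dport). Anything not listed must be dropped
# (default-deny). Constructed values.
ALLOWED_FLOWS = {
    ("corp", "cui", "TCP", 443),   # corp users reach the CUI web front end
    ("cui", "corp", "UDP", 53),    # CUI hosts use the corp DNS resolver
    ("cui", "corp", "TCP", 514),   # CUI hosts ship syslog to the collector
}

# Assumed log-prefix convention on the boundary firewall's log rules;
# the rest of the line is the standard netfilter key=value format.
LOG_RE = re.compile(
    r"(?P<prefix>CUI-BND-(?:ACCEPT|DROP))\s.*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>[A-Z]+)(?:.*?DPT=(?P<dport>\d+))?"
)


@dataclass(frozen=True)
class Crossing:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None for protocols without a port (ICMP)
    action: str            # "accept" or "drop", as the firewall logged it
    line: str


def zone_of(ip: str) -> str:
    """Map an address to a declared zone; anything else is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def policy_decision(src_zone: str, dst_zone: str, proto: str, dport: Optional[int]) -> str:
    """What the declared policy says should happen to this flow."""
    return "accept" if (src_zone, dst_zone, proto, dport) in ALLOWED_FLOWS else "drop"


def parse_line(line: str) -> Optional[Crossing]:
    """Return a Crossing for a boundary-crossing log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    if src_zone == dst_zone:
        return None  # same zone on both ends: not a boundary crossing
    dport = int(m["dport"]) if m["dport"] else None
    action = "accept" if m["prefix"].endswith("ACCEPT") else "drop"
    return Crossing(src_zone, dst_zone, m["proto"], dport, action, line)


def audit(lines):
    """Compare every logged crossing against the declared policy."""
    report = {"ok": 0, "expected_deny": 0, "skipped": 0,
              "unexpected_accept": [], "unexpected_drop": []}
    for line in lines:
        c = parse_line(line)
        if c is None:
            report["skipped"] += 1
            continue
        expected = policy_decision(c.src_zone, c.dst_zone, c.proto, c.dport)
        if c.action == expected:
            report["ok" if expected == "accept" else "expected_deny"] += 1
        elif c.action == "accept":
            report["unexpected_accept"].append(c)  # a path bypasses the documented policy
        else:
            report["unexpected_drop"].append(c)    # a documented flow is being blocked
    return report


# Constructed sample log lines in netfilter format (not real captures).
SAMPLE_LOG = [
    "Jan 12 10:01:02 fw1 kernel: CUI-BND-ACCEPT IN=eth1 OUT=eth2 SRC=10.20.0.15 DST=10.10.0.5 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 SYN",
    "Jan 12 10:01:07 fw1 kernel: CUI-BND-DROP IN=eth1 OUT=eth2 SRC=10.20.0.77 DST=10.10.0.5 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=445 WINDOW=64240 SYN",
    "Jan 12 10:01:09 fw1 kernel: CUI-BND-ACCEPT IN=eth1 OUT=eth2 SRC=10.20.0.77 DST=10.10.0.9 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=40002 DPT=3389 WINDOW=64240 SYN",
    "Jan 12 10:01:11 fw1 kernel: CUI-BND-DROP IN=eth2 OUT=eth1 SRC=10.10.0.5 DST=10.20.0.2 LEN=68 TTL=63 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=48",
    "Jan 12 10:01:12 fw1 kernel: CUI-BND-ACCEPT IN=eth2 OUT=eth1 SRC=10.10.0.5 DST=10.20.0.3 LEN=60 TTL=63 ID=5 DF PROTO=TCP SPT=33000 DPT=514 WINDOW=64240 SYN",
    "Jan 12 10:01:15 fw1 kernel: CUI-BND-ACCEPT IN=eth2 OUT=eth2 SRC=10.10.0.5 DST=10.10.0.6 LEN=60 TTL=63 ID=6 DF PROTO=TCP SPT=33001 DPT=445 WINDOW=64240 SYN",
    "Jan 12 10:01:20 fw1 kernel: CUI-BND-DROP IN=eth1 OUT=eth2 SRC=10.20.0.15 DST=10.10.0.5 LEN=84 TTL=63 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1",
]

if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    print(f"ok={r['ok']} expected_deny={r['expected_deny']} skipped={r['skipped']}")
    for c in r["unexpected_accept"]:
        print("UNEXPECTED ACCEPT (rule gap):", c.src_zone, "->", c.dst_zone, c.proto, c.dport)
    for c in r["unexpected_drop"]:
        print("UNEXPECTED DROP (documented flow blocked):", c.src_zone, "->", c.dst_zone, c.proto, c.dport)
```

Run against the firewall's real log export, the "ok" and "expected_deny" lines are the evidence for the assessor's "show me a log entry of traffic crossing an internal boundary" question, and a non-empty `unexpected_accept` list is the diagram-versus-reality mismatch to fix before the assessment rather than during it. The same `policy_decision` table doubles as a checklist for the "are there any paths where CUI traffic can bypass boundary controls?" question: every entry in it should correspond to a documented, justified rule.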



| Requirement | Why it matters here |
|-------------|---------------------|
| 3.13.6 — Deny Everything by Default | Default-deny firewall rules at these boundaries |
| 3.13.5 — DMZ for Public Systems | Public-facing systems separated at the boundary |
| 3.1.3 — Where CUI Can Flow | Information flow control enforced at these boundaries |
| 3.14.6 — Watch the Network | Network monitoring at and between boundaries |

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.


CMMC Practice ID: SC.L2-3.13.1 | SPRS Weight: 5 points | POA&M Eligible: No