Organizations handling sensitive information must define the external boundary of their system. Establishing key internal boundaries adds layers to the defense. Enable monitoring, control traffic, and protect communications at each boundary. We pulled guidance from five NIST publications to detail implementation. This post covers the following topics around NIST SP 800-171 practice 3.13.1:
NIST introduced special publication (SP) 800-171 in 2015. NIST kept the practice number of 3.13.1 through the first and second revisions. NIST SP 800-171 Revision 3 has changed this requirement's number to 03.13.01.
The Cybersecurity Maturity Model Certification (CMMC) rule verifies implementation of SP 800-171 Rev 2. CMMC 1.02 numbered this practice SC.1.175; CMMC 2.0 renumbered it SC.L1-3.13.1. This practice applies to organizations seeking compliance at any CMMC level.
As of December 2023, CMMC 2.1 created two numbers for this practice:
CMMC Level 1 uses the label SC.L1-b.1.x. The suffix b.1.x references paragraph (b)(1)(x) of Federal Acquisition Regulation (FAR) clause 52.204-21.
CMMC Level 2 uses the label SC.L2-3.13.1. SC identifies the system and communications protection domain. L2 identifies the applicability to CMMC Level 2. 3.13.1 references the original number from NIST SP 800-171 Rev 2.
Practice Statement
NIST derived the SP 800-171 basic security requirements from FIPS 200. Below is the original language from FIPS 200:
NIST split this into two practices within SP 800-171. The first part became 3.13.1:
Assessment Objectives
NIST SP 800-171A provides assessment procedures for each practice. Each procedure applies assessment methods (examining artifacts, interviewing personnel, and testing mechanisms) to assessment objects. An assessor evaluates each objective to reach a finding. A finding of "satisfied" indicates an acceptable implementation; a finding of "other than satisfied" identifies one or more anomalies.
The assessment objectives for 3.13.1 contain eight parts:
NIST SP 800-53 Mapping
Appendix D maps SP 800-171 requirements to controls from SP 800-53 Rev 4. This mapping relates 3.13.1 to SC-7 and SA-8. The mapping also suggests the same relationship exists for 3.13.2. Mapping this practice to SP 800-53 is more challenging since NIST derived it from FIPS 200.
We mapped these eight objectives to the closest SP 800-53A Rev 5 objectives. NIST IR 8477 guidance helped define the nature and strength of the relationships. The findings indicated that:
SC.L1-3.13.1(a) intersects with SC-07a.[01] (moderate strength)
SC.L1-3.13.1(b) intersects with SC-07a.[03] (moderate strength)
SC.L1-3.13.1(c) is equal to SC-07a.[01]
SC.L1-3.13.1(d) is equal to SC-07a.[03]
SC.L1-3.13.1(e) is equal to SC-07a.[02]
SC.L1-3.13.1(f) is equal to SC-07a.[04]
SC.L1-3.13.1(g) intersects with SC-07c. (strong relationship)
SC.L1-3.13.1(h) intersects with SC-07b. (strong relationship)
The CMMC guide derived much of the discussion from the supplemental guidance for SC-7.
The CMMC assessment guide added a new sentence to begin the discussion:
Restrict or prohibit interfaces at boundary components for monitoring, controlling, and protecting communications.
The CMMC Assessment Guide also provides a further discussion. This narrative provides an analogy and actionable steps:
Fences, locks, badges, and key cards help keep non-employees out of your facilities. Likewise, you must protect your company’s IT network or system boundaries. Many companies use a web proxy and a firewall.
When an employee uses a company computer to go to a website, a web proxy makes the request on the user’s behalf. It looks at the web request, and decides if it should let the employee go to the website.
A firewall controls access from the inside and outside. This protects valuable information and resources stored on the company’s network. A firewall stops unwanted traffic from passing through to the company’s network. Internal boundaries determine where data can flow. For instance, a software development environment may have its own boundary. This boundary controls, monitors, and protects the data that can leave that boundary.
You may want monitoring, traffic control, or protection on isolated networks. A firewall limits attackers' ability to enter your network.
The CMMC Assessment Guide also provides an example:
You are setting up the new network and want to keep your company’s information and resources safe. You start by sketching out a simple diagram that identifies the external boundary [a]. It also identifies any internal boundaries [b]. The first piece of equipment you install is the firewall. This is a device to separate your internal network from the internet. The firewall also has a feature that allows you to block access to malicious websites. You configure that service as well [a,c,e,g]. Some of your coworkers complain that they cannot get onto certain websites [c,e,g]. You explain that the network blocks websites known for spreading malware. The firewall sends you a daily digest of blocked activity for monitoring attack trends [c,d].
DoD Criticality
The NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 assigns a 5-point value to this practice. Failing this practice may lead to data exfiltration or exploitation of the network. CMMC section 170.21(ii) removed this practice's eligibility for a limited deficiency, so it cannot be carried on a plan of action. This practice aligns to the basic safeguarding requirements of FAR 52.204-21.
(S) implemented by an information system through technical means
(O) implemented by an individual through nontechnical means
(O/S) implemented by an organization, system, or combination of the two
NIST designates SC-7 as (S), implemented through technical means. The crosswalk therefore suggests that 3.13.1 is a technical control. This practice may apply only to components that provide the relevant security capabilities: those that monitor, control, or protect communications at internal or external boundaries. Potential system components include:
Gateways
Routers
Firewalls
Encrypted Tunnels
Security Information and Event Management (SIEM) systems
Intrusion Detection Systems (IDS)
Intrusion Prevention Systems (IPS)
Proxies
Load Balancers
Network Access Control (NAC) systems
Data Loss Prevention (DLP) systems
Unified Threat Management (UTM) devices
Demilitarized Zone (DMZ) components
Remote Access Systems
Cloud Access Security Brokers
Wireless Access Points (WAPs)
Mobile Device Management (MDM) systems
Software-Defined Networking (SDN) controllers
Malicious code protection software
Scanning tools
Inheritance
It is possible to inherit or share this practice with an external service provider. For example, the KTL 360 secure enclave lists 3.13.1 as an inherited practice:
Implementation
Depict external boundaries on your network diagram
Elements under an organization’s direct management comprise a system. These elements generally support the same mission or business function. They likely have similar security requirements. Organizations may have separate system boundaries for CMMC Level 1 and Level 2.
The CMMC Level 1 Scoping Guide includes components that handle federal contract information (FCI). Handling includes processing, storing, or transmitting information. Components that do not handle FCI are outside the assessment scope. Level 1 also excludes specialized assets. The following asset categories, defined in the Level 2 Scoping Guide, are not part of a Level 1 scope:
Assets that process, store, or transmit controlled unclassified information (CUI Assets).
Assets that provide security protection capabilities to the system (Security Protection Assets).
Assets that can, but are not intended to, handle CUI because of policy, procedures, and practices (Contractor Risk Managed Assets).
Specialized Assets, such as government furnished equipment, Internet of Things devices, operational technology, restricted information systems, and test equipment.
Create a data flow diagram to identify components that handle sensitive information. Data flow diagrams enable the creation of relevant network diagrams. Depict the external system boundary using the network diagram.
Depict key internal boundaries on your network diagram
Organizations may use specific system components to handle sensitive information. Isolating components in a separate security domain may limit the scope of requirements. Security domains may use physical separation, logical separation, or both.
Use distinct components to create physical separation. House separated components in distinct operating environments. The degree of separation may range from separate rooms to separated facilities. Boundary protection devices prohibit access and information flow among partitioned system components.
Architectural and design concepts may achieve logical isolation. NIST SP 800-82 recommends approaches to segmenting and isolating portions of a network:
Firewalls limit traffic based on a variety of data characteristics.
Unidirectional Gateways only allow data transmission in a single direction. Organizations may place a unidirectional gateway between an operational network and the enterprise network so that traffic can only leave the operational network.
Virtual Local Area Networks (VLAN) separate traffic based on network switching equipment. For example, you may configure an 8-port switch to separate traffic into two VLANs. The first VLAN would use ports 1 through 4. The second VLAN would use ports 5 through 8.
Software-Defined Networking (SDN) routes traffic using a centralized controller. SDNs make it easier to manage the whole network without having to adjust each switch.
Enable monitoring capabilities on boundary protection devices
Monitoring activities may include observing audit activities in real time. The discussion from NIST SP 800-53 SI-4 identifies several common monitoring platforms:
Intrusion detection systems (IDS)
Intrusion prevention systems (IPS)
Malicious code protection software
Scanning tools
Audit record monitoring software
Network monitoring technologies
Enable real-time network monitoring using a Security Information and Event Management (SIEM) platform. A SIEM collects logs through a variety of sensors placed within the network and stores them in a central database for real-time threat detection analysis.
NIST SP 800-61 recommends taking the following actions when monitoring boundary components:
Profile Network and Systems to measure characteristics of expected activity to identify changes. Track bandwidth usage to determine average and peak usage levels. Run file integrity checking software on boundary protection devices.
Understand Normal Behaviors by reviewing log entries and security alerts. Filter logs to condense them to a reasonable size. Conduct frequent log reviews to enable identification of trends and changes over time.
What to do after identification of suspicious activity
How to protect log analysis in storage and transit
How to handle inadvertent disclosures of sensitive log data
Perform Event Correlation by comparing log events from relevant sources (for example, firewall denies against intrusion detection alerts from the same source).
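The profiling, baseline and correlation steps above, as an added Python example that is not part of NIST SP 800-61 or this post. The firewall and IDS record layouts, hosts and addresses are constructed for the example; a real deployment would parse the vendor's own log format.

```python
"""Profile boundary-device logs and correlate them with IDS alerts.

Added example with constructed data. The record layouts below are assumptions
for illustration, not a vendor format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall records: <timestamp> <action> <proto> <src:port> -> <dst:port>
FIREWALL_LOG = """\
2024-03-01T09:00:01 ALLOW TCP 10.1.5.20:51000 -> 10.1.9.10:443
2024-03-01T09:00:04 ALLOW TCP 10.1.5.21:51011 -> 10.1.9.10:443
2024-03-01T09:00:09 ALLOW UDP 10.1.5.20:53000 -> 10.1.9.53:53
2024-03-01T09:00:15 ALLOW TCP 10.1.5.22:51020 -> 10.1.9.10:443
2024-03-01T09:01:02 DENY  TCP 203.0.113.7:40001 -> 10.1.9.10:22
2024-03-01T09:01:03 DENY  TCP 203.0.113.7:40002 -> 10.1.9.10:3389
2024-03-01T09:01:04 DENY  TCP 203.0.113.7:40003 -> 10.1.9.10:445
2024-03-01T09:01:30 ALLOW TCP 10.1.5.20:51100 -> 10.1.9.10:443
2024-03-01T09:02:10 ALLOW TCP 10.1.5.23:51200 -> 10.1.9.10:8443
"""

# Constructed IDS alerts: <timestamp> <source ip> <message>
IDS_ALERTS = """\
2024-03-01T09:01:05 203.0.113.7 ET SCAN Possible Nmap TCP probe
2024-03-01T09:40:00 198.51.100.9 ET POLICY Outbound TLS to unusual port
"""

BASELINE_END = datetime(2024, 3, 1, 9, 1, 0)   # end of the "known good" window


def parse_firewall(text):
    """Turn firewall records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, proto, src, _arrow, dst = line.split()
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "proto": proto, "src": src_ip, "sport": int(sport),
                       "dst": dst_ip, "dport": int(dport)})
    return events


def parse_ids(text):
    """Turn IDS alert lines into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, *words = line.split()
        alerts.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "msg": " ".join(words)})
    return alerts


def profile_services(events, until=BASELINE_END):
    """Baseline of (destination, port) pairs permitted before `until`."""
    return Counter((e["dst"], e["dport"]) for e in events
                   if e["action"] == "ALLOW" and e["ts"] < until)


def deviations(events, baseline, since=BASELINE_END):
    """Permitted flows after `since` that reach a service absent from the baseline."""
    return [e for e in events
            if e["action"] == "ALLOW" and e["ts"] >= since
            and (e["dst"], e["dport"]) not in baseline]


def detect_scans(events, min_ports=3, window=timedelta(seconds=60)):
    """Sources denied on at least `min_ports` distinct ports within `window`."""
    denied = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denied[e["src"]].append(e)
    scanners = {}
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {x["dport"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                scanners[src] = ports
                break
    return scanners


def correlate(events, alerts, window=timedelta(seconds=120)):
    """For each IDS alert, count firewall denies from the same source within `window`."""
    return [(a["src"], a["msg"],
             sum(1 for e in events if e["action"] == "DENY"
                 and e["src"] == a["src"] and abs(e["ts"] - a["ts"]) <= window))
            for a in alerts]


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    base = profile_services(fw)
    print("new services:", [(e["dst"], e["dport"]) for e in deviations(fw, base)])
    print("scanners:", detect_scans(fw))
    print("correlated:", correlate(fw, parse_ids(IDS_ALERTS)))
```

Run against the constructed data, the baseline contains only 443 and 53; the later flow to 8443 is reported as a new service, the outside host probing three ports within a minute is reported as a scanner, and the IDS scan alert correlates with three firewall denies while the second alert has none. The thresholds (three ports, 60 s, 120 s) are assumptions to tune against your own baseline.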
Define information flow control and firewall policies
Information flow control policies define where information can travel within and between systems. Develop a list of the types of traffic the organization needs and identify how to secure each. The discussion for NIST SP 800-53 AC-4 provides a few examples of flow restrictions:
Keep export-controlled information from transmitting in the clear to the Internet
Block outside traffic that claims it is from within the organization
Restrict web requests to the Internet that do not originate from the internal web proxy server
Limit information transfers between organizations based on data structures and content
Firewall policies are a type of information flow policy. They focus on controlling inbound and outbound traffic. NIST SP 800-41 provides examples of firewall policies:
Permit only necessary Internet Protocol (IP) protocols to pass
Ensure use of correct source and destination IP addresses
Restrict access to specific Transmission Control Protocol (TCP) ports
Restrict access to specific User Datagram Protocol (UDP) ports
Allow only certain Internet Control Message Protocol (ICMP) types and codes.
Block all inbound and outbound traffic not explicitly permitted by the firewall policy (default deny)
Enable real-time log and alert monitoring to identify threats
Use a change management control process when changing firewall rule-sets and policies
Review rule-sets and perform tests to ensure compliance with existing policies
Patch firewall software as vendors provide updates to address vulnerabilities
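To make the AC-4 flow restrictions and the SP 800-41 policy items above concrete, the following Python evaluates a first-match, default-deny rule-set against sample packets and then checks the rule-set against the expected outcomes, which is the "perform tests" step. This is an added example, not code from NIST or the original post; the address ranges, interface names and the rules themselves are assumptions.

```python
"""Evaluate a first-match, default-deny firewall rule-set against sample packets.

Added example. Addresses, interfaces and the rules themselves are assumptions
chosen to illustrate the AC-4 and SP 800-41 policy items.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal address space
WEB_PROXY = ipaddress.ip_network("10.0.0.5/32")    # assumed internal web proxy
DMZ_WEB = ipaddress.ip_network("10.0.1.10/32")     # assumed public-facing web server
RESOLVER = ipaddress.ip_network("10.0.0.53/32")    # assumed internal DNS resolver


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface of arrival: "outside" or "inside"
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    iface: Optional[str] = None     # None means "any" for this and the fields below
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dports: Optional[frozenset] = None
    icmp_types: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.iface is None or self.iface == p.iface,
            self.proto is None or self.proto == p.proto,
            self.src is None or ipaddress.ip_address(p.src) in self.src,
            self.dst is None or ipaddress.ip_address(p.dst) in self.dst,
            self.dports is None or p.dport in self.dports,
            self.icmp_types is None or p.icmp_type in self.icmp_types,
        ))


# Ordered rule-set: the first matching rule wins; anything unmatched is denied.
RULESET = [
    # AC-4: block outside traffic that claims an internal source address
    Rule("antispoof", "deny", iface="outside", src=INTERNAL),
    # AC-4: only the web proxy may open HTTP/HTTPS to the Internet
    Rule("proxy-web-egress", "permit", iface="inside", proto="tcp",
         src=WEB_PROXY, dports=frozenset({80, 443})),
    Rule("no-direct-web", "deny", iface="inside", proto="tcp",
         dports=frozenset({80, 443})),
    # SP 800-41: restrict inbound access to a specific TCP port on one host
    Rule("dmz-https", "permit", iface="outside", proto="tcp",
         dst=DMZ_WEB, dports=frozenset({443})),
    # SP 800-41: restrict UDP to the internal resolver only
    Rule("internal-dns", "permit", iface="inside", proto="udp",
         dst=RESOLVER, dports=frozenset({53})),
    # SP 800-41: allow only selected ICMP types (3 = unreachable, 11 = time exceeded)
    Rule("icmp-errors-in", "permit", iface="outside", proto="icmp",
         icmp_types=frozenset({3, 11})),
]


def evaluate(packet: Packet, ruleset=RULESET):
    """Return (action, rule name); the implicit final rule is default deny."""
    for rule in ruleset:
        if rule.matches(packet):
            return rule.action, rule.name
    return "deny", "default-deny"


# Expected outcomes: the tests SP 800-41 asks for when reviewing a rule-set.
EXPECTED = [
    (Packet("outside", "tcp", "10.0.2.9", "10.0.1.10", 443), ("deny", "antispoof")),
    (Packet("inside", "tcp", "10.0.0.5", "198.51.100.20", 443), ("permit", "proxy-web-egress")),
    (Packet("inside", "tcp", "10.0.2.9", "198.51.100.20", 443), ("deny", "no-direct-web")),
    (Packet("outside", "tcp", "203.0.113.7", "10.0.1.10", 443), ("permit", "dmz-https")),
    (Packet("outside", "tcp", "203.0.113.7", "10.0.1.10", 22), ("deny", "default-deny")),
    (Packet("inside", "udp", "10.0.2.9", "10.0.0.53", 53), ("permit", "internal-dns")),
    (Packet("outside", "icmp", "203.0.113.7", "10.0.1.10", icmp_type=3), ("permit", "icmp-errors-in")),
    (Packet("outside", "icmp", "203.0.113.7", "10.0.1.10", icmp_type=8), ("deny", "default-deny")),
]


def verify(ruleset=RULESET, cases=EXPECTED):
    """Return the cases whose outcome differs from policy; an empty list means compliant."""
    return [(p, want, evaluate(p, ruleset)) for p, want in cases
            if evaluate(p, ruleset) != want]


if __name__ == "__main__":
    for p, _ in EXPECTED:
        print(p.iface, p.proto, p.src, "->", p.dst, p.dport, p.icmp_type, evaluate(p))
    print("policy mismatches:", verify())
```

Keep the expected-outcome table under change control alongside the rule-set: when a rule change is requested, re-running the verification shows whether the change breaks an existing policy decision before it reaches the device. Order matters in a first-match engine; swapping "no-direct-web" above "proxy-web-egress" would silently cut off the proxy, and the verification would catch it.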
Control communications at external and key internal system boundaries
Firewalls control the flow of network traffic between networks with differing security postures. Networks may use firewalls at the external or key internal system boundaries. When implementing boundary protection devices, consider information flow and firewall policies.
Firewalls can control communications traffic using data from one or more layers. There are four Transmission Control Protocol/Internet Protocol (TCP/IP) layers:
Application Layer sends and receives data for applications. Firewalls can use data from the application layer as the basis for policy decisions. Protocols include domain name system, hypertext transfer protocol, and simple mail transfer protocol. The application layer has layers of protocols within it. For example:
SMTP encapsulates
Request for Comments (RFC) 2822 message syntax, which encapsulates
Multipurpose Internet Mail Extensions (MIME), which can encapsulate
Hypertext Markup Language (HTML)
Transport Layer identifies network applications and communications sessions. A session is the combination of the source IP address and port with the destination IP address and port. The destination port number identifies a service listening on the destination host. The source port number identifies where the destination host should send its replies. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) have ports. Other transport protocols do not.
Network Layer (IP Layer) defines IP addresses. This layer routes packets across networks. Protocols include:
Internet Protocol version 4 (IPv4)
Internet Protocol version 6 (IPv6)
Internet Control Message Protocol (ICMP)
Internet Group Management Protocol (IGMP)
Data Link Layer (Hardware Layer) uses network interface media access control (MAC) addresses. Firewall policies rarely use the data link layer.
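The following Python, an added example rather than code from the original post, peels a constructed Ethernet/IPv4/TCP/HTTP frame one layer at a time so you can see which fields a firewall has available at each of the four layers. The frame is built in the block with struct; the MAC addresses, IP addresses and HTTP request are test values. The network-layer step also verifies the IPv4 header checksum, which a filtering device should check before trusting the addresses in the header.

```python
"""Peel a frame layer by layer to see which fields each firewall layer can use.

Added example. The frame is constructed here with struct; MAC and IP addresses
are documentation/test values, not from the original page.
"""
import ipaddress
import struct

ETH_FMT = "!6s6sH"          # dst MAC, src MAC, EtherType
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/IHL, TOS, len, id, flags/frag, TTL, proto, csum, src, dst
TCP_FMT = "!HHIIHHHH"       # sport, dport, seq, ack, offset/flags, window, csum, urgent
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = ((0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST"))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload=b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n") -> bytes:
    """Construct an Ethernet II + IPv4 + TCP + HTTP sample frame (test data)."""
    tcp = struct.pack(TCP_FMT, 51515, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0)
    fields = [0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000, 64, PROTO_TCP, 0,
              ipaddress.IPv4Address("192.0.2.10").packed,
              ipaddress.IPv4Address("198.51.100.20").packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))  # fill in header checksum
    ip = struct.pack(IPV4_FMT, *fields)
    eth = struct.pack(ETH_FMT, bytes.fromhex("02005e000101"),
                      bytes.fromhex("0200c0a80001"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    """Data link layer: MAC addresses and the EtherType of the payload."""
    dst, src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(packet: bytes):
    """Network layer: addresses, protocol, TTL, and whether the header checksum verifies."""
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}
    return info, packet[ihl:total_len]


def parse_tcp(segment: bytes):
    """Transport layer: ports (the session identifiers) and control flags."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_FMT, segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_NAMES if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
            "flags": flags}, segment[data_offset:]


def parse_frame(frame: bytes) -> dict:
    """Decode one frame into the TCP/IP layers a firewall may inspect."""
    link, ip_packet = parse_ethernet(frame)
    layers = {"link": link}
    if link["ethertype"] != ETHERTYPE_IPV4:
        return layers                       # not IPv4: only link-layer fields are available
    network, segment = parse_ipv4(ip_packet)
    layers["network"] = network
    if network["protocol"] == PROTO_TCP:
        transport, app_data = parse_tcp(segment)
        layers["transport"] = transport
        layers["application"] = app_data    # what an application-layer filter would inspect
    return layers


if __name__ == "__main__":
    for layer, fields in parse_frame(build_frame()).items():
        print(layer, fields)
```

A packet filter working at the network and transport layers sees only the "network" and "transport" dictionaries; the HTTP request in "application" is opaque to it, which is why blocking a specific URL or attachment type needs the application-layer inspection described below.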
Basic firewalls operate on one or a few layers. More advanced firewalls examine all the layers. Examining more layers enables more granular and thorough examinations. We extracted relevant controlling capabilities from NIST SP 800-41:
Network address translation (NAT) maps private addresses on the inside to one or more public addresses on the outside. Because the translation table only holds mappings created by inside hosts, NAT can prevent an outside host from initiating contact with a host behind it. NAT is not a security feature by itself, but it interacts with the firewall's security policies. When using NAT, ensure the firewall records the private (pre-translation) address in its logs; otherwise the logs will identify many hosts by the same public address.
Stateless inspection (packet filtering) controls traffic by inspecting network- or transport-layer headers. This provides access control based on host addresses and communication sessions. Packet filters do not examine the content of the packet. A set of directives, called a rule-set, governs the access control decisions. The most common example of packet filtering is a router that employs access control lists.
Stateful inspection improves on packet filtering by tracking the state of each connection in a state table. The table records source and destination IP addresses, port numbers, and connection state information. TCP connection states include connection establishment, usage, and termination. UDP has no connection state at the transport layer, so a stateful firewall tracks UDP flows using only source and destination IP addresses and ports and expires them after an idle period. Stateful inspection blocks packets that deviate from the expected state.
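As an added example (not code from NIST SP 800-41 or the original post), the following Python implements the state table described above: an inside-initiated SYN permitted by policy creates an entry, the reply SYN/ACK and the final ACK advance it, and packets that do not match an entry in the expected state are dropped. UDP flows get a reply window that expires when idle. The egress policy, addresses, direction labels and timeouts are assumptions for the example.

```python
"""Track connection state so only packets consistent with it pass.

Added example of stateful inspection. Policy, addresses and timeouts are
assumptions; "out" means inside -> outside and "in" means outside -> inside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str                  # "out" or "in"
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP control flags, e.g. {"SYN", "ACK"}
    ts: float = 0.0                 # seconds; assumed monotonic


class StatefulFirewall:
    TCP_IDLE = 3600.0   # idle timeouts are assumptions for the example
    UDP_IDLE = 30.0

    def __init__(self, allow_new):
        self.allow_new = allow_new   # policy callback for NEW outbound flows
        self.table = {}              # 5-tuple -> {"proto", "state", "last"}

    @staticmethod
    def key(p):
        """Normalise both directions to (proto, inside ip, port, outside ip, port)."""
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        for k, e in list(self.table.items()):
            idle = self.TCP_IDLE if e["proto"] == "tcp" else self.UDP_IDLE
            if now - e["last"] > idle:
                del self.table[k]

    def process(self, p):
        """Return ("ACCEPT" | "DROP", reason) for one packet."""
        self._expire(p.ts)
        k = self.key(p)
        entry = self.table.get(k)
        return self._tcp(p, k, entry) if p.proto == "tcp" else self._udp(p, k, entry)

    def _tcp(self, p, k, e):
        f = p.flags
        if e is None:
            # Only an inside-initiated SYN permitted by policy may create state.
            if p.direction == "out" and f == {"SYN"} and self.allow_new(p):
                self.table[k] = {"proto": "tcp", "state": "SYN_SENT", "last": p.ts}
                return "ACCEPT", "new connection"
            return "DROP", "no matching connection"
        st = e["state"]
        if "RST" in f:
            del self.table[k]
            return "ACCEPT", "reset, state removed"
        if st == "SYN_SENT" and p.direction == "out" and f == {"SYN"}:
            pass                                        # SYN retransmission
        elif st == "SYN_SENT" and p.direction == "in" and f == {"SYN", "ACK"}:
            e["state"] = "SYN_RECV"
        elif st == "SYN_RECV" and p.direction == "out" and "ACK" in f and "SYN" not in f:
            e["state"] = "ESTABLISHED"
        elif st in ("ESTABLISHED", "CLOSING") and "SYN" not in f:
            if "FIN" in f:
                e["state"] = "CLOSING"
        else:
            return "DROP", f"{sorted(f)} unexpected in state {st}"
        e["last"] = p.ts
        return "ACCEPT", e["state"]

    def _udp(self, p, k, e):
        # UDP has no handshake: remember outbound datagrams and admit replies
        # to the same 5-tuple until the flow goes idle.
        if e is None:
            if p.direction == "out" and self.allow_new(p):
                self.table[k] = {"proto": "udp", "state": "REPLY_EXPECTED", "last": p.ts}
                return "ACCEPT", "new flow"
            return "DROP", "unsolicited datagram"
        e["last"] = p.ts
        return "ACCEPT", "existing flow"


def allow_new(p):
    """Assumed egress policy: inside hosts may open HTTPS and DNS only."""
    return (p.proto, p.dport) in {("tcp", 443), ("udp", 53)}


def scenario():
    """Run a constructed packet sequence through the firewall; returns the decisions."""
    fw = StatefulFirewall(allow_new)
    S, SA, A, N = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"}), frozenset()
    pkts = [
        Packet("out", "tcp", "10.0.0.7", 50000, "198.51.100.20", 443, S, 0.0),
        Packet("in", "tcp", "198.51.100.20", 443, "10.0.0.7", 50000, SA, 0.1),
        Packet("out", "tcp", "10.0.0.7", 50000, "198.51.100.20", 443, A, 0.2),
        Packet("in", "tcp", "198.51.100.20", 443, "10.0.0.7", 50001, SA, 0.3),  # no SYN was sent
        Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.7", 50000, A, 0.4),     # ACK scan probe
        Packet("out", "tcp", "10.0.0.7", 50002, "198.51.100.20", 22, S, 0.5),   # not in policy
        Packet("out", "udp", "10.0.0.7", 40000, "192.0.2.53", 53, N, 1.0),
        Packet("in", "udp", "192.0.2.53", 53, "10.0.0.7", 40000, N, 1.2),
        Packet("in", "udp", "203.0.113.7", 53, "10.0.0.7", 40001, N, 1.3),      # unsolicited
        Packet("in", "udp", "192.0.2.53", 53, "10.0.0.7", 40000, N, 40.0),      # idle > 30 s
    ]
    return [fw.process(p)[0] for p in pkts]


if __name__ == "__main__":
    print(scenario())
```

The unsolicited SYN/ACK, the ACK-scan probe and the late UDP "reply" are all well-formed packets a stateless filter with a "permit established" rule would pass; only the state table rejects them. Real implementations also track sequence-number windows and per-state timeouts, which this example omits.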
Stateful protocol analysis (deep packet inspection) adds basic intrusion detection technology. An inspection engine analyzes protocols at the application layer, comparing profiles of benign activity against observed events to identify deviations. Stateful protocol analysis uses this analysis to allow or deny access. This enables the following capabilities:
Blocking an email message that contains a type of attachment not permitted
Blocking connections with specific actions, such as writing files to an FTP server
Blocking web pages that contain active content, such as Java or ActiveX
Blocking web pages signed by a compromised or revoked certificate authority
Blocking repeated commands or commands not preceded by another
Protect communications at external and key internal system boundaries
We extracted relevant protection capabilities from NIST SP 800-41:
Application-proxy gateways combine lower-layer access control with upper-layer functionality. A proxy agent acts as an intermediary between the hosts attempting to communicate. The proxy agent never allows a direct connection between hosts. This prevents the outside world from seeing internal IP addresses. The proxy agent interfaces with the firewall rule-set to filter transiting traffic. Some proxy agents have the ability to authenticate each network user. Some proxy gateways can decrypt packets and examine them. Proxy agents re-encrypt the packets before sending them to the destination. Full packet awareness takes longer and may not suit real-time applications.
Dedicated proxy servers act as intermediaries to control traffic. They have limited capabilities to block traffic, so they often sit behind firewalls. Dedicated proxy servers are often application-specific (e.g., an email or HTTP proxy). They generally perform specialized filtering and logging. Use of inbound proxy servers has decreased as their features are now built into servers. Most proxy servers now in use are outbound, with HTTP proxies the most common.
Virtual private networking requires firewalls to encrypt and decrypt traffic flows. There are two common choices for VPNs. These include IPsec and Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Both use gateway-to-gateway or host-to-gateway architectures. A gateway is part of another network device such as a firewall or router. Gateway-to-gateway connects fixed sites over public lines. Host-to-gateway provides secure connections to remote users. The host is a client on the user’s machine. The VPN is often part of the firewall itself so that it can inspect the unencrypted traffic. Host-to-gateway VPNs allow administrators to control user access to network resources. VPNs rely on authentication protocols. One common example is Remote Authentication Dial In User Service (RADIUS). Another example is Lightweight Directory Access Protocol (LDAP).
Network Access Control (NAC) incorporates a health check of the user's computer. Health checks use software on the user's system that the firewall controls. Users may gain only limited access to the network if their device fails the health check. Health checks verify:
Latest updates to anti-malware and personal firewall software
Configuration settings for anti-malware and personal firewall software
Elapsed time since the previous malware scan
Patch level of the operating system and selected applications
Security configuration of the operating system and selected applications
Unified Threat Management (UTM) - combines more than one feature into a single system. UTMs may include a firewall, malware detection, and blocking of suspicious network probes.
Web Application Firewalls (WAFs) protect web servers by detecting attacks that exploit the HTTP protocol. NIST SP 800-215 provides guidance on WAF capabilities. Advanced Uniform Resource Locator (URL) filtering detects traffic to and from malicious URLs, drawing on real-time threat data analyzed by machine learning algorithms. Content delivery networks use WAFs to mitigate distributed denial-of-service (DDoS) attacks. Other features include:
Ability to specify an allowed list of services (application level)
Verifying that traffic matches the intent of allowed ports
Filtering of some unwanted protocols
Inspecting threat vectors for:
SQL Injection
Operating System (OS) command injections
Cross-site scripting attacks
Continuous Monitoring Tasks
A continuous monitoring task verifies that controls produce their desired outcome(s). The practice 3.13.1 has four desired outcomes:
Defining external and key internal system boundaries
Monitoring communications at external and key internal boundaries
Controlling communications at external and key internal boundaries
Protecting communications at external and key internal boundaries
Update your network diagram at least once per year. Depict the external system boundary and key internal boundaries.
Other tasks might include:
Reviewing log data on a weekly basis. Analyze log records for unusual or suspicious activity.
Review log event types on an annual basis. This may also occur in response to changes in the threat environment.
Review firewall rule-sets on an annual basis to ensure compliance with existing policies.
Perform tests on boundary protection devices each year to ensure compliance with policies.
Schedule Change Advisory Board meeting on a monthly basis to review requested changes.
Policy Statements
Log Management
IT reviews logged event types each year or when the threat environment changes
IT protects log data while in transit and storage
IT analyzes log data in real-time for unusual or suspicious activity
IT retains 12 months of active logs and 18 months of cold data storage
IT maintains a baseline of device access and internal network services.
Boundary Protection
IT maintains a firewall that blocks all traffic not permitted by policy.
IT uses a change management control process when changing firewall rulesets and policies.
IT reviews rule-sets and performs tests to ensure compliance with existing policies.
IT tests and patches firewall software as vendors provide updates to address vulnerabilities.
IT maintains malicious code protection on all boundary protection devices.
Proposed Rev 3 Changes
NIST SP 800-171 Rev 3 aligns 03.13.01 with SC-7 from SP 800-53 Rev 5. Revision 3 no longer has a separate part for defining the external and key internal system boundaries; we treat that definition as a prerequisite to meeting the monitoring parts. NIST also folded the two parts of 3.13.5 into 03.13.01. The result consolidates the eight parts of 3.13.1 and the two parts of 3.13.5 into six parts:
A[01] - Monitoring communications at external managed interfaces to the system.
A[02] - Controlling communications at external managed interfaces to the system.
A[03] - Monitoring communications at key internal managed interfaces within the system.
A[04] - Controlling communications at key internal managed interfaces within the system.
B - Use physical or logical separation for system components accessible to the public.
C - Limit external system connections through boundary protection devices.
All ten existing parts of the Rev 2 requirements are present in Rev 3. The crosswalk below shows the mapping of these requirements back to related parts of 3.13.1 and 3.13.5 from Revision 2:
Conclusion
Boundary protection is critical to protecting your system and sensitive data. Use a data flow diagram to identify system components handling sensitive information. Create a network diagram of your system and identify boundary protection devices. Establish monitoring capabilities for communications transiting system boundaries. Control the flow data based on organizational policies. Protect authorized information flows into and out of the organization.