AC.L2-3.13.1[c] — System & Communications Protection (Boundary Protection)

Domain: System & Communications Protection (SC) | Practice: SC.L2-3.13.1 | Objective ID: 3.13.1[c] | Source: NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 | Assessment Objective: Communications at key internal boundaries are monitored.
Executive Summary (For Leadership and the Board)
CMMC objective AC.L2-3.13.1[c] sits inside the System & Communications Protection domain (SC.L2-3.13.1 — Boundary Protection) and reads: "Communications at key internal boundaries are monitored." In practice this means monitoring traffic at key internal boundaries (between network segments, between enclaves, between CUI and non-CUI zones) so that lateral movement by an attacker who has already gained a foothold is detected rather than assumed away. For organizations that handle Controlled Unclassified Information (CUI), this objective is part of the foundation that every downstream control depends on.
Under DFARS 252.204-7012, AC.L2-3.13.1[c] will be evaluated during a full third-party CMMC Level 2 assessment, Joint Surveillance Voluntary Assessment, or formal certification gating DoD CUI contract awards. Leadership and the board should be asking: Who owns this objective? When was it last reviewed? Where is the evidence stored? And what is our remediation plan if a C3PAO flags a gap? Failing this objective in isolation may be POA&M-able under CMMC 2.0; failing it in conjunction with related objectives in the same practice is typically not.
| Business Question | What Leadership Must Confirm |
|---|---|
| Do we have a documented, owned, and current implementation for the requirement that communications at key internal boundaries are monitored? | A named control owner exists, the implementation is documented in the SSP, and a defined review cadence is in force. |
| Can we produce evidence that this objective is operating effectively across every CUI-bearing system in scope? | Artifacts (logs, tickets, config exports, attestations) are collected on a defined cadence and tied back to AC.L2-3.13.1[c]. |
| What happens if this control fails or drifts out of compliance? | A documented detection, escalation, and remediation path exists, with the vCSO as the executive backstop. |
| Can we prove this objective to a C3PAO? | The evidence package — policy, configuration, monitoring output, and recertification records — is pre-built and mapped directly to AC.L2-3.13.1[c]. |
Executive Risk Lens: Failures against this objective routinely surface in Verizon DBIR and Mandiant M-Trends data as contributors to CUI exfiltration, ITAR-relevant data exposure, and engineering CUI loss to nation-state adversaries. A single weak point in Boundary Protection can undermine every other access-control and integrity control in the CUI boundary.
How Authorization Should Flow
AC.L2-3.13.1[c] — Boundary Protection Lifecycle (Request → Authorize → Provision → Recertify → Deprovision)

1. Request — HR / Sponsor
2. Authorize — Manager + Data Owner
3. Provision — IAM / Configuration
4. Recertify — Periodic review
5. Deprovision — Within SLA on exit / change
Every step produces audit evidence the C3PAO will request. Source of truth: authoritative system-of-record (HRIS, IdP, CMDB, GRC).
Technical Deep Dive (For Engineers, IAM Admins, and ISSOs)
What the Objective Requires
NIST SP 800-171 derives SC.L2-3.13.1 from controls in the NIST SP 800-53 SC family. CMMC 2.0 splits the parent practice into discrete assessment objectives; AC.L2-3.13.1[c] is the specific objective requiring that Communications at key internal boundaries are monitored. To pass — with artifacts — the implementation must demonstrate:
- A documented control implementation specifically addressing the requirement that communications at key internal boundaries are monitored, recorded in the System Security Plan (SSP) section for SC.L2-3.13.1.
- A named control owner accountable for AC.L2-3.13.1[c], identified in the SSP and the RACI for System & Communications Protection.
- Configuration of the supporting technology (where applicable) such that the control is enforced by default and cannot be silently bypassed by a user with normal privileges.
- A monitoring and detection mechanism (log, alert, ticket, or recertification campaign) that produces evidence the objective is operating across all CUI-bearing systems in scope.
- A documented review cadence — at minimum annual, ideally quarterly for high-risk objectives — with signed evidence of each review.
- A defined remediation path (ticket, POA&M entry, or change request) when drift, failure, or exception is detected.
- Mapping of AC.L2-3.13.1[c] to the corresponding NIST SP 800-53 Rev. 5 control(s) in the SC family, including any control enhancements adopted by the organization.
- Cross-references to related System & Communications Protection objectives in the same practice so the C3PAO sees a coherent story rather than 14 disconnected artifacts.
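The monitoring-and-detection requirement above is the one engineers most often have to show working rather than merely documented. The following is an added illustrative example, not code from this page, from NIST, or from any CMMC assessment guide: a minimal boundary monitor that reads flow records from an internal firewall or flow collector, maps each endpoint to a network zone, compares every cross-zone flow against the documented allow-list of authorized paths, and returns alert records plus an evidence summary keyed to objective 3.13.1[c]. The zone names, CIDR ranges, the allowed-path policy, the log line format and the sample records are all assumptions constructed for the example; a real deployment would take the zone model and allow-list from the SSP and the flows from the organization's own collector.

```python
"""Illustrative internal-boundary monitor (added example; constructed data).

Demonstrates the objective "communications at key internal boundaries are
monitored": every flow that crosses a zone boundary is counted as evidence,
and any crossing not on the documented allow-list becomes an alert record.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Hypothetical segmentation model: which address range belongs to which zone.
ZONES = {
    "CUI-ENCLAVE": ipaddress.ip_network("10.20.0.0/16"),
    "CORP-USER": ipaddress.ip_network("10.10.0.0/16"),
    "OT-ENGINEERING": ipaddress.ip_network("10.30.0.0/16"),
    "MGMT": ipaddress.ip_network("10.99.0.0/24"),
}

# Hypothetical documented, authorized cross-zone paths: (src_zone, dst_zone, dst_port).
# Anything crossing a boundary that is not listed here is an exception to investigate.
ALLOWED_PATHS = {
    ("CORP-USER", "CUI-ENCLAVE", 443),
    ("MGMT", "CUI-ENCLAVE", 22),
    ("MGMT", "CORP-USER", 22),
    ("MGMT", "OT-ENGINEERING", 22),
}

# Constructed sample flow records in the assumed format
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto> bytes=<n>"; not real traffic.
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 10.10.4.15 -> 10.20.1.7:443/tcp bytes=5120",
    "2024-05-01T10:00:05Z 10.10.4.15 -> 10.20.1.7:445/tcp bytes=88000",
    "2024-05-01T10:00:09Z 10.20.1.7 -> 10.20.1.8:1433/tcp bytes=2048",
    "2024-05-01T10:01:12Z 10.30.2.40 -> 10.20.1.9:3389/tcp bytes=1200",
    "2024-05-01T10:01:30Z 10.99.0.5 -> 10.20.1.7:22/tcp bytes=900",
    "2024-05-01T10:02:00Z 192.168.50.9 -> 10.20.1.7:443/tcp bytes=700",
    "2024-05-01T10:02:45Z 10.20.1.7 -> 10.10.4.15:445/tcp bytes=40960",
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flow(line):
    """Parse one record in the assumed log format into a Flow."""
    ts, src, _arrow, dst_field, bytes_field = line.split()
    dst, port_proto = dst_field.rsplit(":", 1)
    dport, proto = port_proto.split("/")
    return Flow(ts, src, dst, int(dport), proto, int(bytes_field.split("=", 1)[1]))


def zone_of(ip):
    """Map an address to its zone; addresses outside the model are UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def evaluate(flow):
    """Return None for intra-zone or authorized flows, else an alert record."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone and src_zone != "UNKNOWN":
        return None  # no boundary crossed; outside this objective's scope
    if (src_zone, dst_zone, flow.dport) in ALLOWED_PATHS:
        return None  # documented, authorized path
    reason = "unknown-endpoint" if "UNKNOWN" in (src_zone, dst_zone) else "unauthorized-cross-zone"
    return {
        "ts": flow.ts, "src": flow.src, "dst": flow.dst, "dport": flow.dport,
        "boundary": f"{src_zone}->{dst_zone}", "reason": reason, "bytes": flow.bytes_out,
        # Traffic entering the CUI enclave gets the higher priority for triage.
        "severity": "HIGH" if dst_zone == "CUI-ENCLAVE" else "MEDIUM",
    }


def monitor(lines):
    """Run every record through the boundary check; return (alerts, evidence summary)."""
    flows = [parse_flow(line) for line in lines]
    alerts, crossings = [], Counter()
    for flow in flows:
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if src_zone != dst_zone:
            crossings[f"{src_zone}->{dst_zone}"] += 1
        alert = evaluate(flow)
        if alert:
            alerts.append(alert)
    summary = {
        "objective": "3.13.1[c]",  # objective id as given on this page
        "flows_observed": len(flows),
        "boundary_crossings": sum(crossings.values()),
        "crossings_by_boundary": dict(crossings),
        "alerts": len(alerts),
    }
    return alerts, summary


if __name__ == "__main__":
    found, evidence = monitor(SAMPLE_FLOWS)
    for a in found:
        print(f"{a['severity']:6} {a['ts']} {a['boundary']:28} {a['src']}->{a['dst']}:{a['dport']} {a['reason']}")
    print(evidence)
```

The summary dictionary is the kind of artifact a control owner can export on the review cadence described above: it shows that boundary traffic was observed and counted, not only that alerts fired. Note that the example deliberately flags both directions, so a flow from the CUI enclave back toward the user segment on an unlisted port is raised just like inbound traffic, and that an address outside the zone model is treated as an exception rather than silently ignored, since an unmapped endpoint usually means the segmentation model in the SSP is out of date.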