Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SC.L2-3.13.1 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Understanding the Requirement
This control requires you to treat your network as a set of defined boundaries — the external perimeter where your environment meets the internet, and the internal boundaries between key network segments — then actively monitor, control, and protect traffic crossing those boundaries. Practically, that means documenting external and internal system boundaries, deploying and configuring firewalls (and related controls like proxies and filters) to allow only authorized traffic, and using monitoring and alerting so you detect and respond to suspicious network activity. The overall goal is to prevent or limit network-based attacks by separating networks, limiting services and ports, and maintaining visibility into communications.
Technical Implementation
- Define boundaries and document the design: create a simple network diagram that shows the external perimeter (internet connection, DMZ, remote-access concentrators) and key internal boundaries (VLANs or segments for finance, HR, engineering, guest Wi‑Fi). Label trust levels, critical systems, and which services are permitted across each boundary — this drives firewall and monitoring rules.
- Deploy a perimeter firewall with a deny-by-default policy: place a managed or appliance firewall between your LAN and the internet. Use an explicit allowlist for inbound and outbound services (e.g., only allow inbound HTTPS to a public web server, only allow outbound HTTP/HTTPS where necessary). Block unused ports and protocols at the perimeter in both directions and log rule hits, including the final deny, so you can spot attempted abuse and see what the allowlist is actually being used for.
- Segment internal networks with internal firewalls or ACLs: separate sensitive systems (finance, HR, servers with controlled unclassified information) from general user VLANs and guest Wi‑Fi. Only permit traffic required for business functions (e.g., allow the user VLAN to reach the file server on SMB ports only, block direct database access from guest networks). This limits lateral movement if an attacker gains a foothold.
- Use content controls and web filtering: deploy a web proxy or URL filtering (integrated in the firewall or a cloud service) to block known malicious categories (malware, phishing, high-risk file sharing) and enforce acceptable use. Implement TLS inspection selectively for high-risk traffic if privacy policies and performance allow, and maintain an exception list for services that break under inspection (certificate pinning, client-certificate authentication). Where you do not inspect, you can still block encrypted connections to risky domains using DNS filtering or the TLS server name (SNI) rather than the content.
- Monitor and log communications: enable firewall and proxy logging for both denied and allowed traffic (denies show probing; allows are what you need to reconstruct an incident), forward logs to a centralized syslog or cloud log service, keep device clocks synchronized with NTP so events correlate across sources, and retain logs for incident analysis (define a retention period appropriate to your risk and resources). Add an IDS/IPS or managed detection capability to inspect traffic for threats and generate alerts. Ensure alerting routes to responsible staff and that there is a triage process.
- Operate controls with change management and maintenance: establish a documented process for firewall rule changes, periodic rule reviews (quarterly), configuration backups, and firmware patching. Keep an inventory of firewall rules and owners, remove stale rules, and test changes in a controlled window to avoid business disruption.
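The steps above boil down to a first-match allowlist per boundary pair with no catch-all allow, plus a periodic review that catches ownerless and unused rules. The following Python is an added example, not code from the page or from any firewall vendor: the zone CIDRs, rule names, owners, hit dates and the 90-day staleness threshold are constructed assumptions chosen to match the boundaries described above.

```python
"""Added illustration: a deny-by-default allowlist model for the documented
boundaries, plus the stale-rule check used in a quarterly review.
Zones, addresses, rule names, owners and dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed zones (the documented boundaries); anything else is "internet".
ZONES = {
    "dmz":     ip_network("10.40.0.0/24"),    # public web server
    "staff":   ip_network("10.10.0.0/24"),
    "finance": ip_network("10.20.0.0/24"),
    "servers": ip_network("10.30.0.0/24"),    # file server, databases
    "guest":   ip_network("192.168.50.0/24"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                  # "tcp", "udp" or "any"
    dports: FrozenSet[int]      # empty set means any destination port
    owner: Optional[str]        # rule owner; None is a review finding
    last_hit: Optional[date]    # last time the rule matched; None = never

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: int) -> Tuple[str, Optional[str]]:
    """First-match allowlist: ("allow", rule_name) or ("deny", None).
    There is deliberately no catch-all allow, so anything unmatched is denied."""
    s, d = zone_of(src), zone_of(dst)
    for r in rules:
        if (r.src_zone == s and r.dst_zone == d
                and r.proto in ("any", proto)
                and (not r.dports or dport in r.dports)):
            return "allow", r.name
    return "deny", None

def review(rules: List[Rule], today: date,
           stale_days: int = 90) -> List[Tuple[str, str]]:
    """Quarterly review: flag rules with no owner or no hits within stale_days."""
    findings = []
    for r in rules:
        if r.owner is None:
            findings.append((r.name, "no owner"))
        if r.last_hit is None or (today - r.last_hit).days > stale_days:
            findings.append((r.name, "stale"))
    return findings

# Constructed ruleset: inbound HTTPS to the DMZ only, staff to the file server
# on SMB only, guest gets internet only, and one forgotten legacy rule that the
# review should catch. Dates are relative to REVIEW_DATE.
REVIEW_DATE = date(2024, 5, 1)
RULES = [
    Rule("inbound-https-dmz",     "internet", "dmz",      "tcp", frozenset({443}),     "it",      date(2024, 4, 30)),
    Rule("staff-fileserver-smb",  "staff",    "servers",  "tcp", frozenset({445}),     "it",      date(2024, 4, 30)),
    Rule("staff-web-out",         "staff",    "internet", "tcp", frozenset({80, 443}), "it",      date(2024, 4, 30)),
    Rule("staff-dns-out",         "staff",    "internet", "udp", frozenset({53}),      "it",      date(2024, 4, 30)),
    Rule("finance-app-db",        "finance",  "servers",  "tcp", frozenset({1433}),    "finance", date(2024, 4, 29)),
    Rule("guest-web-out",         "guest",    "internet", "tcp", frozenset({80, 443}), "it",      date(2024, 4, 30)),
    Rule("legacy-rdp-to-finance", "staff",    "finance",  "tcp", frozenset({3389}),    None,      date(2023, 9, 1)),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.10.0.5", "10.30.0.10", "tcp", 445))      # staff SMB to file server
    print(evaluate(RULES, "192.168.50.7", "10.30.0.10", "tcp", 1433))  # guest to database: denied
    print(review(RULES, REVIEW_DATE))                                  # legacy rule flagged twice
```

The point of modelling the policy this way is that the same table drives both enforcement and review: a flow that no rule matches is denied without anyone having to write a deny rule, and a rule with no owner or no hits in a quarter surfaces as a finding rather than quietly accumulating.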
Example in a Small or Medium Business
Acme Design is a 45-person marketing firm that stores client drafts and sensitive contracts on an internal fileserver. The IT manager, Maya, first drew a simple network diagram showing the internet edge, a DMZ for the public web server, internal VLANs for staff, a separate VLAN for finance, and a guest Wi‑Fi VLAN. She installed a managed UTM appliance at the perimeter with a deny-by-default outbound policy, then created allow rules for necessary services (DNS, HTTPS, Office 365 SMTP relay), and blocked all other outbound ports. Maya also added internal segmentation between the staff VLAN and the finance VLAN so that only specific application ports are allowed; guest Wi‑Fi is isolated and only has internet access. A cloud-based web proxy enforces URL filtering to block known malicious categories and prevents employees from reaching risky sites. Firewall and proxy logs forward to a cloud log service with basic alerting; Maya configured alerts for repeated failed connection attempts and unusual outbound connections to suspicious IPs. She documents the boundaries in an internal wiki, schedules quarterly firewall rule reviews, and performs configuration backups before any rule changes—ensuring communications are monitored, controlled, and protected while minimizing impact on daily work.
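The two alerts Maya configures, repeated denied connection attempts from one source and an allowed outbound connection to a suspicious address, are simple enough to implement directly over forwarded firewall logs. The Python below is an added example and not part of the page or of any log platform: the key=value log line format, the internal address ranges, the five-hits-in-five-minutes threshold and the list of suspicious IPs (standing in for a threat-intelligence feed) are all constructed assumptions.

```python
"""Added illustration: the two narrative alerts (repeated denies from one
source, allowed outbound traffic to a suspicious address) over firewall logs.
The key=value log format and the sample lines are constructed, not a vendor
format; SUSPICIOUS stands in for a threat-intel blocklist."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SUSPICIOUS = {"198.51.100.23", "203.0.113.77"}   # constructed blocklist

def parse(line: str) -> Dict[str, object]:
    """Parse '<iso-timestamp> <host> k=v k=v ...' into a dict."""
    ts, _host, rest = line.split(" ", 2)
    ev: Dict[str, object] = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    ev["dport"] = int(ev["dport"])
    return ev

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)

def detect(lines: List[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, object]]:
    """Return alerts in log order. A source that crosses the deny threshold
    is alerted on once per burst rather than on every further hit."""
    alerts: List[Tuple[str, str, object]] = []
    denies: Dict[str, deque] = defaultdict(deque)   # per-source deny timestamps
    fired = set()
    for ev in map(parse, lines):
        src, dst, ts = ev["src"], ev["dst"], ev["ts"]
        if ev["action"] == "deny":
            q = denies[src]
            q.append(ts)
            while q and ts - q[0] > window:          # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in fired:
                fired.add(src)
                alerts.append(("repeated-denies", src, len(q)))
        elif (ev["action"] == "allow" and is_internal(src)
              and not is_internal(dst) and dst in SUSPICIOUS):
            alerts.append(("suspicious-outbound", src, dst))
    return alerts

# Constructed sample log: a port probe of the DMZ host from one external
# address, normal staff browsing, one outbound connection to a known-bad
# address, and a lone deny that should not alert.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z fw01 action=deny src=203.0.113.9 dst=10.40.0.10 proto=tcp dport=22",
    "2024-05-01T10:00:10Z fw01 action=deny src=203.0.113.9 dst=10.40.0.10 proto=tcp dport=23",
    "2024-05-01T10:00:20Z fw01 action=deny src=203.0.113.9 dst=10.40.0.10 proto=tcp dport=3389",
    "2024-05-01T10:00:25Z fw01 action=allow src=10.10.0.5 dst=203.0.113.8 proto=tcp dport=443",
    "2024-05-01T10:00:30Z fw01 action=deny src=203.0.113.9 dst=10.40.0.10 proto=tcp dport=445",
    "2024-05-01T10:00:40Z fw01 action=deny src=203.0.113.9 dst=10.40.0.10 proto=tcp dport=8080",
    "2024-05-01T10:00:50Z fw01 action=deny src=203.0.113.9 dst=10.40.0.10 proto=tcp dport=8443",
    "2024-05-01T10:01:05Z fw01 action=allow src=10.10.0.5 dst=198.51.100.23 proto=tcp dport=443",
    "2024-05-01T10:30:00Z fw01 action=deny src=198.51.100.5 dst=10.40.0.10 proto=tcp dport=22",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The sliding window keeps the repeated-deny alert from firing on slow background scanning that never reaches the threshold within five minutes, and the `fired` set keeps one loud scan from producing one alert per packet. The suspicious-outbound check only considers allowed traffic, because a denied connection to a bad address is the firewall working as intended; the allowed one is the host you need to look at.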
Summary
Defining your external and internal boundaries, deploying perimeter and internal controls, and combining allowlist firewall rules with web filtering and continuous monitoring lets an SMB effectively monitor, control, and protect organizational communications. Policy elements (network diagrams, change control, rule reviews) ensure decisions are repeatable and auditable, while technical measures (firewalls, segmentation, proxies, logging, IDS/IPS) reduce attack surface and provide the visibility needed to detect and respond to network threats. Together these steps satisfy the control by limiting unauthorized traffic, making network-based attacks harder to carry out and easier to investigate.