SC — System and Communications Protection

Stokes Frederick Co

SPRS Score: -131

Objective Progress 12 / 41 (29.3%)
CMMC Practices MET 1 / 16
Domain Score Impact -37

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

SC.L2-3.13.1 DoD Weight: 5 Deduction: -5 Basic
NOT MET
Requirement: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.1[b] = Not Yet Assessed; 3.13.1[c] = Not Yet Assessed; 3.13.1[d] = Not Yet Assessed; 3.13.1[e] = Not Yet Assessed; 3.13.1[f] = Not Yet Assessed; 3.13.1[g] = Not Yet Assessed; 3.13.1[h] = Not Yet Assessed

Assessment Objectives (8)

  • 3.13.1[a]
    Determine if: the external system boundary is defined.
    MET
  • 3.13.1[b]
    Determine if: key internal system boundaries are defined.
    Not Yet Assessed
  • 3.13.1[c]
    Determine if: communications are monitored at the external system boundary.
    Not Yet Assessed
  • 3.13.1[d]
    Determine if: communications are monitored at key internal boundaries.
    Not Yet Assessed
  • 3.13.1[e]
    Determine if: communications are controlled at the external system boundary.
    Not Yet Assessed
  • 3.13.1[f]
    Determine if: communications are controlled at key internal boundaries.
    Not Yet Assessed
  • 3.13.1[g]
    Determine if: communications are protected at the external system boundary.
    Not Yet Assessed
  • 3.13.1[h]
    Determine if: communications are protected at key internal boundaries.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; enterprise security architecture documentation; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability].
SC.L2-3.13.2 DoD Weight: 5 Deduction: -5 Basic
NOT MET
Requirement: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.2[b] = Not Yet Assessed; 3.13.2[c] = Not Yet Assessed; 3.13.2[d] = Not Yet Assessed; 3.13.2[e] = Not Yet Assessed; 3.13.2[f] = Not Yet Assessed

Assessment Objectives (6)

  • 3.13.2[a]
    Determine if: architectural designs that promote effective information security are identified.
    MET
  • 3.13.2[b]
    Determine if: software development techniques that promote effective information security are identified.
    Not Yet Assessed
  • 3.13.2[c]
    Determine if: systems engineering principles that promote effective information security are identified.
    Not Yet Assessed
  • 3.13.2[d]
    Determine if: identified architectural designs that promote effective information security are employed.
    Not Yet Assessed
  • 3.13.2[e]
    Determine if: identified software development techniques that promote effective information security are employed.
    Not Yet Assessed
  • 3.13.2[f]
    Determine if: identified systems engineering principles that promote effective information security are employed.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security planning policy; procedures addressing security plan development and implementation; procedures addressing security plan reviews and updates; enterprise architecture documentation; security plan; records of security plan reviews and updates; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security planning and plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for security plan development, review, update, and approval; mechanisms supporting the system security plan].
SC.L2-3.13.3 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Separate user functionality from system management functionality.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.3[b] = Not Yet Assessed; 3.13.3[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.13.3[a]
    Determine if: user functionality is identified.
    MET
  • 3.13.3[b]
    Determine if: system management functionality is identified.
    Not Yet Assessed
  • 3.13.3[c]
    Determine if: user functionality is separated from system management functionality.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; system design documentation; system configuration settings and associated documentation; security plan; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Separation of user functionality from system management functionality].
SC.L2-3.13.4 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Prevent unauthorized and unintended information transfer via shared system resources.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.4 = Not Yet Assessed

Assessment Objectives (1)

  • 3.13.4
    Determine if: unauthorized and unintended information transfer via shared system resources is prevented.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Separation of user functionality from system management functionality].
SC.L2-3.13.5 DoD Weight: 5 Deduction: -5 Basic
NOT MET
Requirement: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.5[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.13.5[a]
    Determine if: publicly accessible system components are identified.
    MET
  • 3.13.5[b]
    Determine if: subnetworks for publicly accessible system components are physically or logically separated from internal networks.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; system configuration settings and associated documentation; enterprise security architecture documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability].
SC.L2-3.13.6 DoD Weight: 5 Deduction: -5 Basic
NOT MET
Requirement: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.6[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.13.6[a]
    Determine if: network communications traffic is denied by default.
    MET
  • 3.13.6[b]
    Determine if: network communications traffic is allowed by exception.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing traffic management at managed interfaces].
SC.L2-3.13.7 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.7 = Not Yet Assessed

Assessment Objectives (1)

  • 3.13.7
    Determine if: remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; security plan; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability; mechanisms supporting or restricting non-remote connections].
SC.L2-3.13.8 DoD Weight: 3 Deduction: -3 Basic
NOT MET
Requirement: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.8[b] = Not Yet Assessed; 3.13.8[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.13.8[a]
    Determine if: cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified.
    MET
  • 3.13.8[b]
    Determine if: alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified.
    Not Yet Assessed
  • 3.13.8[c]
    Determine if: either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Cryptographic mechanisms or mechanisms supporting or implementing transmission confidentiality; organizational processes for defining and implementing alternative physical safeguards].
SC.L2-3.13.9 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.9[b] = Not Yet Assessed; 3.13.9[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.13.9[a]
    Determine if: a period of inactivity to terminate network connections associated with communications sessions is defined.
    MET
  • 3.13.9[b]
    Determine if: network connections associated with communications sessions are terminated at the end of the sessions.
    Not Yet Assessed
  • 3.13.9[c]
    Determine if: network connections associated with communications sessions are terminated after the defined period of inactivity.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; system design documentation; security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Mechanisms supporting or implementing network disconnect capability].
SC.L2-3.13.10 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Establish and manage cryptographic keys for cryptography employed in organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.10[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.13.10[a]
    Determine if: cryptographic keys are established whenever cryptography is employed.
    MET
  • 3.13.10[b]
    Determine if: cryptographic keys are managed whenever cryptography is employed.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment and management; security plan; system design documentation; cryptographic mechanisms; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for cryptographic key establishment and management].
Test: [SELECT FROM: Mechanisms supporting or implementing cryptographic key establishment and management].
SC.L2-3.13.11 DoD Weight: 5 Earned: 5 Derived
MET
Requirement: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

Assessment Objectives (1)

  • 3.13.11
    Determine if: FIPS-validated cryptography is employed to protect the confidentiality of CUI.
    MET
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic protection; security plan; system design documentation; system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with responsibilities for cryptographic protection].
Test: [SELECT FROM: Mechanisms supporting or implementing cryptographic protection].
SC.L2-3.13.12 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to users present at the device.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.12[b] = Not Yet Assessed; 3.13.12[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.13.12[a]
    Determine if: collaborative computing devices are identified.
    MET
  • 3.13.12[b]
    Determine if: collaborative computing devices provide indication to users of devices in use.
    Not Yet Assessed
  • 3.13.12[c]
    Determine if: remote activation of collaborative computing devices is prohibited.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with responsibilities for managing collaborative computing devices].
Test: [SELECT FROM: Mechanisms supporting or implementing management of remote activation of collaborative computing devices; mechanisms providing an indication of use of collaborative computing devices].
SC.L2-3.13.13 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Control and monitor the use of mobile code.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.13[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.13.13[a]
    Determine if: use of mobile code is controlled.
    MET
  • 3.13.13[b]
    Determine if: use of mobile code is monitored.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions, mobile code implementation policy and procedures; security plan; list of acceptable mobile code and mobile code technologies; list of unacceptable mobile code and mobile technologies; authorization records; system monitoring records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for managing mobile code].
Test: [SELECT FROM: Organizational process for controlling, authorizing, monitoring, and restricting mobile code; mechanisms supporting or implementing the management of mobile code; mechanisms supporting or implementing the monitoring of mobile code].
SC.L2-3.13.14 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.14[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.13.14[a]
    Determine if: use of Voice over Internet Protocol (VoIP) technologies is controlled.
    MET
  • 3.13.14[b]
    Determine if: use of Voice over Internet Protocol (VoIP) technologies is monitored.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing VoIP; VoIP usage restrictions; VoIP implementation guidance; security plan; system design documentation; system configuration settings and associated documentation; system monitoring records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for managing VoIP].
Test: [SELECT FROM: Organizational process for authorizing, monitoring, and controlling VoIP; mechanisms supporting or implementing authorizing, monitoring, and controlling VoIP].
SC.L2-3.13.15 DoD Weight: 5 Deduction: -5 Basic
NOT MET
Requirement: Protect the authenticity of communications sessions.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.15 = Not Yet Assessed

Assessment Objectives (1)

  • 3.13.15
    Determine if: the authenticity of communications sessions is protected.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting or implementing session authenticity].
SC.L2-3.13.16 DoD Weight: 1 Deduction: -1 Basic
NOT MET
Requirement: Protect the confidentiality of CUI at rest.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.13.16 = Not Yet Assessed

Assessment Objectives (1)

  • 3.13.16
    Determine if: the confidentiality of CUI at rest is protected.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; security plan; system design documentation; list of information at rest requiring confidentiality protections; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Mechanisms supporting or implementing confidentiality protections for information at rest].