Part of a Collection
This article is part of the collection: The 14 CMMC Domains: A Comprehensive Guide
CMMC Deep Dive: System and Communications Protection (SC)
A guide to the System and Communications Protection (SC) domain, covering the security of your networks and data in transit.
Published: June 25th, 2024By: CMMC Dashboard TeamLast updated: August 7th, 2025
System and Communications ProtectionSCFirewallEncryption
This article is part of our series on The 14 CMMC Domains.
The System and Communications Protection (SC) domain is broad, covering the security of your networks and the information transmitted over them. It focuses on protecting the confidentiality and integrity of information at the system and network level.
Why It Matters
This domain protects against network-based attacks like eavesdropping, man-in-the-middle attacks, and denial-of-service. It ensures that your network architecture is defensible and that data is protected as it moves.
Key Practices
- SC.L1-3.13.1: Monitor, control, and protect communications at system boundaries (i.e., use firewalls).
- SC.L1-3.13.5: Implement subnetworks for publicly accessible systems (DMZ).
- SC.L2-3.13.6: Deny network traffic by default (deny-all, permit-by-exception).
- SC.L2-3.13.8: Encrypt CUI during transmission.
- SC.L2-3.13.11: Employ FIPS-validated cryptography.
What Assessors Look For
- Firewall configurations and rule sets.
- Network diagrams showing segmentation and DMZs.
- Proof that encryption (e.g., TLS, VPNs) is used to protect CUI in transit.
- Documentation verifying the use of FIPS-validated cryptographic modules.