SC - System & Communications Protection Domain Notes
CMMC Domain: SC (System & Communications Protection)
NIST 800-171 Family: 3.13.x
SC.L2-3.13.7 - SPLIT TUNNELING
Control: Prevent remote devices from simultaneously using non-remote connections with the system AND local unprotected connections.
Developer Debate
- Active internal debate at multiple orgs: does localhost access violate 3.13.7?
- "We've had internal debates on how to support devs who need localhost access"
- Source: https://old.reddit.com/r/CMMC/comments/1qd79o6/ (2026-01-14)
Practical Guidance
- Standard interpretation: disable split tunneling on VPN connections used to access CUI systems
- Localhost (127.0.0.1) access for dev tools is generally not the concern; the concern is traffic to the internet bypassing the VPN
- Document your interpretation in the SSP and be prepared to defend it
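A route-table check that makes the distinction above concrete: internet-bound traffic leaving through a non-VPN interface while the VPN is up is a split tunnel; loopback traffic never touches the main routing table and is left alone. Added example, not from the thread; interface names, gateways and the two route tables are constructed.

```python
"""Split-tunnel check for 3.13.7: does internet-bound traffic leave the host
via the VPN, or bypass it? Added example; all names and tables are constructed."""
import ipaddress

def parse_routes(route_text):
    """Parse `ip route` style lines into (network, interface) pairs."""
    routes = []
    for line in route_text.strip().splitlines():
        parts = line.split()
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_interface(routes, addr):
    """Longest-prefix match, as the kernel does. Loopback lives in the local
    table, not the main table, so answer 'lo' directly: not a 3.13.7 concern."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "lo"
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def assess_split_tunnel(route_text, vpn_iface, probes=("203.0.113.10", "198.51.100.7")):
    """Probe with TEST-NET addresses; any probe not egressing via the VPN = split tunnel."""
    routes = parse_routes(route_text)
    if not any(dev == vpn_iface for _, dev in routes):
        return {"vpn_up": False, "split_tunnel": None, "bypassing": []}
    bypassing = [p for p in probes if egress_interface(routes, p) != vpn_iface]
    return {"vpn_up": True, "split_tunnel": bool(bypassing), "bypassing": bypassing}

# Constructed tables: the first is the classic OpenVPN full-tunnel layout (two /1
# routes override the LAN default); the second pushes only 172.16/12 over tun0.
FULL_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50"""
```

Run `assess_split_tunnel(SPLIT_TUNNEL, "tun0")` to see the bypassing probes; the same function over a real `ip route` capture gives the posture to document in the SSP.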
SC.L2-3.13.9 - CONNECTION TERMINATION
Control: Terminate network connections at end of session or after defined inactivity period.
- Address together with AC.L2-3.1.11 (session termination); the same Conditional Access policy can cover both
- Inactivity period YOU define; document it in SSP
- Source: Good4Next3years comment in https://old.reddit.com/r/CMMC/comments/1rkubyj/ (2026-03-04)
SC General Notes
Encryption / FIPS
- FIPS mode is a real requirement; standard Windows FIPS mode in Intune
- Windows Server FIPS protection for data in transit - dedicated thread (2026-02-03)
- Source: https://old.reddit.com/r/CMMC/comments/1qv3evv/ (2026-02-03)
Firewall / Network Boundary
- Block-all inbound/outbound with allow-by-exception is expected
- Know your firewall posture before the assessment
- Fortigate (40F) commonly used for CMMC environments - VPN + ZTNA thread active
- Source: https://old.reddit.com/r/CMMC/comments/1qw1kc3/ (2026-02-04) - Fortigate for CMMC L2
CUI in Email
- "Not using email for CUI" thread active (score 13, 28 comments) - 2026-02-20
- Community generally: don't use regular email for CUI; use PreVeil, GCC High encrypted email, or SFTP
- Source: https://old.reddit.com/r/CMMC/comments/1ra19ta/ (2026-02-20)
SIEM Placement (In-Scope vs Supporting)
- Question: Does SIEM sit inside the CUI boundary (in-scope) or outside as supporting security system?
- "SIEM is handling CUI and sits inside your CUI boundary OR is it outside the boundary as a supporting security system?"
- This affects scope - get clarity on your architecture before assessment
- Source: https://old.reddit.com/r/CMMC/comments/1ova7nt/ (2026-01-29) comments
CUI Online Tools
- Active thread on required-online tools that handle CUI - how to classify and control them
- Source: https://old.reddit.com/r/CMMC/comments/1rmtvi2/ (2026-03-06)
SC.L2-3.13.11 - FIPS-VALIDATED CRYPTOGRAPHY (NEW DISCUSSION)
Control: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Assessor Interpretation Challenges
- Debate: Community opinion and assessor interpretations vary on how strictly this control is applied and how it is scoped.
- Counter-intuitive Advice: Some assessors have suggested that if encryption is not the primary protection mechanism for CUI (e.g., physical security, RBAC, or ACLs are), then removing non-FIPS-compliant encryption might be acceptable to achieve compliance. This runs counter to general security best practice.
- Scoping Question: Should FIPS mode be enabled across the entire CUI enclave, or only on systems where encryption is actively serving as the primary protection for CUI?
- Source: https://old.reddit.com/r/CMMC/comments/1rub61h/ (2026-03-15)
RMM Tools as Security Protection Assets (SPAs) - LogMeIn Example
Context: Discussion on how Remote Monitoring and Management (RMM) tools interact with CUI environments for CMMC compliance.
SPA Classification Criteria
- Insight: RMM tools like LogMeIn can be classified as a Security Protection Asset (SPA) (rather than a full Cloud Service Provider requiring FedRAMP Moderate+) if they are strictly configured and managed.
- Key Requirements:
  - File transfer, screenshotting, and copy/paste functionalities must be disabled.
  - Strong Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC) specifically for administrators.
  - Comprehensive logging of all RMM activities.
  - An administrative policy that mandates users close all CUI before a remote support session begins.
  - Adequate user training to ensure adherence to these policies.
  - A formal Memorandum of Understanding (MoU) with the MSP detailing the lockdown configurations and background check processes for personnel.
- Implication: Without these strict controls, the RMM tool would likely be considered a CSP and necessitate FedRAMP Moderate+ approval.
- ITAR Caveat: Note that this SPA classification might not be sufficient if ITAR (International Traffic in Arms Regulations) data is involved.
- Source: https://old.reddit.com/r/CMMC/comments/1rsnzyg/ (2026-03-14)
Related Posts
- Split tunneling debate - 2026-01-14
- Not using email for CUI - 2026-02-20
- Windows Server FIPS for data in transit - 2026-02-03
- Fortigate for CMMC Level 2 - SSL VPN + ZTNA - 2026-02-04
- CUI required online tools - 2026-03-06
- Is GCC High required for CMMC Compliance? - 2026-01-20