3.13.2 System and Communications Protection - Basic

Basic Requirement

Control Description

Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

Discussion

Organizations apply systems security engineering principles to new development systems or systems undergoing major upgrades. For legacy systems, organizations apply systems security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems. The application of systems security engineering concepts and principles helps to develop trustworthy, secure, and resilient systems and system components and reduce the susceptibility of organizations to disruptions, hazards, and threats.

Examples of these concepts and principles include developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk. Organizations that apply security engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk-management decisions. [SP 800-160-1] provides guidance on systems security engineering.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern use of encrypted sessions for remote access?
  • What procedures define encryption requirements for remote connections?
  • Who approves remote access encryption standards?
  • What governance ensures all remote access is encrypted?
  • What training addresses encrypted remote access requirements?

Technical Implementation:

  • What VPN or encryption technologies secure remote access?
  • How do you enforce encryption for all remote connections?
  • What FIPS 140-2 validated cryptography is used?
  • How do you prevent unencrypted remote access?
  • What monitoring detects unencrypted remote connections?

Evidence & Documentation:

  • Can you demonstrate remote access encryption implementation?
  • What configurations show mandatory encryption for remote access?
  • Can you provide evidence of FIPS-validated encryption?
  • What logs verify all remote sessions are encrypted?
  • What audit findings confirm encrypted remote access compliance?
