
3.13.3 System and Communications Protection - Derived

Derived Requirement

>Control Description

Separate user functionality from system management functionality.

>Discussion

System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate.

This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.
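The following is an added example, not part of this page or of NIST's text, showing one way the logical separation described above can be enforced in an application tier. It models two listeners: a user listener on the public address and an administrative listener bound only to a management network address. The administrative listener authenticates with a different method (a client-certificate identity on an allow-list) than the user listener (a session), and management paths are simply absent on the user listener. The network, addresses, paths and identities are constructed assumptions for the example.

```python
"""
Added example: logical separation of user functionality from system
management functionality in a web tier. Two listeners are modelled; the
admin listener is bound to a management address and uses a separate
authentication method (mTLS client certificate) from the user listener
(session cookie). All addresses, paths and identities are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Constructed management network and listener addresses (assumptions).
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
USER_LISTENER = "0.0.0.0:443"       # public, user-facing
ADMIN_LISTENER = "10.10.0.5:8443"   # management network only

ADMIN_PREFIX = "/admin"

# Constructed allow-list of administrator identities (client certificate CNs).
ADMIN_CERT_CNS = frozenset({"ops-alice", "ops-bob"})


@dataclass
class Request:
    listener: str                         # socket that accepted the connection
    client_ip: str
    path: str
    session_user: Optional[str] = None    # user-side auth: session cookie
    client_cert_cn: Optional[str] = None  # admin-side auth: mTLS client cert CN


def is_admin_path(path: str) -> bool:
    """True for the management interface's URL space."""
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def route(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, handler name), enforcing the separation.

    User listener: management paths do not exist, whatever credentials are
    presented. Admin listener: peer must be on the management network and
    present an allow-listed client certificate; a user session carries no
    weight there. Anything else is denied by default.
    """
    if req.listener == USER_LISTENER:
        if is_admin_path(req.path):
            # Do not reveal that a management interface exists here.
            return 404, "not_found"
        if req.session_user is None:
            return 401, "user_login"
        return 200, "user_app"

    if req.listener == ADMIN_LISTENER:
        # Defence in depth: the bind address already limits reachability,
        # but also verify the peer address is inside the management network.
        if ipaddress.ip_address(req.client_ip) not in MGMT_NET:
            return 403, "forbidden"
        # Separate authentication method for administration: a client
        # certificate whose CN is on the admin allow-list.
        if req.client_cert_cn not in ADMIN_CERT_CNS:
            return 401, "admin_auth_required"
        if not is_admin_path(req.path):
            # The admin listener serves only management functions.
            return 404, "not_found"
        return 200, "admin_app"

    # Unknown listener: deny by default.
    return 403, "forbidden"


if __name__ == "__main__":
    # Constructed sample requests to illustrate the decisions.
    samples = [
        Request(USER_LISTENER, "198.51.100.7", "/profile", session_user="carol"),
        Request(USER_LISTENER, "198.51.100.7", "/admin/users", session_user="carol"),
        Request(ADMIN_LISTENER, "10.10.0.20", "/admin/users", client_cert_cn="ops-alice"),
        Request(ADMIN_LISTENER, "10.10.0.20", "/admin/users", session_user="carol"),
        Request(ADMIN_LISTENER, "198.51.100.7", "/admin/users", client_cert_cn="ops-alice"),
    ]
    for r in samples:
        print(r.listener, r.client_ip, r.path, "->", route(r))
```

The key design point is that a valid user session never becomes an input to the administrative decision, and the administrative interface is unreachable from the user listener at all, so compromise of a user credential does not extend to management functions.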

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern denial of network communications by default?
  • What procedures implement default-deny network policies?
  • Who approves exceptions to default-deny rules?
  • How often are allow-list rules reviewed?
  • What governance ensures default-deny enforcement?

Technical Implementation:

  • How do you implement default-deny firewall rules?
  • What network access controls enforce deny-by-default?
  • How are permitted communications explicitly allowed?
  • What monitoring detects policy violations or bypasses?
  • What logging tracks denied network communications?

Evidence & Documentation:

  • Can you show firewall rules implementing default-deny?
  • What configurations demonstrate deny-by-default policies?
  • Can you provide logs of denied network traffic?
  • What evidence shows only explicitly allowed traffic is permitted?
  • What audit findings verify default-deny implementation?
