3.13 SC
The SC family is the most technically demanding in the entire 800-171 set — 16 controls spanning network architecture, boundary enforcement, six distinct cryptographic obligations, and DLP. It splits into three sub-pages by design; everything on a single page would be unnavigable. Let me read the skill and build all three.

Good. The SC family produces three sub-pages: BDY (9 boundary controls), ENC (5 cryptographic controls), and ARC (2 architectural controls). I'll produce all three as a single document with clear page-break divisions so they can be imported and split in Confluence.

1,256 paragraphs across four sections — the parent index plus the three sub-pages. Here is the structure and the key judgements made in each section.
Document structure
The document opens with the parent page index (AT-SC), which contains the complete 16-control SSP summary table and the ISO 27001 Annex A mapping overview. This is the page a C3PAO assessor reads first to understand the SC family's scope before diving into the sub-pages. The navigation table at the top of the index routes by problem domain rather than by control number — assessors and engineers think in terms of "boundary" and "encryption", not "3.13.1 through 3.13.16".
AT-SC-BDY covers nine boundary controls and contains three detailed sub-sections with their own tables. The firewall baseline configuration specification table gives engineers the exact settings required — this is what the quarterly configuration audit (EV-D20) checks against. The DMZ architecture specification table defines the permitted traffic between each network segment; it is the operational counterpart to the SSP network architecture diagram and should be kept in sync with it. The session termination timeout table is worth noting specifically: it covers seven distinct session types from VPN to database connections, because 3.13.9 applies to all network sessions, not just remote access.
AT-SC-ENC is the section most likely to generate C3PAO findings in a first assessment. It opens with the FIPS 140-2/3 requirement call-out box before the first control, because the FIPS validation requirement is the single most commonly misunderstood SC family obligation. The approved algorithm table takes a deliberate position: it lists prohibited algorithms explicitly (RC4, DES, 3DES, MD5, SHA-1, SSL, TLS 1.0/1.1) so engineers cannot miss them. The FIPS module documentation table gives concrete certificate numbers for the platforms most organisations run — Windows 11, Windows Server 2022, iOS, and AWS KMS — with a note that Android and VPN concentrator numbers are device-specific and must be looked up per deployment. The CUI at-rest encryption inventory table documents eight distinct storage types from BitLocker endpoints to portable USB drives, because 3.13.16 applies to all CUI at rest, not just servers.
AT-SC-ARC is the most architectural of the three sub-pages. The Zero Trust architecture implementation table maps the five ZTA pillars (identity, devices, network, applications, data) to current technical controls and their NIST 800-171 control numbers. This is useful both for the SSP (3.13.2 implementation description) and for any CMMC Level 2 assessment preparation, since C3PAO assessors increasingly ask for evidence of ZTA alignment in addition to individual control compliance.
The three SC family findings that assessors find most reliably
The FIPS module gap is the most common. An organisation has TLS 1.3 everywhere, strong cipher suites, and AES-256 at rest, and still fails 3.13.11 because it cannot produce the CMVP certificate number for the cryptographic module each platform actually uses. Two details matter: the certificate must cover the module version that is deployed, and the platform must be configured to run that module in its validated mode (on Windows, the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy setting), because a validated library that has not been switched into FIPS mode does not satisfy the control. The FIPS module documentation table in AT-SC-ENC is the exact document assessors ask for. Populate it before the assessment, not during.
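The certificate inventory is a documentary check, but the approved-algorithm table in AT-SC-ENC can be enforced mechanically. The following Python script is an added example (not tooling from the original document or the ENC sub-page) that audits an endpoint's offered protocol versions and cipher suites against the prohibited list above (RC4, DES, 3DES, MD5, SHA-1, SSL, TLS 1.0/1.1). It accepts both OpenSSL-style names (`DES-CBC3-SHA`) and IANA names (`TLS_RSA_WITH_3DES_EDE_CBC_SHA`); the endpoint names and configurations at the bottom are constructed, not taken from any real deployment.

```python
"""Audit TLS endpoint configurations against the ENC prohibited-algorithm list.

Added example, not the ENC sub-page's own tooling. Endpoint names, protocol
lists and cipher suites below are constructed."""
import re

PROHIBITED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Suite names are split on '-' and '_' so one table serves OpenSSL names
# (ECDHE-RSA-AES128-SHA) and IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA).
PROHIBITED_TOKENS = {
    "RC4": "RC4 stream cipher",
    "DES": "single DES",
    "3DES": "Triple DES",
    "MD5": "MD5 digest",
    "SHA": "SHA-1 digest",   # a bare SHA token means SHA-1; SHA256/SHA384 are distinct tokens
    "SHA1": "SHA-1 digest",
    "NULL": "null cipher or null authentication",
    "EXPORT": "export-grade key size",
    "EXP": "export-grade key size",
}


def _tokens(suite):
    toks = re.split(r"[-_]", suite.upper())
    # OpenSSL spells Triple DES as DES-CBC3; it must not be reported as single DES.
    if "DES" in toks and "CBC3" in toks:
        toks = [t for t in toks if t != "DES"] + ["3DES"]
    return toks


def audit_cipher_suite(suite):
    """Return the sorted list of reasons a suite is prohibited; empty means acceptable."""
    return sorted({PROHIBITED_TOKENS[t] for t in _tokens(suite) if t in PROHIBITED_TOKENS})


def audit_endpoint(name, protocols, cipher_suites):
    """One finding per prohibited protocol and per prohibited component of a suite."""
    findings = []
    for proto in protocols:
        if proto in PROHIBITED_PROTOCOLS:
            findings.append(f"{name}: protocol {proto} is prohibited")
        elif proto not in APPROVED_PROTOCOLS:
            findings.append(f"{name}: protocol {proto} is not on the approved list")
    for suite in cipher_suites:
        for reason in audit_cipher_suite(suite):
            findings.append(f"{name}: cipher suite {suite} uses {reason}")
    return findings


# Constructed inventory: the VPN concentrator still offers TLS 1.1 and a 3DES suite.
ENDPOINTS = {
    "vpn-concentrator": (["TLSv1.1", "TLSv1.2"],
                         ["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"]),
    "web-portal": (["TLSv1.2", "TLSv1.3"],
                   ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]),
}


def audit_all(endpoints=ENDPOINTS):
    return [f for name, (protos, suites) in endpoints.items()
            for f in audit_endpoint(name, protos, suites)]


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Run it against the protocol and cipher lists exported from each TLS termination point (load balancer, VPN concentrator, mail gateway). A clean result here does not close 3.13.11 on its own: the module behind those suites still needs its CMVP certificate recorded in the documentation table.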
The undocumented split-tunnel exception is the second. Nearly every organisation has at least one VPN connection where split-tunnelling is enabled, often a legacy site-to-site VPN or a third-party contractor connection. If it is not documented in the SSP as a formal exception with CISO approval and compensating controls, it fails 3.13.7. The control does not require zero split-tunnelling; it requires that any split-tunnel is authorised, documented, and compensating-controlled. Because the control text is written as a prevention requirement, treat every split-tunnel as a deviation that needs that exception record; the finding is the unrecorded one, not the existence of a documented exception.
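The concentrator configuration says what was intended; the workstation's routing table says what actually happens. As an added example (not from the original document), the Python snippet below classifies a Linux client's `ip route show` output as full-tunnel, split-tunnel or no VPN, given the tunnel interface name (`tun0` is an assumption), and lists the prefixes that bypass a split tunnel, which is the scope the exception record has to cover. The two route listings are constructed. It recognises the `0.0.0.0/1` and `128.0.0.0/1` pair that OpenVPN's `redirect-gateway def1` installs, which overrides the default route without replacing it and is easy to misread as a split tunnel when only the `default` line is inspected.

```python
"""Classify a Linux workstation's IPv4 routing table as full-tunnel, split-tunnel
or no-VPN from `ip route show` output.

Added example, not from the original document. The interface name tun0 and
the route listings are constructed."""
import ipaddress
import re

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?:.* metric (?P<metric>\d+))?")


def parse_ip_route(text):
    """Return a list of {dst, dev, metric} dicts, one per route line."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append({"dst": ipaddress.ip_network(dst, strict=False),
                       "dev": m["dev"],
                       "metric": int(m["metric"] or 0)})
    return routes


def classify_tunnel(routes, vpn_dev):
    """'full' if all IPv4 traffic leaves via vpn_dev, 'split' if only some does,
    'no-vpn' if vpn_dev carries no routes at all."""
    vpn_nets = {r["dst"] for r in routes if r["dev"] == vpn_dev}
    if not vpn_nets:
        return "no-vpn"
    # Case 1: the lowest-metric default route points at the tunnel.
    defaults = [r for r in routes if r["dst"].prefixlen == 0]
    if defaults and min(defaults, key=lambda r: r["metric"])["dev"] == vpn_dev:
        return "full"
    # Case 2: redirect-gateway def1 installs 0.0.0.0/1 and 128.0.0.0/1 via the
    # tunnel. Both are more specific than the default route, so they win without
    # the default line ever changing; inspecting only 'default' misses this.
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    if halves <= vpn_nets:
        return "full"
    return "split"


def outside_tunnel(routes, vpn_dev):
    """For a split tunnel, the prefixes that bypass it; empty otherwise."""
    if classify_tunnel(routes, vpn_dev) != "split":
        return []
    return sorted(str(r["dst"]) for r in routes if r["dev"] != vpn_dev)


# Constructed `ip route show` output for a full tunnel installed by def1 ...
FULL_DEF1 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
"""

# ... and for a split tunnel that only carries the corporate 10.50.0.0/16.
SPLIT = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
10.50.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
"""

if __name__ == "__main__":
    for label, text in (("def1", FULL_DEF1), ("split", SPLIT)):
        routes = parse_ip_route(text)
        print(label, classify_tunnel(routes, "tun0"), outside_tunnel(routes, "tun0"))
```

This covers IPv4 only. Check `ip -6 route` separately: a client whose IPv4 default goes through the tunnel while its IPv6 default still goes out the local interface is, in practice, split-tunnelled for every dual-stack destination.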
A management interface reachable from the user VLAN is the third. Engineers frequently create shortcuts — adding a management interface to the general data VLAN temporarily during a deployment, then leaving it there. The management interface isolation check in the quarterly configuration audit (EV-D20) is the control that catches this. The assessor test for 3.13.3 is simple: they sit on a user workstation and attempt SSH to a management interface. If it connects, it is a finding.
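The same test can be run offline against a firewall ruleset export before the assessor does it live, and it also exercises the default-deny and management-isolation rows of the firewall baseline specification in AT-SC-BDY. The Python script below is an added example, not the page's own tooling: a first-match policy evaluator with an implicit default deny, driven through every user host, management host and port combination. The ruleset, address ranges and port list are constructed; the last rule models the "temporary" deployment shortcut described above, and the deny rule that is supposed to isolate management covers only half of the user VLAN, which is the kind of mismatch a per-rule read-through misses.

```python
"""First-match firewall policy evaluator that reproduces the 3.13.3 assessor
test (user workstation -> management interface over SSH) and the default-deny
check of the quarterly configuration audit, offline against a ruleset export.

Added example, not the page's own tooling. The ruleset, address ranges and
ports below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp", "udp" or "any"
    dport: tuple      # inclusive (low, high) port range, or None for any port
    comment: str = ""


def _matches(rule, src_ip, dst_ip, proto, dport):
    if src_ip not in ipaddress.ip_network(rule.src):
        return False
    if dst_ip not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and not rule.dport[0] <= dport <= rule.dport[1]:
        return False
    return True


def evaluate(rules, src, dst, proto, dport):
    """Return (action, rule) for the first rule that matches; no match is an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, rule
    return "deny", None


def check_management_isolation(rules, user_hosts, mgmt_hosts, mgmt_ports):
    """The assessor's test done exhaustively: every user host against every
    management host and port. Returns the (user, mgmt, port, rule comment)
    tuples that would connect; an empty list is the expected result."""
    findings = []
    for user in user_hosts:
        for mgmt in mgmt_hosts:
            for port in mgmt_ports:
                action, rule = evaluate(rules, user, mgmt, "tcp", port)
                if action == "allow":
                    findings.append((user, mgmt, port, rule.comment))
    return findings


# Constructed ruleset. The user VLAN is 10.10.20.0/23, but the deny that is
# supposed to isolate management covers only 10.10.20.0/24, so the "temporary"
# rule at the end still lets the other half of the VLAN reach the switch.
RULES = [
    Rule("allow", "10.10.250.0/24", "10.10.250.0/24", "tcp", (22, 22), "jump host to mgmt ssh"),
    Rule("allow", "10.10.250.0/24", "10.10.250.0/24", "tcp", (443, 443), "jump host to mgmt https"),
    Rule("deny", "10.10.20.0/24", "10.10.250.0/24", "any", None, "user vlan -> mgmt blocked"),
    Rule("allow", "10.10.20.0/23", "10.10.30.0/24", "tcp", (443, 443), "users -> app tier"),
    Rule("allow", "10.10.20.0/23", "10.10.250.10/32", "tcp", (22, 22), "TEMP deploy access, remove after go-live"),
]

USER_HOSTS = ["10.10.20.55", "10.10.21.7"]
MGMT_HOSTS = ["10.10.250.10", "10.10.250.11"]
MGMT_PORTS = [22, 443]

if __name__ == "__main__":
    for finding in check_management_isolation(RULES, USER_HOSTS, MGMT_HOSTS, MGMT_PORTS):
        print("FINDING: %s -> %s:%d allowed by rule '%s'" % finding)
```

Feed it the real ruleset and the full address list of the management network rather than a sample; the evaluator is cheap, and the point of doing it exhaustively is to catch the host or prefix that a spot check from one workstation would not.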
Importing into Confluence
The document contains natural page-break points between sections. To create the four Confluence pages, import the document and then use Confluence's "split page" feature or simply copy-paste each section into a separate child page under 03 · Advanced Controls. The parent page (AT-SC index) becomes the parent Confluence page; BDY, ENC, and ARC become child pages beneath it. Apply page-level restrictions (isms-it-staff and isms-security) to all four pages before publishing.
Cross-link the three sub-pages to each other (BDY links to ENC for the encryption controls it references; ENC links back to BDY for the transit context; ARC links to both). Also link AT-SC-BDY to AT-AC (the access control mechanisms that enforce boundary rules rely on the identity model in AT-AC), and AT-SC-ENC to AT-MP (media protection's encryption requirements at 3.8.6 and 3.8.9 share the same FIPS requirement and key management procedure).