CMMC System & Communications Protection: Network Security Basics
System and Communications Protection is about safeguarding information as it travels through your network and between your systems and the outside world. It sounds technical—and the underlying technology can be complex—but the Level 1 requirements are manageable for any small business.
CMMC Level 1 has two requirements in this domain. Both focus on the boundary between your network and everything else. Think of it as protecting the doors and windows of your digital building.
If you have a working firewall and keep your guest WiFi separate from your business network, you're already most of the way there.
SC.L1-3.13.1: Boundary Protection
Plain English: Monitor and control what comes into and goes out of your network.
Your network has a boundary—the point where your internal systems connect to the internet. This is where threats try to get in and where your data could leak out. This requirement says you need to watch that boundary and control what crosses it.
Understanding the Boundary
For most small businesses, your network boundary is your router. It's the device that connects your office network to your internet service provider. Everything that enters or leaves your network passes through it.
A firewall is the tool that monitors and controls traffic at this boundary. It decides what's allowed in, what's allowed out, and what gets blocked. Most business-grade routers include firewall functionality built in.
What This Looks Like in Practice
You have a firewall. This might be a dedicated firewall appliance, a router with firewall features, or a firewall provided by your internet service provider. The key is having something that filters traffic between your network and the internet.
The firewall is configured properly. A firewall that allows everything through isn't protecting anything. Unnecessary ports should be closed. Inbound connections should be restricted to only what's needed. Someone should have reviewed the settings rather than just accepting defaults.
Unusual traffic gets noticed. You don't need a security operations center monitoring screens 24/7. But you should have some awareness of what's happening on your network. Many firewalls can alert you to suspicious activity. At minimum, logs should exist that you could review if needed.
Unnecessary services are blocked. If you don't need remote desktop access from the internet, block it. If you don't run a public web server, close port 80. The fewer doors you leave open, the fewer ways attackers can get in.
For Small Businesses
You don't need enterprise-grade equipment. A decent business router from established brands like Cisco, Ubiquiti, or even higher-end Netgear models includes firewall capabilities that meet Level 1 requirements. The important things are:
- The firewall is turned on (not bypassed or disabled)
- Someone has reviewed and configured the settings
- You can access logs if you need them
Evidence You'll Need
- Firewall configuration documentation or screenshots
- A basic network diagram showing where the firewall sits
- Evidence that firewall rules have been reviewed
SC.L1-3.13.5: Public-Access System Separation
Plain English: Keep systems the public can access separate from your internal systems.
If you have anything that people outside your company can reach—a website, a customer portal, public WiFi—those systems shouldn't have direct access to your internal network. A visitor on your guest WiFi shouldn't be able to reach your file server. A hacker who compromises your web server shouldn't land inside your corporate network.
What This Looks Like in Practice
Guest WiFi is on a separate network. This is the most common application for small businesses. Your employees connect to the business WiFi and can access file shares, printers, and internal systems. Guests connect to a separate guest network that only provides internet access—no visibility into your internal resources.
Web servers are isolated. If you host your own website or customer-facing applications, those servers should be separated from internal systems. In network terms, this is often called a DMZ (demilitarized zone)—a network segment that's accessible from the internet but isolated from your internal network.
Remote access goes through controlled channels. When employees access internal systems from outside the office, they should use secure methods like VPN that you control, not direct connections to internal systems exposed to the internet.
Cloud services provide natural separation. If your website is hosted by a provider like GoDaddy, Squarespace, or AWS, it's already separated from your internal network. The hosting provider manages that isolation for you.
Evidence You'll Need
- Network diagram showing separation between public-facing and internal systems
- Guest WiFi configuration showing it's isolated
- Documentation of how remote access is handled
Practical Tips for Small Offices
Network security doesn't require a dedicated IT staff or expensive equipment. Here's how small businesses typically meet these requirements:
Set up guest WiFi on a separate network. Most modern routers support multiple networks. Create one for your business and one for guests. Keep them isolated from each other. This takes about 15 minutes to configure and solves the public-access separation requirement for most small offices.
Review your router and firewall settings. Don't just plug it in and forget it. Log into your router's admin interface. Make sure the firewall is enabled. Close ports you don't need. Change the default admin password. If you're not comfortable doing this yourself, have your IT support person do it and document what they configured.
Don't expose internal systems to the internet. That remote desktop connection that lets you access your office computer from home? If it's open directly to the internet, it's a security risk. Use a VPN instead, or use remote access tools designed for secure connections.
Use VPN for remote access. When employees work remotely, they should connect through a VPN that creates a secure tunnel to your network. Many routers include VPN server functionality, or you can use business VPN services.
Consider a managed firewall service. If network security feels overwhelming, managed firewall services handle the configuration and monitoring for you. For a monthly fee, you get professional management of your network boundary. It's often more cost-effective than hiring expertise in-house.
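To make the two requirements concrete, here is an added example (not part of the article or of any router vendor's configuration) that models a three-zone small-office firewall as first-match rules and audits it against the flows this guide describes: business devices and guests may reach the internet, guests cannot reach the business LAN, and nothing unsolicited comes in from the internet. Zone names, ports and the rule format are assumptions for illustration.

```python
"""Zone-based firewall policy check for a small office router with three
zones: wan (internet), lan (business network) and guest (visitor WiFi).
Constructed example for this article, not any vendor's configuration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str             # zone the packet enters from
    dst: str             # zone it is heading to
    dport: int           # destination port
    reply: bool = False  # part of a session the inside started


# Rule = (src_zone, dst_zone, dst_port or None for any, action); first match wins.
ALLOW_ALL = [("any", "any", None, "allow")]  # "plug it in and forget it" default
SMALL_OFFICE = [
    ("lan",   "wan", None, "allow"),  # staff may reach the internet
    ("guest", "wan", None, "allow"),  # guests get internet only
    ("guest", "lan", None, "deny"),   # SC.L1-3.13.5: no path into the business LAN
    ("wan",   "lan", None, "deny"),   # SC.L1-3.13.1: no unsolicited inbound traffic
]


def evaluate(flow, rules):
    """Return 'allow' or 'deny'. Replies to sessions the inside opened are
    allowed statefully; everything else is first-match with a default deny."""
    if flow.reply:
        return "allow"
    for src, dst, port, action in rules:
        if src in ("any", flow.src) and dst in ("any", flow.dst) and port in (None, flow.dport):
            return action
    return "deny"


# Checklist drawn from the article: (description, flow, expected decision)
CHECKLIST = [
    ("staff browsing the web",            Flow("lan", "wan", 443),             "allow"),
    ("web reply back to staff",           Flow("wan", "lan", 443, reply=True), "allow"),
    ("guest device reaching file server", Flow("guest", "lan", 445),           "deny"),
    ("internet host to remote desktop",   Flow("wan", "lan", 3389),            "deny"),
    ("internet host to web port",         Flow("wan", "lan", 80),              "deny"),
    ("guest device browsing the web",     Flow("guest", "wan", 443),           "allow"),
]


def audit(rules):
    """Return checklist items whose actual decision differs from the expected one;
    an empty list means the rule set satisfies both Level 1 checks modelled here."""
    return [desc for desc, flow, want in CHECKLIST if evaluate(flow, rules) != want]
```

Running `audit` on a real rule export in this shape gives a written record of the review that the "Evidence You'll Need" lists ask for.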
Assess Your Network Security Compliance
Network security can feel intimidating if you're not technical. But CMMC Level 1 doesn't require you to become a networking expert—it requires you to have basic protections in place and be able to demonstrate them.
CMMCheck walks you through each System and Communications Protection requirement with straightforward questions. No network engineering degree required. You'll understand what's expected and whether your current setup meets the standard.
Ready to check your CMMC Level 1 readiness? Try CMMCheck and assess your compliance in plain English.
This article is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.