03.13.01 — (a) Monitor and control communications at external managed interfaces to the system and key internal managed interfaces within the system. (b) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (c) Connect to external systems only through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.
What this control requires
(a) Monitor and control communications at external managed interfaces to the system and key internal managed interfaces within the system. (b) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (c) Connect to external systems only through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture.
Source: NIST SP 800-171 R3 §03.13.01 (official control text).
Why this matters
Boundary protection creates controlled choke points where your network meets the internet and between internal trust zones. Without managed interfaces — firewalls, gateways, screened subnets — attackers gain direct access to internal systems, move laterally through your network undetected, or exfiltrate data without inspection. This control enforces the principle that all traffic crossing a trust boundary must pass through inspection points that log, filter, and block malicious communications. Screened subnetworks (DMZs) isolate internet-facing systems so that a compromised web server cannot directly reach your file shares or domain controllers.
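One way to turn that policy into a repeatable check on the configuration export an assessor will ask for (an added example, not FORCE's or NIST's code): the script below audits a constructed firewall rule export against the zone crossings this control cares about. The CSV column layout, the zone CIDRs and the sample flows are assumptions, not a real vendor format.

```python
"""Audit a firewall rule export for DMZ segmentation and boundary logging.

Constructed example. The CSV layout (src,dst,dport,action,log), the zone
CIDRs (192.0.2.0/24 = DMZ, 10.0.0.0/8 = internal) and the sample rules
are all assumptions; adapt parse_rules() to your own export format.
"""
import csv
import io
import ipaddress

# Constructed rule export: first match wins, the last rule is the catch-all.
RULE_EXPORT = """\
src,dst,dport,action,log
0.0.0.0/0,192.0.2.10/32,443,allow,yes
10.0.0.0/8,192.0.2.0/24,443,allow,no
192.0.2.0/24,10.0.0.0/8,any,deny,yes
0.0.0.0/0,0.0.0.0/0,any,deny,yes
"""

def parse_rules(text):
    """Turn the CSV export into a list of rule dicts with parsed networks."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "src": ipaddress.ip_network(row["src"]),
            "dst": ipaddress.ip_network(row["dst"]),
            "dport": None if row["dport"] == "any" else int(row["dport"]),
            "action": row["action"],
            "log": row["log"] == "yes",
        })
    return rules

def first_match(rules, src, dst, dport):
    """Return the first rule matching the flow, or None (implicit, unlogged deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"] and r["dport"] in (None, dport):
            return r
    return None

# Flows the control requires: (src, dst, dport, expected action). Constructed.
EXPECTED = [
    ("203.0.113.5", "192.0.2.10", 443, "allow"),  # internet -> DMZ web server
    ("203.0.113.5", "10.1.2.3", 3389, "deny"),    # internet -> internal RDP
    ("192.0.2.10", "10.1.2.3", 445, "deny"),      # DMZ web server -> internal SMB
    ("10.1.2.3", "192.0.2.10", 443, "allow"),     # internal -> DMZ web server
]

def audit(rules, expected=EXPECTED):
    """Return human-readable findings; an empty list means the export passes."""
    findings = []
    for src, dst, dport, want in expected:
        r = first_match(rules, src, dst, dport)
        got = r["action"] if r else "deny"
        if got != want:
            findings.append(f"{src}->{dst}:{dport} is {got}, expected {want}")
        elif got == "deny" and not (r and r["log"]):
            findings.append(f"{src}->{dst}:{dport} denied but not logged")
    return findings
```

Run `audit(parse_rules(RULE_EXPORT))` against each exported ruleset; a rule that opens DMZ-to-internal traffic, or a missing logged catch-all deny, shows up as a finding you can attach to the control's evidence.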
What evidence assessors expect
Assessors typically look for: screenshot, PDF, CSV export, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.13.01.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →