April 2, 2025
What's the difference between control and protect?
An excellent question came up on the Cooey Center of Excellence Discord server this past week. (By the way, I strongly recommend this as a resource for high-quality answers about CMMC. Many professionals like me spend time there every day, answering questions for free. Join us!)
A user posted the question "What's the difference between control and protect?" with respect to Boundary Protection, which is a control for both L1 (SC.L1-B.1.X) and L2 (SC.L2-3.13.1):
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
We have eight assessment objectives (AOs):
Determine if:
[a] the external system boundary is defined;
[b] key internal system boundaries are defined;
[c] communications are monitored at the external system boundary;
[d] communications are monitored at key internal boundaries;
[e] communications are controlled at the external system boundary;
[f] communications are controlled at key internal boundaries;
[g] communications are protected at the external system boundary; and
[h] communications are protected at key internal boundaries.
There are four "action words" we need to address: define, monitor, control and protect. Let's take each in turn.
Define
Generally speaking, in NIST-speak, "define" means "someone in authority made a decision and it was written down." So, someone needs to decide what is your external boundary (likely a firewall) and any key internal boundary/ies (perhaps a few restricted VLANs). Next, this needs to be documented. Typically an assessor expects to see these shown in the network diagram, and perhaps a short narrative description for these two AOs in the System Security Plan (SSP).
Monitor
Let's consult one of my favorite resources, the NIST Glossary (hint: you should bookmark this and refer to it frequently, like I do!):
Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected.
Okay, that seems pretty straightforward.
Control
Another choice from the NIST Glossary:
The means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of an administrative, technical, management, or legal nature.
So, controlling communications means we have a written policy, standard procedures and standard configurations, informed by industry best practices, that say which traffic is allowed. One of my colleagues expresses this as "Who can talk to whom and how." So maybe Access Control Lists (ACLs)? A policy requiring Transport Layer Security (TLS) encryption?
Protect
One last look at the NIST Glossary:
Develop and implement the appropriate safeguards
So "protect" in this case means we are actually doing (most likely technical) things which fulfill the goals of the written controls. Basically, this is implementing the controls we defined above (configuring the ACLs, enforcing TLS on the devices) so that communications crossing a boundary can be received only by the intended recipients.
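To make the four action words concrete, here is an added illustration that is not part of the original post: an nftables ruleset for a hypothetical boundary firewall, with each rule annotated with the assessment objective it gives evidence for. The interface names, the CUI VLAN range and the VPN gateway address are assumptions for the example, not anything from the post or from any particular assessment.

```nftables
# Added illustration, not from the original post. Hypothetical boundary firewall
# for a CUI enclave. Assumed names: eth0 is the external (internet-facing)
# interface, eth1 faces the restricted CUI VLAN 10.10.10.0/24, and 203.0.113.10
# is the organization's VPN gateway. Each rule is annotated with the
# SC.L2-3.13.1 assessment objective it supports.

# [a] and [b]: the boundaries are *defined* here. These names and ranges should
# match the network diagram and the SSP narrative, or the assessor will notice.
define wan     = "eth0"
define cui     = "eth1"
define cui_net = 10.10.10.0/24
define vpn_gw  = 203.0.113.10

flush ruleset

table inet boundary {
    chain forward {
        # [e] and [f]: communications are *controlled*. Default deny in both
        # directions; the explicit allow rules below say "who can talk to whom
        # and how".
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # [g] and [h]: communications are *protected*. Only encrypted protocols
        # may cross the external boundary from the CUI VLAN.
        iifname $cui oifname $wan ip saddr $cui_net tcp dport 443 accept comment "HTTPS (TLS) outbound from the CUI enclave"
        iifname $cui oifname $wan ip saddr $cui_net ip daddr $vpn_gw udp dport { 500, 4500 } accept comment "IKE and IPsec NAT-T to the VPN gateway"
        iifname $cui oifname $wan ip saddr $cui_net ip daddr $vpn_gw meta l4proto esp accept comment "IPsec ESP to the VPN gateway"

        # Cleartext protocols are named explicitly so the denial is visible in
        # the configuration and in the log, not just implied by the policy.
        iifname $cui oifname $wan tcp dport { 21, 23, 80 } log prefix "cui-cleartext-blocked: " drop

        # [c] and [d]: communications are *monitored*. Anything not matched
        # above is logged to syslog before the default-deny policy drops it.
        log prefix "boundary-drop: " drop
    }
}
```

Two practical notes. First, the allow rules are the "control" and the restriction to TLS and IPsec is the "protect"; the same device evidences both, which is why the two words get confused. Second, the `log` statements only count as monitoring if the log lines actually go somewhere that someone reviews (a syslog collector or SIEM with an alert on the `boundary-drop:` prefix); a log file nobody reads does not satisfy [c] or [d].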
Clear as mud? I hope this helps you understand these key action words a bit better, as they are used repeatedly throughout the controls for both L1 and L2. If you feel more lost than ever, you know where to find help!
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

