Basic Security Requirements:

13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

Derived Security Requirements:

13.3 Separate user functionality from information system management functionality.

13.4 Prevent unauthorized and unintended information transfer via shared system resources.

13.5 Implement sub-networks for publicly accessible system components that are physically or logically separated from internal networks.

13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.

13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

13.10 Establish and manage cryptographic keys for cryptography employed in the information system.

13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

13.13 Control and monitor the use of mobile code.

13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

13.15 Protect the authenticity of communications sessions.

13.16 Protect the confidentiality of CUI at rest.