Mapped to NIST 800-171 Requirement: 3.13.5
CMMC Assessment Objective: SC.L2-3.13.5[b]
What This Control Means
You must create documentation that clearly identifies any system component accessible from a public network (e.g., the internet), including:
• IP addresses and DNS names
• Role and purpose of the system
• Whether it processes, transmits, or connects to CUI
• Who owns and manages the system
• Any security controls protecting it (e.g., firewall rules, WAF)
The documentation should be kept current and align with your network diagrams and System Security Plan (SSP).
Why It Matters
Without documentation:
• You may overlook exposed systems during security reviews
• You can’t demonstrate perimeter awareness to an assessor
• Internal teams may not know which systems are publicly facing
• Shadow IT or cloud misconfigurations could go undetected
This control ensures your public attack surface is known, visible, and reviewed.
How to Implement It
1. Maintain a Public System Inventory
Include:
• IP address or public hostname
• System function (e.g., email gateway, remote access portal)
• Associated business unit or owner
• CUI involvement (Y/N)
• Date last verified
2. Link to Network Diagrams
• Visualize where public systems sit relative to firewalls, DMZs, and internal networks
3. Reference in Your SSP
• Document public interfaces in the system boundary section
• Cross-reference with controls like SC.L2-3.13.1 and SC.L2-3.13.3
4. Document Review and Update Cycles
• Identify who maintains this inventory and how often it’s reviewed
• Align it with vulnerability scanning and penetration testing programs
Evidence the Assessor Will Look For
• A documented list of publicly accessible systems
• Network or architecture diagrams showing public vs. internal separation
• SSP sections referencing external system components
• Policies or procedures requiring system registration or security review
• Examples of recent updates to the public systems inventory
Common Gaps
• Public systems exist but are undocumented
• Inventory is outdated or incomplete (e.g., new cloud services missing)
• No linkage between public systems and CUI exposure
• No responsible party assigned for managing or reviewing public exposure
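One way to check an inventory for these gaps automatically, shown as an added example that is not part of the original guidance or any vendor tooling. The CSV column names, the 90-day review window, and the sample hosts are assumptions constructed for illustration; the observed-host list stands in for the output of your existing external vulnerability scan.

```python
import csv
import io
from datetime import date

REQUIRED = ["host", "function", "owner", "cui", "last_verified"]  # assumed column names

# Constructed sample inventory (documentation-range addresses, example.com names).
INVENTORY_CSV = """host,function,owner,cui,last_verified
203.0.113.10,email gateway,IT Ops,N,2025-05-01
vpn.example.com,remote access portal,,Y,2025-04-15
portal.example.com,customer portal,Web Team,,2024-01-10
"""
# Constructed list of hosts an external scan reported as publicly reachable.
OBSERVED = ["203.0.113.10", "vpn.example.com", "portal.example.com", "198.51.100.7"]

def audit(inventory_csv, observed, today, max_age_days=90):
    """Return sorted (host, finding) pairs covering the common gaps."""
    findings = []
    documented = set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = (row.get("host") or "").strip().lower()
        documented.add(host)
        # Incomplete entries: no owner, no CUI determination, no review date.
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                findings.append((host, f"missing {field}"))
        if (row.get("cui") or "").strip().upper() not in ("Y", "N", ""):
            findings.append((host, "cui must be Y or N"))
        # Outdated entries: last verification older than the review window.
        verified = (row.get("last_verified") or "").strip()
        if verified:
            try:
                age = (today - date.fromisoformat(verified)).days
            except ValueError:
                findings.append((host, "last_verified is not an ISO date"))
            else:
                if age > max_age_days:
                    findings.append((host, f"not verified in {age} days"))
    # Undocumented systems: seen by the scan but absent from the inventory.
    for host in observed:
        if host.strip().lower() not in documented:
            findings.append((host.strip().lower(), "publicly reachable but undocumented"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in audit(INVENTORY_CSV, OBSERVED, date(2025, 6, 1)):
        print(f"{host}: {finding}")
```

Saving each run's output alongside the inventory gives you dated evidence of the review cycle.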
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Maintaining a real-time inventory of all public-facing system components
• Documenting system roles, IP addresses, DNS names, and CUI involvement
• Linking public system data to boundary protection and encryption controls
• Assigning ownership and tracking review status
• Providing automated reporting for CMMC assessments and ongoing risk management
With Cuick Trac, your public-facing systems are fully documented, visible, and managed.
Expose only what’s necessary—and document everything you expose.
Schedule a Cuick Trac demo to map and document your public system components with full compliance confidence.