Mapped to NIST 800-171 Requirement: 3.13.6
CMMC Assessment Objective: SC.L2-3.13.6[b]
What This Control Means
Once you’ve identified isolated security functions (SC.L2-3.13.6[a]), this objective confirms those functions are written down and formally documented, including:
• Their purpose (e.g., access control, auditing, encryption)
• Their location in your environment (e.g., separate server, process, or system)
• The method of separation (logical or physical)
• The controls in place to restrict access or modification
Why It Matters
Without documentation:
• There is no clear record of how critical controls are separated from users
• Systems may appear secure in theory but lack defensible structure
• Assessors cannot validate the integrity of your system architecture
• Security functions could be misconfigured or misused without anyone realizing it
This control ensures security mechanisms are intentionally designed and consistently protected.
How to Implement It
1. Document Security Functions in Your SSP
• List each core security function:
◦ Access control enforcement
◦ Authentication
◦ Audit logging
◦ Configuration management
◦ System integrity checking
• Describe where each function is implemented and how it is isolated
2. Use Diagrams for Clarity
• Show where functions live in your architecture (e.g., firewall outside the network boundary, log server in separate VLAN)
3. Explain Access Restrictions
• Define who can manage or view these functions (e.g., system admins only)
• Note separation of duties or privilege boundaries
4. Include Third-Party or Cloud-Based Services
• If you use security modules as a service (e.g., AWS IAM, Azure Sentinel), document them too
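The four steps above describe the same four attributes for every security function (purpose, location, separation method, and who may manage it), which makes the SSP inventory easy to keep as structured data and to check for the gaps listed later on this page. The script below is an added example, not Cuick Trac's code or anything from the CMMC or NIST publications; the inventory entries are constructed sample data and the field names (purpose, location, separation, access_controls, provider) are assumptions chosen to mirror those attributes.

```python
"""Gap check for an SSP inventory of isolated security functions.

Added example, not Cuick Trac's code or a CMMC/NIST reference artifact.
SAMPLE_INVENTORY is constructed sample data; the field names are an
assumed layout that mirrors the attributes SC.L2-3.13.6[b] asks to document.
"""
from typing import Dict, List, Tuple

# One entry per security function; every entry must carry these four fields.
REQUIRED_FIELDS = ("purpose", "location", "separation", "access_controls")
VALID_SEPARATION = {"logical", "physical"}
# Management audiences that indicate general users can reach a security module.
UNRESTRICTED_AUDIENCES = {"all users", "everyone", "authenticated users"}

SAMPLE_INVENTORY: List[Dict] = [
    {   # complete entry (constructed)
        "name": "Audit logging",
        "purpose": "Collect and retain audit records",
        "location": "Dedicated SIEM collector in the management VLAN",
        "separation": "physical",
        "access_controls": ["SOC analysts (read)", "Security admins (manage)"],
        "provider": "internal",
    },
    {   # third-party service whose separation method was never recorded (constructed)
        "name": "Identity and access management",
        "purpose": "Authentication and access control enforcement",
        "location": "AWS IAM (cloud service)",
        "access_controls": ["IAM administrators"],
        "provider": "third-party",
    },
    {   # documented, but general users are listed as able to manage it (constructed)
        "name": "Host integrity checking",
        "purpose": "File integrity monitoring on servers handling CUI",
        "location": "Agent on each server, policy held on the FIM console",
        "separation": "logical",
        "access_controls": ["all users"],
        "provider": "internal",
    },
]


def find_documentation_gaps(inventory: List[Dict]) -> List[Tuple[str, str]]:
    """Return (function name, gap description) pairs for every entry that
    is missing a required attribute, records an unknown separation method,
    or lets an unrestricted audience manage the function."""
    gaps: List[Tuple[str, str]] = []
    for entry in inventory:
        name = entry.get("name", "<unnamed>")
        for field in REQUIRED_FIELDS:
            if not entry.get(field):
                gaps.append((name, f"missing {field}"))
        separation = entry.get("separation")
        if separation and separation not in VALID_SEPARATION:
            gaps.append((name, f"separation must be logical or physical, got {separation!r}"))
        for audience in entry.get("access_controls", []):
            if audience.strip().lower() in UNRESTRICTED_AUDIENCES:
                gaps.append((name, f"unrestricted management audience: {audience!r}"))
    return gaps


if __name__ == "__main__":
    for function_name, problem in find_documentation_gaps(SAMPLE_INVENTORY):
        print(f"{function_name}: {problem}")
```

Run against the sample inventory, the check reports the IAM entry for its missing separation method and the integrity-checking entry for allowing all users to manage it, while the fully documented audit-logging entry passes. Keeping the inventory in this form means the same records can feed the diagrams and role mappings the later steps ask for, and a gap report can be regenerated whenever an entry changes.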
Evidence the Assessor Will Look For
• SSP entries listing security functions and their isolation methods
• Diagrams showing module placement and access boundaries
• Policy language restricting access to security-critical components
• Product documentation showing how specific tools enforce isolation (e.g., SIEM, firewalls, IAM)
Common Gaps
• Security functions used but not documented as separate or protected
• No defined architecture showing control separation
• General users can view, modify, or disable security modules
• SSP includes security features but doesn’t explain their implementation or isolation
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Documenting all critical security functions and their implementation boundaries
• Linking those functions to system diagrams and privileged roles
• Tracking isolation enforcement across internal and third-party systems
• Flagging missing documentation or potential security overlap
• Providing full visibility for audit-readiness and CMMC alignment
With Cuick Trac, your security functions are not just used—they’re documented, structured, and protected.
Final CTA
Controls protect your data. Documentation protects your controls.
Schedule a Cuick Trac demo to document your isolated security functions and ensure they’re built—and defended—by design.