CPCSC Level 1 Control
03.13.01 System and communications protection

CPCSC 03.13.01: Boundary protection

Monitor and control the connections between in-scope systems, external networks, public services, cloud environments, and internal network segments. This guide separates the formal control language from practical implementation, evidence, auditor questions, and related controls.

Formal Control Language

Official CPCSC Level 1 wording for 03.13.01. Use the Government of Canada page as the source of truth for certification or procurement submissions.

  • Communications at the external managed interfaces to the system are monitored and controlled.
  • Communications at key internal managed interfaces within the system are monitored and controlled.
  • Subnetworks for publicly accessible system components are physically or logically separated from internal networks.
  • External system connections to the system are implemented only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

Know where your system boundary is, then control what crosses it.

For modern teams this may include firewalls, cloud security groups, VPN, identity-based access, remote support tools, public web apps, admin portals, SaaS settings, and segmented networks.

For CPCSC Level 1, the useful test is not whether a policy mentions the control. The useful test is whether an owner can show the system setting, record, ticket, review output, or operating routine that proves the answer is true today and can be repeated when the next contract, customer, or assessment request arrives.

How To Implement It

  1. Draw a simple network and system boundary diagram showing in-scope systems, cloud services, users, remote access, vendors, public services, and data flows.
  2. Use firewalls, security groups, VPN, zero trust access, identity controls, and network segmentation to restrict inbound and outbound access.
  3. Separate public-facing systems from internal systems using cloud accounts, VPCs, subnets, application gateways, reverse proxies, or logical access boundaries.
  4. Document external connections and remote administration paths. Remove unmanaged or unknown connections.
  5. Review logs and alerts for boundary controls, especially firewalls, VPN, identity access, and public cloud ingress rules.
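The steps above come down to three checks an owner should be able to repeat on demand: that the rule set does not let the internet reach admin ports or the internal segment directly, that every public-facing component actually sits in the separated subnet, and that boundary logs are reviewed for the events that matter. The script below is an added example, not CPCSC or Government of Canada material and not a tool the page references; the security-group export, host inventory, log lines, ticket ids, segment CIDRs and log format are all constructed assumptions, so swap in your own exports.

```python
"""Boundary-rule and log review helper.

Added example, not CPCSC or Government of Canada material. The rule export,
host inventory, log lines and ticket ids below are constructed; the segment
CIDRs, admin ports and log format are assumptions, not the page's.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed segments: a DMZ for publicly accessible components and an internal
# network that must only be reachable through managed interfaces (VPN, proxy).
PUBLIC_DMZ = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
ADMIN_PORTS = {22, 3389, 5985, 5986}


@dataclass
class Rule:
    name: str
    direction: str         # "inbound" or "outbound"
    source: str            # CIDR the rule accepts traffic from
    dest: str              # CIDR the rule delivers traffic to
    port: int
    ticket: Optional[str]  # change ticket that approved the rule, if any


# Constructed security-group export (hypothetical names and tickets).
RULES = [
    Rule("web-https", "inbound", "0.0.0.0/0", "10.20.0.0/24", 443, "CHG-1001"),
    Rule("ssh-anywhere", "inbound", "0.0.0.0/0", "10.10.5.0/24", 22, None),
    Rule("vpn-to-fileshare", "inbound", "10.30.0.0/24", "10.10.0.0/16", 445, "CHG-1002"),
    Rule("dmz-to-db", "inbound", "10.20.0.0/24", "10.10.8.0/24", 5432, "CHG-9999"),
]
APPROVED_TICKETS = {"CHG-1001", "CHG-1002"}

# Constructed public-facing system inventory: component name -> address.
PUBLIC_COMPONENTS = {"www": "10.20.0.10", "customer-portal": "10.10.5.20"}


def review_rules(rules, approved):
    """Return (rule name, finding) pairs for rules that break the boundary design."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.source)
        dst = ipaddress.ip_network(r.dest)
        from_internet = src.prefixlen == 0          # 0.0.0.0/0 style source
        if r.direction == "inbound" and from_internet and r.port in ADMIN_PORTS:
            findings.append((r.name, "admin port reachable from the internet"))
        if r.direction == "inbound" and from_internet and dst.subnet_of(INTERNAL_NET):
            findings.append((r.name, "internet ingress lands on the internal segment"))
        if r.ticket not in approved:                 # covers None and unknown ids
            findings.append((r.name, "no approved change ticket"))
    return findings


def misplaced_public_components(components):
    """Public-facing components must sit in the DMZ, not on the internal network."""
    return sorted(name for name, addr in components.items()
                  if ipaddress.ip_address(addr) not in PUBLIC_DMZ)


# Constructed firewall log lines in a key=value style (the format is assumed).
LOG_LINES = """\
2024-05-01T10:00:01Z action=deny src=198.51.100.7 dst=10.10.5.20 dport=22
2024-05-01T10:00:02Z action=deny src=198.51.100.7 dst=10.10.5.20 dport=3389
2024-05-01T10:00:05Z action=allow src=203.0.113.9 dst=10.20.0.10 dport=443
2024-05-01T10:01:10Z action=allow src=198.51.100.7 dst=10.10.5.20 dport=22
""".splitlines()

LOG_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def admin_access_from_outside(lines):
    """Count allowed admin-port connections whose source is outside the internal net.

    Denied attempts are expected noise at a boundary; an allowed one from an
    external address is the event a boundary log review should surface.
    """
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        action, src, dst, dport = m.groups()
        external = ipaddress.ip_address(src) not in INTERNAL_NET
        if action == "allow" and external and int(dport) in ADMIN_PORTS:
            hits[(src, dst, int(dport))] += 1
    return hits


if __name__ == "__main__":
    for name, msg in review_rules(RULES, APPROVED_TICKETS):
        print(f"rule {name}: {msg}")
    print("public components outside DMZ:", misplaced_public_components(PUBLIC_COMPONENTS))
    print("allowed external admin access:", dict(admin_access_from_outside(LOG_LINES)))
```

Run against the constructed data it flags the `ssh-anywhere` rule three times (admin port, internal destination, no ticket), the `dmz-to-db` rule for an unapproved ticket, the `customer-portal` host for living on the internal network, and one allowed external SSH session in the log. The output of a run like this, dated and attached to the change ticket, is the kind of repeatable review record the evidence section below asks for.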

Evidence Normally Gathered

  • Network or cloud architecture diagram.
  • Firewall, VPN, security group, or access gateway configuration.
  • List of external connections and managed interfaces.
  • Public-facing system inventory.
  • Boundary control logs or review notes.
  • Change tickets for boundary rule updates.

Common Auditor Questions

  • Where is the system boundary for specified information?
  • Which external connections are allowed, and who approved them?
  • How are public-facing components separated from internal systems?
  • Can you show the firewall, cloud, VPN, or access gateway rules?
  • How do you review changes to boundary controls?