CMMC Practice SC.L2-3.13.6 – Network Communication by Exception: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Links to Publicly Available Resources
Cisco guidance on controlling network access with ASA access rules when configuring firewalls.
An assessment guide for conducting Cybersecurity Maturity Model Certification (CMMC) Level 2 assessments.
Trend Micro’s Deep Security Help Center.
Discussion [NIST SP 800-171 R2]
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
Further Discussion
Block all traffic entering and leaving the network, then permit specific traffic only where organizational policy, an approved exception, or a defined criterion calls for it. Permitting only authorized traffic in this way is called whitelisting (allowlisting) and limits the number of unintended connections to and from the network.
This practice, SC.L2-3.13.6, requires a deny-all, permit-by-exception approach for all network communications. In doing so, it adds specificity to SC.L1-3.13.1, which only requires that communication channels be monitored, controlled, and protected.
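The rule ordering and implicit-deny semantics described above, as an added example that is not part of the CMMC text or of any vendor's documentation: a small Python model of an ordered, first-match ACL in the style of a Cisco ASA extended access-list, with the checks an assessor would make (explicit final deny, no broad permit, no exception placed after the catch-all deny). The rules, addresses and flows are constructed for illustration; the documentation-range addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) and the internal 10.0.0.0/8 space are assumptions, not a real deployment.

```python
"""Deny-all, permit-by-exception ACL model (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ordered ACL entry, in the spirit of an ASA extended access-list line."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp", or "ip" (any protocol)
    src: str                       # CIDR such as "198.51.100.0/24", or "any"
    dst: str                       # CIDR or "any"
    dport: Optional[int] = None    # destination port; None matches any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def is_catch_all_deny(self) -> bool:
        return (self.action == "deny" and self.proto == "ip"
                and self.src == "any" and self.dst == "any" and self.dport is None)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """First matching rule wins. A flow that matches nothing is denied:
    that implicit deny is what makes the policy deny-by-default."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def lint(acl: List[Rule]) -> List[str]:
    """Checks against a 'deny all, permit by exception' ruleset."""
    findings = []
    if not acl or not acl[-1].is_catch_all_deny():
        findings.append("no explicit final 'deny ip any any': the implicit deny still "
                        "applies, but an explicit line can be logged and shown as evidence")
    for i, r in enumerate(acl):
        if r.action == "permit" and r.src == "any" and r.dst == "any" and r.dport is None:
            findings.append(f"rule {i}: 'permit {r.proto} any any' is not an exception, "
                            "it turns the policy into permit-by-default")
        if r.action == "permit" and any(e.is_catch_all_deny() for e in acl[:i]):
            findings.append(f"rule {i}: permit placed after a catch-all deny is unreachable")
    return findings


# Constructed sample policies for a boundary firewall (hypothetical addresses).
INBOUND = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", 443),             # public web server
    Rule("permit", "tcp", "198.51.100.0/24", "203.0.113.20/32", 22),  # admin SSH, one partner range
    Rule("deny", "ip", "any", "any"),                                  # explicit deny-all
]
OUTBOUND = [
    Rule("permit", "udp", "10.0.0.0/8", "10.0.0.53/32", 53),   # internal resolver only
    Rule("permit", "tcp", "10.0.0.0/8", "any", 443),           # HTTPS egress
    Rule("deny", "ip", "any", "any"),
]
PERMIT_BY_DEFAULT = [Rule("permit", "ip", "any", "any")]      # the anti-pattern


if __name__ == "__main__":
    # Constructed flows: inbound web, inbound SSH from a non-approved source, outbound DNS to an external resolver.
    for name, acl, flow in [("inbound web", INBOUND, ("tcp", "192.0.2.5", "203.0.113.10", 443)),
                            ("inbound ssh", INBOUND, ("tcp", "192.0.2.5", "203.0.113.20", 22)),
                            ("outbound dns", OUTBOUND, ("udp", "10.4.5.6", "8.8.8.8", 53))]:
        print(f"{name:13s} -> {evaluate(acl, *flow)}")
    for name, acl in [("INBOUND", INBOUND), ("OUTBOUND", OUTBOUND), ("PERMIT_BY_DEFAULT", PERMIT_BY_DEFAULT)]:
        print(name, lint(acl) or "ok")
```

The lint deliberately treats a missing explicit final deny as a finding even though the model (like an ASA) already denies unmatched traffic: the explicit line is what gets logged and what an assessor can point to as evidence that deny-all is the intended policy rather than an accident of rule order.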