CMMC Requirement SC.L2-3.13.6 – Network Communication by Exception: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) Level 2 assessments. It gives a practical explanation of CMMC 2.0 practice SC.L2-3.13.6, maps it to NIST SP 800-171 requirement 3.13.6, and illustrates how to implement a "deny-all, permit-by-exception" network traffic policy. NIST SP 800-41 (Guidelines on Firewalls and Firewall Policy) provides supporting information on firewall technologies and policies.
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception policy ensures that only connections that are essential and explicitly approved are allowed; every other flow is blocked by the default policy, so no specific deny rule has to be written for it.
Further Discussion
Block all traffic entering and leaving the network, then permit only the specific traffic that meets organizational policy or an approved, documented exception. Permitting only authorized traffic in this way is called whitelisting (allowlisting). It limits unintended connections into and out of the network because any flow not covered by an exception is dropped, including outbound traffic, which is often left open in practice.
SC.L2-3.13.6 requires a deny-all, permit-by-exception approach for all network communications. In doing so, it adds specifics to SC.L2-3.13.1, which requires only that communications be monitored, controlled, and protected at system boundaries.
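The following Python is an added example, not part of the assessment guide and not an official CMMC or NIST artifact. It models the deny-all, permit-by-exception policy described above: inbound and outbound flows are checked against an explicit allowlist, anything unmatched is denied, and the same allowlist is rendered as an nftables ruleset whose input and output chains both default to drop. The Flow and Allow classes, the decide, audit and render_nftables functions, and every address, port and change-ticket string are constructed for illustration.

```python
"""Deny-all, permit-by-exception filter model (added example; not from the
CMMC assessment guide). Evaluates inbound and outbound flows against an
explicit allowlist with an implicit default deny, then renders the same
policy as an nftables ruleset. All addresses, ports and change tickets
are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = toward the protected system, "out" = leaving it
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Allow:
    """One approved exception. There are no deny rules: anything not
    listed is dropped by the default policy."""
    direction: str
    src_net: str
    dst_net: str
    proto: str
    dport: int
    justification: str  # each exception should trace to an approval record

    def matches(self, f: Flow) -> bool:
        return (f.direction == self.direction
                and f.proto == self.proto
                and f.dport == self.dport
                and ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net))


def decide(flow: Flow, allowlist: list[Allow]) -> str:
    """First matching exception permits the flow; no match means deny."""
    for rule in allowlist:
        if rule.matches(flow):
            return "permit"
    return "deny"


def render_nftables(allowlist: list[Allow]) -> str:
    """Render the allowlist as an nftables ruleset. Both chains carry
    'policy drop'; established/related and loopback traffic is accepted
    so replies to permitted flows are not cut off."""
    def addr(prefix: str, net: str) -> str:
        n = ip_network(net)
        return "" if n.prefixlen == 0 else f"ip {prefix} {n.with_prefixlen} "
    chains = {"in": ("input", "iif"), "out": ("output", "oif")}
    out = ["table inet filter {"]
    for direction, (chain, ifmatch) in chains.items():
        out.append(f"  chain {chain} {{")
        out.append(f"    type filter hook {chain} priority 0; policy drop;")
        out.append("    ct state established,related accept")
        out.append(f"    {ifmatch} lo accept")
        for r in allowlist:
            if r.direction != direction:
                continue
            out.append(f"    {addr('saddr', r.src_net)}{addr('daddr', r.dst_net)}"
                       f"{r.proto} dport {r.dport} accept comment \"{r.justification}\"")
        out.append("  }")
    out.append("}")
    return "\n".join(out)


# Constructed allowlist: four documented exceptions; nothing else is permitted.
ALLOWLIST = [
    Allow("in", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "CHG-0412 public HTTPS to web server"),
    Allow("in", "10.20.0.0/24", "203.0.113.10/32", "tcp", 22, "CHG-0418 admin SSH from jump subnet"),
    Allow("out", "203.0.113.0/24", "198.51.100.53/32", "udp", 53, "CHG-0401 approved resolver only"),
    Allow("out", "203.0.113.0/24", "0.0.0.0/0", "tcp", 443, "CHG-0402 outbound HTTPS for updates"),
]

# Constructed sample flows an assessor might probe with.
SAMPLE_FLOWS = [
    Flow("in", "198.51.100.77", "203.0.113.10", "tcp", 443),   # permit: listed
    Flow("in", "198.51.100.77", "203.0.113.10", "tcp", 22),    # deny: SSH only from jump subnet
    Flow("in", "10.20.0.5", "203.0.113.10", "tcp", 22),        # permit: listed
    Flow("out", "203.0.113.10", "192.0.2.8", "udp", 53),       # deny: unapproved resolver
    Flow("out", "203.0.113.10", "198.51.100.53", "udp", 53),   # permit: listed
    Flow("out", "203.0.113.10", "192.0.2.25", "tcp", 25),      # deny: no SMTP exception
]


def audit(flows: list[Flow], allowlist: list[Allow]) -> list[tuple[Flow, str]]:
    """Pair each flow with its decision; a quick check that a ruleset
    matches the approved exception list."""
    return [(f, decide(f, allowlist)) for f in flows]


if __name__ == "__main__":
    for f, d in audit(SAMPLE_FLOWS, ALLOWLIST):
        print(f"{d:6} {f.direction:3} {f.src}->{f.dst} {f.proto}/{f.dport}")
    print(render_nftables(ALLOWLIST))
```

Two points of the model carry over to real boundary devices: the default action lives in the chain policy, not in a trailing "deny any" rule that can be reordered or deleted, and every accept line carries the justification for its exception, which is what an assessor will ask to see when walking the ruleset against the approved exception list.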
