SC.L2-3.13.6 Network Communication by Exception

CMMC Practice SC.L2-3.13.6 – Network Communication by Exception: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Links to Publicly Available Resources

Discussion [NIST SP 800-171 R2]
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Further Discussion
Block all traffic entering and leaving the network, but permit specific traffic based on organizational policies, exceptions, or criteria. This process of permitting only authorized traffic to the network is called whitelisting and limits the number of unintentional connections to the network.
This practice, SC.L2-3.13.6, requires a deny-all permit by exception approach for all network communications. In doing so, it adds specifics for SC.L1-3.13.1, which only requires monitoring, control, and protection of communication channels.