SC.L2-3.13.6 Network Communication by Exception
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Source: NIST SP 800-171 Rev 2 3.13.6
Discussion: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
Assessment Objectives:
Determine if:
- [a] network communications traffic is denied by default; and
- [b] network communications traffic is allowed by exception.
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing traffic management at managed interfaces].
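Added illustration (not part of the NIST or CMMC source text): a Python check that reads a constructed iptables-save dump and reports on objectives [a] and [b], i.e. whether the built-in filter chains default to DROP and whether every ACCEPT rule is a scoped exception rather than a blanket allow. The sample dump, the `assess` function and the chain names used are assumptions for illustration, not taken from any assessed system.

```python
"""Evaluate an iptables-save dump against SC.L2-3.13.6 objectives [a] and [b]:
built-in filter chains default to DROP, and every ACCEPT rule carries match
criteria (permit by a specific exception, never a blanket allow)."""
import re

# Constructed sample dump, not captured from a real host; OUTPUT is left
# wide open on purpose so the check has something to report.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
POLICY_RE = re.compile(r"^:(\w+) (\S+) ")          # ":INPUT DROP [0:0]"
RULE_RE = re.compile(r"^-A (\w+)(.*?) -j (\w+)$")  # "-A INPUT <matches> -j ACCEPT"


def assess(dump):
    """Return the chain policies, the permit exceptions found, and findings."""
    policies, exceptions, findings = {}, [], []
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):                  # table header such as "*filter"
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and m.group(3) == "ACCEPT":
            chain, matches = m.group(1), m.group(2).strip()
            exceptions.append((chain, matches))
            if not matches:                       # ACCEPT with no criteria is a blanket allow
                findings.append(f"{chain}: unconditional ACCEPT rule")
    for chain in BUILTIN_CHAINS:                  # objective [a]
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, not DROP")
    return {"policies": policies, "exceptions": exceptions, "findings": findings}
```

On the sample above the check lists the four scoped INPUT exceptions and flags OUTPUT twice: its default policy is ACCEPT and it carries an unconditional ACCEPT rule, so objectives [a] and [b] are not met for outbound traffic.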
SPRS Score: 5
POA&M Allowed: No