Level 5 CMMC - CMMC Practices

SC.3.183

Reference: CMMC 1.02

Family: SC

Level Introduced: 3

Practice:
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

CMMC Clarification:
Block all traffic going into and coming out of the network, but permit specific traffic into and out of the network based on the organization's policies, exceptions, or criteria. This process of permitting only authorized traffic to the network is called whitelisting, which limits the number of unintentional connections to the network.

Example:
You are the IT administrator setting up a new environment to house the company's CUI. You install firewalls between this environment and the other networks of the company with firewall rules that deny all traffic. You go through each service and application that runs in the new environment and only allow the required ports and network paths to be opened. You test the functionality of the required services and applications to make sure they work. You comment each firewall rule so there is documentation of why it is required.

You review the firewall rules on a regular basis to make sure no unauthorized changes were made (e.g., during troubleshooting of networking issues).
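The following is an added example, not part of the CMMC or NIST text, showing what the procedure above looks like when written down and checked: a constructed nftables-style ruleset for a hypothetical CUI boundary (the table name `cui_boundary`, the 10.10.0.0/24 addresses and the resolver address are assumptions) with a default-drop policy on every base chain and one commented accept rule per required service, plus a small review script of the kind the periodic rule review calls for. The script parses the ruleset, flags any chain whose default policy is not drop, any exception that lacks a comment, and any exception that is not in the approved baseline, which is how an undocumented rule left behind during troubleshooting would surface.

```python
"""Review an nftables-style ruleset for deny-all, permit-by-exception.

Added example for CMMC SC.3.183 / NIST SP 800-171 3.13.6 / SP 800-53 SC-7(5).
The ruleset text, addresses and approved baseline are constructed for this
example; they are not from any real environment.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample ruleset: every base chain defaults to drop, and each
# exception carries a comment explaining why it is required. Two defects are
# planted on purpose so the review below has something to find: the forward
# chain has an accept policy, and an uncommented RDP rule was added to input.
SAMPLE_RULESET = """
table inet cui_boundary {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept comment "return traffic for approved flows"
        iif lo accept comment "loopback"
        ip saddr 10.10.0.0/24 tcp dport 443 accept comment "HTTPS from CUI workstations to app server"
        ip saddr 10.10.0.0/24 tcp dport 22 accept comment "SSH from admin jump host"
        tcp dport 3389 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept comment "return traffic"
        ip daddr 10.10.0.53 udp dport 53 accept comment "DNS to internal resolver"
    }
}
"""

# Approved baseline of exceptions as (chain, rule without its comment).
# In practice this would be the change-controlled list the rules are reviewed against.
APPROVED_EXCEPTIONS = {
    ("input", "ct state established,related accept"),
    ("input", "iif lo accept"),
    ("input", "ip saddr 10.10.0.0/24 tcp dport 443 accept"),
    ("input", "ip saddr 10.10.0.0/24 tcp dport 22 accept"),
    ("output", "ct state established,related accept"),
    ("output", "ip daddr 10.10.0.53 udp dport 53 accept"),
}

CHAIN_RE = re.compile(r"^chain\s+(\w+)\s*\{")
POLICY_RE = re.compile(r"policy\s+(\w+)\s*;")
COMMENT_RE = re.compile(r'\s+comment\s+"([^"]*)"\s*$')


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None
    # (rule text without comment, comment or None)
    accepts: list[tuple[str, Optional[str]]] = field(default_factory=list)


def parse_ruleset(text: str) -> dict[str, Chain]:
    """Collect each chain's default policy and its accept rules."""
    chains: dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1))
            chains[current.name] = current
            continue
        if current is None or not line or line == "}":
            continue
        pm = POLICY_RE.search(line)
        if pm:
            current.policy = pm.group(1)
            continue
        if re.search(r"\baccept\b", line):
            cm = COMMENT_RE.search(line)
            comment = cm.group(1) if cm else None
            rule = COMMENT_RE.sub("", line).strip()
            current.accepts.append((rule, comment))
    return chains


def review(text: str, approved: set[tuple[str, str]]) -> list[str]:
    """Return findings; an empty list means the ruleset matches the practice."""
    findings: list[str] = []
    chains = parse_ruleset(text)
    for name in ("input", "forward", "output"):
        chain = chains.get(name)
        if chain is None:
            findings.append(f"chain {name}: missing, traffic on this hook is not filtered")
            continue
        if chain.policy != "drop":
            findings.append(f"chain {name}: default policy is '{chain.policy}', expected 'drop'")
        for rule, comment in chain.accepts:
            if not comment:
                findings.append(f"chain {name}: undocumented exception: {rule}")
            if (name, rule) not in approved:
                findings.append(f"chain {name}: exception not in approved baseline: {rule}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_RULESET, APPROVED_EXCEPTIONS) or ["no findings"]:
        print(finding)
```

Run against the sample it reports three findings: the forward chain's accept policy and, twice, the uncommented `tcp dport 3389` rule (no comment, not in the baseline). In a real review the input would be the live ruleset exported from the firewall rather than a string, and the baseline would come from the change-control record, so that any rule present on the device but absent from the record is surfaced rather than silently inherited.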

3.13.6

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Discussion:
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Source: NIST Special Publication 800-171 Rev. 2

SC-7 (5)

BOUNDARY PROTECTION | DENY BY DEFAULT / ALLOW BY EXCEPTION

Description:
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental Guidance:
This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02