Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: SC

Level Introduced: 4

Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.

CMMC Clarification:
Organizations shall have the ability to prevent access to URLs the organization has determined should not be accessed for policy or security reasons. URL filters typically are a blacklist of URLs that block access to known bad sites. Categorization services identify websites according to a set of content attributes and allow organizations to allow or disallow access to entire classes of websites. In addition, organizations may choose to block access to uncategorized sites, which may represent malicious sites. The filters and categories should be updated dynamically through an intel subscription as well as manually.

Example 1
You are the security manager for the organization. You installed a web proxy and configured all the computers in the organization to use the proxy to access HTTP and HTTPS sites on the Internet. The proxy servers are updated daily with the vendor’s URL categorization database and you put in rules to block access to hate, gambling, and porn sites as well as all sites that have not yet been categorized.

Example 2
You are the IT manager for the organization. You evaluated and selected a cloud filtering service that allowed you to create and manage policies for which sites users could access. To start using the service, you redirect the organization’s DNS to point to the cloud provider so everyone in the organization would be covered by the URL access policies you established.

Typically a high percentage of an organization’s internet traffic is web-based. Web-based information and services is access through a Uniform Resource Locator (URL). Information regarding the provenance and purpose of a URL can be used to restrict access for policy or security concerns.

Source: CMMC v1.02

Source: CMMC v1.02