03.13.06: Network Communications – Deny by Default – Allow by Exception
Control Family: System and Communications Protection
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-41 [64]
SP 800-77 [18]
SP 800-189 [67]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.13.06
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5 SC-07(05)
Deny network communications traffic by default, and allow network communications traffic by exception.
Discussion:
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed.
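A ruleset that implements this policy on a Linux host at a system boundary, added here as an illustration and not part of the NIST text; the interface names, subnets, addresses and ports are assumptions standing in for an organization's approved-connection list. Every chain carries a `policy drop` default (A.03.13.06[01]), each approved inbound and outbound connection is a separately listed exception (A.03.13.06[02]), and traffic that falls through to the default is logged so the audit records an assessor examines show what was denied.

```nftables
#!/usr/sbin/nft -f
# Added example, not from NIST SP 800-171r3. Subnets, hosts and ports are
# assumptions; replace them with the connections approved for the system.
flush ruleset

table inet boundary {
    chain input {
        # A.03.13.06[01]: inbound traffic is denied unless a rule below accepts it
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # A.03.13.06[02]: each approved inbound connection is an explicit exception
        ip saddr 10.20.0.0/24 tcp dport 22 accept comment "SSH from admin subnet (assumed)"
        tcp dport 443 accept comment "HTTPS service offered by this host (assumed)"

        # Record what the default policy is about to drop, for the audit trail
        limit rate 10/second log prefix "boundary-input-drop: "
    }

    chain forward {
        # This host does not route; nothing is forwarded
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound traffic is deny-by-default as well, not only inbound
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept

        # Approved outbound destinations (assumed addresses)
        ip daddr 10.20.0.53 udp dport 53 accept comment "internal DNS resolver"
        ip daddr 10.20.0.123 udp dport 123 accept comment "internal NTP server"
        tcp dport 443 accept comment "outbound HTTPS for updates"

        limit rate 10/second log prefix "boundary-output-drop: "
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` should then show `policy drop` on all three chains, which is the quickest way to confirm the default-deny half of the requirement before walking the exception rules against the approved-connection list.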
Assessment Methods and Objectives
Examine [SELECT FROM: system and communications protection policy and procedures; procedures for boundary protection; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with boundary protection responsibilities; personnel with information security responsibilities; system developers; system administrators]
Test [SELECT FROM: mechanisms for implementing traffic management at managed interfaces]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.13.06[01]: network communications traffic is denied by default.
A.03.13.06[02]: network communications traffic is allowed by exception.