CMMC Practice RM.4.151

Perform scans for unauthorized ports available across perimeter network boundaries over the organization’s Internet network boundaries and other organizationally defined boundaries.


CMMC Version 1.02, pg. 215

Bold Coast Security Guidance

This practice would naturally be included in a mature vulnerability management program. For Level 4 compliance the organization must have a plan to perform vulnerability scans over its network environment, from both outside and inside perspectives, on a regularly scheduled basis. Port scans would be included in the scan configuration set in whatever scanning tool(s) your organization is using. You'll also learn whether your environment is configured the way your policy and standards require it to be, because regular scanning validates settings, patch levels, etc.

Discussion From Source

Adversaries constantly probe trusted boundaries, such as an organization’s perimeter with the Internet, to find opportunities to create unauthorized connections. Organizations must perform their own scans to determine if unauthorized connections are possible. To help validate access control on network boundaries, an organization will schedule actions, such as scanning from various points of presence to assets on various network segment boundaries, to verify that proper boundary access protections are in place and properly configured. This allows the organization to identify whether there are trusted network boundaries that may be breached because of a misconfiguration, or due to the trust between one segment of an environment and another. Basically, this means a one-to-many connection attempt from each network boundary. Recording the results of each test (where it was trying to access, whether it was successful or not, time of day, IP addresses, etc.) allows the organization to determine whether the actual behavior of the environment matches the network protection design, i.e., whether an open port is authorized or unauthorized.
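As an added illustration (not from the CMMC source or the Bold Coast guidance), the following Python compares constructed boundary-scan observations against a hypothetical authorized-port design, flagging open ports the design does not authorize and listing authorized ports the scan did not find open; the hosts, vantage points and policy are all made up for the example.

```python
"""Judge boundary scan results against the network protection design.

Added example: scan observations and the AUTHORIZED policy are constructed
for illustration and are not from any real environment.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "time source target proto port state")

# Hypothetical design: which (proto, port) each vantage point may reach on each asset.
AUTHORIZED = {
    ("internet", "203.0.113.10"): {("tcp", 443)},
    ("internet", "203.0.113.20"): {("tcp", 443), ("tcp", 25)},
    ("dmz", "192.0.2.5"): {("tcp", 1433)},
}

# Constructed observations: time, vantage point, target, proto/port, observed state.
SCAN_RESULTS = """\
2024-05-01T02:10:03Z internet 203.0.113.10 tcp/443 open
2024-05-01T02:10:04Z internet 203.0.113.10 tcp/22 open
2024-05-01T02:10:05Z internet 203.0.113.20 tcp/25 open
2024-05-01T02:10:06Z internet 203.0.113.20 tcp/3389 filtered
2024-05-01T02:12:11Z dmz 192.0.2.5 tcp/1433 open
2024-05-01T02:12:12Z dmz 192.0.2.5 tcp/445 open
"""

def parse_results(text):
    """Parse one observation per line into Finding records, skipping blank lines."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, source, target, protoport, state = line.split()
        proto, port = protoport.split("/")
        findings.append(Finding(time, source, target, proto, int(port), state))
    return findings

def classify(findings, authorized):
    """Split observed open ports into (authorized, unauthorized).
    Filtered/closed results are not judged: there the boundary control held."""
    ok, bad = [], []
    for f in findings:
        if f.state != "open":
            continue
        allowed = authorized.get((f.source, f.target), set())
        (ok if (f.proto, f.port) in allowed else bad).append(f)
    return ok, bad

def expected_not_observed(findings, authorized):
    """Authorized ports the scan did not see open: a service down or a scan gap."""
    seen = {(f.source, f.target, f.proto, f.port) for f in findings if f.state == "open"}
    return sorted((s, t, p, n) for (s, t), ports in authorized.items()
                  for (p, n) in ports if (s, t, p, n) not in seen)

if __name__ == "__main__":
    found = parse_results(SCAN_RESULTS)
    _, unauthorized = classify(found, AUTHORIZED)
    for f in unauthorized:
        print(f"UNAUTHORIZED {f.source} -> {f.target} {f.proto}/{f.port} at {f.time}")
    for gap in expected_not_observed(found, AUTHORIZED):
        print("EXPECTED BUT NOT OPEN", *gap)
```

Each unauthorized line carries the vantage point, target, port and time the discussion asks to record, so it can be traced back to the specific boundary rule that should have blocked it.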