CMMC Practice SC.L2-3.13.6

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Bold Coast Security Guidance

An organization must apply a "least functionality" posture to system and device configuration and deployment, require it by policy, and have a plan to implement it consistently. Start from deny-all and build up the list of acceptable functionality from there. For a firewall, this means an allowlist of traffic in BOTH directions (inbound and outbound), each entry justified by a business need, followed by a final DENY ALL that drops anything not explicitly allowed above it. An "any any" rule permitting all outbound traffic from your internal network to the internet is not acceptable: it satisfies the letter of "deny-all inbound" while leaving the egress path open by default.
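The following is an added example, not Bold Coast's or NIST's own code: a small first-match policy evaluator plus a lint check that enforces the posture described above (explicit final deny-all in each direction, no any/any allow rule). The rule sets, addresses, and flows are constructed for illustration; 10.0.0.0/16 is assumed to be the internal network and 10.1.0.10 a DMZ web server.

```python
"""Added example for SC.L2-3.13.6: first-match firewall policy evaluation and a
deny-by-default lint. Not code from Bold Coast Security or NIST."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" (toward the protected network) or "out" (egress)
    action: str           # "allow" or "deny"
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    proto: str            # "tcp", "udp", "icmp", or "any"
    dport: Optional[int]  # destination port; None means any port
    comment: str = ""


def _net_matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, flow: Dict) -> bool:
    """True when every field of the rule covers the flow (None/"any" are wildcards)."""
    return (
        rule.direction == flow["direction"]
        and _net_matches(rule.src, flow["src"])
        and _net_matches(rule.dst, flow["dst"])
        and rule.proto in ("any", flow["proto"])
        and rule.dport in (None, flow.get("dport"))
    )


def decide(rules: List[Rule], flow: Dict) -> Tuple[str, str]:
    """First-match evaluation, as most packet filters do it. If nothing matches the
    verdict is an implicit deny; lint() additionally insists on an explicit one."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.comment
    return "deny", "implicit deny (no rule matched)"


def _is_any_any(rule: Rule) -> bool:
    return rule.src == "any" and rule.dst == "any" and rule.proto == "any" and rule.dport is None


def lint(rules: List[Rule]) -> List[str]:
    """Report violations of deny-all, permit-by-exception in BOTH directions."""
    findings = []
    for direction in ("in", "out"):
        dir_rules = [r for r in rules if r.direction == direction]
        if not dir_rules or dir_rules[-1].action != "deny" or not _is_any_any(dir_rules[-1]):
            findings.append(f"{direction}: no explicit final deny-all rule")
        for r in dir_rules:
            if r.action == "allow" and _is_any_any(r):
                findings.append(f"{direction}: any/any allow rule ({r.comment!r}) defeats deny-by-default")
    return findings


# Constructed sample policies (hypothetical addresses).
COMPLIANT = [
    Rule("in",  "allow", "any", "10.1.0.10/32", "tcp", 443, "public HTTPS to DMZ web server"),
    Rule("in",  "deny",  "any", "any", "any", None, "final deny-all inbound"),
    Rule("out", "allow", "10.0.0.5/32", "any", "udp", 53, "internal resolver forwards DNS upstream"),
    Rule("out", "allow", "10.0.0.0/16", "any", "tcp", 443, "workstation HTTPS egress"),
    Rule("out", "deny",  "any", "any", "any", None, "final deny-all outbound"),
]

# Same inbound rules, but outbound is the "any any" rule the guidance forbids.
NONCOMPLIANT = COMPLIANT[:2] + [
    Rule("out", "allow", "any", "any", "any", None, "permit any any outbound"),
]

# Constructed sample flows.
SMB_EGRESS = {"direction": "out", "src": "10.0.1.25", "dst": "198.51.100.7", "proto": "tcp", "dport": 445}
HTTPS_EGRESS = {"direction": "out", "src": "10.0.1.25", "dst": "198.51.100.7", "proto": "tcp", "dport": 443}
INBOUND_SSH = {"direction": "in", "src": "203.0.113.9", "dst": "10.1.0.10", "proto": "tcp", "dport": 22}


if __name__ == "__main__":
    for name, policy in (("COMPLIANT", COMPLIANT), ("NONCOMPLIANT", NONCOMPLIANT)):
        print(name, "lint:", lint(policy) or "clean")
        for flow in (SMB_EGRESS, HTTPS_EGRESS, INBOUND_SSH):
            print("  ", flow["direction"], flow["proto"], flow.get("dport"), "->", decide(policy, flow))
```

The SMB egress flow is the instructive case: under the compliant policy it is stopped by the explicit final deny, while the "any any" outbound rule lets it through, which is exactly the data-exfiltration and lateral-movement path the practice is meant to close. Running lint() over an exported rule base is a cheap evidence check for an assessor.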

Discussion From Source

From DRAFT NIST SP 800-171 R2: This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections that are essential and approved are allowed.

References

  • NIST SP 800-171 Rev 1 3.13.6
  • NIST SP 800-53 Rev 4 SC-7(5)