NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.6 — Network Communications – Deny by Default – Allow by Exception
This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, allow-by-exception network communications traffic policy ensures that only essential and approved connections are allowed.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- network communications traffic is denied by default.
- network communications traffic is allowed by exception.
Practitioner Notes
Your network should block everything by default and only allow the traffic you have explicitly approved. This is the opposite of the common (and dangerous) approach where everything is open and you try to block known-bad traffic.
Example 1: On your perimeter firewall, set the default rule for both inbound and outbound traffic to Deny All. Then add specific allow rules above it: allow outbound HTTPS (443), allow outbound DNS (53) only to your designated DNS servers, allow inbound VPN (UDP 500/4500 for IPsec/IKE, or your WireGuard port) to your VPN concentrator. Every rule should have a documented business justification, so that an assessor can trace each exception back to an approved need.
Example 2: On Windows endpoints via GPO, configure Windows Defender Firewall to block all inbound connections by default for all profiles. Under Inbound Rules, create exceptions only for approved services. Log blocked connections by enabling Logging > Log dropped packets: Yes in the firewall profile properties.
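The PowerShell below is an added example, not part of the 3.13.6 text or of any CMMC guidance. It applies the structure of both examples above to Windows Defender Firewall on a single host: the allow exceptions from Example 1 (outbound HTTPS, outbound DNS restricted to designated resolvers, inbound VPN listener) are created first, then the profile defaults are flipped to Block and dropped-packet logging is enabled as in Example 2, and finally an audit function lists any enabled allow rule that lacks a documented justification. The DNS addresses, management subnet, VPN port, rule names and justification strings are placeholders you must replace; setting the outbound default to Block on endpoints is stricter than Example 2 describes and is shown here only to mirror the perimeter policy.

```powershell
# Added example (not from the NIST/CMMC text): deny-by-default, allow-by-exception
# for Windows Defender Firewall. Run in an elevated session on a test host first.
# All addresses, ports and rule names below are placeholders (assumptions).

$DesignatedDns = @('10.0.0.10', '10.0.0.11')   # placeholder: approved DNS resolvers only
$MgmtSubnet    = '10.0.50.0/24'                 # placeholder: admin workstation subnet
$VpnPort       = 51820                          # placeholder: your WireGuard/VPN listener port
$LogPath       = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 1. Create the approved exceptions FIRST, so that changing the default to Block
#    does not cut off name resolution or the management session you are using.
#    Windows Firewall has no rule ordering: explicit Block beats Allow, and
#    anything unmatched falls to the profile default set in step 2.
$Rules = @(
  @{ DisplayName = 'CUI-Allow-Out-HTTPS'; Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 443
     Description = 'JUSTIFICATION: web/SaaS and update traffic (change ticket: PLACEHOLDER)' },
  @{ DisplayName = 'CUI-Allow-Out-DNS';   Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = 53
     RemoteAddress = $DesignatedDns
     Description = 'JUSTIFICATION: name resolution, restricted to designated resolvers' },
  @{ DisplayName = 'CUI-Allow-In-VPN';    Direction = 'Inbound';  Protocol = 'UDP'; LocalPort = $VpnPort
     Description = 'JUSTIFICATION: VPN concentrator listener (deploy only to the VPN host)' },
  @{ DisplayName = 'CUI-Allow-In-WinRM';  Direction = 'Inbound';  Protocol = 'TCP'; LocalPort = 5985
     RemoteAddress = $MgmtSubnet
     Description = 'JUSTIFICATION: remote administration from the management subnet only' }
)
foreach ($r in $Rules) {
    # Idempotent: replace any existing rule of the same name so re-runs are safe.
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule @r -Action Allow -Enabled True -Profile Any | Out-Null
}
# Note: if your resolvers return large responses, DNS also needs TCP 53; add a
# matching TCP rule to the same designated addresses rather than opening 53 widely.

# 2. Profile defaults: everything not matched above is dropped, on every profile,
#    and dropped packets are logged (Example 2's "Log dropped packets: Yes").
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed False `
    -LogFileName $LogPath -LogMaxSizeKilobytes 32767

# 3. Audit: each enabled Allow rule must carry a documented justification.
#    Any rule this returns either needs a Description or should be removed.
function Get-UnjustifiedAllowRules {
    Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object { [string]::IsNullOrWhiteSpace($_.Description) } |
        Select-Object DisplayName, Direction, Profile
}
Get-UnjustifiedAllowRules | Format-Table -AutoSize
```

To push the same configuration through Group Policy instead of the local store, both `New-NetFirewallRule` and `Set-NetFirewallProfile` accept a `-PolicyStore` argument of the form `"domain.example\GPO name"` (placeholder); the rule and profile settings then land in the GPO rather than on the host running the script. Review the dropped-packet log at `$LogPath` after a day of normal use: legitimate traffic showing up as DROP is the signal to add a documented exception, not to relax the default.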