NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-7(5) — Deny by Default — Allow by Exception
Deny network communications traffic by default and allow network communications traffic by exception [Assignment: organization-defined systems].
CMMC Practice Mapping
Related Controls
No related controls listed
Supplemental Guidance
Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.
Practitioner Notes
Your firewall rules should start with "deny all" and only add specific "allow" rules for traffic you have explicitly approved. This is the principle of least privilege applied to network traffic.
Example 1: On your perimeter firewall, set the default rule to deny all inbound and outbound traffic. Then add specific allow rules for each business need — HTTPS outbound for web browsing, SMTP to your email provider, VPN for remote workers. Each rule should reference a change request with business justification.
Example 2: On Windows endpoints, configure the Windows Firewall via GPO to block all inbound connections by default. Only allow specific exceptions like your management tools (SCCM, remote desktop from admin VLAN) and security agents. Log all blocked connections for review.
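To make the two examples above concrete, here is an added illustration (not part of the original control page or any vendor's firewall code): a small first-match rule engine in Python that models the perimeter policy from Example 1, records the blocked flows that Example 2 says should be logged, and audits a ruleset for the properties a reviewer wants before deployment (an explicit final deny-all, no allow-any rule, and a change request reference on every allow rule). All rules, addresses, ports, and change request identifiers are constructed for illustration.

```python
"""Deny-by-default / allow-by-exception policy evaluator and auditor.

Added example modelling the policy described in the Practitioner Notes.
Every rule, address, port and change request id here is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in", "out", or "any"
    proto: str              # "tcp", "udp", or "any"
    src: str                # CIDR or "any"
    dst: str                # CIDR or "any"
    dport: Optional[int]    # destination port, None = any port
    change_ref: str = ""    # change request that justifies an allow rule
    comment: str = ""       # business justification, kept with the rule


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def _addr_in(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction in ("any", flow.direction)
            and rule.proto in ("any", flow.proto)
            and _addr_in(rule.src, flow.src)
            and _addr_in(rule.dst, flow.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins. A flow that no rule matches is denied: this is
    the implicit default deny, which holds even if the explicit deny-all is missing."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule
    return "deny", None


def denied_flows(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """The flows that were blocked, i.e. what 'log all blocked connections' records."""
    return [f for f in flows if evaluate(rules, f)[0] == "deny"]


def _is_catch_all(rule: Rule) -> bool:
    return (rule.direction == "any" and rule.proto == "any"
            and rule.src == "any" and rule.dst == "any" and rule.dport is None)


def audit(rules: List[Rule]) -> List[str]:
    """Policy hygiene checks a reviewer runs before the ruleset is deployed."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if not rule.change_ref:
            findings.append(f"rule {i}: allow rule has no change request reference")
        if _is_catch_all(rule):
            findings.append(f"rule {i}: allow-any rule defeats deny by default")
    if not rules or rules[-1].action != "deny" or not _is_catch_all(rules[-1]):
        findings.append("ruleset does not end with an explicit deny-all rule")
    return findings


# Constructed perimeter policy mirroring Example 1 (documentation address ranges).
POLICY = [
    Rule("allow", "out", "tcp", "10.0.0.0/8", "any", 443, "CR-1042", "HTTPS browsing"),
    Rule("allow", "out", "tcp", "10.0.0.0/8", "203.0.113.25/32", 587, "CR-1043", "SMTP to mail provider"),
    Rule("allow", "in", "udp", "any", "198.51.100.10/32", 1194, "CR-1051", "VPN for remote workers"),
    Rule("deny", "any", "any", "any", "any", None, "", "explicit deny-all"),
]

# Constructed traffic sample: two approved flows, two with no approved exception.
SAMPLE_FLOWS = [
    Flow("out", "tcp", "10.1.2.3", "198.51.100.77", 443),
    Flow("out", "tcp", "10.1.2.3", "198.51.100.77", 22),
    Flow("in", "udp", "203.0.113.9", "198.51.100.10", 1194),
    Flow("in", "tcp", "203.0.113.9", "198.51.100.10", 3389),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        action, rule = evaluate(POLICY, flow)
        why = rule.comment if rule else "no matching rule (implicit default deny)"
        print(f"{flow.direction:3} {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  {action:5} ({why})")
    print("blocked for review:", len(denied_flows(POLICY, SAMPLE_FLOWS)))
    print("audit findings:", audit(POLICY) or "none")
```

The engine returns the matching rule alongside the verdict so that an allowed flow can always be traced back to the change request that justified it, and `audit` flags the two ways a deny-by-default policy is usually undermined in practice: an allow rule nobody can justify, and a broad allow-any rule added "temporarily" that never gets removed.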