SC.3.183

Control Acronym

SC

Family

System And Communications Protection

CMMC Level

3

800-171 Control #

3.13.6

CMMC Description

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

CMMC Clarification

Block all traffic going into and coming out of the network, but permit specific traffic into and out of the network based on the organization's policies, exceptions, or criteria. This process of permitting only authorized traffic to the network is called whitelisting, which limits the number of unintentional connections to the network.

Example: You are the IT administrator setting up a new environment to house the company's CUI. You install firewalls between this environment and the other networks of the company with firewall rules that deny all traffic. You go through each service and application that runs in the new environment and only allow the required ports and network paths to be opened. You test the functionality of the required services and applications to make sure they work. You comment each firewall rule so there is documentation of why it is required. You review the firewall rules on a regular basis to make sure there were no unauthorized changes made (e.g., during troubleshooting of networking issues).
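The periodic review described in the clarification can be automated. The following is an added example, not part of the CMMC text: a small Python audit over an iptables-save style export (a constructed sample, not from any real system) that flags two deviations from deny-all, permit-by-exception: a built-in chain whose default policy is not DROP, and an ACCEPT rule that carries no comment documenting why the exception exists.

```python
import re

# Constructed sample ruleset in iptables-save format (assumption: the
# environment exports its rules this way). It deliberately contains one
# undocumented exception (port 22) and one chain that is not deny-by-default.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "return traffic for approved sessions" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "CUI web app, change CR-0042" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m comment --comment "internal DNS" -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[")        # :CHAIN POLICY [pkts:bytes]
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")           # -A CHAIN <match/target args>
COMMENT_RE = re.compile(r'-m comment --comment "([^"]*)"')
BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


def audit_ruleset(text):
    """Return a list of findings; an empty list means every built-in chain
    denies by default and every ACCEPT exception is documented."""
    findings = []
    policies = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and re.search(r"-j ACCEPT\b", m.group(2)):
            chain, body = m.group(1), m.group(2)
            c = COMMENT_RE.search(body)
            if not c or not c.group(1).strip():
                findings.append(f"undocumented exception in {chain}: {line}")
    for chain in BUILTIN_CHAINS:
        policy = policies.get(chain, "missing")
        if policy != "DROP":
            findings.append(f"chain {chain} default policy is {policy}, expected DROP")
    return findings


if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULES):
        print(finding)
```

Run against a live export (`iptables-save`) on a schedule and diff the findings against the previous run to catch changes made outside the change process.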

800-171 Description

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

800-171 Discussion

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-7(5)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.13.6

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criteria

Assessment Sub-Criteria 1

SC.3.183.[a] network communications traffic is denied by default; and

Assessment Sub-Criteria 2

SC.3.183.[b] network communications traffic is allowed by exception.