


Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Implement Domain Name System (DNS) filtering services.

CMMC Clarification

Domain Name System (DNS) filtering blocks access to certain websites or IP addresses. The organization should use DNS to prevent access to known malicious websites or categories of websites. The DNS filtering will prevent users from receiving an IP address for the blocked domain names. A commercial DNS filtering service can be used.

Example

You are in charge of IT operations for your company. Part of your role is to implement web browser protections. To do this, you purchase a commercial DNS filtering application or service and configure your enterprise environment to use the service. The configuration blocks users from being able to access known malicious websites. The application provider is responsible for ensuring it has the latest list of known malicious websites. As an administrator, you can update this filtering mechanism for your organization, as appropriate, to provide additional DNS blocking or to allow previously blocked websites.

Other Source Discussion

CIS CONTROLS V7.1

Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems. Web browsers and email clients are very common points of entry and attack because of their technical complexity, flexibility, and their direct interaction with users and with other systems and websites. Content can be crafted to entice or spoof users into taking actions that greatly increase risk and allow introduction of malicious code, loss of valuable data, and other attacks. Since these applications are the main means that users interact with untrusted environments, these are potential targets for both code exploitation and social engineering.

This practice is based on the following CIS control:

7.7 Use Domain Name System (DNS) filtering services to help block access to known malicious domains.

CIS Control References

CIS Controls v7.1 7.7

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 SC-20


Assessment Sub-Criteria 1

SC.3.192.[a] the organization uses a DNS filtering service;

Assessment Sub-Criteria 2

SC.3.192.[b] the organization has configured the enterprise to ensure outgoing web access requests utilize the DNS filtering service; and

Assessment Sub-Criteria 3

SC.3.192.[c] the organization monitors the DNS filtering service for effectiveness.
