Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.

CMMC Clarification

Organizations shall have the ability to prevent access to URLs the organization has determined should not be accessed for policy or security reasons. URL filters typically are a blacklist of URLs that block access to known bad sites. Categorization services identify websites according to a set of content attributes and allow organizations to allow or disallow access to entire classes of websites. In addition, organizations may choose to block access to uncategorized sites, which may represent malicious sites. The filters and categories should be updated dynamically through an intel subscription as well as manually. Example 1 You are the security manager for the organization. You installed a web proxy and configured all the computers in the organization to use the proxy to access HTTP and HTTPS sites on the Internet. The proxy servers are updated daily with the vendor’s URL categorization database and you put in rules to block access to hate, gambling, and porn sites as well as all sites that have not yet been categorized. Example 2 You are the IT manager for the organization. You evaluated and selected a cloud filtering service that allowed you to create and manage policies for which sites users could access. To start using the service, you redirect the organization’s DNS to point to the cloud provider so everyone in the organization would be covered by the URL access policies you established.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Typically a high percentage of an organization’s internet traffic is web-based. Web-based information and services is access through a Uniform Resource Locator (URL). Information regarding the provenance and purpose of a URL can be used to restrict access for policy or security concerns.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15