CMMC SC.3.183 - Deny Network Communications by Default and Allow by Exception

Requirement text: SC.3.183: Deny network communications traffic by default and allow network
communications traffic by exception (i.e., deny all, permit by exception).

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement applies to inbound and outbound network communications traffic at the
system boundary and at identified points within the system. A deny-all, permit-by-exception
network communications traffic policy ensures that only those connections which are
essential and approved are allowed.

CMMC CLARIFICATION
Block all traffic going into and coming out of the network, and then permit only specific
traffic in and out based on the organization's policies, exceptions, or criteria. This process of
permitting only authorized traffic to the network is called whitelisting, and it limits the
number of unintended connections to the network.

Example
You are the IT administrator setting up a new environment to house the company’s CUI. You
install firewalls between this environment and the other networks of the company with
firewall rules that deny all traffic. You go through each service and application that runs in
the new environment and only allow the required ports and network paths to be opened.
You test the functionality of the required services and applications to make sure they work.
You comment each firewall rule so that there is documentation of why it is required.
You review the firewall rules on a regular basis to make sure no unauthorized changes were
made (e.g., during troubleshooting of networking issues).
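The deny-all, permit-by-exception setup walked through in the example above, as an added illustration that is not part of the CMMC or NIST text: a bash script that renders an nftables ruleset whose chains drop by default, turns each approved exception into one accept rule that carries its justification as a comment, and provides a review check that flags accept rules without a comment. The exception list, the table name `cui_boundary`, and the addresses are constructed assumptions, not values from the requirement.

```shell
#!/usr/bin/env bash
# Deny-all, permit-by-exception nftables ruleset generated from a documented
# exception list, plus a review check for undocumented accept rules.
# Assumptions (not from the CMMC text): a Linux host running nftables; the
# exception list format below is constructed for this example.
set -eu

# Constructed sample exception list, one approved exception per line:
#   <direction in|out> <proto> <port> <peer CIDR> <reason for the exception>
EXCEPTIONS='
in tcp 443 10.20.0.0/24 HTTPS to the CUI web app from the corporate LAN
in tcp 22 10.20.5.10/32 SSH from the jump host for administration
out udp 123 10.20.0.1/32 NTP to the internal time server
'

# emit_rules DIRECTION: print one accept rule per exception in that direction.
# Inbound rules match the source address, outbound rules the destination.
# The reason becomes an nft comment, so the documentation lives in the ruleset.
emit_rules() {
    printf '%s\n' "$EXCEPTIONS" | while read -r dir proto port peer reason; do
        [ "$dir" = "$1" ] || continue
        if [ "$dir" = in ]; then sel="ip saddr"; else sel="ip daddr"; fi
        printf '        %s %s %s dport %s accept comment "%s"\n' \
            "$sel" "$peer" "$proto" "$port" "$reason"
    done
}

# render_ruleset: print the full ruleset. Every chain has "policy drop", so
# anything not listed as an exception is denied by default.
render_ruleset() {
    cat <<'EOF'
flush ruleset
table inet cui_boundary {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept comment "loopback"
        ct state established,related accept comment "replies to permitted sessions"
EOF
    emit_rules in
    cat <<'EOF'
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept comment "loopback"
        ct state established,related accept comment "replies to permitted sessions"
EOF
    emit_rules out
    cat <<'EOF'
    }
}
EOF
}

# count_undocumented: read a ruleset on stdin and count accept rules that carry
# no comment. A non-zero count means an exception exists without a recorded
# justification, which is what the periodic rule review should catch.
count_undocumented() {
    grep 'accept' | grep -vc 'comment' || true
}

# Usage:
#   render_ruleset > approved.nft && sudo nft -f approved.nft
#   sudo nft list ruleset | count_undocumented      # expect 0 on a clean host
```

For the periodic review, save `nft list ruleset` output immediately after applying the approved file as the baseline, and later `diff` a fresh `nft list ruleset` against it; comparing against the generated input file directly is noisy because nft normalizes the syntax on load. The `count_undocumented` check is a coarse complement to that diff: it catches accept rules that were added without a justification, regardless of whether the baseline was kept current.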

References
• NIST SP 800-171 Rev 1 3.13.6
• NIST SP 800-53 Rev 4 SC-7(5)
Related Articles
• CMMC SC.1.175 – Monitor and Control Communications
• Systems and Communications Protection: SP 800-171 Security Family 3.13
• CMMC CM.3.069 - Deny Unauthorized Software
• CMMC SC.3.186 - Terminate Unnecessary Network Sessions
• CMMC SC.2.179 - Encrypt Sessions for Network Devices Management