CMMC SC.4.229 - Enforce URL Filtering of Websites


Requirement text: SC.4.229: Utilize a URL categorization service and implement techniques to enforce
URL filtering of websites that are not approved by the organization.

DISCUSSION FROM SOURCE: CMMC
Typically a high percentage of an organization’s internet traffic is web-based. Web-based
information and services are accessed through a Uniform Resource Locator (URL). Information
regarding the provenance and purpose of a URL can be used to restrict access for policy or
security concerns.

CMMC CLARIFICATION
Organizations shall have the ability to prevent access to URLs the organization has
determined should not be accessed for policy or security reasons. URL filters typically are a
blacklist of URLs that block access to known bad sites. Categorization services identify
websites according to a set of content attributes and allow organizations to allow or disallow
access to entire classes of websites. In addition, organizations may choose to block access to
uncategorized sites, which may represent malicious sites. The filters and categories should
be updated dynamically through an intel subscription as well as manually.

Example 1
You are the security manager for the organization. You installed a web proxy and configured
all the computers in the organization to use the proxy to access HTTP and HTTPS sites on
the Internet. The proxy servers are updated daily with the vendor’s URL categorization
database and you put in rules to block access to hate, gambling, and porn sites as well as all
sites that have not yet been categorized.

Example 2
You are the IT manager for the organization. You evaluated and selected a cloud filtering
service that allowed you to create and manage policies for which sites users could access. To
start using the service, you redirected the organization’s DNS to point to the cloud provider so
that everyone in the organization would be covered by the URL access policies you established.
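The filtering decision described in the clarification and in Example 1 (block selected categories plus every site not yet categorized, with organization-approved exceptions), as an added example that is not part of the CMMC text or any vendor product: the category database, domain names, allowlist and policy sets are constructed placeholders standing in for a vendor categorization feed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a vendor URL categorization feed (domain -> category).
CATEGORY_DB = {
    "example.com": "business",
    "casino.example": "gambling",
    "news.example": "news",
}
# Policy from Example 1: block these categories and anything not yet categorized.
BLOCKED_CATEGORIES = {"hate", "gambling", "porn"}
BLOCK_UNCATEGORIZED = True
# Organization-approved exceptions, always allowed (constructed names).
ALLOWLIST = {"intranet.example"}
UNCATEGORIZED = "uncategorized"


def normalize_host(url: str) -> str:
    """Canonical hostname: lowercase, no port, no trailing dot.
    For HTTPS a proxy usually sees only the hostname (SNI), so the
    decision is made on the host rather than the full path."""
    try:
        parts = urlsplit(url if "://" in url else "http://" + url)
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    return (parts.hostname or "").rstrip(".").lower()


def categorize(host: str) -> str:
    """Look up the host, then each parent domain, so sub.casino.example
    inherits casino.example's category; unknown hosts are uncategorized."""
    labels = host.split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return UNCATEGORIZED


def decide(url: str) -> tuple:
    """Return (action, host, category) for one outbound web request."""
    host = normalize_host(url)
    if not host:
        return ("block", host, "invalid")  # fail closed on unparsable requests
    category = categorize(host)
    if host in ALLOWLIST:
        return ("allow", host, category)
    if category in BLOCKED_CATEGORIES or (category == UNCATEGORIZED and BLOCK_UNCATEGORIZED):
        return ("block", host, category)
    return ("allow", host, category)
```

In a real proxy the dictionary would be replaced by the vendor database refreshed on the daily schedule described above, with manual entries layered on top; the decision order (exceptions, then blocked categories, then uncategorized) stays the same.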

References
• CMMC
• CIS Controls v7.1 7.4