CMMC SC.5.230 - Enforce Port and Protocol Compliance


Requirement text: SC.5.230: Enforce port and protocol compliance.

DISCUSSION FROM SOURCE: CMMC
Malicious actors are able to perform command and control and exfiltration of data by
running their own protocols over well-known ports or by hijacking fields within a common
protocol. By defining allowed ports and protocols, and only allowing proper protocol syntax
on the correct authorized ports, the malicious activity is stopped.

CMMC CLARIFICATION
Organizations shall enforce that traffic crossing the network boundary complies with the
standard for the protocol in question and uses the appropriate well-known port. If the port
or protocol is not known, the traffic should be blocked.

Example 1
You are a network engineer for your organization. You have a NextGen firewall installed on
the Internet edge of the network and have configured the firewall to perform protocol
enforcement and block traffic that is not known or specifically approved by the
organization’s security policy.

Example 2
You are a network engineer for your organization. You have configured the IPS device to
monitor and block traffic that is not in compliance with the standards or protocols approved
for users to access the Internet.
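
The rule in the clarification above (known port, protocol syntax matching that port, block otherwise) can be sketched as a default-deny check. This is an added example, not text from CMMC or code from any firewall or IPS product; the policy table, function names and sample payloads are constructed for illustration, and it assumes the inspected bytes are the first client-to-server payload of an outbound flow.

```python
import re

# Constructed policy (an assumption): authorized (transport, port) -> expected protocol.
ALLOWED = {("tcp", 80): "http", ("tcp", 443): "tls", ("udp", 53): "dns"}
HTTP_REQUEST = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

def is_http(payload: bytes) -> bool:
    """The first line must be a well-formed HTTP/1.x request line."""
    return HTTP_REQUEST.match(payload) is not None

def is_tls(payload: bytes) -> bool:
    """TLS record header: handshake (22), major version 3, sane length, ClientHello (1)."""
    if len(payload) < 6:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    return (payload[0] == 22 and payload[1] == 3 and payload[2] <= 4
            and 0 < record_len <= 16384 and payload[5] == 1)

def is_dns_query(payload: bytes) -> bool:
    """12-byte DNS header: QR=0 (query), opcode 0, reserved Z bit 0, >= 1 question."""
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    qr, opcode, z = flags >> 15, (flags >> 11) & 0xF, (flags >> 6) & 0x1
    return len(payload) >= 12 and qr == 0 and opcode == 0 and z == 0 and qdcount >= 1

VALIDATORS = {"http": is_http, "tls": is_tls, "dns": is_dns_query}

def verdict(transport: str, dst_port: int, payload: bytes) -> str:
    """Allow only a known port carrying its own protocol; everything else is blocked."""
    proto = ALLOWED.get((transport, dst_port))
    if proto is None:
        return "block: port not authorized"
    if not VALIDATORS[proto](payload):
        return f"block: payload is not valid {proto} on port {dst_port}"
    return "allow"

# Constructed sample payloads, one per flow.
SAMPLES = [
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("tcp", 443, b"hello server\n"),  # non-TLS bytes on the TLS port
    ("tcp", 443, bytes([22, 3, 1, 0, 5, 1, 0, 0, 1, 0])),
    ("udp", 53, bytes.fromhex("1a2b01000001000000000000")
     + b"\x07example\x03com\x00\x00\x01\x00\x01"),
    ("tcp", 4444, b"hello"),  # port not in the policy
]

if __name__ == "__main__":
    for transport, port, data in SAMPLES:
        print(f"{transport}/{port}: {verdict(transport, port, data)}")
```

These header checks only cover the first bytes of a flow; the protocol enforcement described in the two examples is performed by the firewall or IPS across the whole session.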

References
• CMMC
• CIS Controls v7.1 9.2
• NIST 800-53 Rev 4 AC-7(17)