CMMC Practices

SC.L2-3.13.6  

Reference: CMMC 2.0

Family: SC

Level Introduced: 2

Title: Network Communication by Exception

Practice:
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

CMMC Clarification:
Block all traffic going into and coming out of the network, but permit specific traffic in and out based on the organization's policies, exceptions, or criteria. This process of permitting only authorized traffic to the network is called whitelisting, which limits the number of unintentional connections to the network.

Example
You are the IT administrator setting up a new environment to house the company's CUI. You install firewalls between this environment and the other networks of the company with firewall rules that deny all traffic. You go through each service and application that runs in the new environment and only allow the required ports and network paths to be opened. You test the functionality of the required services and applications to make sure they work. You comment each firewall rule so there is documentation of why it is required.

You review the firewall rules on a regular basis to make sure no unauthorized changes were made (e.g., during troubleshooting of networking issues).
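
One way to automate the review described in the example above, added here as an illustration and not part of the CMMC text: a Python check over `iptables-save` output that flags default policies other than DROP, allow rules without a comment, and drift from an approved baseline. The use of iptables, the rulesets, the addresses and the ticket reference are all assumptions constructed for the example.

```python
import shlex

# Constructed sample (iptables-save format): the approved baseline for the CUI enclave.
BASELINE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "return traffic" -j ACCEPT
-A INPUT -p tcp -s 10.20.0.0/24 --dport 443 -m comment --comment "CUI web app, ticket PLACEHOLDER-1" -j ACCEPT
-A OUTPUT -p udp -d 10.20.0.53 --dport 53 -m comment --comment "internal DNS" -j ACCEPT
COMMIT
"""

# Constructed sample: the running ruleset after a troubleshooting session.
RUNNING = BASELINE.replace(":FORWARD DROP", ":FORWARD ACCEPT").replace(
    "COMMIT", "-A INPUT -p tcp --dport 3389 -j ACCEPT\nCOMMIT")

def parse(ruleset):
    """Return ({chain: default policy}, [rule as token list]) from iptables-save text."""
    policies, rules = {}, []
    for line in ruleset.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line))  # keeps a quoted comment as one token
    return policies, rules

def audit(running, baseline):
    """List deviations from deny-by-default, documented rules, and the baseline."""
    findings = []
    policies, rules = parse(running)
    _, approved = parse(baseline)
    for chain, policy in sorted(policies.items()):
        if policy not in ("DROP", "-"):  # "-" marks a user-defined chain (no policy)
            findings.append(f"{chain}: default policy is {policy}, expected DROP")
    for rule in rules:
        if "ACCEPT" in rule and "--comment" not in rule:
            findings.append(f"undocumented allow rule: {' '.join(rule)}")
        if rule not in approved:
            findings.append(f"not in approved baseline: {' '.join(rule)}")
    for rule in approved:
        if rule not in rules:
            findings.append(f"approved rule missing: {' '.join(rule)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(RUNNING, BASELINE)))
```

An empty result means the running ruleset still matches the documented, deny-by-default baseline; any finding is a change to investigate or to approve and record.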


Source: CMMC v2.0