SC.L2-3.13.6—Network Communication by Exception
Level 2
800-171: 3.13.6
Control Description
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your firewall and network access control policy?
- How do you implement deny-all, permit-by-exception for network traffic?
- What is your process for approving firewall rule changes?
- Who reviews firewall rules periodically to ensure deny-by-default is maintained?
- How often do you review and remove unnecessary permit rules?
Technical Implementation:
- What firewall configurations implement deny-by-default?
- How are firewall rules structured to deny all, then permit exceptions?
- What implicit deny rules are at the end of ACLs?
- What tools verify deny-by-default is properly configured?
- What logging captures denied traffic?
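The technical questions above come down to three checks an assessor can make against a firewall rule set: the chain either has a DROP default policy or ends in an unconditional deny, no ACCEPT rule is a disguised permit-all, and denied traffic is logged before it is dropped. The script below is an added example, not part of this page or of the CMMC/NIST material; it audits an iptables-save style dump for those three properties. Both rule sets embedded in it are constructed for illustration, and the assumption that deny-by-default is evaluated on the INPUT and FORWARD chains (OUTPUT is often left permissive on hosts) is mine, not the control's.

```python
"""Audit an iptables-save style ruleset for deny-all, permit-by-exception.

Added example. The rule sets below are constructed for illustration and
are not configuration taken from any real system.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: denies by default, permits a few specific flows, and
# logs what it drops just before the terminal deny.
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
-A INPUT -j DROP
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD DROP: "
-A FORWARD -j DROP
COMMIT
"""

# Constructed sample of what an assessor would flag: ACCEPT policies,
# permit-all rules, and no logging of denied traffic.
BAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

ANY_ADDR = {"0.0.0.0/0", "::/0", "0/0"}


@dataclass
class Rule:
    chain: str
    target: str
    matches: list  # match tokens between the chain name and -j
    text: str


def parse_filter_table(ruleset):
    """Return (policies, rules) for the filter table of an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # "*filter", "*nat", ...
            table = line[1:]
            continue
        if table != "filter":
            continue
        if line.startswith(":"):          # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)       # handles quoted --log-prefix values
            j = tok.index("-j")
            rules.append(Rule(tok[1], tok[j + 1], tok[2:j], line))
    return policies, rules


def is_unconditional(rule):
    """True if the rule matches all traffic: no criteria, or only any-address."""
    tok = list(rule.matches)
    i = 0
    while i < len(tok):
        if tok[i] in ("-s", "-d") and i + 1 < len(tok) and tok[i + 1] in ANY_ADDR:
            del tok[i:i + 2]
        else:
            i += 1
    return not tok


def audit(ruleset, chains=("INPUT", "FORWARD")):
    """Return a list of findings; an empty list means deny-by-default holds."""
    policies, rules = parse_filter_table(ruleset)
    findings = []
    for chain in chains:
        chain_rules = [r for r in rules if r.chain == chain]
        # Deny by default: DROP policy, or an explicit unconditional deny at
        # the end of the chain (the "implicit deny at the end of the ACL").
        terminal = chain_rules[-1] if chain_rules else None
        terminal_deny = (terminal is not None and terminal.target in ("DROP", "REJECT")
                         and is_unconditional(terminal))
        if policies.get(chain) != "DROP" and not terminal_deny:
            findings.append(f"{chain}: no default deny (policy {policies.get(chain)}, "
                            "no terminal DROP/REJECT rule)")
        # Permit by exception: every ACCEPT must carry some match criterion.
        for r in chain_rules:
            if r.target == "ACCEPT" and is_unconditional(r):
                findings.append(f"{chain}: permit-all rule defeats deny-by-default: {r.text}")
        # Denied traffic must be logged somewhere in the chain.
        if not any(r.target == "LOG" for r in chain_rules):
            findings.append(f"{chain}: no LOG rule, denied traffic is not logged")
    return findings


if __name__ == "__main__":
    for name, rs in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, audit(rs) or ["OK"])
```

To run it against a live host, feed the output of `iptables-save` to `audit()`. It only reads the filter table and only understands iptables-save syntax; an nftables or vendor ACL dump needs its own parser, though the three checks are the same. Note that a chain whose policy is ACCEPT but which ends in `-j DROP` passes the default-deny check, which is what an assessor asking about "implicit deny rules at the end of ACLs" is looking for.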
Evidence & Documentation:
- What network diagrams show boundary protection architecture?
- What firewall rule sets and configurations can you provide?
- What firewall change requests and approval records can you provide?
- What logs of denied traffic can you provide?
- What network segmentation documentation shows proper separation?
- What records of periodic rule reviews show unnecessary permit rules being removed?
- What configuration documentation shows security controls are properly implemented?