Under active development — Content is continuously updated and improved

3.13.6—System and Communications Protection - Derived

Derived Requirement

>Control Description

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

>Discussion

This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

>Cross-Framework Mappings

CMMC

SCF

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What policies govern denying network communications after inactivity?
•What inactivity timeouts are defined for network sessions?
•Who approves network session timeout configurations?
•How do you differentiate timeouts for different connection types?
•What governance ensures inactive sessions are terminated?

Technical Implementation:

•How do you implement network-level inactivity timeouts?
•What firewalls or network devices enforce session termination?
•What timeout values are configured for different protocols?
•How do you monitor and log inactive session termination?
•What controls prevent indefinite network connections?

Evidence & Documentation:

•Can you show network timeout configurations?
•What evidence demonstrates inactive session termination?
•Can you provide logs of network sessions terminated by timeout?
•What configurations enforce inactivity-based denial?
•What audit findings verify network timeout compliance?

Ask AI

Configure your API key to use AI features.