Overview:
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Action Items:
3.13.6[a]
Determine if: network communications traffic is denied by default.
3.13.6[b]
Determine if: network communications traffic is allowed by exception.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: System and communications protection policy; procedures addressing boundary protection; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records.
2) Interview: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities.
3) Test: Mechanisms implementing traffic management at managed interfaces.
Related Documents (document name and content will vary by organization):
1) System and communications protection policy
2) procedures addressing boundary protection
3) system security plan
4) system design documentation
5) system configuration settings and associated documentation
6) system audit logs and records
7) other relevant documents or records
Additional Guidance:
This requirement applies to inbound and outbound network communications traffic, both at the system boundary and at identified points within the system (for example, between internal network segments or at host-based firewalls). A deny-all, permit-by-exception policy ensures that only connections that are essential and explicitly approved are allowed; applying it to outbound traffic as well as inbound limits what a compromised host can reach. Note that a default-deny policy with a blanket "allow any" rule added on top is functionally default-allow and does not satisfy this requirement.
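As a worked illustration of the "Test" assessment method above, the following added example (not part of the original article or of NIST's material) checks a Linux host's packet-filter ruleset against the two assessment objectives. It parses the output format of `iptables -S` (policy lines `-P CHAIN TARGET` followed by rule lines `-A CHAIN ...`); the two rulesets embedded below are constructed samples, not output captured from a real system, and the chain and address values in them are assumed for illustration only.

```python
"""Assess an iptables filter-table ruleset against NIST 800-171 3.13.6.

3.13.6[a]: traffic is denied by default  -> every built-in chain policy is DROP.
3.13.6[b]: traffic is allowed by exception -> every ACCEPT rule carries match
           criteria (no unconditional "-j ACCEPT" that would re-open the chain).

Input is the text produced by `iptables -S` (or `iptables-save` rule lines).
"""

# Constructed sample: a default-allow host that only "adds" an SSH rule.
PERMISSIVE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed sample: deny all, permit by exception on both directions.
# Addresses (10.0.0.0/24, 10.0.0.53, 203.0.113.10) are assumed for illustration.
DEFAULT_DENY = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 10.0.0.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
"""

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")


def parse_rules(text):
    """Return ({chain: policy}, [(chain, [args...]), ...]) from `iptables -S` text."""
    policies = {}
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P" and len(parts) >= 3:
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return policies, rules


def is_unconditional_accept(args):
    """True when a rule jumps to ACCEPT with no match criteria at all."""
    return args == ["-j", "ACCEPT"]


def assess(text):
    """Return a list of findings; an empty list means both objectives are met."""
    policies, rules = parse_rules(text)
    findings = []

    # [a] Default deny: a missing policy line is treated as the iptables
    # default of ACCEPT, so an absent chain is reported as a failure too.
    for chain in BUILTIN_CHAINS:
        policy = policies.get(chain, "ACCEPT")
        if policy != "DROP":
            findings.append(
                f"3.13.6[a]: chain {chain} default policy is {policy}, expected DROP"
            )

    # [b] Permit by exception: every ACCEPT must be scoped by some match
    # (interface, address, protocol/port, or connection state).
    for chain, args in rules:
        if is_unconditional_accept(args):
            findings.append(
                f"3.13.6[b]: chain {chain} has an unconditional ACCEPT rule"
            )
    return findings


if __name__ == "__main__":
    for label, ruleset in (("permissive", PERMISSIVE), ("default-deny", DEFAULT_DENY)):
        result = assess(ruleset)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  " + finding)
```

Run against a live host with `iptables -S | python3 assess.py` after replacing the embedded samples with `sys.stdin.read()`. Two caveats a practitioner should keep in mind: the script only covers the IPv4 filter table, so `ip6tables -S` (or the equivalent nftables ruleset) must be assessed separately, and a passing host ruleset says nothing about the boundary firewall or internal segmentation devices, which must each be tested at their own managed interfaces.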
Article ID: 198
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/nist-800-171-default-deny-all-3-13-6-198.html