SC.L2-3.13.6: Network Communication by Exception
Network Communication by Exception requires a deny-all-by-default posture where only explicitly authorized traffic is permitted. This zero-trust approach is critical for CMMC Level 2 compliance and dramatically reduces your attack surface. Without it, unauthorized communications can slip through and expose sensitive data.
What this means
This control mandates that your organization block all inbound and outbound network traffic by default, then explicitly allow only necessary communications based on business requirements. Rather than maintaining a blocklist of known threats, you maintain an allowlist of approved connections—a far more secure model. This applies to firewalls, routers, proxies, and any network boundary device.
How to comply
- 1.Configure firewall rules to deny all traffic by default (both inbound and outbound)
- 2.Document all approved network flows, protocols, ports, and destinations required for operations
- 3.Create explicit allow rules only for authorized communications tied to specific business needs
- 4.Apply the same deny-by-default policy to all network boundary devices and segments
- 5.Review and audit firewall rules quarterly to remove obsolete or unused allow rules
- 6.Log all network traffic attempts, including denied connections, for monitoring and investigation
- 7.Test the default-deny configuration to verify unauthorized traffic is actually blocked
Evidence auditors look for
- Firewall configuration files showing default deny policy with explicit allow rules
- Network access control lists (ACLs) documented with business justification for each rule
- Change management records showing approval and testing of firewall rule changes
- Network traffic logs demonstrating both allowed and denied connections
- Quarterly access reviews confirming all active rules remain necessary
- Configuration audit reports from firewall management tools
- Evidence of testing performed to validate the default-deny posture
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically inventories your firewall rules and network access policies, flags allow rules without documented business justification, and tracks quarterly access reviews—eliminating manual spreadsheet audits and ensuring your deny-by-default configuration stays compliant.
See how GRCWatch handles this control automatically
Start free trial