Network Communication Denial (NIST 800-171 3.13.6)
Control 3.13.6 requires organizations to deny all network traffic by default and only permit specific communications as exceptions. This zero-trust approach to network access prevents unauthorized data exfiltration and reduces your attack surface. Implementing deny-by-default policies is fundamental to protecting controlled unclassified information (CUI) in regulated environments.
What this means
Your organization must configure network devices, firewalls, and security appliances to block all incoming and outgoing network traffic unless explicitly permitted. Rather than maintaining a list of blocked services, you maintain an allowlist of approved communications. This inverts the traditional security model—nothing moves across your network without explicit authorization. The policy applies to all network interfaces, protocols, and destinations to prevent both external threats and insider threats from exfiltrating data.
How to comply
- 1.Audit all network traffic flows and document legitimate business communications
- 2.Configure firewalls and network appliances with default-deny rules for both inbound and outbound traffic
- 3.Create explicit allow rules for approved applications, services, and destinations
- 4.Implement network segmentation to isolate systems handling CUI from untrusted networks
- 5.Review and test all firewall rules before deployment to prevent service disruption
- 6.Document the business justification for each allowed traffic exception
- 7.Establish a change management process for adding new network exceptions
- 8.Monitor network traffic logs to identify and block unauthorized connection attempts
Evidence auditors look for
- Firewall configuration files showing default-deny rules with dated change logs
- Network access control lists (ACLs) listing all permitted traffic flows by source, destination, and protocol
- Router and switch configurations with stateful inspection enabled
- Proxy server logs demonstrating blocked versus allowed application traffic
- Data flow diagrams mapping approved network communications
- Change tickets and approvals for each network exception added
- Network traffic analysis reports showing rule effectiveness
- Incident logs showing blocked unauthorized connection attempts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates network traffic discovery and firewall rule documentation, generating evidence of your deny-by-default configuration and tracking all approved exceptions in a centralized control library.
See how GRCWatch handles this control automatically
Start free trial