Control 3.13.6
Deny Network Traffic by Default
Official Requirement
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
What This Means in Plain English
Your firewalls and network security devices should block all traffic by default and only allow specifically approved traffic through. This 'default deny' approach ensures that only known-good traffic flows through your network.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- FortiGate firewall configured with implicit deny-all as the default policy
- Explicit allow rules documented with business justification for each permitted flow
- Host-based firewalls on endpoints configured to deny inbound traffic by default
- Cisco Meraki switch port ACLs denying traffic not matching approved profiles
- Quarterly firewall rule review removing stale or unnecessary permit rules
Assessment Guidance
Assessors will verify that the default firewall policy is deny-all, review explicit allow rules for business justification, test that unapproved traffic is blocked, and check that firewall rules are reviewed regularly.
Common Implementation Gaps
- Default-allow firewall policy instead of default-deny
- Allow rules without documented business justification
- Overly broad allow rules (any-to-any on some ports)
- Host-based firewalls disabled or set to allow all
- Firewall rules never reviewed or cleaned up
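The checks an assessor performs (default action is deny, no any-to-any allows, every allow rule carries a justification, rules reviewed within the quarter, unapproved flows actually blocked) can be scripted against an export of the rule base. The following is an added example, not Petronella's or Fortinet's tooling; it assumes a constructed vendor-neutral rule representation (ordered first-match rules plus a policy default) rather than FortiGate's configuration syntax, and the sample policies are made up to exercise each gap listed above.

```python
"""Audit a firewall rule base for the default-deny gaps in 3.13.6.

Added example; the rule dictionaries below are a constructed, vendor-neutral
format (assumption), not a FortiGate or Meraki export.
"""
import ipaddress
from datetime import date, timedelta

# Constructed sample: a policy that exhibits every gap from the list above.
WEAK_POLICY = {
    "default_action": "allow",  # gap: implicit default should be deny
    "rules": [
        {"id": 1, "src": "10.0.1.0/24", "dst": "10.0.2.10", "port": "443",
         "action": "allow", "justification": "HR web app to HR database",
         "last_reviewed": "2024-03-01"},
        {"id": 2, "src": "any", "dst": "any", "port": "3389",
         "action": "allow", "justification": "",        # gap: no justification
         "last_reviewed": "2023-01-15"},                # gap: stale review
        {"id": 3, "src": "any", "dst": "any", "port": "any",
         "action": "deny", "justification": "explicit catch-all deny",
         "last_reviewed": "2024-03-01"},
    ],
}

# Constructed sample: the same intent expressed as deny-all, permit-by-exception.
HARDENED_POLICY = {
    "default_action": "deny",
    "rules": [
        {"id": 1, "src": "10.0.1.0/24", "dst": "10.0.2.10", "port": "443",
         "action": "allow", "justification": "HR web app to HR database",
         "last_reviewed": "2024-03-01"},
    ],
}

REVIEW_WINDOW = timedelta(days=90)  # quarterly rule review per the control


def _matches(pattern, value):
    """True if a rule field ('any', an exact value, or a CIDR) covers value."""
    if pattern == "any":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    return pattern == value


def evaluate(policy, src, dst, port):
    """First-match evaluation of a flow; unmatched flows get the policy default.

    Returns (action, matching_rule_id); rule id is None when the default applied.
    """
    for rule in policy["rules"]:
        if (_matches(rule["src"], src) and _matches(rule["dst"], dst)
                and _matches(rule["port"], str(port))):
            return rule["action"], rule["id"]
    return policy["default_action"], None


def audit_policy(policy, today):
    """Return a list of finding strings; an empty list means no gaps found."""
    findings = []
    if policy["default_action"] != "deny":
        findings.append("policy: default action is '%s', expected 'deny'"
                        % policy["default_action"])
    for rule in policy["rules"]:
        if rule["action"] != "allow":
            continue  # deny rules are not the concern of this control
        rid = rule["id"]
        if rule["src"] == "any" and rule["dst"] == "any":
            findings.append("rule %d: any-to-any allow on port %s" % (rid, rule["port"]))
        if not rule["justification"].strip():
            findings.append("rule %d: allow rule without business justification" % rid)
        age = today - date.fromisoformat(rule["last_reviewed"])
        if age > REVIEW_WINDOW:
            findings.append("rule %d: not reviewed in %d days" % (rid, age.days))
    return findings


if __name__ == "__main__":
    today = date(2024, 4, 1)  # fixed date so the run is reproducible
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(policy, today) or ["no findings"])
        # Unapproved flow (RDP from an outside address) should be denied.
        print(name, evaluate(policy, "192.0.2.9", "10.0.2.10", 3389))
```

The `evaluate` function is the scripted form of the "test that unapproved traffic is blocked" step: the weak policy permits the outside RDP flow via its any-to-any rule, while the hardened policy has no matching rule and falls through to the deny default. Run the audit against a periodic export to support the quarterly review rather than relying on memory of which rules are still needed.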
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | SC-7(5) |
| PCI DSS | Req 1.2.1 - Restrict inbound and outbound traffic |
Need Help Implementing 3.13.6?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.