3.13.6 — Deny Everything by Default
What It Says
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
What It Actually Means
Every firewall — perimeter, internal, host-based — must follow the same principle: block everything, then allow only what’s explicitly needed.
This applies to:
- Inbound traffic — only approved services receive connections from outside
- Outbound traffic — this is where most companies fail. If your outbound rules allow everything, an attacker who gets in can exfiltrate data freely
- Internal traffic between zones — CUI zone to corporate zone, DMZ to internal
For each allowed flow, you should be able to answer:
- What — source, destination, port, protocol
- Why — business justification
- Who — who approved it
- When — when was it last reviewed
The assessor will review your firewall rules. Any ‘allow any any’ rule — especially between zones — is an instant finding. Legacy rules that nobody remembers creating are common problems.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Is network traffic denied by default? | Last rule on all firewalls is deny-all |
| 2 | Is network traffic allowed only by exception? | Each allow rule is documented with source, destination, port, protocol, and justification |
| 3 | Does this apply to both inbound and outbound? | Outbound filtering is in place — not just inbound |
What to Have Ready on Assessment Day
Documents they’ll review: System and communications protection policy; system security plan; firewall rule sets; network diagrams; system configuration settings; firewall rule review records
People they’ll talk to: System or network administrators; personnel with information security responsibilities
Live demos they’ll ask for: Mechanisms implementing default-deny network policies; traffic blocked by default-deny rules
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me your firewall rules. What’s the last rule?”
- “Are outbound connections filtered or is everything allowed out?”
- “Walk me through three allow rules — what’s the business justification for each?”
- “When were your firewall rules last reviewed? Show me the review record.”
- “Are there any ‘allow any any’ rules? Where and why?”
- “How do you handle requests for new firewall rules?”
Where Companies Trip Up
Allow-by-default. The default action is ‘permit’ instead of ‘deny.’ Invert it on every firewall.
No outbound filtering. Inbound is locked down but any traffic can leave the network. An attacker can exfiltrate CUI freely.
Legacy ‘any any’ rules. Rules created years ago by someone no longer with the company. Nobody knows what they’re for but nobody dares delete them. Review and clean.
No rule documentation. Rules exist but nobody can explain what they’re for. Every rule needs a documented justification.
No periodic review. Rules accumulate over time. Without quarterly reviews, your firewall becomes increasingly permissive.
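As an added example (not code from the original guide), here is a small Python audit that applies the three Pass or Fail checks and the what/why/who/when test above to a rule set: last rule per direction is deny-all, no ‘allow any any’, every allow rule has a justification and approver, and no rule is past its review period. The rule fields, the 90-day review cadence and the sample rules are all constructed assumptions for illustration.

```python
from datetime import date

# Constructed sample rule set for illustration, not a real firewall export.
# Rules are matched top to bottom within each direction; "any" is a wildcard.
RULES = [
    {"id": 10, "dir": "in", "action": "allow", "src": "any", "dst": "10.1.1.5",
     "port": "443", "proto": "tcp", "why": "Public web portal", "who": "CISO",
     "reviewed": date(2024, 11, 1)},
    {"id": 20, "dir": "out", "action": "allow", "src": "10.1.2.0/24", "dst": "any",
     "port": "443", "proto": "tcp", "why": "CUI zone to approved SaaS", "who": "CISO",
     "reviewed": date(2024, 11, 1)},
    {"id": 30, "dir": "out", "action": "allow", "src": "any", "dst": "any",
     "port": "any", "proto": "any", "why": "", "who": "",
     "reviewed": date(2019, 3, 2)},  # the legacy rule nobody dares delete
    {"id": 40, "dir": "in", "action": "allow", "src": "any", "dst": "10.1.1.9",
     "port": "22", "proto": "tcp", "why": "", "who": "netops", "reviewed": None},
    {"id": 50, "dir": "in", "action": "deny", "src": "any", "dst": "any",
     "port": "any", "proto": "any", "why": "Default deny", "who": "CISO",
     "reviewed": date(2024, 11, 1)},
    # Note: the outbound chain has no deny-all at the end (the common failure).
]

REVIEW_PERIOD_DAYS = 90       # quarterly review cadence (assumed)
AS_OF = date(2025, 1, 15)     # constructed assessment date

def audit(rules, today):
    """Return (rule_id, finding) tuples; an empty list means every check passed."""
    findings = []
    # Check 1: each direction's chain must end in an explicit deny-all.
    for direction in ("in", "out"):
        chain = [r for r in rules if r["dir"] == direction]
        last = chain[-1] if chain else None
        if last is None or last["action"] != "deny" or (last["src"], last["dst"]) != ("any", "any"):
            findings.append((None, f"{direction}bound chain does not end in deny-all"))
    # Checks 2 and 3: every allow rule is a documented exception (what/why/who/when).
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((r["id"], "allow any any"))
        for field in ("why", "who"):
            if not r[field]:
                findings.append((r["id"], f"missing {field}"))
        if r["reviewed"] is None or (today - r["reviewed"]).days > REVIEW_PERIOD_DAYS:
            findings.append((r["id"], "review overdue"))
    return findings

def audit_sample():
    return audit(RULES, AS_OF)  # seven findings on the constructed rule set
```

Running `audit_sample()` flags the missing outbound deny-all, the legacy any-any rule, and the undocumented or unreviewed allow rules, while the two properly documented rules produce no findings.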
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.13.1 — Guard the Boundaries | Default-deny enforced at every boundary |
| 3.13.5 — DMZ for Public Systems | DMZ-to-internal firewall rules must be default-deny |
| 3.4.7 — Block What’s Not Needed | Default-deny principle applied to network traffic |
Implementation
Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.
CMMC Practice ID: SC.L2-3.13.6 | SPRS Weight: 5 points | POA&M Eligible: No