SC-7(5): Deny By Default / Allow By Exception
- NIST Special Publication 800-53 Revision 5:
  - SC-7(5): Deny by Default – Allow by Exception
The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).
This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.
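
An added example, not part of the NIST text: one way to check a Linux host firewall against this enhancement in both directions, assuming the rules are available in iptables-save format. The sample ruleset and the name audit_default_deny are constructed for illustration; the check goes slightly beyond the control wording by also flagging a match-less ACCEPT rule, which cancels a DROP policy.

```python
# Constructed sample in iptables-save format (not taken from the page).
# Inbound is deny-by-default, but outbound is not, and FORWARD is
# opened up again by a catch-all rule.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")  # inbound, outbound, routed


def audit_default_deny(ruleset):
    """Return (chain, issue, line_number) tuples for the filter table."""
    findings, seen, table = [], set(), None
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]              # table header, e.g. "*filter"
        elif table != "filter":
            continue
        elif line.startswith(":"):        # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            if chain in BUILTIN:
                seen.add(chain)
                if policy != "DROP":      # built-in policy is ACCEPT or DROP
                    findings.append((chain, "default policy is " + policy, lineno))
        elif line.startswith("-A "):      # "-A CHAIN <matches> -j TARGET"
            tokens = line.split()
            # Only a rule with no match criteria at all is flagged here;
            # broad-but-qualified exceptions still need human review.
            if tokens[1] in BUILTIN and tokens[2:] == ["-j", "ACCEPT"]:
                findings.append((tokens[1], "unconditional ACCEPT rule", lineno))
    for chain in BUILTIN:
        if chain not in seen:
            findings.append((chain, "no policy line found", 0))
    return findings


if __name__ == "__main__":
    for finding in audit_default_deny(SAMPLE):
        print(finding)
```
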