SC-7(5): Deny By Default / Allow By Exception

Control Family:

System And Communications Protection

Parent Control:

SC-7: Boundary Protection

Priority:

P1: Implement P1 security controls first.

CSF v1.1 References:

PR.AC-5
PR.DS-5
PR.PT-4
DE.CM-1

Threats Addressed:

Lateral Movement

Baselines:

Moderate
High

Next Version:

NIST Special Publication 800-53 Revision 5:
SC-7(5): Deny by Default – Allow by Exception

Control Statement

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental Guidance

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

Control Statement

Supplemental Guidance

Related Controls

Critical Security Controls Version 8

Critical Security Controls Version 7.1