SC-7(5): Deny By Default / Allow By Exception

CSF v1.1 References:

Threats Addressed:


  • Moderate
  • High

Next Version:

Control Statement

The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception).

Supplemental Guidance

This control enhancement applies to both inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.