SC-7(5): Deny by Default – Allow by Exception

Control Family:

System and Communications Protection

Parent Control:

SC-7: Boundary Protection

CSF v1.1 References:

Threats Addressed:

Lateral Movement

Baselines:

Moderate
High

Previous Version:

NIST Special Publication 800-53 Revision 4:
SC-7(5): Deny By Default / Allow By Exception

Incorporates the following control from the previous version: CA-3(5): Restrictions On External System Connections.

Control Statement

Deny network communications traffic by default and allow network communications traffic by exception [Assignment (one or more): at managed interfaces, for [Assignment: organization-defined systems] ].

Supplemental Guidance

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

Control Statement

Supplemental Guidance

Related Controls

Critical Security Controls Version 8

Critical Security Controls Version 7.1