NIST SP 800-171 Rev 2 practice 3.13.6, under the System and Communications Protection family, requires organizations to deny network communications traffic by default and allow traffic only by explicit exception. All inbound and outbound traffic is blocked unless a specific rule exists to permit it, implemented at firewalls, routers, and network access control devices at external system boundaries and at key internal boundaries. The practice operationalizes a 'deny all, permit by exception' posture, as opposed to a permissive 'allow all, deny by exception' approach. It applies both to inbound traffic entering organizational systems and to outbound traffic leaving them, so that only authorized communications can traverse network boundaries.
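The following is an added example, not part of the original cubelet: a small policy evaluator that models the 'deny all, permit by exception' posture for both directions, plus an audit check that flags the permissive 'allow all' anti-pattern. The rule schema, the `POLICY` exception list and the addresses are constructed for illustration.

```python
"""Default-deny policy model for NIST SP 800-171 3.13.6 (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str       # "inbound" or "outbound"
    proto: str           # "tcp", "udp" or "any"
    remote: str          # remote CIDR, e.g. "203.0.113.0/24"; "0.0.0.0/0" is any
    port: Optional[int]  # destination port; None matches any port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: str
    remote_ip: str
    port: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction == flow.direction
            and rule.proto in ("any", flow.proto)
            and ip_address(flow.remote_ip) in ip_network(rule.remote, strict=False)
            and rule.port in (None, flow.port))


def decide(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; with no match the default action applies."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default  # 3.13.6: this must be "deny" in both directions


def audit(rules: List[Rule], default: str) -> List[str]:
    """Flag a non-deny default and any blanket allow (any proto, any port, any host)."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny")
    for rule in rules:
        if (rule.action == "allow" and rule.proto == "any" and rule.port is None
                and ip_network(rule.remote, strict=False).prefixlen == 0):
            findings.append(f"blanket allow rule in {rule.direction} direction")
    return findings


# Constructed exception list: HTTPS in from one partner range; DNS and HTTPS out to
# an approved resolver and proxy only. Everything else falls through to "deny".
POLICY = [
    Rule("inbound", "tcp", "203.0.113.0/24", 443, "allow"),
    Rule("outbound", "udp", "198.51.100.53/32", 53, "allow"),
    Rule("outbound", "tcp", "198.51.100.10/32", 443, "allow"),
]
```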
Where it stops · what it isn't
- This practice does not govern authentication or access control for users logging into systems — that falls under the Access Control (AC) domain.
- This practice does not require encryption of network traffic in transit — encryption is addressed by SC-L2-3.13.8.
- This practice does not address internal host-based firewalls unless those hosts represent key internal boundaries defined by the organization.
- This practice does not govern the content inspection or deep packet inspection of allowed traffic — that may fall under other SC or SI practices.
- This practice does not define what constitutes 'authorized' traffic — that determination must be made by organizational policy and is a prerequisite condition, not part of this practice's scope.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF domain/system-and-communications-protection