
SC.L2-3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

What this control requires

Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Source: CMMC L2 v2.13 SC.L2-3.13.6 / NIST SP 800-171 R2 3.13.6 (official control text).

Why this matters

Most cyberattacks rely on unrestricted network communication to scan for vulnerabilities, exfiltrate data, or establish command-and-control channels. A default-deny posture means all network traffic is blocked unless explicitly permitted by policy. This transforms your network from an open highway into a gated facility where only approved connections pass through. By forcing every communication path to justify its existence, you eliminate shadow data flows, contain lateral movement during breaches, and maintain visibility over what enters and leaves your environment. This control protects CUI from unauthorized disclosure and prevents adversaries from pivoting through your infrastructure.

What evidence assessors expect

Assessors typically look for: screenshot, configuration export, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
