03.13.06 —
What this control requires
Source: NIST SP 800-171 R3 §03.13.06 (official control text).
Why this matters
A deny-by-default network posture means only explicitly permitted traffic crosses system boundaries — everything else is blocked. This prevents lateral movement by attackers, stops data exfiltration through unauthorized channels, and limits the blast radius of compromised endpoints. Without this control, adversaries exploit open ports and permissive firewall rules to pivot between systems, exfiltrate CUI, and maintain persistent access. Enforcing allow-by-exception at both perimeter and internal boundaries creates chokepoints where security teams monitor and control every approved connection, making unauthorized network activity immediately detectable.
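One way to check a configuration export for the deny-by-default posture described above, as an added example that is not part of this page and not FORCE's or NIST's code: it parses an `iptables-save` style export (the sample below is constructed), confirms each filter chain's default policy is `DROP`, and flags `ACCEPT` rules that are not explicit exceptions. The scoping rule (a rule counts as an exception when it names a port, matches connection state, or is limited to loopback) is this example's own assumption, not a NIST definition.

```python
"""Audit an iptables-save export for a deny-by-default (allow-by-exception) posture.

Added example, not from the page, FORCE or NIST. Assumes the export is in
iptables-save text format and that the filter table uses the standard
INPUT / FORWARD / OUTPUT chains.
"""
import re
from dataclasses import dataclass, field

# Constructed sample export: INPUT is deny-by-default, FORWARD and OUTPUT
# are not, and one INPUT rule accepts an entire /8 with no port scope.
SAMPLE_EXPORT = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.1.2.0/24 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Severity assigned when a chain's default policy is not DROP. Ingress and
# forwarding are the lateral-movement paths; egress matters for exfiltration.
CHAIN_SEVERITY = {"INPUT": "high", "FORWARD": "high", "OUTPUT": "low"}


@dataclass
class Finding:
    severity: str
    message: str


@dataclass
class Audit:
    policies: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_export(text):
    """Return ({chain: default_policy}, [rule lines]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            m = re.match(r":(\S+)\s+(\S+)", line)
            if m:
                policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules


def is_scoped(rule):
    """Heuristic (this example's assumption): an ACCEPT rule is an explicit
    exception if it names a port, matches connection state, or is loopback-only.
    A bare source-subnet allow is treated as too broad."""
    tokens = rule.split()
    if "--dport" in tokens or "--sport" in tokens or "--ctstate" in tokens:
        return True
    return any(tok == "-i" and nxt == "lo" for tok, nxt in zip(tokens, tokens[1:]))


def audit_export(text):
    """Produce findings for non-DROP default policies and broad ACCEPT rules."""
    policies, rules = parse_export(text)
    audit = Audit(policies=policies)
    for chain, severity in CHAIN_SEVERITY.items():
        policy = policies.get(chain, "MISSING")
        if policy != "DROP":
            audit.findings.append(Finding(
                severity, f"{chain} default policy is {policy}; deny-by-default expects DROP"))
    for rule in rules:
        if "-j ACCEPT" in rule and not is_scoped(rule):
            audit.findings.append(Finding(
                "medium", f"broad ACCEPT rule (no port, state or loopback scope): {rule}"))
    return audit


def deny_by_default(text):
    """True when no high-severity finding exists (INPUT and FORWARD drop by default)."""
    return not any(f.severity == "high" for f in audit_export(text).findings)


if __name__ == "__main__":
    result = audit_export(SAMPLE_EXPORT)
    for f in result.findings:
        print(f"[{f.severity}] {f.message}")
    print("deny-by-default:", deny_by_default(SAMPLE_EXPORT))
```

Run against a real export (`iptables-save > export.txt`) and keep the export itself as the assessor artifact; the script's output is a review aid, not the evidence. Hosts using nftables would need an equivalent parser for `nft list ruleset` output.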
What evidence assessors expect
Assessors typically look for screenshots, configuration exports, and PDFs. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.13.06.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →