3.13.6 has a weight of -5 points

(System and Communication Protection Family) 6/16

 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

Example of System Security Plan (SSP):

    Deny All, Permit by Exception Network Communications Traffic Policy

    1. Policy Statement: The organization adopts a deny-all, permit-by-exception network communications traffic policy for inbound and outbound traffic at the system boundary and within the system to enhance network security.
    2. Purpose: The policy ensures that network communications traffic is restricted by default and only essential and approved connections are permitted.
    3. Implementation: The organization configures firewalls, routers, and other boundary control devices to deny all network communications traffic by default.
    4. Exceptions: Only specific and authorized network connections are allowed based on predefined rules and policies.
    5. Benefits: This policy reduces the attack surface and minimizes exposure to potential threats and unauthorized access.
    6. Scope: The policy applies to inbound and outbound network communications traffic within the organization’s systems.
    7. Continuous Monitoring: Regularly monitor network traffic to identify and address any unauthorized connections or anomalies.
    8. Compliance: Compliance with this policy ensures a proactive and robust security posture, reducing the risk of unauthorized network access.
    9. Enforcement: The organization enforces this policy through the configuration of network devices and regular security assessments.
    10. Review: The policy is subject to periodic reviews and updates to ensure it remains effective against evolving threats.
    11. Training: Ensure personnel are aware of this policy and understand their roles in implementing and adhering to it.
    12. Documentation: Document the network communications traffic policy and the specific exceptions permitted for audit and reference purposes.
    13. Communication: Communicate the policy and its importance to all relevant stakeholders within the organization.
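The SSP items above call for boundary devices whose default is to drop and whose accept rules are the documented exceptions. The Python script below is an added example (not from this page and not any vendor's tooling) that checks exactly that: it parses the text `nft list ruleset` prints and reports every base chain whose default policy is not `drop`, plus any filter hook with no base chain at all. Both embedded rulesets are constructed samples: the first is the weak configuration (base chains that default to accept, with a few explicit drops), the second the corrected one (every base chain is `policy drop`, and each `accept` rule is one approved exception). The `EXC-00x` tags in the rule comments are assumed identifiers for the SSP's exception register.

```python
"""Audit an nftables ruleset for a deny-all, permit-by-exception posture (3.13.6).

Added example, not taken from the page: it parses the text that `nft list ruleset`
prints and reports every base chain whose default policy is not `drop`, plus any
filter hook (input/forward/output) that has no base chain. Both rulesets below
are constructed samples."""
import re

# Constructed sample: the weak configuration. Hooks exist, but each base chain
# defaults to accept, so everything not explicitly dropped gets through.
WEAK_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
"""

# Constructed sample: the corrected configuration. Every base chain defaults to
# drop; each accept rule is one approved exception, tagged with the ID under
# which the SSP documents it (EXC-00x are assumed identifiers).
HARDENED_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr 10.20.0.0/24 tcp dport 22 ct state new accept comment "EXC-001 mgmt SSH"
        log prefix "nft-drop-in " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr 10.20.0.53 udp dport 53 accept comment "EXC-002 internal DNS"
        tcp dport 443 ct state new accept comment "EXC-003 outbound HTTPS"
        log prefix "nft-drop-out " drop
    }
}
"""

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{")
BASE_RE = re.compile(r"^type\s+\w+\s+hook\s+(\w+)\s+priority\s+\S+;\s*policy\s+(\w+);")
REQUIRED_HOOKS = {"input", "forward", "output"}


def base_chain_policies(ruleset_text):
    """Map (table, chain) -> (hook, policy) for every base chain in the ruleset."""
    policies = {}
    table = chain = None
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif (m := BASE_RE.match(line)) and table and chain:
            policies[(table, chain)] = (m.group(1), m.group(2))
    return policies


def audit(ruleset_text):
    """Return findings; an empty list means deny-by-default on all three filter hooks."""
    findings = []
    policies = base_chain_policies(ruleset_text)
    for (table, chain), (hook, policy) in sorted(policies.items()):
        if policy != "drop":
            findings.append(f"{table} {chain} (hook {hook}): policy {policy}, expected drop")
    for hook in sorted(REQUIRED_HOOKS - {hook for hook, _ in policies.values()}):
        findings.append(f"no base chain on hook {hook}: that path is not filtered at all")
    return findings


def permitted_exceptions(ruleset_text):
    """The accept rules, i.e. the exception list the SSP must document and review."""
    return [line.strip() for line in ruleset_text.splitlines()
            if re.search(r"\baccept\b", line) and not line.strip().startswith("type")]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {name} ==")
        for finding in audit(text) or ["OK: every base chain defaults to drop"]:
            print("  ", finding)
    print("exceptions to document:")
    for rule in permitted_exceptions(HARDENED_RULESET):
        print("  ", rule)
```

On a live host the same functions can be fed the real ruleset with `audit(subprocess.check_output(["nft", "list", "ruleset"], text=True))` (run as root). Note that the check looks at all three filter hooks: an input chain that defaults to drop while output still defaults to accept does not satisfy the "inbound and outbound" wording of the requirement, and a missing forward chain leaves routed traffic unfiltered even though nothing in the ruleset says "accept".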

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Policy Development and Communication

    Develop a comprehensive “Deny All, Permit by Exception Network Communications Traffic Policy” that clearly outlines the purpose, scope, implementation, and benefits of the policy. Communicate the policy to all relevant personnel and stakeholders. [Target Date]

    Milestone 2: Configuration of Boundary Control Devices

    Configure firewalls, routers, and other boundary control devices to implement the “deny all” rule for both inbound and outbound network communications traffic. Ensure that all default settings follow the deny-all policy. [Target Date]

    Milestone 3: Predefined Rules and Policies

    Establish predefined rules and policies to permit specific and authorized network connections based on the organization’s requirements. Define the criteria for permitting exceptions and ensure that all exceptions align with the overall security objectives. [Target Date]

    Milestone 4: Continuous Monitoring and Enforcement

    Implement continuous monitoring of network traffic to detect any unauthorized connections or anomalies. Enforce the policy by promptly blocking unauthorized connections and addressing any violations. [Target Date]

    Milestone 5: Training and Awareness

    Conduct training and awareness programs to educate all personnel about the “Deny All, Permit by Exception Network Communications Traffic Policy.” Ensure that employees understand their roles in implementing and adhering to the policy. [Target Date]

    Milestone 6: Documentation and Review

    Document the network communications traffic policy, including all predefined rules and permitted exceptions, for audit and reference purposes. Subject the policy to periodic reviews to ensure its effectiveness against evolving threats and changing organizational requirements. [Target Date]

    Milestone 7: Compliance and Reporting

    Regularly assess the organization’s compliance with the policy and provide periodic reports to relevant stakeholders and management. Demonstrate the successful implementation of the policy and the resulting security posture. [Target Date]

    Milestone 8: Continuous Improvement

    Foster a culture of continuous improvement by encouraging feedback from personnel, conducting regular assessments, and staying informed about emerging best practices and technologies. Regularly update the policy and configuration of network devices to enhance security based on lessons learned and new insights. [Target Date]
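Milestones 4 and 6 ask for continuous monitoring of what the firewall lets through and for periodic review of the documented exceptions. As an added example for those two steps (it is not from this page and not any vendor's tool), the Python script below reads netfilter-format accept/drop log lines, matches every accepted connection against the register of approved exceptions, and flags two things: connections the firewall allowed that no approved exception covers (rule drift relative to the SSP), and exceptions whose review date has passed. The register, the log lines, the `EXC-00x` identifiers, the `nft-accept-in`/`nft-accept-out` log prefixes (which assume a logging rule placed ahead of each accept rule) and the run date are all constructed.

```python
"""Continuous-monitoring check for 3.13.6: were the connections the firewall
accepted all covered by an approved exception, and are the exceptions still
within their review date?

Added example, not taken from the page. The exception register, the log lines
and the run date are constructed; the 'nft-accept-in'/'nft-accept-out' prefixes
assume a logging rule placed ahead of each accept rule."""
import ipaddress
import re
from datetime import date

AS_OF = date(2025, 3, 10)  # constructed run date for the review

# Constructed exception register: what the SSP documents as "permit by exception".
EXCEPTIONS = [
    {"id": "EXC-001", "dir": "in", "src": "10.20.0.0/24", "dst": "0.0.0.0/0",
     "proto": "TCP", "dport": 22, "review_by": date(2025, 6, 30)},
    {"id": "EXC-002", "dir": "out", "src": "0.0.0.0/0", "dst": "10.20.0.53/32",
     "proto": "UDP", "dport": 53, "review_by": date(2025, 6, 30)},
    {"id": "EXC-003", "dir": "out", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "TCP", "dport": 443, "review_by": date(2024, 1, 31)},
]

# Constructed syslog lines in netfilter LOG format (fields between DST and PROTO vary).
LOG_LINES = """\
Mar 10 09:01:02 fw1 kernel: nft-accept-in IN=eth0 OUT= SRC=10.20.0.15 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=51234 DPT=22
Mar 10 09:01:05 fw1 kernel: nft-accept-out IN= OUT=eth0 SRC=10.0.0.10 DST=10.20.0.53 LEN=71 PROTO=UDP SPT=40001 DPT=53
Mar 10 09:02:11 fw1 kernel: nft-accept-out IN= OUT=eth0 SRC=10.0.0.10 DST=203.0.113.8 LEN=60 PROTO=TCP SPT=40002 DPT=443
Mar 10 09:03:40 fw1 kernel: nft-accept-in IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=33000 DPT=3389
Mar 10 09:04:01 fw1 kernel: nft-drop-in IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.10 LEN=60 PROTO=TCP SPT=33001 DPT=23
"""

LINE_RE = re.compile(
    r"nft-(accept|drop)-(in|out) .*?SRC=(\S+) DST=(\S+).*?PROTO=(\w+).*?DPT=(\d+)")


def parse_flows(text):
    """Extract verdict, direction and the fields an exception is keyed on."""
    flows = []
    for line in text.splitlines():
        if m := LINE_RE.search(line):
            verdict, direction, src, dst, proto, dport = m.groups()
            flows.append({"verdict": verdict, "dir": direction, "src": src,
                          "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def matching_exception(flow, register=EXCEPTIONS):
    """Return the ID of the first exception covering this flow, or None."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for exc in register:
        if (exc["dir"] == flow["dir"] and exc["proto"] == flow["proto"]
                and exc["dport"] == flow["dport"]
                and src in ipaddress.ip_network(exc["src"])
                and dst in ipaddress.ip_network(exc["dst"])):
            return exc["id"]
    return None


def review(text, today=AS_OF, register=EXCEPTIONS):
    """Return (accepted flows with no approved exception, exception IDs past review)."""
    unauthorised = [f for f in parse_flows(text)
                    if f["verdict"] == "accept" and matching_exception(f, register) is None]
    stale = [e["id"] for e in register if e["review_by"] < today]
    return unauthorised, stale


if __name__ == "__main__":
    unauthorised, stale = review(LOG_LINES)
    for f in unauthorised:
        print(f"ACCEPTED WITHOUT EXCEPTION: {f['dir']} {f['src']} -> {f['dst']} "
              f"{f['proto']}/{f['dport']}")
    for exc_id in stale:
        print(f"EXCEPTION PAST REVIEW DATE: {exc_id}")
```

In the constructed log the inbound RDP connection (TCP/3389 from 198.51.100.7) was accepted but matches no register entry, which is the condition Milestone 4 is meant to catch: an accept rule exists on the device that the SSP's exception list does not account for. Dropped traffic is deliberately ignored here, since a deny-by-default device drops constantly and those lines belong to a separate alerting threshold rather than to the exception review.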

    RELEVANT INFORMATION:

    This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed.

    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.