A compromised system should not have free rein to send data anywhere. SC.L2-3.13.6 requires a default-deny approach to outbound traffic. While external firewall rules handle some of this, internal systems should also be restricted from initiating unauthorized connections. The assessor will examine both network-level and host-level controls. See SC.L2-3.13.1 (boundary protection) and SC.L2-3.13.5 (default-deny inbound) for related controls.
What the assessor is actually evaluating
The assessor will check:
Egress firewall rules: Your perimeter firewall should restrict outbound traffic. By default, traffic is blocked unless a rule permits it. The assessor will review the egress rule set and verify it is default-deny.
Host firewall configuration: Windows Defender Firewall or a similar host-based firewall should be enabled on critical systems, with outbound rules configured. The assessor will verify this on sampled systems.
Documented allowed destinations: You should have a list of external systems and services that in-scope systems are allowed to contact (e.g., NTP servers, software update servers, SaaS applications).
What a realistic SSP definition looks like
Policy: “The organization implements default-deny network communications. Outbound traffic from in-scope systems is restricted to documented, approved destinations. This is enforced through firewall egress rules and host firewall policies. All in-scope systems have Windows Defender Firewall enabled with outbound restrictions. Approved external destinations are documented and reviewed quarterly.”
Supporting details:
- Perimeter firewall egress rules: Outbound traffic from internal networks is blocked by default except for approved destinations (Windows Update, NTP, DNS, web proxy, etc.).
- Host firewalls: Windows Defender Firewall is enabled and enforced via Group Policy on all in-scope systems. Default outbound action is “Block.”
- Approved destinations: Spreadsheet listing external systems/services and their IP addresses or FQDNs. Includes Windows Update servers, time servers, DNS servers, and approved SaaS applications.
- Review process: Quarterly review of approved destination list; any obsolete destinations are removed.
How to present your evidence
- Egress firewall policy document: Describes the default-deny approach and how outbound rules are managed.
- Firewall egress rule configuration: Show the firewall ruleset with specific allow rules for approved destinations and the implicit deny at the end.
- Host firewall policy screenshots: Show Group Policy or host-based firewall configuration on sampled systems. Display the default outbound action (should be “Block”) and any specific outbound allow rules.
- Approved destinations list: A spreadsheet documenting all external destinations that in-scope systems are permitted to contact, with business justification for each.
- Testing evidence: Attempt to establish an outbound connection to an unauthorized destination from an in-scope system and show the connection is blocked.
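As an added example (not from this guide), the PowerShell below gathers the host-firewall evidence items above from a Windows system using the built-in NetSecurity cmdlets: the per-profile default outbound action, the enabled outbound allow rules to reconcile against the approved-destinations spreadsheet, and the blocked-connection test. The test destination is a placeholder from the TEST-NET-3 documentation range, not a real host.

```powershell
# Added evidence-collection script (not from the original guide). Assumes an
# elevated PowerShell session on an in-scope Windows host with the NetSecurity
# module (Get-NetFirewallProfile / Get-NetFirewallRule are built in).

# 1. Per-profile default outbound action. Compliant means the profile is on
#    and its default outbound action is Block, as the SSP text asserts.
function Get-OutboundDefaultReport {
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile               = $_.Name
            Enabled               = "$($_.Enabled)"
            DefaultOutboundAction = "$($_.DefaultOutboundAction)"
            Compliant             = ("$($_.Enabled)" -eq 'True' -and
                                     "$($_.DefaultOutboundAction)" -eq 'Block')
        }
    }
}

# 2. Enabled outbound Allow rules with their remote address/port scope. Each
#    row should map to an approved destination; rules whose RemoteAddress is
#    'Any' are flagged because they punch a hole through default-deny.
function Get-OutboundAllowRuleReport {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = "$($_.Profile)"
            Protocol      = $port.Protocol
            RemotePort    = ($port.RemotePort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            NeedsReview   = ($addr.RemoteAddress -contains 'Any')
        }
    }
}

# 3. The blocked-connection test from the evidence list. 203.0.113.10 is a
#    placeholder (documentation range); substitute a destination that is NOT
#    on the approved list. Blocked = True is the result to capture.
function Test-UnapprovedEgress {
    param([string]$Destination = '203.0.113.10', [int]$Port = 443)
    $r = Test-NetConnection -ComputerName $Destination -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Destination = $Destination
        Port        = $Port
        Blocked     = (-not $r.TcpTestSucceeded)
        TestedAt    = (Get-Date).ToString('o')
    }
}

Get-OutboundDefaultReport | Format-Table -AutoSize
Get-OutboundAllowRuleReport | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
Test-UnapprovedEgress | Format-List
```

Run the test against a destination that is known to be reachable when the rule set is permissive; the placeholder address never answers, so a failed connection to it proves nothing on its own. Enabling dropped-packet logging (`Set-NetFirewallProfile -LogBlocked True`) makes the drop visible in `%systemroot%\System32\LogFiles\Firewall\pfirewall.log`, which is stronger evidence than the connection failure alone.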
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “How do you control outbound network traffic from your systems?”
You: “Both the perimeter firewall and host firewalls use a default-deny approach. Outbound traffic is only allowed to documented, approved destinations.” [Pull up firewall egress rules and a Group Policy showing host firewall default-block configuration]
Assessor: “What external systems can your servers contact?”
You: “Windows Update, NTP, DNS, our web proxy, and a few approved SaaS applications. Here is the complete list.” [Pull up the approved destinations spreadsheet]
Assessor: “Let me test. Can a system reach an unapproved destination outside your network?”
You: “No. The firewall will block it. You can test by attempting to reach any IP outside our approved list.” [Later, show that the test was blocked]
Common failures
Default-allow outbound traffic: Systems can reach any external destination. There is no egress filtering. A compromised system could freely exfiltrate data.
No documented approved destinations: You have firewall rules allowing outbound traffic, but you cannot explain what destinations are approved or why.
Host firewalls are disabled: Windows Defender Firewall is turned off on systems. Outbound connections are completely unrestricted at the host level.
No egress rules, only ingress: The firewall configuration only shows inbound rules. Outbound traffic is not controlled.
What passing looks like
Default-deny outbound at both network and host levels: Perimeter firewall has egress rules. Host firewalls are enabled with default-block on all systems.
Clear, documented approved destinations: A minimal list of external systems that systems are permitted to contact. Each has business justification.
If you use an MSP/MSSP
If your MSP manages firewalls or systems, request a copy of the egress firewall rules and the approved external destination list. Verify that host firewalls are enabled on managed systems. Participate in quarterly reviews of approved destinations. Ensure the MSP is maintaining default-deny outbound policies.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.