Your firewall should block everything by default and only allow the traffic you've explicitly approved.
What it actually means
Network traffic should be denied by default; you open only the specific ports, protocols, and destinations the business needs. This is the opposite of 'allow everything except known-bad.' It applies at your perimeter firewall and, ideally, between internal segments too.
Pass or fail — an assessor needs a "yes" to each
- Does your firewall default-deny inbound (and ideally outbound), allowing only explicitly approved traffic?
- Is there a documented list of approved ports / services with a business justification?
What to have ready
- Firewall ruleset showing a default-deny posture
- Documented allow-list of ports / protocols / services with justifications
Where teams trip up
- Default-allow outbound with only a few blocks
- Accumulated 'any-any' rules no one has reviewed
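The two failure modes above (a default-ACCEPT policy, and an unreviewed any-any rule that quietly turns a default-deny chain back into default-allow) are easy to check mechanically. The script below is an added example, not the page's own material: it audits an `iptables-save` style dump of the filter table, flags built-in chains whose policy is ACCEPT, flags ACCEPT rules that carry no match criteria at all, and extracts the port-level allow-list an assessor asks for. Both rulesets embedded in it are constructed for illustration; the script assumes a single `*filter` table in standard `iptables-save` syntax.

```python
"""Audit an iptables-save dump for default-deny posture and any-any ACCEPT rules.

Added example (not from the page). Sample rulesets below are constructed.
Assumes a single *filter table in iptables-save syntax.
"""
import shlex
from dataclasses import dataclass

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# Options that narrow a rule to specific traffic. An ACCEPT rule with none of
# these matches everything: the classic "any-any" rule.
MATCH_OPTIONS = {
    "-p", "--protocol", "-s", "--source", "-d", "--destination",
    "-i", "--in-interface", "-o", "--out-interface",
    "--dport", "--sport", "--dports", "--sports", "--ctstate", "--state",
}

# Constructed: default-allow on INPUT/OUTPUT plus a stray any-any accept.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j DROP
COMMIT
"""

# Constructed: default-deny everywhere, only named services allowed.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -d 10.0.0.53/32 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


@dataclass(frozen=True)
class Finding:
    chain: str
    severity: str
    message: str


def parse_ruleset(text):
    """Return (policies, rules): chain -> policy, and (chain, options, raw) per rule."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # ":INPUT ACCEPT [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):                  # "-A CHAIN <options>"
            tokens = shlex.split(line)
            rules.append((tokens[1], tokens[2:], line))
    return policies, rules


def _target(options):
    return options[options.index("-j") + 1] if "-j" in options else None


def is_any_any_accept(options):
    """True for an ACCEPT rule with no protocol/address/port/interface/state match."""
    return _target(options) == "ACCEPT" and not any(t in MATCH_OPTIONS for t in options)


def audit(text):
    """Findings for chains that are not default-deny and for any-any ACCEPT rules."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in BUILTIN_CHAINS:
        policy = policies.get(chain)
        if policy is None:
            findings.append(Finding(chain, "warn", "chain not present in ruleset"))
        elif policy == "ACCEPT":
            findings.append(Finding(chain, "fail", "default policy is ACCEPT; expected DROP or REJECT"))
    for chain, options, raw in rules:
        if is_any_any_accept(options):
            findings.append(Finding(chain, "fail", f"unrestricted any-any accept rule: {raw}"))
    return findings


def allowed_services(text):
    """(chain, proto, dport) for every ACCEPT rule naming a port: the allow-list evidence."""
    _, rules = parse_ruleset(text)
    services = []
    for chain, opts, _ in rules:
        if _target(opts) != "ACCEPT":
            continue
        proto = opts[opts.index("-p") + 1] if "-p" in opts else None
        port = next((opts[opts.index(f) + 1] for f in ("--dport", "--dports") if f in opts), None)
        if port is not None:
            services.append((chain, proto, port))
    return services


if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"== {label} ==")
        for f in audit(ruleset) or [Finding("-", "pass", "default-deny, no any-any accepts")]:
            print(f"  [{f.severity}] {f.chain}: {f.message}")
        print("  allow-list:", allowed_services(ruleset))
```

Run it against a real `iptables-save` export to get a first-pass answer to both assessor questions: an empty `audit()` result is the default-deny evidence, and `allowed_services()` is the skeleton of the documented allow-list, to which the business justification for each entry still has to be added by hand. A DROP policy on its own is not enough; the any-any check matters because a bare `-j ACCEPT` anywhere in the chain makes the policy unreachable for the traffic it matches.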
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →