AC-4: Information Flow Enforcement
Control Family:
Threats Addressed:
Baselines:
- Low: N/A
- Moderate: AC-4
- High: AC-4
Next Version:
- NIST Special Publication 800-53 Revision 5:
  - AC-4: Information Flow Enforcement
Control Statement
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
Supplemental Guidance
Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.
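The header-based enforcement the guidance lists (blocking outside traffic that claims an internal source, allowing web requests to the Internet only from the internal proxy, and restricting exposed services), as an added example in Python that is not part of SP 800-53 and not taken from any product. The internal address ranges, the proxy address, the published web server address and the sample flows are all constructed for the example:

```python
"""Added example (not SP 800-53 text): a boundary rule set evaluated on
packet header information only, of the kind the AC-4 guidance describes.

Addresses, the proxy, the published web server and the sample flows are
constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the organization's internal address space, its only sanctioned
# outbound web proxy, and the public address of its one published web server.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WEB_PROXY = ip_address("10.1.1.10")
PUBLIC_WEB = ip_address("203.0.113.10")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    direction: str   # "ingress" = arriving from the Internet, "egress" = leaving
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


# Ordered rule set: (name, predicate, verdict). First match wins.
RULES = [
    # "blocking outside traffic that claims to be from within the organization"
    ("ingress-antispoof",
     lambda f: f.direction == "ingress" and is_internal(f.src), "deny"),
    # "restricting web requests to the Internet that are not from the
    # internal web proxy server"
    ("egress-web-from-proxy",
     lambda f: f.direction == "egress" and f.dport in WEB_PORTS
               and ip_address(f.src) == WEB_PROXY, "allow"),
    ("egress-web-not-proxy",
     lambda f: f.direction == "egress" and f.dport in WEB_PORTS, "deny"),
    # Service restriction: the only inbound service exposed is HTTPS on the
    # published web server.
    ("ingress-public-https",
     lambda f: f.direction == "ingress" and f.proto == "tcp"
               and f.dport == 443 and ip_address(f.dst) == PUBLIC_WEB, "allow"),
]


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, matching rule name); unmatched flows are denied."""
    for name, matches, verdict in RULES:
        if matches(flow):
            return verdict, name
    return "deny", "default-deny"


# Constructed sample flows as a boundary device would see them.
SAMPLE_FLOWS = [
    Flow("ingress", "10.0.5.7", "203.0.113.10", "tcp", 443),       # spoofed source
    Flow("egress", "10.1.1.10", "198.51.100.20", "tcp", 443),      # proxy to Internet
    Flow("egress", "10.0.5.7", "198.51.100.20", "tcp", 80),        # workstation bypassing proxy
    Flow("ingress", "198.51.100.20", "203.0.113.10", "tcp", 443),  # public HTTPS
    Flow("ingress", "198.51.100.20", "203.0.113.10", "tcp", 22),   # SSH is not published
]


def audit(flows: list[Flow]) -> list[tuple[str, str]]:
    """Evaluate a batch of flows; returns one (verdict, rule) per flow."""
    return [evaluate(f) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, rule) in zip(SAMPLE_FLOWS, audit(SAMPLE_FLOWS)):
        print(f"{verdict:5} {rule:22} {flow.direction:7} "
              f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Two things this toy leaves out that a real boundary device supplies: `direction` is normally derived from the interface a packet arrives on rather than carried in the flow record, and a stateful device admits return traffic for allowed flows instead of evaluating every packet against the initiating-flow rules shown here.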
Control Enhancements
AC-4(1): Object Security Attributes
Baseline(s):
The information system uses [Assignment: organization-defined security attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4(2): Processing Domains
Baseline(s):
The information system uses protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.
AC-4(3): Dynamic Information Flow Control
Baseline(s):
The information system enforces dynamic information flow control based on [Assignment: organization-defined policies].
AC-4(4): Content Check Encrypted Information
Baseline(s):
The information system prevents encrypted information from bypassing content-checking mechanisms by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].
AC-4(5): Embedded Data Types
Baseline(s):
The information system enforces [Assignment: organization-defined limitations] on embedding data types within other data types.
AC-4(6): Metadata
Baseline(s):
The information system enforces information flow control based on [Assignment: organization-defined metadata].
AC-4(7): One-Way Flow Mechanisms
Baseline(s):
The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms.
AC-4(8): Security Policy Filters
Baseline(s):
The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows].
AC-4(9): Human Reviews
Baseline(s):
The information system enforces the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].
AC-4(10): Enable / Disable Security Policy Filters
Baseline(s):
The information system provides the capability for privileged administrators to enable/disable [Assignment: organization-defined security policy filters] under the following conditions: [Assignment: organization-defined conditions].
AC-4(11): Configuration Of Security Policy Filters
Baseline(s):
The information system provides the capability for privileged administrators to configure [Assignment: organization-defined security policy filters] to support different security policies.
AC-4(12): Data Type Identifiers
Baseline(s):
The information system, when transferring information between different security domains, uses [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.
AC-4(13): Decomposition Into Policy-Relevant Subcomponents
Baseline(s):
The information system, when transferring information between different security domains, decomposes information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.
AC-4(14): Security Policy Filter Constraints
Baseline(s):
The information system, when transferring information between different security domains, implements [Assignment: organization-defined security policy filters] requiring fully enumerated formats that restrict data structure and content.
AC-4(15): Detection Of Unsanctioned Information
Baseline(s):
The information system, when transferring information between different security domains, examines the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibits the transfer of such information in accordance with the [Assignment: organization-defined security policy].
AC-4(17): Domain Authentication
Baseline(s):
The information system uniquely identifies and authenticates source and destination points by [Selection (one or more): organization, system, application, individual] for information transfer.
AC-4(18): Security Attribute Binding
Baseline(s):
The information system binds security attributes to information using [Assignment: organization-defined binding techniques] to facilitate information flow policy enforcement.
AC-4(19): Validation Of Metadata
Baseline(s):
The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads.
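Enhancements (5), (12), (13), (14), (15) and (19) above together describe the structural filtering a cross-domain guard performs on each transfer. As an added illustration that is neither SP 800-53 text nor any product's code, the Python below decomposes a constructed transfer record into header metadata and payload, checks the data type identifier against an enumerated list, enforces a fully enumerated format on the header fields, rejects data types embedded in text, flags constructed unsanctioned markers, and applies the same content checks to metadata as to payload. The record format, the type identifier, the field constraints and the unsanctioned terms are all assumptions made for the example:

```python
"""Added example (not SP 800-53 text): a toy cross-domain policy filter
showing the behaviours AC-4(5), (12), (13), (14), (15) and (19) describe.

The transfer record format, data type identifier, field constraints and
unsanctioned terms below are all constructed for this example.
"""
from __future__ import annotations
import re

# AC-4(12): the only data type identifiers the filter will pass, and
# AC-4(14): for each, a fully enumerated format: every permitted header field
# is named and its whole value must match a constraint.
FORMATS = {
    "STATUS-REPORT-V1": {
        "Site": r"[A-Z]{3}",
        "Status": r"(GREEN|AMBER|RED)",
        "Count": r"[0-9]{1,4}",
    },
}
# Payload lines: a fixed character set and a fixed maximum length.
PAYLOAD_LINE = re.compile(r"[A-Za-z0-9 .,:-]{1,80}")
# AC-4(5): heuristics for one data type embedded inside another. The
# enumerated character sets already exclude markup and nesting; the base64
# check matters because a blob of plain alphanumerics would otherwise pass.
EMBEDDED = [
    ("base64 blob", re.compile(r"[A-Za-z0-9+/]{40,}")),
    ("markup", re.compile(r"<[A-Za-z/][^>]*>")),
    ("nested structure", re.compile(r"[{}\[\]]")),
]
# AC-4(15): constructed markers for the example, not real markings.
UNSANCTIONED = ["PROJECT-ORCHID", "DO NOT EXPORT"]


def decompose(record: str) -> tuple[dict[str, str], list[str]]:
    """AC-4(13): split a record into header fields and payload lines.

    The record is 'Key: value' lines, a blank line, then the payload."""
    head, sep, body = record.partition("\n\n")
    if not sep:
        raise ValueError("missing blank line between header and payload")
    fields: dict[str, str] = {}
    for line in head.splitlines():
        key, colon, value = line.partition(": ")
        if not colon or not re.fullmatch(r"[A-Za-z-]+", key):
            raise ValueError(f"malformed header line {line!r}")
        if key in fields:
            raise ValueError(f"duplicate header field {key!r}")
        fields[key] = value
    return fields, body.splitlines()


def content_checks(label: str, text: str) -> list[str]:
    """Checks applied identically to metadata and payload (AC-4(19))."""
    findings = [f"{label}: embedded {kind}" for kind, pat in EMBEDDED if pat.search(text)]
    findings += [f"{label}: unsanctioned term {t!r}" for t in UNSANCTIONED if t in text.upper()]
    return findings


def filter_record(record: str) -> tuple[bool, list[str]]:
    """Return (passed, findings). Any finding blocks the transfer."""
    try:
        fields, payload = decompose(record)
    except ValueError as e:
        return False, [str(e)]
    type_id = fields.pop("Type", None)
    if type_id not in FORMATS:
        return False, [f"unknown or missing data type identifier {type_id!r}"]
    spec = FORMATS[type_id]
    findings: list[str] = []
    for name in sorted(set(fields) - set(spec)):
        findings.append(f"header {name!r}: not a field of {type_id}")
    for name, pattern in spec.items():
        if name not in fields:
            findings.append(f"header {name!r}: required field missing")
        elif not re.fullmatch(pattern, fields[name]):
            findings.append(f"header {name!r}: value {fields[name]!r} violates {pattern!r}")
    for name, value in fields.items():
        findings += content_checks(f"header {name!r}", value)
    for i, line in enumerate(payload, 1):
        if not PAYLOAD_LINE.fullmatch(line):
            findings.append(f"payload line {i}: outside the enumerated character set or length")
        findings += content_checks(f"payload line {i}", line)
    return not findings, findings


# Constructed sample records.
GOOD = "Type: STATUS-REPORT-V1\nSite: ABC\nStatus: GREEN\nCount: 12\n\nAll systems nominal.\n"
EMBEDDED_BLOB = GOOD.replace("All systems nominal.", "Q" * 48)   # base64-looking run
LEAKY_METADATA = GOOD.replace("Count: 12\n", "Count: 12\nComment: see PROJECT-ORCHID\n")
UNKNOWN_TYPE = "Type: FREEFORM\n\nhello\n"

if __name__ == "__main__":
    for name, rec in [("GOOD", GOOD), ("EMBEDDED_BLOB", EMBEDDED_BLOB),
                      ("LEAKY_METADATA", LEAKY_METADATA), ("UNKNOWN_TYPE", UNKNOWN_TYPE)]:
        passed, findings = filter_record(rec)
        print(name, "PASS" if passed else "BLOCK", findings)
```

The filter is fail-closed: any finding blocks the record, and the `LEAKY_METADATA` case shows why metadata must get the payload's checks, since the unsanctioned marker sits in a header field rather than in the body. A production guard would validate the payload against a per-type grammar rather than a character set, and blocked records would be routed to the human review that AC-4(9) provides for rather than silently dropped.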
AC-4(20): Approved Solutions
Baseline(s):
The organization employs [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.
AC-4(21): Physical / Logical Separation Of Information Flows
Baseline(s):
The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].
AC-4(22): Access Only
Baseline(s):
The information system provides access from a single device to computing platforms, applications, or data residing on multiple different security domains, while preventing any information flow between the different security domains.