800-53|AC-4

Title

INFORMATION FLOW ENFORCEMENT

Description

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].

Supplemental

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.

Reference Item Details

Related: AC-17,AC-19,AC-21,AC-3,CM-6,CM-7,SA-8,SC-18,SC-2,SC-5,SC-7

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.1.3 Configure 'Prohibit connection to non-domain networks when connected to domain authenticated network'WindowsCIS Windows 8 L1 v1.0.0
1.4 Use Secure Upstream Caching DNS ServersUnixCIS BIND DNS v1.0.0 L2 Caching Only Name Server
2.8 Protocol Access Controls - 'telnet.access has been configured'NetAppTNS NetApp Data ONTAP 7G
3.8 Ensure 'security-level' is set to '0' for Internet-facing interfaceCiscoCIS Cisco Firewall v8.x L1 v4.2.0
4.10 Ensure that data masking is enabled for sensitive dataSnowflakeCIS Snowflake Foundations v1.0.0 L2
5.2 SnapMirror - 'snapmirror.access has been configured'NetAppTNS NetApp Data ONTAP 7G
5.3 SnapVault - 'snapvault.access has been configured'NetAppTNS NetApp Data ONTAP 7G
6.9 Ensure that PAN-DB URL Filtering is usedPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.10 Ensure that URL Filtering uses the action of block or override on the URL categoriesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the InternetPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
8.1.15 Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'WindowsCIS IE 9 v1.0.0
8.1.20 Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'WindowsCIS IE 9 v1.0.0
8.1.27 Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'WindowsCIS IE 11 v1.0.0
8.1.27 Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'WindowsCIS IE 10 v1.1.0
8.1.33 Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'WindowsCIS IE 11 v1.0.0
8.1.33 Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'WindowsCIS IE 10 v1.1.0
8.3.19 Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'WindowsCIS IE 9 v1.0.0
8.3.29 Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'WindowsCIS IE 9 v1.0.0
8.3.32 Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'WindowsCIS IE 10 v1.1.0
8.3.32 Set 'Navigate windows and frames across different domains' to 'Enabled:Disable'WindowsCIS IE 11 v1.0.0
8.3.38 Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'WindowsCIS IE 11 v1.0.0
8.3.38 Set 'Web sites in less privileged Web content zones can navigate into this zone' to 'Enabled:Disable'WindowsCIS IE 10 v1.1.0
18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L2
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L2 Bitlocker
19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
AIOS-14-005200 - Apple iOS/iPadOS must not allow non-DoD applications to access DoD data.MDMMobileIron - DISA Apple iOS/iPadOS 14 v1r3
AIOS-14-005200 - Apple iOS/iPadOS must not allow non-DoD applications to access DoD data.MDMAirWatch - DISA Apple iOS/iPadOS 14 v1r3
AMLS-L2-000100 - The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information within the network based on organization-defined information flow control policies.AristaDISA STIG Arista MLS DCS-7000 Series L2S v1r3
AMLS-L2-000110 - The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.AristaDISA STIG Arista MLS DCS-7000 Series L2S v1r3
AMLS-L3-000100 - The Arista Multilayer Switch must enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000110 - The Arista Multilayer Switch must disable Protocol Independent Multicast (PIM) on all interfaces that are not required to support multicast routing.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000120 - The Arista Multilayer Switch must bind a Protocol Independent Multicast (PIM) neighbor filter to interfaces that have PIM enabled - PIM neighbor filter to interfaces that have PIM enabled.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000130 - The Arista Multilayer Switch must establish boundaries for IPv6 Admin-Local, IPv6 Site-Local, IPv6 Organization-Local scope, and IPv4 Local-Scope multicast traffic.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000140 - The Arista Multilayer Switch must be configured so inactive router interfaces are disabled.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000150 - The Arista Multilayer Switch must protect an enclave connected to an Alternate Gateway by using an inbound filter that only permits packets with destination addresses within the sites address space.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000160 - If Border Gateway Protocol (BGP) is enabled on The Arista Multilayer Switch, The Arista Multilayer Switch must not be a BGP peer with a router from an Autonomous System belonging to any Alternate Gateway.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000170 - The Arista Multilayer Switch must not redistribute static routes to alternate gateway service provider into an Exterior Gateway Protocol or Interior Gateway Protocol to the NIPRNet or to other Autonomous System.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000180 - The Arista Multilayer Switch must enforce that Interior Gateway Protocol instances configured on the out-of-band management gateway router only peer with their own routing domain.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000190 - The Arista Multilayer Switch must enforce that the managed network domain and the management network domain are separate routing domains and the Interior Gateway Protocol instances are not redistributed or advertised to each other.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000200 - The Arista Multilayer Switch must enforce that any interface used for out-of-band management traffic is configured to be passive for the Interior Gateway Protocol that is utilized on that management interface.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000210 - The Arista Multilayer Switch must enforce information flow control using explicit security attributes (for example, IP addresses, port numbers, protocol, Autonomous System, or interface) on information, source, and destination objects.AristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - BGPAristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - IS-IS auth modeAristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - IS-IS md5 keyAristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4
AMLS-L3-000220 - The Arista Multilayer Switch must enable neighbor router authentication for control plane protocols except RIP - OSPF MD5 KeyAristaDISA STIG Arista MLS DCS-7000 Series RTR v1r4