AC-04(08) Security and Privacy Policy Filters

(a) Enforce information flow control using ac-4.8_prm_1 as a basis for flow control decisions for ac-4.8_prm_2 ; and

(b) ac-04.08_odp.05 data after a filter processing failure in accordance with ac-4.8_prm_4.

Parameter ID Definition
ac-4.8_prm_1 organization-defined security or privacy policy filters
ac-4.8_prm_2 organization-defined information flows
ac-4.8_prm_4 organization-defined security or privacy policy
ac-04.08_odp.01 security policy filter
ac-04.08_odp.02 privacy policy filter
ac-04.08_odp.03 information flows
ac-04.08_odp.04 information flows

Selection (one-or-more):

  • block
  • strip
  • modify
  • quarantine
ac-04.08_odp.06 security policy
ac-04.08_odp.07 privacy policy



Organization-defined security or privacy policy filters can address data structures and content. For example, security or privacy policy filters for data structures can check for maximum file lengths, maximum field sizes, and data/file types (for structured and unstructured data). Security or privacy policy filters for data content can check for specific words, enumerated values or data value ranges, and hidden content. Structured data permits the interpretation of data content by applications. Unstructured data refers to digital information without a data structure or with a data structure that does not facilitate the development of rule sets to address the impact or classification level of the information conveyed by the data or the flow enforcement decisions. Unstructured data consists of bitmap objects that are inherently non-language-based (i.e., image, video, or audio files) and textual objects that are based on written or printed languages. Organizations can implement more than one security or privacy policy filter to meet information flow control objectives.