AC-04 Information Flow Enforcement

Baselines

Guidance

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3 ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

References 4

• SP 800-160-1 Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018.
• SP 800-162 Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019.
• SP 800-178 Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178.
• IR 8112 Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112.

Control Enhancements 32

• AC-04(01) Object Security and Privacy Attributes L M H P
• AC-04(02) Processing Domains L M H P
• AC-04(03) Dynamic Information Flow Control L M H P
• AC-04(04) Flow Control of Encrypted Information L M H P
• AC-04(05) Embedded Data Types L M H P
• AC-04(06) Metadata L M H P
• AC-04(07) One-way Flow Mechanisms L M H P
• AC-04(08) Security and Privacy Policy Filters L M H P
• AC-04(09) Human Reviews L M H P
• AC-04(10) Enable and Disable Security or Privacy Policy Filters L M H P
• AC-04(11) Configuration of Security or Privacy Policy Filters L M H P
• AC-04(12) Data Type Identifiers L M H P
• AC-04(13) Decomposition into Policy-relevant Subcomponents L M H P
• AC-04(14) Security or Privacy Policy Filter Constraints L M H P
• AC-04(15) Detection of Unsanctioned Information L M H P
• AC-04(16) Information Transfers on Interconnected Systems
• AC-04(17) Domain Authentication L M H P
• AC-04(18) Security Attribute Binding
• AC-04(19) Validation of Metadata L M H P
• AC-04(20) Approved Solutions L M H P
• AC-04(21) Physical or Logical Separation of Information Flows L M H P
• AC-04(22) Access Only L M H P
• AC-04(23) Modify Non-releasable Information L M H P
• AC-04(24) Internal Normalized Format L M H P
• AC-04(25) Data Sanitization L M H P
• AC-04(26) Audit Filtering Actions L M H P
• AC-04(27) Redundant/Independent Filtering Mechanisms L M H P
• AC-04(28) Linear Filter Pipelines L M H P
• AC-04(29) Filter Orchestration Engines L M H P
• AC-04(30) Filter Mechanisms Using Multiple Processes L M H P
• AC-04(31) Failed Content Transfer Prevention L M H P
• AC-04(32) Process Requirements for Information Transfer L M H P

Related controls 17

• AC-03 Access Enforcement L M H P
• AC-06 Least Privilege L M H P
• AC-16 Security and Privacy Attributes L M H P
• AC-17 Remote Access L M H P
• AC-19 Access Control for Mobile Devices L M H P
• AC-21 Information Sharing L M H P
• AU-10 Non-repudiation L M H P
• CA-03 Information Exchange L M H P
• CA-09 Internal System Connections L M H P
• CM-07 Least Functionality L M H P
• PL-09 Central Management L M H P
• PM-24 Data Integrity Board L M H P
• SA-17 Developer Security and Privacy Architecture and Design L M H P
• SC-04 Information in Shared System Resources L M H P
• SC-07 Boundary Protection L M H P
• SC-16 Transmission of Security and Privacy Attributes L M H P
• SC-31 Covert Channel Analysis L M H P