800-53|AC-4

Title

INFORMATION FLOW ENFORCEMENT

Description

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].

Supplemental

Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels. Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products.

Reference Item Details

Related: AC-17,AC-19,AC-21,AC-3,CM-6,CM-7,SA-8,SC-18,SC-2,SC-5,SC-7

Category: ACCESS CONTROL

Family: ACCESS CONTROL

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.1.22 Ensure 'Allow users to proceed from the HTTPS warning page' is set to 'Disabled'WindowsCIS Microsoft Edge L2 v1.0.1
1.1.34 Ensure 'Configure the list of names that will bypass the HSTS policy check' is set to 'Disabled'WindowsCIS Microsoft Edge L1 v1.0.1
1.4 Use Secure Upstream Caching DNS ServersUnixCIS BIND DNS v1.0.0 L2 Caching Only Name Server
1.7 Declare an EJB authorization policy for deployed applicationsUnixRedhat JBoss EAP 5.x
2.6 Ensure user consent to apps accessing company data on their behalf is not allowedmicrosoft_azureCIS Microsoft 365 Foundations E3 L2 v1.4.0
2.8 Protocol Access Controls - 'telnet.access has been configured'NetAppTNS NetApp Data ONTAP 7G
2.11 Ensure that Sways cannot be shared with people outside of your organizationmicrosoft_azureCIS Microsoft 365 Foundations E3 L1 v1.4.0
3.8 Ensure 'security-level' is set to '0' for Internet-facing interfaceCiscoCIS Cisco Firewall v8.x L1 v4.2.0
4.3 Ensure all forms of mail forwarding are blocked and/or disabledmicrosoft_azureCIS Microsoft 365 Foundations E3 L1 v1.4.0
4.6.4 NIS - restrict NIS server communication - review contentsUnixCIS IBM AIX 7.1 L2 v1.1.0
5.2 SnapMirror - 'snapmirror.access has been configured'NetAppTNS NetApp Data ONTAP 7G
5.2 SnapMirror - 'snapmirror.allow file should be reviewed'NetAppTNS NetApp Data ONTAP 7G
5.3 SnapVault - 'snapvault.access has been configured'NetAppTNS NetApp Data ONTAP 7G
6.9 Ensure that PAN-DB URL Filtering is usedPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.10 Ensure that URL Filtering uses the action of block or override on the URL categoriesPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
6.13 Ensure secure URL filtering is enabled for all security policies allowing traffic to the InternetPalo_AltoCIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.5.11.2 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
18.8.22.1.4 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
18.8.22.1.5 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
18.8.22.1.5 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Windows Server 2012 MS L1 v2.2.0
18.8.22.1.5 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
18.8.22.1.5 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Windows Server 2012 DC L1 v2.2.0
18.8.22.1.5 Ensure 'Turn off Internet File Association service' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Member Server Level 2 v3.2.0
18.8.22.1.5 Ensure 'Turn off Internet File Association service' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 2 v3.2.0
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL + NG
18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1
18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1 + NG
18.8.22.1.6 Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'WindowsCIS Microsoft Windows 10 Enterprise v1.12.0 L1 + BL
18.8.22.1.6 Ensure 'Turn off Internet File Association service' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.2.0
18.8.22.1.6 Ensure 'Turn off Internet File Association service' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.2.0
18.8.22.1.7 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Windows Server 2012 DC L2 v2.2.0
18.8.22.1.7 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Member Server Level 2 v3.2.0
18.8.22.1.7 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 2 v3.2.0
18.8.22.1.7 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Windows Server 2012 MS L2 v2.2.0
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L2
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L2 Bitlocker
18.8.22.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 2 v3.2.0
18.8.22.1.8 Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 2 v3.2.0
19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1
19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Windows Server 2012 MS L1 v2.2.0
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
19.7.4.2 Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'WindowsCIS Windows Server 2012 DC L1 v2.2.0