Establish, implement, and maintain information flow control configuration standards.


CONTROL ID
01924
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Enforce information flow control., CC ID: 11781

This Control has the following implementation support Control(s):
  • Restrict traffic or information flow based on the node type., CC ID: 16396
  • Restrict traffic or information flow based on the destination address., CC ID: 16378
  • Restrict traffic or information flow based on the origination address., CC ID: 16484
  • Assign appropriate roles for enabling or disabling information flow controls., CC ID: 06760
  • Require the system to identify and authenticate approved devices before establishing a connection., CC ID: 01429
  • Monitor and report on the organization's interconnectivity risk., CC ID: 13172
  • Configure network flow monitoring to organizational standards., CC ID: 16364
  • Perform content filtering scans on network traffic., CC ID: 06761
  • Establish, implement, and maintain a data loss prevention solution to protect Access Control Lists., CC ID: 12128
  • Establish, implement, and maintain an automated information flow approval process or semi-automated information flow approval process for transmitting or receiving restricted data or restricted information., CC ID: 06734
  • Constrain the information flow of restricted data or restricted information., CC ID: 06763


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An agreement may be formed for an automated transaction when an electronic agent performs an action that is required by law to form the agreement. (§ 13(1)(a), The Electronic Communications and Transactions Act, 2002)
  • NIDS or NIPS in gateways are located immediately inside the outermost firewall and configured to generate a log entry, and an alert, for any information flows that contravene any rule in firewall rule sets. (Security Control: 1030; Revision: 6, Australian Government Information Security Manual, March 2021)
  • The organization should ensure the gateways contain a mechanism to inspect and filter data flows for transport and higher layers as defined in the Open Systems Interconnection model. (Control: 1192, Australian Government Information Security Manual: Controls)
  • Member States must ensure technical storage or access to information for the sole purpose of transmitting communications over an electronic communications network or to provide a service explicitly requested by the user or subscriber is permitted. (Art 5.3, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
  • Electronic communication networks are prohibited from being used to gain access to information that is stored on a subscriber's or user's terminal equipment, or to store information or monitor operations that are performed by a user. (§ 122, Italy Personal Data Protection Code)
  • ¶ 88: List X contractors must seek prior approval from the contracting authority when there are exceptional circumstances that justify the passing of protectively marked assets, including restricted, to an overseas agent. There must be a genuine need to know or an arrangement between the government… (¶ 88, ¶ 89, ¶ 92, ¶ 93, The Contractual process, Version 5.0 October 2010)
  • The system should be able to keep copies of data and resend them if they get lost or corrupted during the process. (¶ 21.12 Bullet 3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application. (1.2.4, Application Security Verification Standard 4.0.3, 4.0.3)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure protection of confidentiality, integrity, and availability of data exchanged between one or more system interfaces, jurisdictions, or external business relationships to preve… (AIS-04, Cloud Controls Matrix, v3.0)
  • Implement cryptographically secure and standardized network protocols for the management, import and export of data. (IPY-03, Cloud Controls Matrix, v4.0)
  • The system should have the ability to monitor different types of illicit information flows when they exceed their stated maximum capacity. (§ 11.6, § F.6, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • PII transmitted using a data-transmission network should be subject to appropriate controls designed to ensure that data reaches its intended destination. (§ A.11.2 ¶ 2, ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors)
  • PII transmitted using a data-transmission network should be subject to appropriate controls designed to ensure that data reaches its intended destination. (§ A.12.2 ¶ 2, ISO/IEC 27018:2019, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, Second edition)
  • The organization must implement e-mail technical security measures to guard against unauthorized access to transmitted sensitive information. (CSR 10.3.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Does the Configuration Control Board (CCB) maintain a comprehensive baseline to support enclave operations? (DCHW-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Verifier generated assertions shall expire after 12 hours and shall not be accepted by the relying party after the 12 hours. (§ 5.6.4 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Determine whether management comprehensively and effectively identifies, measures, mitigates, monitors, and reports interconnectivity risk. Review whether management does the following: (App A Objective 6.7, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Shared system resources must be configured in such a way as to prevent unauthorized and unintended information transfers. (§ 5.6.15, Exhibit 4 SC-4, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. (AC-4(19) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. (AC-4(19) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization should use dynamic information flow control based on policy that allows or disallows information flows based on changing conditions or operational considerations. (App F § AC-4(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should implement one-way flows using hardware mechanisms. (App F § AC-4(7), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System must protect information integrity during the aggregation, packaging, and transformation while preparing for transmission. (App F § SC-33, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The information system enforces dynamic information flow control based on {organizationally documented policies}. (AC-4(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system enforces {organizationally documented one-way flows} using hardware mechanisms. (AC-4(7), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. (AC-4(19), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system enforces [Assignment: organization-defined one-way information flows] using hardware mechanisms. (AC-4(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. (AC-4(19) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Enforce one-way information flows through hardware-based flow control mechanisms. (AC-4(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. (AC-4(19) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. (AC-4(23) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enforce one-way information flows through hardware-based flow control mechanisms. (AC-4(7) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. (AC-4(19) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. (AC-4(23) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The information system, when transferring information between different security domains, applies the same security policy filtering to metadata as it applies to data payloads. (AC-4(19) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Because most malicious cyber activity targeting the United States is carried out by actors based in foreign countries or using foreign computing infrastructure, we must strengthen the mechanisms we have to collaborate with our allies and partners so that no adversary can evade the rule of law. The U… (STRATEGIC OBJECTIVE 5.1 ¶ 4, National Cybersecurity Strategy)